Vulnerability Summary
Bug ID: wooyun-2015-0138190
Title: SQL injection on a Dongfeng Motor site, part 1 (sa user, 7 databases involved)
Vendor: dfyb.com
Author: Xmyth_夏洛克
Submitted: 2015-09-01 11:30
Fixed: 2015-09-06 11:32
Published: 2015-09-06 11:32
Type: SQL injection
Severity: High
Self-assessed Rank: 15
Status: Vendor was notified but ignored the vulnerability
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability Details
Disclosure timeline:
2015-09-01: Details sent to the vendor, awaiting vendor response
2015-09-06: Vendor actively ignored the vulnerability; details disclosed to the public
Brief description:
23333
Detailed description:
Injectable URL:
http://www.dfcv.com.cn/ModelPages/Company/Events.aspx?ColumnCode=Achievement
The ColumnCode parameter is injectable:
Feeding it to sqlmap shows the current user is sa.
Proof of vulnerability:
7 databases are involved.
The current database has 82 tables.
Database: CVWeb
[82 tables]
Did not go any further.
Fix recommendation:
Filter the input.
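As an added illustration (not code from the report or from the vendor's site), this shows the string-concatenation pattern that lets a query-string value like ColumnCode run as SQL in an ASP.NET data layer, beside a hardened version that allowlists the value and binds it as a typed parameter. The table and column names, the allowed codes, and the connection details are assumptions standing in for the real schema, which the report does not show.

```csharp
// Added example, not from the original report. Schema and names are assumed.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class EventsQuery
{
    // Assumed table/column names; only ColumnCode itself appears in the report.
    private const string Sql =
        "SELECT Title, EventDate FROM CompanyEvents WHERE ColumnCode = @code";

    // Codes the page is actually meant to serve (assumed). Anything else is rejected
    // before any SQL runs: this is the "filter" the fix section asks for.
    private static readonly HashSet<string> AllowedCodes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Achievement", "News", "Notice" };

    // VULNERABLE: request input becomes part of the statement text, so a crafted
    // ColumnCode is executed as SQL. Because the site connected as sa, any such
    // statement ran with full server rights, which is why 7 databases were exposed.
    public static DataTable LoadEventsVulnerable(SqlConnection conn, string columnCode)
    {
        var sql = "SELECT Title, EventDate FROM CompanyEvents WHERE ColumnCode = '"
                  + columnCode + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // HARDENED: allowlist the value, bind it as a parameter so it can never change the
    // statement, and connect with a login limited to SELECT on this database, e.g.
    //   CREATE LOGIN cvweb_ro WITH PASSWORD = '<placeholder>';
    //   GRANT SELECT ON dbo.CompanyEvents TO cvweb_ro;
    public static DataTable LoadEvents(SqlConnection conn, string columnCode)
    {
        if (string.IsNullOrEmpty(columnCode) || !AllowedCodes.Contains(columnCode))
            throw new ArgumentException("unknown ColumnCode", nameof(columnCode));

        using (var cmd = new SqlCommand(Sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@code", SqlDbType.NVarChar, 50).Value = columnCode;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```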
Copyright notice: credit the source when reposting: Xmyth_夏洛克@乌云
Vulnerability Response
Vendor response:
Severity: No impact, vendor ignored
Ignored at: 2015-09-06 11:32
Vendor reply:
Vulnerability Rank: 4 (WooYun rating)
Latest status:
None