
Vulnerability summary

Defect ID: wooyun-2015-0137641

Title: Haidian Maternal and Child Health Hospital SQL injection to getshell (can leak 4,500 patient passwords / e-mail addresses / phone numbers / national ID numbers / home addresses)

Affected vendor: Haidian Maternal and Child Health Hospital

Author: 小胖胖

Submitted: 2015-08-30 17:35

Fixed: 2015-10-17 10:46

Published: 2015-10-17 10:46

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-08-30: Details sent to the vendor; awaiting vendor handling
2015-09-02: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible organisation; details disclosed only to the reporting agency
2015-09-12: Details disclosed to core white hats and domain experts
2015-09-22: Details disclosed to regular white hats
2015-10-02: Details disclosed to intern white hats
2015-10-17: Details disclosed to the public

Brief description:

Haidian Maternal and Child Health Hospital SQL injection to getshell (leaks 4,500 patient passwords / e-mail addresses / phone numbers / national ID numbers / home addresses)

Detailed description:

[screenshots: 2.png, 1.png, 3.png]

Proof of vulnerability:

Injection point:
http://**.**.**.**/expertsstyle.aspx
Injectable POST parameter: hdfptitle


Run the request through sqlmap:

[screenshot: 1.png]


The database login has dba privileges, so the sa password can be recovered:

[screenshot: 4.png]


With the administrator password, log in to the backend and get a shell:

[screenshot: 5.png]


Leaked: 4,500 patient records (passwords / e-mail addresses / phone numbers / national ID numbers / home addresses):

[screenshots: 7.png, 2.png]


Adding a user to obtain access to the server:

[screenshot: 6.png]


Remediation:

Filter (sanitise) user input.
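To make the remediation concrete, the following is an added illustration (not the hospital site's own code; the handler, table and column names are assumed) of the ADO.NET pattern that produces this bug class beside its parameterised replacement. The comments also note why the dba-level login matters: with a least-privileged login the injection could not have escalated to getshell.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical lookup behind a page such as expertsstyle.aspx (assumed names).
public static class ExpertLookup
{
    // VULNERABLE pattern: the POST field (hdfptitle in the report) is spliced
    // straight into the SQL text, so a crafted value changes the statement the
    // database runs. This is the defect the report exploited.
    public static DataTable FindByTitleVulnerable(SqlConnection conn, string hdfptitle)
    {
        string sql = "SELECT expertname, clinicalcenter FROM experts "
                   + "WHERE professionaltitle = '" + hdfptitle + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // HARDENED pattern: the value travels as a typed parameter and never becomes
    // SQL text, so quotes, comment markers or stacked statements in hdfptitle are
    // treated as plain data. This is what "filter input" should mean in practice;
    // ad hoc escaping or keyword blacklists are not a substitute.
    public static DataTable FindByTitle(SqlConnection conn, string hdfptitle)
    {
        const string sql = "SELECT expertname, clinicalcenter FROM experts "
                         + "WHERE professionaltitle = @title";
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@title", SqlDbType.NVarChar, 100).Value = hdfptitle;
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // Least privilege: the web application's connection string should use a
    // login granted only SELECT on the tables this page needs, not sa or a
    // sysadmin-role member. The report reached the sa password and a shell only
    // because the injected query already ran with dba rights.
    public static SqlConnection OpenAppConnection(string lowPrivilegeConnectionString)
    {
        var conn = new SqlConnection(lowPrivilegeConnectionString);
        conn.Open();
        return conn;
    }
}
```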

Copyright notice: when reposting, please credit the source: 小胖胖@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-09-02 10:44

Vendor reply:

CNVD confirms the vulnerability as described. No direct handling channel with the software vendor (or the website's operating unit) has been established yet; awaiting claim.

Latest status:

None yet