
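Vulnerability Summary

Bug ID: wooyun-2015-089668

Title: SQL injection in the Training and Communication Center of the National Population and Family Planning Commission

Vendor: CNCERT (National Internet Emergency Center)

Author: Yang

Submitted: 2015-01-04 16:59

Fixed: 2015-02-18 17:00

Published: 2015-02-18 17:00

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]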



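Vulnerability Details

Disclosure status:

2015-01-04: Details reported to the vendor; awaiting vendor handling
2015-01-09: Vendor confirmed; details disclosed to the vendor only
2015-01-19: Details disclosed to core white hats and experts in related fields
2015-01-29: Details disclosed to regular white hats
2015-02-08: Details disclosed to intern white hats
2015-02-18: Details disclosed to the public

Brief description:

The Training and Communication Center of the National Population and Family Planning Commission is a public institution directly under the Commission, established in January 1999. In the ten-plus years since its founding, the Center has pursued the goal of addressing population issues in a coordinated way and promoting people's all-round development, with a focus on raising the overall quality of the population and family planning workforce; it has introduced advanced concepts and studied advanced techniques to promote the professionalization of the workforce and capacity building. To date, it has held more than 300 specialized training courses for provincial, prefecture and county-level officials in charge, directors of population and family planning commissions, and civil servants at all levels, organized more than 60 overseas training and study delegations, and trained more than 50,000 participants (person-times). It is carrying out occupational skill certification for reproductive health counselors and is further developing new occupations such as family planning instructor, population information specialist and population social worker. At the same time, from the standpoint of providing basic public services, the Center has organized and implemented an early childhood development project, working to improve people's basic quality through the development of teaching materials, the establishment of demonstration zones, and so on.

Detailed description: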

http://www.tcc-npfpc.org.cn/list.aspx?id=0101



back-end DBMS: Microsoft SQL Server 2005
available databases [34]:


Database: master
[291 tables]
Database: TCC_NPFPC
[36 tables]
Database: msdb
[10 tables]


Database: msdb
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile | 22 |
| dbo.backupset | 11 |
| dbo.backupmediafamily | 7 |
| dbo.backupmediaset | 7 |
+--------------------------------------------------+---------+


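Proof of vulnerability:

As above.

Remediation:

I don't know where this belongs. Submitting it to WooYun first.

Copyright notice: please credit the source when reposting: Yang@WooYun


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-01-09 15:51

Vendor reply:

CNVD confirmed and reproduced the situation described, and has passed it to CNCERT to notify the Family Planning Commission.

Latest status:

None yet.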