当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-037170

漏洞标题:中华人民共和国交通运输部SQL注射

相关厂商:中华人民共和国交通运输部

漏洞作者: m1x7e1

提交时间:2013-09-16 18:15

修复时间:2013-10-31 18:15

公开时间:2013-10-31 18:15

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-09-16: 细节已通知厂商并且等待厂商处理中
2013-09-21: 厂商已经确认,细节仅向厂商公开
2013-10-01: 细节向核心白帽子及相关领域专家公开
2013-10-11: 细节向普通白帽子公开
2013-10-21: 细节向实习白帽子公开
2013-10-31: 细节向公众公开

简要描述:

中华人民共和国交通运输部SQL注射

详细说明:

地址:http://jtst.moc.gov.cn:8086/ShowPage.aspx?pid=502

jiaotong_01.png


jiaotong_02.png


jiaotong_03.png


Database: BZCX2008925
[50 tables]
+----------------------------+
| dbo.CrtCompany |
| dbo.D99_REG |
| dbo.D99_Tmp |
| dbo.DataManage |
| dbo.DictCompany |
| dbo.Files |
| dbo.Funt |
| dbo.Log |
| dbo.MgrCompany |
| dbo.Operator |
| dbo.Role |
| dbo.RoleFunt |
| dbo.Standard |
| dbo.StandardHis |
| dbo.StandardType |
| dbo.StdDomain |
| dbo.SysParam |
| dbo.[ctsn123.D99_CMD] |
| dbo.[ctsn123.D99_Tmp] |
| dbo.[ctsn123.WCRTEMP00008] |
| dbo.[ctsn123.XPDIRTMP] |
| dbo.[ctsn123.cmd2] |
| dbo.[ctsn123.foofoofoo] |
| dbo.[ctsn123.jiaozhu] |
| dbo.[ctsn123.qweqwe_dir] |
| dbo.[ctsn123.t_jiaozhu] |
| dbo._NewCompany |
| dbo._NewCompanyPlan |
| dbo._Sheet1 |
| dbo._StandardPlan |
| dbo._User |
| dbo._User1 |
| dbo._tmp_hu |
| dbo.comd_list |
| dbo.dtproperties |
| dbo.heige |
| dbo.kill_kk |
| dbo.newtable |
| dbo.newtable1 |
| dbo.t_jiaozhu |
| dbo.tmp |
| dbo.vFornewtable1 |
| dbo.vLog |
| dbo.vNewTable1 |
| dbo.vStandard |
| dbo.v_AggCrt |
| dbo.v_AggMgr |
| dbo.v_CrtCompany |
| dbo.v_MgrCompany |
| dbo.v_StandardPlan |
+----------------------------+

漏洞证明:

jiaotong_03.png


Database: BZCX2008925
[50 tables]
+----------------------------+
| dbo.CrtCompany |
| dbo.D99_REG |
| dbo.D99_Tmp |
| dbo.DataManage |
| dbo.DictCompany |
| dbo.Files |
| dbo.Funt |
| dbo.Log |
| dbo.MgrCompany |
| dbo.Operator |
| dbo.Role |
| dbo.RoleFunt |
| dbo.Standard |
| dbo.StandardHis |
| dbo.StandardType |
| dbo.StdDomain |
| dbo.SysParam |
| dbo.[ctsn123.D99_CMD] |
| dbo.[ctsn123.D99_Tmp] |
| dbo.[ctsn123.WCRTEMP00008] |
| dbo.[ctsn123.XPDIRTMP] |
| dbo.[ctsn123.cmd2] |
| dbo.[ctsn123.foofoofoo] |
| dbo.[ctsn123.jiaozhu] |
| dbo.[ctsn123.qweqwe_dir] |
| dbo.[ctsn123.t_jiaozhu] |
| dbo._NewCompany |
| dbo._NewCompanyPlan |
| dbo._Sheet1 |
| dbo._StandardPlan |
| dbo._User |
| dbo._User1 |
| dbo._tmp_hu |
| dbo.comd_list |
| dbo.dtproperties |
| dbo.heige |
| dbo.kill_kk |
| dbo.newtable |
| dbo.newtable1 |
| dbo.t_jiaozhu |
| dbo.tmp |
| dbo.vFornewtable1 |
| dbo.vLog |
| dbo.vNewTable1 |
| dbo.vStandard |
| dbo.v_AggCrt |
| dbo.v_AggMgr |
| dbo.v_CrtCompany |
| dbo.v_MgrCompany |
| dbo.v_StandardPlan |
+----------------------------+

修复方案:

管理员修复。

版权声明:转载请注明来源 m1x7e1@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2013-09-21 00:04

厂商回复:

CNVD确认并复现所述情况,转由CNCERT上报国家某信息安全协调机构,由其后续联系网站主管部委处置。

最新状态:

暂无


漏洞评价:

评论