当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0211735

漏洞标题:安徽省环境保护厅SQL注入一枚/涉及OA系统数据库

相关厂商:安徽省环境保护厅

漏洞作者: by刺心

提交时间:2016-05-22 21:00

修复时间:2016-07-09 09:50

公开时间:2016-07-09 09:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-22: 细节已通知厂商并且等待厂商处理中
2016-05-25: 厂商已经确认,细节仅向厂商公开
2016-06-04: 细节向核心白帽子及相关领域专家公开
2016-06-14: 细节向普通白帽子公开
2016-06-24: 细节向实习白帽子公开
2016-07-09: 细节向公众公开

简要描述:

rt

详细说明:

安徽省环境保护厅 http://**.**.**.**/
sql注入一枚 导致数据库泄露 包括OA系统
注入点 http://**.**.**.**:8080/WRYJG/STZXGK/show.aspx?NewsID=8

QQ截图20160522151052.jpg


QQ截图20160522151100.jpg


QQ截图20160522162737.jpg


QQ截图20160522162745.jpg


QQ截图20160522162756.jpg


Database: AepbWRYJG
[149 tables]
+-------------------------------------+
| dbo.AccountData |
| dbo.BaseInfo |
| dbo.CMS_Article |
| dbo.CMS_Article2 |
| dbo.CMS_Article454 |
| dbo.CMS_Article5555 |
| dbo.CMS_ArticleTemp |
| dbo.CMS_MenuChannel |
| dbo.CMS_MenuClass |
| dbo.CODE_Area |
| dbo.CODE_COAL |
| dbo.CODE_FACTSCALE |
| dbo.CODE_FACTTYPE |
| dbo.CODE_FACT_KIND |
| dbo.CODE_FACT_TYPE |
| dbo.CODE_FIRE_TYPE |
| dbo.CODE_HAVINGTYPE |
| dbo.CODE_POLLUTETYPE |
| dbo.CODE_POLLUTION_TABLE |
| dbo.CODE_TRADE |
| dbo.CODE_VALLY |
| dbo.DBSync_Aepb_ConnString |
| dbo.DBSync_Aepb_ConnString_X |
| dbo.DBSync_Aepb_Data |
| dbo.DBSync_Record_Data |
| dbo.DBSync_Record_Log |
| dbo.DT_SHJCJGML |
| dbo.D_GAS_EMITION_HOUR_DATA |
| dbo.D_WATER_EMITION_HOUR_DATA |
| dbo.Data_Dictionary |
| dbo.Data_Dictionary12 |
| dbo.Dictionary |
| dbo.DirectInfo_ReportChild |
| dbo.DirectInfo_ReportChild2 |
| dbo.JDXJC_Sync_View |
| dbo.JG_CityWCL |
| dbo.JG_Factor_Code |
| dbo.JG_Factor_Code1 |
| dbo.JG_Factor_Code2 |
| dbo.JG_Factor_Code3 |
| dbo.JG_Factor_Setting |
| dbo.JG_Gas_Data |
| dbo.JG_Gas_Data2 |
| dbo.JG_JCTJB |
| dbo.JG_JCTJBZD |
| dbo.JG_Polultion_Code |
| dbo.JG_WCLTJ |
| dbo.JG_WRY_PFSB |
| dbo.JG_Water_Data |
| dbo.JG_Water_Data2 |
| dbo.JG_ZDJCPZ |
| dbo.Noise_Data |
| dbo.Noise_Data2 |
| dbo.Noise_Function_Level |
| dbo.Noise_S_Station_Info |
| dbo.Noise_S_Station_Info2 |
| dbo.Noise_S_Station_Type |
| dbo.OA_Apps |
| dbo.OA_Function |
| dbo.OA_FunctionAcl |
| dbo.OA_Org |
| dbo.OA_PollutionAcl |
| dbo.OA_Role |
| dbo.OA_RoleUser_R |
| dbo.OA_SButton |
| dbo.OA_SYSLog |
| dbo.OA_SysConfig |
| dbo.OA_User |
| dbo.PMC_b_gas_emition |
| dbo.PMC_b_gas_emition_pollutant |
| dbo.PMC_b_pollution_info |
| dbo.PMC_b_water_emition |
| dbo.PMC_b_water_emition_pollutant |
| dbo.PMC_d_gas_emition_day_data |
| dbo.PMC_d_gas_emition_hour_data |
| dbo.PMC_d_gas_pollutant_day_data |
| dbo.PMC_d_gas_pollutant_hour_data |
| dbo.PMC_d_water_emition_day_data |
| dbo.PMC_d_water_emition_hour_data |
| dbo.PMC_d_water_pollutant_day_data |
| dbo.PMC_d_water_pollutant_hour_data |
| dbo.PMC_s_pollutant_code |
| dbo.Supervise |
| dbo.SysApp |
| dbo.SysAppClass |
| dbo.SysFolder |
| dbo.SysFolderApp |
| dbo.SysUser |
| dbo.SysWallpaper |
| dbo.Sys_MiDic |
| dbo.Sys_MiDic11 |
| dbo.Sys_StDic |
| dbo.Sys_StDic_Child |
| dbo.TEMP_B_CONTROL_DEVICE |
| dbo.TEMP_B_GAS_EMITION |
| dbo.TEMP_B_GAS_EMITION_POLLUTANT |
| dbo.TEMP_B_POLLUTION_INFO |
| dbo.TEMP_B_WATER_EMITION |
| dbo.TEMP_B_WATER_EMITION_POLLUTANT |
| dbo.TEMP_CORP |
| dbo.TEMP_CORP_New |
| dbo.TEMP_facotr_code |
| dbo.T_UPDATEID |
| dbo.T_VEHICLES |
| dbo.T_WRY_FQPFK |
| dbo.T_WRY_FQPFK2 |
| dbo.T_WRY_FQPFKYZ |
| dbo.T_WRY_FQPFKYZ2 |
| dbo.T_WRY_FQZLSS |
| dbo.T_WRY_FSPFK |
| dbo.T_WRY_FSPFK2 |
| dbo.T_WRY_FSPFKPFYZ |
| dbo.T_WRY_FSPFKPFYZ2 |
| dbo.T_WRY_FSZLSS |
| dbo.T_WRY_JBXX |
| dbo.T_WRY_JBXX1 |
| dbo.T_WRY_JBXX3 |
| dbo.T_WRY_JCBG |
| dbo.T_WRY_JCBG2 |
| dbo.T_WRY_JCFA |
| dbo.T_WRY_JCFA2 |
| dbo.T_WRY_JDXJC |
| dbo.T_WRY_JXXPF |
| dbo.T_WRY_SBTY |
| dbo.T_WRY_SBTY2 |
| dbo.T_WRY_SCSB |
| dbo.T_WRY_USER |
| dbo.T_WRY_USER2 |
| dbo.T_WRY_WJCYY |
| dbo.T_WRY_WJCYY2 |
| dbo.T_WRY_XTGG |
| dbo.T_WRY_ZCBG |
| dbo.Temp_XFMD |
| dbo.Temp_XXX |
| dbo.Temp_xxx1 |
| dbo.View_1bjbtj |
| dbo.View_2BJBTJ |
| dbo.View_Gas |
| dbo.View_QYZD |
| dbo.View_QYZD_Sync |
| dbo.View_SJ |
| dbo.View_Water |
| dbo.View_ZDYZ |
| dbo.View_ZS |
| dbo.View_emition_hour_data |
| dbo.View_zd_pollutant_hour_data |
| dbo.WRY_WKZJDXJCYY |
| dbo.d_water_pollutant_hour_data |
| dbo.sqlmapoutput |
+-------------------------------------+

漏洞证明:

QQ截图20160522151052.jpg


QQ截图20160522151100.jpg


QQ截图20160522162737.jpg


QQ截图20160522162745.jpg


QQ截图20160522162756.jpg


修复方案:

版权声明:转载请注明来源 by刺心@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2016-05-25 09:41

厂商回复:

漏洞重复,CNVD不在重复处置。

最新状态:

暂无


漏洞评价:

评价

  1. 2016-05-25 10:36 | ANS5 ( 普通白帽子 | Rank:349 漏洞数:107 | 此心安处是吾乡)

    漏洞重复,CNVD不在重复处置。