当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-089668

漏洞标题:国家人口计生委培训交流中心存在SQL注射

相关厂商:cncert国家互联网应急中心

漏洞作者: Yang

提交时间:2015-01-04 16:59

修复时间:2015-02-18 17:00

公开时间:2015-02-18 17:00

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-04: 细节已通知厂商并且等待厂商处理中
2015-01-09: 厂商已经确认,细节仅向厂商公开
2015-01-19: 细节向核心白帽子及相关领域专家公开
2015-01-29: 细节向普通白帽子公开
2015-02-08: 细节向实习白帽子公开
2015-02-18: 细节向公众公开

简要描述:

国家人口计生委培训交流中心是国家人口计生委直属的事业单位,成立于1999年1月。成立十余年来,中心坚持以统筹解决人口问题、促进人的全面发展为目标,以提高人口计生系统队伍综合素质为重点,引入先进理念,学习先进技术,促进队伍的职业化建设,促进能力建设。迄今为止,已经为全国省、地、县级分管领导和人口计生委主任、各级公务员举办了300多个专业知识培训班,组织了60多个出国培训考察团,参加培训的学员达5万余人次。正在实施生殖健康咨询师的职业技能鉴定工作,并进一步开发家庭计划指导师、人口信息师、人口社会工作者等新职业。与此同时,从提供基本公共服务的角度出发,中心组织实施了儿童早期发展项目,通过教材开发、建立示范区等,努力提高人的基本素质。

详细说明:

http://www.tcc-npfpc.org.cn/list.aspx?id=0101

1.jpg


back-end DBMS: Microsoft SQL Server 2005
available databases [34]:
[*] cuteenin_db
[*] ddao
[*] exam
[*] gf
[*] globao
[*] htcd
[*] hy2007
[*] infobbs
[*] intername88
[*] jiaye
[*] jsjedu
[*] juliebaby_db
[*] lifine
[*] lmysjj
[*] lya
[*] master
[*] meido
[*] model
[*] msdb
[*] nft
[*] njwww
[*] nongxue
[*] office
[*] Pinchela
[*] ptsfjw
[*] TCC_NPFPC
[*] tempdb
[*] Test
[*] winsel
[*] winser
[*] wise
[*] x-mm_cache
[*] yeah
[*] zerogift


Database: master
[291 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS              |
| INFORMATION_SCHEMA.COLUMNS                        |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE            |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES              |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE        |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE         |
| INFORMATION_SCHEMA.DOMAINS                        |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS             |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE               |
| INFORMATION_SCHEMA.PARAMETERS                     |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS        |
| INFORMATION_SCHEMA.ROUTINES                       |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS                |
| INFORMATION_SCHEMA.SCHEMATA                       |
| INFORMATION_SCHEMA.TABLES                         |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS              |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES               |
| INFORMATION_SCHEMA.VIEWS                          |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE              |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE               |
| spt_fallback_db                                   |
| spt_fallback_dev                                  |
| spt_fallback_usg                                  |
| spt_monitor                                       |
| spt_values                                        |
| sys.all_columns                                   |
| sys.all_objects                                   |
| sys.all_parameters                                |
| sys.all_sql_modules                               |
| sys.all_views                                     |
| sys.allocation_units                              |
| sys.assemblies                                    |
| sys.assembly_files                                |
| sys.assembly_modules                              |
| sys.assembly_references                           |
| sys.assembly_types                                |
| sys.asymmetric_keys                               |
| sys.backup_devices                                |
| sys.certificates                                  |
| sys.check_constraints                             |
| sys.column_type_usages                            |
| sys.column_xml_schema_collection_usages           |
| sys.columns                                       |
| sys.computed_columns                              |
| sys.configurations                                |
| sys.conversation_endpoints                        |
| sys.conversation_groups                           |
| sys.credentials                                   |
| sys.crypt_properties                              |
| sys.data_spaces                                   |
| sys.database_files                                |
| sys.database_mirroring_endpoints                  |
| sys.database_mirroring_endpoints                  |
| sys.database_mirroring_witnesses                  |
| sys.database_permissions                          |
| sys.database_principal_aliases                    |
| sys.database_principals                           |
| sys.database_recovery_status                      |
| sys.database_role_members                         |
| sys.databases                                     |
| sys.default_constraints                           |
| sys.destination_data_spaces                       |
| sys.dm_broker_activated_tasks                     |
| sys.dm_broker_connections                         |
| sys.dm_broker_forwarded_messages                  |
| sys.dm_broker_queue_monitors                      |
| sys.dm_clr_appdomains                             |
| sys.dm_clr_loaded_assemblies                      |
| sys.dm_clr_properties                             |
| sys.dm_clr_tasks                                  |
| sys.dm_db_file_space_usage                        |
| sys.dm_db_index_usage_stats                       |
| sys.dm_db_mirroring_connections                   |
| sys.dm_db_missing_index_details                   |
| sys.dm_db_missing_index_group_stats               |
| sys.dm_db_missing_index_groups                    |
| sys.dm_db_partition_stats                         |
| sys.dm_db_session_space_usage                     |
| sys.dm_db_task_space_usage                        |
| sys.dm_exec_background_job_queue_stats            |
| sys.dm_exec_background_job_queue_stats            |
| sys.dm_exec_cached_plans                          |
| sys.dm_exec_connections                           |
| sys.dm_exec_query_memory_grants                   |
| sys.dm_exec_query_optimizer_info                  |
| sys.dm_exec_query_resource_semaphores             |
| sys.dm_exec_query_stats                           |
| sys.dm_exec_query_transformation_stats            |
| sys.dm_exec_requests                              |
| sys.dm_exec_sessions                              |
| sys.dm_fts_active_catalogs                        |
| sys.dm_fts_index_population                       |
| sys.dm_fts_memory_buffers                         |
| sys.dm_fts_memory_pools                           |
| sys.dm_fts_population_ranges                      |
| sys.dm_io_backup_tapes                            |
| sys.dm_io_cluster_shared_drives                   |
| sys.dm_io_pending_io_requests                     |
| sys.dm_os_buffer_descriptors                      |
| sys.dm_os_child_instances                         |
| sys.dm_os_cluster_nodes                           |
| sys.dm_os_hosts                                   |
| sys.dm_os_latch_stats                             |
| sys.dm_os_loaded_modules                          |
| sys.dm_os_memory_allocations                      |
| sys.dm_os_memory_cache_clock_hands                |
| sys.dm_os_memory_cache_counters                   |
| sys.dm_os_memory_cache_entries                    |
| sys.dm_os_memory_cache_hash_tables                |
| sys.dm_os_memory_clerks                           |
| sys.dm_os_memory_objects                          |
| sys.dm_os_memory_pools                            |
| sys.dm_os_performance_counters                    |
| sys.dm_os_ring_buffers                            |
| sys.dm_os_schedulers                              |
| sys.dm_os_stacks                                  |
| sys.dm_os_sublatches                              |
| sys.dm_os_sys_info                                |
| sys.dm_os_tasks                                   |
| sys.dm_os_threads                                 |
| sys.dm_os_virtual_address_dump                    |
| sys.dm_os_wait_stats                              |
| sys.dm_os_waiting_tasks                           |
| sys.dm_os_worker_local_storage                    |
| sys.dm_os_workers                                 |
| sys.dm_qn_subscriptions                           |
| sys.dm_repl_articles                              |
| sys.dm_repl_schemas                               |
| sys.dm_repl_tranhash                              |
| sys.dm_repl_traninfo                              |
| sys.dm_tran_active_snapshot_database_transactions |
| sys.dm_tran_active_transactions                   |
| sys.dm_tran_current_snapshot                      |
| sys.dm_tran_current_transaction                   |
| sys.dm_tran_database_transactions                 |
| sys.dm_tran_locks                                 |
| sys.dm_tran_session_transactions                  |
| sys.dm_tran_top_version_generators                |
| sys.dm_tran_transactions_snapshot                 |
| sys.dm_tran_version_store                         |
| sys.endpoint_webmethods                           |
| sys.endpoints                                     |
| sys.event_notification_event_types                |
| sys.event_notifications                           |
| sys.events                                        |
| sys.extended_procedures                           |
| sys.extended_properties                           |
| sys.filegroups                                    |
| sys.foreign_key_columns                           |
| sys.foreign_keys                                  |
| sys.fulltext_catalogs                             |
| sys.fulltext_document_types                       |
| sys.fulltext_index_catalog_usages                 |
| sys.fulltext_index_columns                        |
| sys.fulltext_indexes                              |
| sys.fulltext_languages                            |
| sys.http_endpoints                                |
| sys.identity_columns                              |
| sys.index_columns                                 |
| sys.indexes                                       |
| sys.internal_tables                               |
| sys.key_constraints                               |
| sys.key_encryptions                               |
| sys.linked_logins                                 |
| sys.login_token                                   |
| sys.master_files                                  |
| sys.master_key_passwords                          |
| sys.message_type_xml_schema_collection_usages     |
| sys.messages                                      |
| sys.module_assembly_usages                        |
| sys.numbered_procedure_parameters                 |
| sys.numbered_procedures                           |
| sys.objects                                       |
| sys.openkeys                                      |
| sys.parameter_type_usages                         |
| sys.parameter_xml_schema_collection_usages        |
| sys.parameters                                    |
| sys.partition_functions                           |
| sys.partition_parameters                          |
| sys.partition_range_values                        |
| sys.partition_schemes                             |
| sys.partitions                                    |
| sys.plan_guides                                   |
| sys.procedures                                    |
| sys.remote_logins                                 |
| sys.remote_service_bindings                       |
| sys.routes                                        |
| sys.schemas                                       |
| sys.securable_classes                             |
| sys.server_assembly_modules                       |
| sys.server_event_notifications                    |
| sys.server_events                                 |
| sys.server_permissions                            |
| sys.server_principals                             |
| sys.server_role_members                           |
| sys.server_sql_modules                            |
| sys.server_trigger_events                         |
| sys.server_triggers                               |
| sys.servers                                       |
| sys.service_broker_endpoints                      |
| sys.service_contract_message_usages               |
| sys.service_contract_usages                       |
| sys.service_contracts                             |
| sys.service_message_types                         |
| sys.service_queue_usages                          |
| sys.service_queues                                |
| sys.services                                      |
| sys.soap_endpoints                                |
| sys.sql_dependencies                              |
| sys.sql_logins                                    |
| sys.sql_modules                                   |
| sys.stats_columns                                 |
| sys.stats_columns                                 |
| sys.symmetric_keys                                |
| sys.synonyms                                      |
| sys.sysaltfiles                                   |
| sys.syscacheobjects                               |
| sys.syscharsets                                   |
| sys.syscolumns                                    |
| sys.syscomments                                   |
| sys.sysconfigures                                 |
| sys.sysconstraints                                |
| sys.syscurconfigs                                 |
| sys.syscursorcolumns                              |
| sys.syscursorrefs                                 |
| sys.syscursors                                    |
| sys.syscursortables                               |
| sys.sysdatabases                                  |
| sys.sysdepends                                    |
| sys.sysdevices                                    |
| sys.sysfilegroups                                 |
| sys.sysfiles                                      |
| sys.sysforeignkeys                                |
| sys.sysfulltextcatalogs                           |
| sys.sysindexes                                    |
| sys.sysindexkeys                                  |
| sys.syslanguages                                  |
| sys.syslockinfo                                   |
| sys.syslogins                                     |
| sys.sysmembers                                    |
| sys.sysmessages                                   |
| sys.sysobjects                                    |
| sys.sysoledbusers                                 |
| sys.sysopentapes                                  |
| sys.sysperfinfo                                   |
| sys.syspermissions                                |
| sys.sysprocesses                                  |
| sys.sysprotects                                   |
| sys.sysreferences                                 |
| sys.sysremotelogins                               |
| sys.syssegments                                   |
| sys.sysservers                                    |
| sys.system_columns                                |
| sys.system_components_surface_area_configuration  |
| sys.system_internals_allocation_units             |
| sys.system_internals_partition_columns            |
| sys.system_internals_partitions                   |
| sys.system_objects                                |
| sys.system_parameters                             |
| sys.system_sql_modules                            |
| sys.system_views                                  |
| sys.systypes                                      |
| sys.sysusers                                      |
| sys.tables                                        |
| sys.tcp_endpoints                                 |
| sys.trace_categories                              |
| sys.trace_columns                                 |
| sys.trace_event_bindings                          |
| sys.trace_events                                  |
| sys.trace_subclass_values                         |
| sys.traces                                        |
| sys.transmission_queue                            |
| sys.trigger_events                                |
| sys.triggers                                      |
| sys.type_assembly_usages                          |
| sys.types                                         |
| sys.user_token                                    |
| sys.via_endpoints                                 |
| sys.views                                         |
| sys.xml_indexes                                   |
| sys.xml_schema_attributes                         |
| sys.xml_schema_collections                        |
| sys.xml_schema_component_placements               |
| sys.xml_schema_components                         |
| sys.xml_schema_elements                           |
| sys.xml_schema_facets                             |
| sys.xml_schema_model_groups                       |
| sys.xml_schema_namespaces                         |
| sys.xml_schema_types                              |
| sys.xml_schema_wildcard_namespaces                |
| sys.xml_schema_wildcards                          |
+---------------------------------------------------+
Database: TCC_NPFPC
[36 tables]
+---------------------------------------------------+
| dtproperties                                      |
| tcc_npfpc_f.D99_Tmp                               |
| tcc_npfpc_f.DictType                              |
| tcc_npfpc_f.LitBooks                              |
| tcc_npfpc_f.MyFavorite                            |
| tcc_npfpc_f.UserRight                             |
| tcc_npfpc_f.WebLink                               |
| tcc_npfpc_f.comd_list                             |
| tcc_npfpc_f.jiaozhu                               |
| tcc_npfpc_f.sysdiagrams                           |
| tcc_npfpc_f.tblDept                               |
| tcc_npfpc_f.tblDict                               |
| tcc_npfpc_f.tblLog                                |
| tcc_npfpc_f.tblMenu                               |
| tcc_npfpc_f.tblNews                               |
| tcc_npfpc_f.tblUnit                               |
| tcc_npfpc_f.tblUser                               |
| tcc_npfpc_f.tblVote                               |
| tcc_npfpc_f.vDept                                 |
| tcc_npfpc_f.vDict                                 |
| tcc_npfpc_f.vKeyWords                             |
| tcc_npfpc_f.vLinkType                             |
| tcc_npfpc_f.vLitBookTraining                      |
| tcc_npfpc_f.vLitBooksCls                          |
| tcc_npfpc_f.vLitBooksCls                          |
| tcc_npfpc_f.vMyFavoriteCls                        |
| tcc_npfpc_f.vMyFavoriteCls                        |
| tcc_npfpc_f.vNews                                 |
| tcc_npfpc_f.vOriginal                             |
| tcc_npfpc_f.vTitle                                |
| tcc_npfpc_f.vTopicInfo                            |
| tcc_npfpc_f.vTrainingTopic                        |
| tcc_npfpc_f.vUser                                 |
| tcc_npfpc_f.vUserRight                            |
| tcc_npfpc_f.vWebLink                              |
| tcc_npfpc_f.v_Menu                                |
+---------------------------------------------------+
Database: msdb
[10 tables]
+---------------------------------------------------+
| backupfile                                        |
| backupmediafamily                                 |
| backupmediaset                                    |
| backupset                                         |
| logmarkhistory                                    |
| restorefilegroup                                  |
| restorefilegroup                                  |
| restorehistory                                    |
| suspect_pages                                     |
| sysdac_instances                                  |
+---------------------------------------------------+


Database: master
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| sys.messages                                     | 99632   |
| sys.sysmessages                                  | 99632   |
| sys.syscolumns                                   | 10759   |
| sys.all_parameters                               | 6761    |
| sys.system_parameters                            | 6761    |
| sys.trace_subclass_values                        | 4729    |
| sys.trace_event_bindings                         | 3965    |
| sys.all_columns                                  | 3793    |
| sys.system_columns                               | 3749    |
| sys.syscomments                                  | 2793    |
| dbo.spt_values                                   | 2346    |
| sys.all_objects                                  | 1779    |
| sys.sysobjects                                   | 1779    |
| sys.system_objects                               | 1773    |
| sys.database_permissions                         | 1675    |
| sys.syspermissions                               | 1675    |
| sys.sysprotects                                  | 1674    |
| sys.all_sql_modules                              | 1621    |
| sys.system_sql_modules                           | 1621    |
| sys.all_views                                    | 286     |
| sys.system_views                                 | 286     |
| sys.event_notification_event_types               | 193     |
| sys.trace_events                                 | 171     |
| sys.syscharsets                                  | 114     |
| sys.allocation_units                             | 112     |
| sys.partitions                                   | 101     |
| sys.system_components_surface_area_configuration | 99      |
| sys.xml_schema_facets                            | 97      |
| sys.xml_schema_components                        | 93      |
| sys.xml_schema_types                             | 77      |
| sys.configurations                               | 65      |
| sys.sysconfigures                                | 65      |
| sys.syscurconfigs                                | 65      |
| sys.trace_columns                                | 65      |
| sys.fulltext_document_types                      | 50      |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES             | 44      |
| INFORMATION_SCHEMA.COLUMNS                       | 44      |
| sys.columns                                      | 44      |
| sys.database_recovery_status                     | 36      |
| sys.databases                                    | 36      |
| sys.sysdatabases                                 | 36      |
| sys.syslanguages                                 | 33      |
| sys.systypes                                     | 27      |
| sys.types                                        | 27      |
| sys.securable_classes                            | 21      |
| sys.trace_categories                             | 21      |
| sys.fulltext_languages                           | 17      |
| sys.xml_schema_component_placements              | 17      |
| INFORMATION_SCHEMA.SCHEMATA                      | 14      |
| sys.database_principals                          | 14      |
| sys.schemas                                      | 14      |
| sys.sysusers                                     | 14      |
| sys.xml_schema_attributes                        | 14      |
| sys.server_principals                            | 11      |
| sys.service_contract_message_usages              | 11      |
| sys.server_permissions                           | 7       |
| sys.sysindexes                                   | 7       |
| sys.indexes                                      | 6       |
| sys.objects                                      | 6       |
| sys.stats_columns                                | 6       |
| sys.stats_columns                                | 6       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES              | 5       |
| INFORMATION_SCHEMA.TABLES                        | 5       |
| sys.index_columns                                | 5       |
| sys.sysindexkeys                                 | 5       |
| sys.tables                                       | 5       |
| sys.endpoints                                    | 4       |
| sys.service_queue_usages                         | 3       |
| sys.syssegments                                  | 3       |
| sys.xml_schema_namespaces                        | 3       |
| sys.database_files                               | 2       |
| sys.login_token                                  | 2       |
| sys.service_contract_usages                      | 2       |
| sys.sql_logins                                   | 2       |
| sys.sysfiles                                     | 2       |
| sys.syslogins                                    | 2       |
| sys.user_token                                   | 2       |
| dbo.spt_monitor                                  | 1       |
| sys.data_spaces                                  | 1       |
| sys.database_role_members                        | 1       |
| sys.default_constraints                          | 1       |
| sys.dm_exec_requests                             | 1       |
| sys.dm_exec_sessions                             | 1       |
| sys.filegroups                                   | 1       |
| sys.server_role_members                          | 1       |
| sys.servers                                      | 1       |
| sys.sysconstraints                               | 1       |
| sys.sysfilegroups                                | 1       |
| sys.sysmembers                                   | 1       |
| sys.sysprocesses                                 | 1       |
| sys.sysservers                                   | 1       |
| sys.tcp_endpoints                                | 1       |
| sys.via_endpoints                                | 1       |
| sys.xml_schema_collections                       | 1       |
| sys.xml_schema_model_groups                      | 1       |
| sys.xml_schema_wildcards                         | 1       |
+--------------------------------------------------+---------+
Database: TCC_NPFPC
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| tcc_npfpc_f.tblLog                               | 1622    |
| tcc_npfpc_f.tblNews                              | 373     |
| tcc_npfpc_f.vNews                                | 356     |
| tcc_npfpc_f.UserRight                            | 118     |
| tcc_npfpc_f.tblMenu                              | 47      |
| tcc_npfpc_f.vUserRight                           | 45      |
| tcc_npfpc_f.v_Menu                               | 37      |
| tcc_npfpc_f.tblDict                              | 22      |
| tcc_npfpc_f.vDict                                | 22      |
| tcc_npfpc_f.vTopicInfo                           | 11      |
| tcc_npfpc_f.vTitle                               | 9       |
| tcc_npfpc_f.MyFavorite                           | 8       |
| tcc_npfpc_f.DictType                             | 6       |
| tcc_npfpc_f.LitBooks                             | 4       |
| tcc_npfpc_f.tblDept                              | 4       |
| tcc_npfpc_f.vDept                                | 4       |
| tcc_npfpc_f.vOriginal                            | 4       |
| tcc_npfpc_f.vTrainingTopic                       | 4       |
| tcc_npfpc_f.vLinkType                            | 3       |
| tcc_npfpc_f.vMyFavoriteCls                       | 3       |
| tcc_npfpc_f.vMyFavoriteCls                       | 3       |
| tcc_npfpc_f.vKeyWords                            | 2       |
| tcc_npfpc_f.tblUnit                              | 1       |
| tcc_npfpc_f.tblUser                              | 1       |
| tcc_npfpc_f.tblVote                              | 1       |
| tcc_npfpc_f.vUser                                | 1       |
| tcc_npfpc_f.vWebLink                             | 1       |
| tcc_npfpc_f.WebLink                              | 1       |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile                                   | 22      |
| dbo.backupset                                    | 11      |
| dbo.backupmediafamily                            | 7       |
| dbo.backupmediaset                               | 7       |
+--------------------------------------------------+---------+


漏洞证明:

如上

修复方案:

我不知道这个属于哪里。的 先提交到乌云吧

版权声明:转载请注明来源 Yang@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-01-09 15:51

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向计生委通报。

最新状态:

暂无