
Vulnerability summary

Vulnerability ID: wooyun-2015-098531

Title: Generic SQL injection in a school IT teaching-assistance platform (appears to affect all versions)

Vendor: 上海万欣计算机科技有限公司

Author: 路人甲

Submitted: 2015-03-03 14:29

Fixed: 2015-06-04 21:48

Published: 2015-06-04 21:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-03: Details sent to the vendor; awaiting vendor handling
2015-03-06: Vendor confirmed; details visible to the vendor only
2015-03-09: Details opened to third-party security partners
2015-04-30: Details opened to core white hats and domain experts
2015-05-10: Details opened to regular white hats
2015-05-20: Details opened to intern white hats
2015-06-04: Details made public

Brief description:

See title.

Details:

POST injection in the password field of the login page:

POST /index.aspx HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/x-ms-xbap, application/x-ms-application, */*
Referer: http://it.qzgjzx.com/index.aspx
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; qihu theworld)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: it.qzgjzx.com
Content-Length: 5008
Proxy-Connection: Keep-Alive
Pragma: no-cache
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[long base64 __VIEWSTATE value elided]&DropDownList1=2013%BC%B6%B8%DF%B6%FE%2803%29%B0%E0&DropDownList2=9520&TextBox1=123456&ImageButton1.x=80&ImageButton1.y=7


Injected parameter: TextBox1. Appears to affect all versions.

Proof of vulnerability:

Latest version: ITtools3.45 (2014-12-8), demo site: http://it.qzgjzx.com/

[Screenshot: 1.jpg]


Ran sqlmap against it to retrieve the current database user:

[Screenshot: 2.jpg]


Version: ITtools3.43_2 (2014-4-1), demo site: http://student.dydzx.cn/

[Screenshot: 3.jpg]


Ran sqlmap against it to retrieve the current database user:

[Screenshot: 4.jpg]


Version: ITtools3.40_3 (2013-04-27), demo site: http://edu.wz15.net/

[Screenshot: 5.jpg]


Ran sqlmap against it to retrieve the current database user:

[Screenshot: 6.jpg]


Suggested fix:

Filter the input...
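As an added illustration (this is not code from the vendor's product or the report), the query pattern that lets a password field become part of the SQL statement, beside the parameterized form that keeps it as data; the table, column names and the use of sqlite3 in place of the platform's real database are assumptions:

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the platform's user table (names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (class_id TEXT, student_no TEXT, password TEXT)")
    # Constructed sample row mirroring the fields posted by the login form
    conn.execute("INSERT INTO users VALUES ('2013-G2-03', '9520', '123456')")
    conn.commit()
    return conn


def login_vulnerable(conn, student_no, password):
    """The bug class reported above: user input is pasted into the SQL text,
    so a quote in the password (TextBox1) changes the statement's structure."""
    sql = ("SELECT COUNT(*) FROM users WHERE student_no = '" + student_no
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1


def login_safe(conn, student_no, password):
    """Hardened form: the statement is fixed and the values travel as bound
    parameters, so the database never parses them as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE student_no = ? AND password = ?"
    return conn.execute(sql, (student_no, password)).fetchone()[0] == 1


def probe(login, student_no, password):
    """Run one login attempt on a fresh database and report what happened:
    ('ok', <bool>) for a normal result, ('sql_error', <msg>) when the input
    was interpreted as SQL, which is the symptom behind the report."""
    conn = make_db()
    try:
        return ("ok", login(conn, student_no, password))
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))


if __name__ == "__main__":
    for fn in (login_vulnerable, login_safe):
        print(fn.__name__, probe(fn, "9520", "123456"), probe(fn, "9520", "it's"))
```

A password containing a single quote makes the concatenating version fail with a syntax error, while the parameterized version simply reports no match; filtering alone cannot give that guarantee.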

Copyright notice: when reposting, please credit 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-03-06 21:47

Vendor reply:

CNVD confirms the reported situation; no direct handling channel with the vendor has been established yet; awaiting claim.

Latest status:

None