
Vulnerability summary

Bug ID: wooyun-2014-078851

Title: Generic SQL injection at a certain location in skcms

Vendor: skcms.net

Author: 小骇

Submitted: 2014-10-10 16:12

Fix time: 2014-12-30 14:44

Disclosed: 2014-12-30 14:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: The vendor has been notified of the vulnerability but ignored it

Source: http://www.wooyun.org

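Vulnerability details

Disclosure status:

2014-10-10: Details reported to the vendor; awaiting vendor handling
2014-10-15: Vendor actively ignored the vulnerability; details opened to third-party security partners
2014-12-09: Details disclosed to core white hats and experts in related fields
2014-12-19: Details disclosed to regular white hats
2014-12-29: Details disclosed to intern white hats
2014-12-30: Details disclosed to the public

Brief description:

Generic SQL injection

Details:

The skcms website management system has a generic SQL injection vulnerability; the problem is in the About.sk.asp page.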

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!--#include file="../sk-Cont/sk1.5.cs" -->
<!--#include file="../sk-Cont/about.cs" -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title><%=sk_SiteTitle%>-<%=sk_aboutTitle%></title>
<meta name="keywords" content="<% =sk_Keywords %>" />
<meta name="description" content="<%=sk_aboutDescription%>" />
<link href="img/css.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrap">
<div id="header">
<h1 id="logo-text">&nbsp;</h1>
<p id="ad" name="ad"><a href="<%=sk_advurl(4)%>"><img src="<%=sk_advimg(4)%>" border="0" /></a></p>
<p id="ad1" name="ad"><a href="<%=sk_advurl(5)%>"><img src="<%=sk_advimg(5)%>" border="0" /></a></p>
<p id="slogan">+ <a href="http://www.uunuo.com/">English</a><br />
+<a href="about.sk.asp"> 关于我们</a></p>
<p id="search"><%=sk_Search%></p>
</div>
<div id="nav">
<ul>
<li ><a href="index.asp">首页</a></li>
<li id="current"> <a href="About.sk.asp">关于我们</a></li>
<li > <a href="ProductList.asp">产品中心 </a></li>
<li > <a href="NewsList.asp">新闻</a> </li>
<li ><a href="DownList.asp">下载</a></li>
<li><a href="About.sk.asp?ID=21">联系我们</a></li>
</ul>
</div>


<div id="content-wrap">
<div id="sidebar1">
<div class="shh8">分类</div>
<div id="shh9">
<%=sk_aboutmenu()%>
</div>
<div class="shh10"></div>
<%=sk_advhtml(1)%>
</div>
<div id="main1">
<h3><%=sk_aboutTitle%></h3>
<h4><%=sk_aboutContent()%></h4>
<h5>&nbsp;</h5>
</div>
</div>
<div id="footer-wrap"><%=sk_footnav()%> <br />
<%=sk_Bottom%> <%=sk_foot1%> <%=sk_Code%></div>
</div>
</body>
</html>
<script language="javascript" type="text/javascript" src="../html/kefu/js/sk.js"></script>


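Using the search keyword inurl:About.sk.asp?ID=
a Google search returns a large number of sites.

[screenshot]

Multiple sites from the search results are vulnerable to SQL injection.

[screenshot]

The admin backend is in server.

[screenshot]

User passwords are in the table sk_admin; the column names are adminname and password.

A proof screenshot is given below.

[screenshot]
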
Proof of vulnerability:

The following sites found through Google search are all vulnerable to SQL injection; some cases are given.
Screenshots are given as proof:
http://www.xinyongtai.com/Html/About.sk.asp?ID=13

[screenshot]

http://www.mdjxsb.com/Html/About.sk.asp?ID=13

[screenshot]

http://www.conjointech.com/html/About.sk.asp?ID=13

[screenshot]

http://dsifood.com/HTML/About.sk.asp?ID=10

[screenshot]

http://www.mefosun.com/Html/About.sk.asp?ID=21

[screenshot]

Penetration can be continued further, up to getshell.

http://www.6085u.com/Html/About.sk.asp?ID=13

[screenshot]

[screenshot]



Fix:

Heh, can this pass? Please approve...

Copyright notice: when reposting, please credit the source 小骇@乌云
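
The report offers no fix or detection guidance. The following check is an added example, not part of the original report or of skcms: it scans IIS W3C logs for About.sk.asp requests whose ID parameter is not a plain integer, matching the path and the parameter name case-insensitively because the page's own links use both About.sk.asp and about.sk.asp. The log layout, the sample lines, the assumption that ID is always a numeric record id, and the function name suspicious_requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample in IIS W3C extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2014-10-10 04:49:57 GET /Html/About.sk.asp ID=13 192.0.2.10 200
2014-10-10 04:50:03 GET /html/about.sk.asp id=21%20and%201%3D1 192.0.2.77 200
2014-10-10 04:50:09 GET /HTML/About.sk.asp ID=13%27 192.0.2.77 500
2014-10-10 04:51:30 GET /Html/NewsList.asp page=2 192.0.2.10 200
2014-10-10 04:52:12 GET /About.sk.asp - 192.0.2.10 200
"""

PAGE = re.compile(r"/about\.sk\.asp$", re.IGNORECASE)  # install path and case vary
INTEGER = re.compile(r"[0-9]{1,9}")  # assumption: ID is always a numeric record id


def suspicious_requests(log_text):
    """Return (client_ip, decoded_id) for About.sk.asp hits with a non-integer ID."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if not PAGE.search(row.get("cs-uri-stem", "")):
            continue
        query = row.get("cs-uri-query", "-")
        if query == "-":  # IIS logs "-" when there is no query string
            continue
        # parse_qsl percent-decodes values; keep_blank_values also reports an empty "ID=".
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() == "id" and not INTEGER.fullmatch(value):
                hits.append((row.get("c-ip", "?"), value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-integer ID {value!r}")
```

The same integer-only check belongs in About.sk.asp itself, before the value reaches the SQL query.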


Vulnerability response

Vendor response:

Severity: no impact, ignored by vendor

Ignored at: 2014-12-30 14:44

Vendor reply:

Latest status:

None yet