Vulnerability summary

Defect ID: wooyun-2015-0102850

Title: A certain network office automation system has a POST injection

Vendor: National Internet Emergency Center (CNCERT)

Author: 路人甲

Submitted: 2015-03-23 15:04

Fixed: 2015-06-25 14:28

Published: 2015-06-25 14:28

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]


Vulnerability details

Disclosure status:

2015-03-23: details sent to the vendor, awaiting vendor handling
2015-03-27: vendor confirmed; details disclosed to the vendor only
2015-03-30: details opened to third-party security partners
2015-05-21: details disclosed to core white hats and domain experts
2015-05-31: details disclosed to regular white hats
2015-06-10: details disclosed to intern white hats
2015-06-25: details disclosed to the public

Brief description:

Detailed description:

There is prior work on this system (note that this differs from the earlier submission):

 WooYun: A universal injection in a certain network office automation system 


The page named in the earlier report is the same as this one, but that report covered a GET injection; the search function on the page is injectable as well. The SQL injection point for this report:

/mainpage/articleclasslist.aspx?classid=1
POST injection parameter:
ctl00%24ContentPlaceHolder1%24Uc_article_list1%24TextBox1




5 cases collected automatically from the Internet:

[The following are POST injections in the search function, not GET injections]
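As an added example that is not part of the original report, the Python checker below parses a form-urlencoded POST body of the shape shown in the report, pulls out the value sent to the WebForms search control named above (the `%24` in the parameter name decodes to `$`), and flags common SQL meta-characters for review. The ViewState and EventValidation values in the sample body are constructed placeholders, not the page's real values.

```python
import re
from urllib.parse import parse_qs

# ASP.NET WebForms control ID of the search box named in the report.
# Browsers send '$' as '%24'; parse_qs decodes it back.
SEARCH_FIELD = "ctl00$ContentPlaceHolder1$Uc_article_list1$TextBox1"

# Constructed sample body modelled on the report's request. The ViewState
# and EventValidation values are placeholders, not those from the page.
SAMPLE_BODY = (
    "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=PLACEHOLDER_VIEWSTATE"
    "&__EVENTVALIDATION=PLACEHOLDER_EVENTVALIDATION"
    "&ctl00%24ContentPlaceHolder1%24Uc_article_list1%24HiddenField1="
    "&ctl00%24ContentPlaceHolder1%24Uc_article_list1%24TextBox1=aaa"
    "&ctl00%24ContentPlaceHolder1%24Uc_article_list1%24Submit1=%E6%9F%A5%E8%AF%A2"
)

# Coarse indicators that a search term tries to leave a string literal or
# alter the query. They raise a review flag; they are not a blocking filter.
SQLI_PATTERNS = [
    ("quote", re.compile(r"'")),
    ("comment", re.compile(r"--|/\*")),
    ("keyword", re.compile(r"\b(union|select|waitfor)\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s*\d+\s*=\s*\d+", re.I)),
]


def search_term(body: str) -> str:
    """Return the value posted to the search box, or '' if it is absent."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get(SEARCH_FIELD, [""])[0]


def suspicious(term: str) -> list:
    """Names of the indicator patterns that match; empty means nothing seen."""
    return [name for name, pat in SQLI_PATTERNS if pat.search(term)]


def review(body: str) -> dict:
    """Summarise one request body: the decoded term and any indicators hit."""
    term = search_term(body)
    hits = suspicious(term)
    return {"term": term, "hits": hits, "flag": bool(hits)}


if __name__ == "__main__":
    print(review(SAMPLE_BODY))
```

Feed it the bodies of POST requests to articleclasslist.aspx taken from a proxy or web server log to spot attempts against this parameter; a hit is a prompt to inspect, since legitimate searches can contain an apostrophe.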

Proof of vulnerability:

I only tested 2 cases:
1.

POST /mainpage/articleclasslist.aspx?classid=11 HTTP/1.1
Host: **.****.**.cn
Proxy-Connection: keep-alive
Content-Length: 1991
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.*****.***.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.****.**.cn/mainpage/articleclasslist.aspx?classid=11
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=cznsh5fvpj1xhp2kum1xna45
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUIMzM5NTU5NDgPZBYCZg9kFgICAw9kFgICAQ9kFgQCAQ9kFgJmDzwrAAsBAA8WCB4IRGF0YUtleXMWAB4LXyFJdGVtQ291bnQCBR4JUGFnZUNvdW50AgEeFV8hRGF0YVNvdXJjZUl0ZW1Db3VudAIFZBYCZg9kFgoCAQ9kFgJmD2QWAmYPFQIArgE8aW1nIGJvcmRlcj0nMCcgc3JjPScuLi9pbWFnZXMvYXJ0aWNsZS9hcnJvdzQuZ2lmJz4mbmJzcDs8QSB0YXJnZXQ9J19ibGFuaycgIGhyZWY9Jy4uL21haW5wYWdlL2FydGljbGVjbGFzc2xpc3QuYXNweD9jbGFzc2lkPTEwJz48Zm9udCBjb2xvcj0nIzMzMzMzMyc%2B5Y2V5L2N566A5LuLPC9mb250PjwvYT5kAgIPZBYCZg9kFgJmDxUCAK4BPGltZyBib3JkZXI9JzAnIHNyYz0nLi4vaW1hZ2VzL2FydGljbGUvYXJyb3c0LmdpZic%2BJm5ic3A7PEEgdGFyZ2V0PSdfYmxhbmsnICBocmVmPScuLi9tYWlucGFnZS9hcnRpY2xlY2xhc3NsaXN0LmFzcHg%2FY2xhc3NpZD0xMSc%2BPGZvbnQgY29sb3I9JyMzMzMzMzMnPue7hOe7h%2BaetuaehDwvZm9udD48L2E%2BZAIDD2QWAmYPZBYCZg8VAgCuATxpbWcgYm9yZGVyPScwJyBzcmM9Jy4uL2ltYWdlcy9hcnRpY2xlL2Fycm93NC5naWYnPiZuYnNwOzxBIHRhcmdldD0nX2JsYW5rJyAgaHJlZj0nLi4vbWFpbnBhZ2UvYXJ0aWNsZWNsYXNzbGlzdC5hc3B4P2NsYXNzaWQ9MTInPjxmb250IGNvbG9yPScjMzMzMzMzJz7ojaPoqonmrr%2FloII8L2ZvbnQ%2BPC9hPmQCBA9kFgJmD2QWAmYPFQIAqwE8aW1nIGJvcmRlcj0nMCcgc3JjPScuLi9pbWFnZXMvYXJ0aWNsZS9hcnJvdzQuZ2lmJz4mbmJzcDs8QSB0YXJnZXQ9J19ibGFuaycgIGhyZWY9Jy4uL21haW5wYWdlL2FydGljbGVjbGFzc2xpc3QuYXNweD9jbGFzc2lkPTEzJz48Zm9udCBjb2xvcj0nIzMzMzMzMyc%2B5aSn5LqL6K6wPC9mb250PjwvYT5kAgUPZBYCZg9kFgJmDxUCAK4BPGltZyBib3JkZXI9JzAnIHNyYz0nLi4vaW1hZ2VzL2FydGljbGUvYXJyb3c0LmdpZic%2BJm5ic3A7PEEgdGFyZ2V0PSdfYmxhbmsnICBocmVmPScuLi9tYWlucGFnZS9hcnRpY2xlY2xhc3NsaXN0LmFzcHg%2FY2xhc3NpZD0xNCc%2BPGZvbnQgY29sb3I9JyMzMzMzMzMnPuWPi%2BaDhemTvuaOpTwvZm9udD48L2E%2BZAIDD2QWBGYPDxYCHgRUZXh0BTrlvZPliY3kvY3nva7vvJog5L%2Bh5oGv6Zeo5oi3LS0%2B5Y2V5L2N5L%2Bh5oGvLS0%2B57uE57uH5p625p6EZGQCBA88KwALAQAPFggfABYAHwFmHwICAR8DZmRkZCITHfdEQYH3niH6bRqVXRiBl6rR&__EVENTVALIDATION=%2FwEWBALd5%2FemAgKKmILXBALa6q6fAQK0q4zhDFpUvXMonj97QMq0upXofc0AAF40&ctl00%24ContentPlaceHolder1%24Uc_article_list1%24HiddenField1=&ctl00%24ContentPlaceHolder1%24Uc_article_list1%24TextBox1=aaa&ctl00%24ContentPlaceHolder1%24Uc_article_list1%24Submit1=%E6%9F%A5%E8%AF%A2




2.

POST /mainpage/articleclasslist.aspx?classid=1 HTTP/1.1
Host: ****.*****.com
Proxy-Connection: keep-alive
Content-Length: 664
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://****.*****.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://***.****.com/mainpage/articleclasslist.aspx?classid=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=5v1dd255ws0rnh45ugoeih45
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUIMzM5NTU5NDgPZBYCZg9kFgICAw9kFgICAQ9kFgQCAQ9kFgJmDzwrAAsBAA8WCB4IRGF0YUtleXMWAB4LXyFJdGVtQ291bnRmHglQYWdlQ291bnQCAR4VXyFEYXRhU291cmNlSXRlbUNvdW50ZmRkAgMPZBYEZg8PFgIeBFRleHQFHOW9k%2BWJjeS9jee9ru%2B8miDkv6Hmga%2Fpl6jmiLdkZAIEDzwrAAsBAA8WCB8AFgAfAWYfAgIBHwNmZGRklOoQ%2FBOFHluLNa%2FCkVJBO0rfAMk%3D&__VIEWSTATEGENERATOR=BD8CA00D&__EVENTVALIDATION=%2FwEWBAL22uvgDQKKmILXBALa6q6fAQK0q4zhDNnJp%2BKvcA3FmFcLFyTZuh61cjN4&ctl00%24ContentPlaceHolder1%24Uc_article_list1%24HiddenField1=&ctl00%24ContentPlaceHolder1%24Uc_article_list1%24TextBox1=xxx&ctl00%24ContentPlaceHolder1%24Uc_article_list1%24Submit1=%E6%9F%A5%E8%AF%A2



Fix recommendation:

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-03-27 14:27

Vendor reply:

CNVD confirmed and reproduced the described situation; the case has been forwarded by CNCERT to the Jiangxi branch center, which will coordinate remediation with the unit that administers the site.

Latest status:

None yet