
Vulnerability summary

Defect ID: wooyun-2015-0108502

Title: 60 high-risk SQL injection vulnerabilities in a student comprehensive management system, bundled

Vendor: 安脉科技

Author: 路人甲

Submitted: 2015-04-17 18:55

Fixed: 2015-07-20 17:40

Disclosed: 2015-07-20 17:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-04-17: details sent to the vendor, awaiting vendor handling
2015-04-21: vendor confirmed; details visible to the vendor only
2015-04-24: details opened to third-party security partners
2015-06-15: details opened to core white hats and domain experts
2015-06-25: details opened to regular white hats
2015-07-05: details opened to intern white hats
2015-07-20: details opened to the public

Brief description:

This system has far too many injection points, so as a conscientious white hat I am bundling them all in one report and hope CNCERT can notify the vendor to fix them quickly; I am not going to submit them one at a time, that would only get me sneered at. If there is no credit, at least there is effort: individually verifying each of the 60 injection points with a small test and then writing the report took a whole evening, didn't it?

Detailed description:

Let's start with the home page.
Vendor:

http://anmai.net/case.htm  the official case list enumerates a great many customers


GET-type injections (50):

1. /teacher/teachingtechnology/patentinfoEdit.aspx?id=1
2. /teacher/teachingtechnology/teachingcoursewareEdit.aspx?id=1
3. /teacher/teachingtechnology/wonderfulcoursewareEdit.aspx?id=1
4. /teacher/teachingtechnology/ColligationSelect/TeachingExperience_P.aspx?id=1
5. /teacher/teachingtechnology/ColligationSelect/TeachingPlan_P.aspx?id=1
6. /teacher/teachingtechnology/ColligationSelect/TeachingPractise_P.aspx?id=1
7. /teacher/teachingtechnology/ColligationSelect/TeachingReflect_P.aspx?id=1
8. /teacher/teachingtechnology/ColligationSelect/TeachingSum_up_P.aspx?id=1
9. /teacher/teachingtechnology/ColligationSelect/wonderfulcourseware_P.aspx?id=1
10. /teacher/teachingtechnology/Course_Record_P.aspx?id=1
11. /teacher//teachingtechnology/Literature_P.aspx?id=1
12. /teacher/teachingtechnology/Patentinfo_P.aspx?id=1
13. /teacher/teachingtechnology/Specialtyinfo_P.aspx?id=1
14. /teacher/teachingtechnology/TitlePractice_P.aspx?id=1
15. /teacher/teachingtechnology/TitleResearch_P.aspx?id=1
16. /teacher/teachingtechnology/AppraiseDepReSet.aspx?type=getteatype&depid=1&cardid=1 (injection in the cardid parameter)
17. /teacher/mystudy/exchangestudyxiangxi.aspx?id=1
18. /teacher/mystudy/peixunxiangxi.aspx?id=1
19. /teacher/mystudy/professionxiangxi.aspx?id=1
20. /teacher/mystudy/specialxiangxi.aspx?id=1
21. /time/shezhiSystem/HBCourse.aspx?Gradename=1
22. /time/ChangeCourse/HandChagneCourse.aspx?clsname=1
23. /time/InsertCourseTable/rightInsertCourseTable.aspx?clsname=1
24. /time/ChangeCourse/ChangeCourseList.aspx?idcard=1
25. /TWmanage/weisheng/healthteachxx.aspx?id=1
26. /ZJ_Manage/Work_Man_Particular.aspx?id=1
27. /ZJ_Manage/Class_ZjWork/Work_Plan_Particular.aspx?id=1
28. /ZJ_Manage/Class_ZjWork/Work_Log_Particular.aspx?id=1
29. /ZJ_Manage/Class_ZjWork/Importance_Events_Particular.aspx?id=1
30. /ZJ_Manage/Class_ZjWork/AwardAndPunishRecord_Particular.aspx?id=1
31. /ZJ_Manage/Zj_Record/Class_Comparison_Particular.aspx?id=1
32. /ZJ_Manage/Zj_Record/Glory_Apply_Particular.aspx?id=1
33. /ZJ_Manage/Zj_Record/OnDuty_ClassComparison_Particular.aspx?id=1
34. /ZJ_Manage/Zj_Record/Server_Feedback_Particular.aspx?id=1
35. /ZJ_Manage/Zj_Record/Zj_Record_Particular.aspx?id=1
36. /Asset/Device/DeviceCancelSearch.aspx?DeviceBelong=1&assetname=&assetspec=&assetmodel=&assetfactory=&cancel_date_begin=&cancel_date_end=2015-3-9&sel_cancelnum=&txt_cancelnum=&sel_feesource=&txt_feesource=&cancelno=aaa&assettypeid=aaa&hidsearch=search (injection in the DeviceBelong parameter)
37. /Asset/Device/DevicetowaySearch.aspx?spodepart=1&assetname=&assetspec=&assetmodel=&assetfactory=&Lead_date_begin=2015-3-9&Lead_date_end=2015-3-9&hidsearch=search (injection in the assetname parameter)
38. /Asset/Device/stateright.aspx?useddepart=1&assetname=&assetspec=&assetmodel=&assetfactory=&Lead_date_begin=2015-3-9&Lead_date_end=2015-3-9&hidsearch=search (injection in the useddepart parameter)
39. /Asset/House/HouseCancelSearch.aspx?housebelong=1&housefabric=&housemode=&maintain_date_begin=&maintain_date_end=2015-3-9&housename=aaa&houseaddress=aaa&hidsearch=search (injection in the housebelong parameter)
40. /Asset/House/HouseMaintainSearch.aspx?housebelong=1&housefabric=&housemode=&buildquality=&maintain_date_begin=&maintain_date_end=2015-3-9&sel_worth=&txt_worth=&maintaincompany=aa&housename=aaa&houseaddress=aaa&hidsearch=search (injection in the housefabric parameter)
41. /Asset/House/HouseMaintainStat.aspx?housebelong=1&housefabric=&housemode=&buildquality=&maintain_date_begin=2015-3-9&maintain_date_end=2015-3-9&hidsearch=search (injection in the housebelong parameter)
42. /Asset/House/HouseRebuildSearch.aspx?housebelong=1&housefabric=&housemode=&maintain_date_begin=&maintain_date_end=2015-3-9&sel_worth=&txt_worth=&housename=aaa&houseaddress=aaaa&hidsearch=search (injection in the housemode parameter)
43. /Asset/House/HouseRebuildStat.aspx?housebelong=1&housefabric=&housemode=&maintain_date_begin=2015-3-9&maintain_date_end=2015-3-9&hidsearch=search (injection in the housebelong parameter)
44. /Asset/House/HouseRegistersearch.aspx?housebelong=1&housefabric=&housemode=&buildquality=&register_date_begin=&register_date_end=2015-3-9&build_date_begin=&build_date_end=2015-3-9&sel_buildarea=&txt_buildarea=&sel_occupyarea=&txt_occupyarea=&sel_houseusearea=&txt_houseusearea=&sel_worth=&txt_worth=&housename=aaa&houseaddress=aaa&hidsearch=search (injection in the buildquality parameter)
45. /Asset//House/HouseRegisterStat.aspx?housebelong=1&housefabric=&housemode=&buildquality=&register_date_begin=&register_date_end=2015-3-9&hidsearch=search (injection in the housebelong parameter)
46. /Asset//House/HouseRegistersearch.aspx?housebelong=1&housefabric=&housemode=&buildquality=&register_date_begin=&register_date_end=2015-3-9&build_date_begin=&build_date_end=2015-3-9&sel_buildarea=&txt_buildarea=&sel_occupyarea=&txt_occupyarea=&sel_houseusearea=&txt_houseusearea=&sel_worth=&txt_worth=&housename=aaa&houseaddress=aaa&hidsearch=search (injection in the housefabric parameter)
47. /Asset/House/Newhexiao.aspx?housebelong=1&register_date_begin=2015-3-9&register_date_end=2015-3-9&build_date_begin=&build_date_end=2015-3-9&sel_buildarea=&txt_buildarea=aa&hidsearch=search (injection in the housebelong parameter)
48. /Asset/Device/currentassetstatright.aspx?useddepart=1&assetname=&assetspec=&assetmodel=&assetfactory=&assetmodeltype=&Lead_date_end=2015-3-9&hidsearch=search (injection in the assetmodeltype parameter)
49. /oa/stock/applyInfo.aspx?username=1
50. /time/shezhiSystem/SZTime.aspx?clsname=1
For items 36-48 above, the injection is not limited to the parameter named; the other parameters of those requests are injectable as well.


POST-type injections (10):

51. /oa/stock/stockStat.aspx (injection in the startdate parameter)
52. /oa/usecar/carStat.aspx (injection in the startdate parameter)
53. /DormManage/MainDorm/StudentQuery.aspx (injection in the selgradeno parameter)
54. /TWmanage/weisheng/Wsearch2Left.aspx POST>>Wsearch2.aspx (injection in the selItemname parameter)
55. /TWmanage/weisheng/Wsearch1Left.aspx POST>>Wsearch1.aspx (injection in the selItemname parameter)
56. /TWmanage/weisheng/Wsearch3Left.aspx POST>>Wsearch3.aspx (injection in the selItemname parameter)
57. /TWmanage/weisheng/Wsearch4Left.aspx POST>>Wsearch4.aspx (injection in the selItemname and seltesttype parameters)
58. /TWmanage/weisheng/Wsearch5Left.aspx POST>>Wsearch5.aspx (injection in the selStuno parameter)
59. /TWmanage/zonghetongji/wssearch.aspx POST>>/TWmanage/zonghetongji/shillisy.aspx (injection in the selyear and selterm parameters)
60. /time/shezhiSystem/XueKeNocourse.aspx (injection in the Course parameter)
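As an added defender-side example (not part of the original report), the following Python checker takes a constructed subset of the endpoints and parameters listed above and flags requests in IIS W3C log lines whose decoded values contain SQL metacharacters or keywords; the endpoint table, the probe patterns and the sample log lines are all assumptions made here, not data from any deployment.

```python
import re
from urllib.parse import parse_qs

# Constructed subset of the affected endpoints and parameters listed in the report
# (paths lower-cased); None means every query parameter is injectable (items 36-48).
AFFECTED = {
    "/teacher/teachingtechnology/patentinfoedit.aspx": {"id"},
    "/teacher/teachingtechnology/appraisedepreset.aspx": {"cardid"},
    "/asset/device/devicecancelsearch.aspx": None,
    "/oa/stock/applyinfo.aspx": {"username"},
}
# Conservative SQL metacharacter and keyword patterns; tune against real traffic.
PROBE = re.compile(
    r"('|--|/\*|\bunion\b|\bselect\b|\bwaitfor\b|\bxp_cmdshell\b|\bor\s+\d+=\d+)",
    re.IGNORECASE,
)

def suspicious_params(path, query):
    """Return watched parameter names whose URL-decoded values look like SQL probes."""
    if path.lower() not in AFFECTED:
        return []
    watched = AFFECTED[path.lower()]
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if watched is not None and name.lower() not in watched:
            continue
        if any(PROBE.search(v) for v in values):  # parse_qs already decoded %27 and '+'
            hits.append(name)
    return sorted(hits)

def scan_iis_log(lines):
    """Scan IIS W3C lines (date time s-ip cs-method cs-uri-stem cs-uri-query ...)."""
    findings = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 6:
            continue  # skip directives, blank lines and truncated records
        method, stem, query = fields[3], fields[4], fields[5]
        hits = suspicious_params(stem, "" if query == "-" else query)
        if hits:
            findings.append((method, stem, hits))
    return findings

# Constructed sample log lines, not real traffic from any deployment.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2015-04-17 10:00:01 10.0.0.5 GET /teacher/teachingtechnology/patentinfoEdit.aspx id=1 80 192.0.2.10 200
2015-04-17 10:00:02 10.0.0.5 GET /teacher/teachingtechnology/patentinfoEdit.aspx id=1%27+AND+1=1-- 80 192.0.2.10 200
2015-04-17 10:00:03 10.0.0.5 GET /Asset/Device/DeviceCancelSearch.aspx DeviceBelong=1&assetname=1%27%20OR%201%3D1&hidsearch=search 80 192.0.2.10 200
2015-04-17 10:00:04 10.0.0.5 GET /oa/stock/applyInfo.aspx username=alice 80 192.0.2.11 200""".splitlines()
```

Running `scan_iis_log(SAMPLE_LOG)` reports the second and third sample requests (parameters `id` and `assetname`) and ignores the benign ones; the remaining endpoints from the list can be added to `AFFECTED` in the same form.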


Case From Google:

masked area

Proof of vulnerability:

Proof 1: /teacher/teachingtechnology/patentinfoEdit.aspx?id=1

01.png


Proof 2: /teacher/teachingtechnology/teachingcoursewareEdit.aspx?id=1

02.png


Proof 3: /teacher/teachingtechnology/wonderfulcoursewareEdit.aspx?id=1

03.png


Proof 4: /teacher/teachingtechnology/ColligationSelect/TeachingExperience_P.aspx?id=1

04.png


Proof 5: /teacher/teachingtechnology/ColligationSelect/TeachingPlan_P.aspx?id=1

05.png


Proof 6: /teacher/teachingtechnology/ColligationSelect/TeachingPractise_P.aspx?id=1

06.png


Proof 7: /teacher/teachingtechnology/ColligationSelect/TeachingReflect_P.aspx?id=1

07.png


Proof 8: /teacher/teachingtechnology/ColligationSelect/TeachingSum_up_P.aspx?id=1

08.png


Proof 9: /teacher/teachingtechnology/ColligationSelect/wonderfulcourseware_P.aspx?id=1

09.png


Proof 10: /teacher/teachingtechnology/Course_Record_P.aspx?id=1

10.png

Proof 11: /teacher//teachingtechnology/Literature_P.aspx?id=1

11.png


Proof 12: /teacher/teachingtechnology/Patentinfo_P.aspx?id=1

12.png


Proof 13: /teacher/teachingtechnology/Specialtyinfo_P.aspx?id=1

13.png


Proof 14: /teacher/teachingtechnology/TitlePractice_P.aspx?id=1

14.png


Proof 15: /teacher/teachingtechnology/TitleResearch_P.aspx?id=1

15.png


Proof 16: /teacher/teachingtechnology/AppraiseDepReSet.aspx?type=getteatype&depid=1&cardid=1

16.png


Proof 17: /teacher/mystudy/exchangestudyxiangxi.aspx?id=1

17.png


Proof 18: /teacher/mystudy/peixunxiangxi.aspx?id=1

18.png


Proof 19: /teacher/mystudy/professionxiangxi.aspx?id=1

19.png


Proof 20: /teacher/mystudy/specialxiangxi.aspx?id=1

20.png


Proof 21: /time/shezhiSystem/HBCourse.aspx?Gradename=1

21.jpg


Proof 22: /time/ChangeCourse/HandChagneCourse.aspx?clsname=1

22.jpg


Proof 23: /time/InsertCourseTable/rightInsertCourseTable.aspx?clsname=1

23.jpg


Proof 24: /time/ChangeCourse/ChangeCourseList.aspx?idcard=1

24.jpg


Proof 25: /TWmanage/weisheng/healthteachxx.aspx?id=1

25.jpg


Proof 26: /ZJ_Manage/Work_Man_Particular.aspx?id=1

26.jpg


Proof 27: /ZJ_Manage/Class_ZjWork/Work_Plan_Particular.aspx?id=1

27.jpg


Proof 28: /ZJ_Manage/Class_ZjWork/Work_Log_Particular.aspx?id=1

28.jpg


Proof 29: /ZJ_Manage/Class_ZjWork/Importance_Events_Particular.aspx?id=1

29.jpg


Proof 30: /ZJ_Manage/Class_ZjWork/AwardAndPunishRecord_Particular.aspx?id=1

30.jpg


Proof 31: /ZJ_Manage/Zj_Record/Class_Comparison_Particular.aspx?id=1

31.jpg


Proof 32: /ZJ_Manage/Zj_Record/Glory_Apply_Particular.aspx?id=1

32.jpg


Proof 33: /ZJ_Manage/Zj_Record/OnDuty_ClassComparison_Particular.aspx?id=1

33.jpg


Proof 34: /ZJ_Manage/Zj_Record/Zj_Record_Particular.aspx?id=1

34.jpg


Proof 35: /ZJ_Manage/Zj_Record/Zj_Record_Particular.aspx?id=1

35.jpg


Proof 36: /Asset/Device/DeviceCancelSearch.aspx?DeviceBelong=1&assetname=&assetspec=&assetmodel=&assetfactory=&cancel_date_begin=&cancel_date_end=2015-3-9&sel_cancelnum=&txt_cancelnum=&sel_feesource=&txt_feesource=&cancelno=aaa&assettypeid=aaa&hidsearch=search (injection in the DeviceBelong parameter)

36.jpg


Proof 37: /Asset/Device/DevicetowaySearch.aspx?spodepart=1&assetname=&assetspec=&assetmodel=&assetfactory=&Lead_date_begin=2015-3-9&Lead_date_end=2015-3-9&hidsearch=search (injection in the assetname parameter)

37.jpg


Proof 38: /Asset/Device/stateright.aspx?useddepart=1&assetname=&assetspec=&assetmodel=&assetfactory=&Lead_date_begin=2015-3-9&Lead_date_end=2015-3-9&hidsearch=search

38.jpg


Proof 39: /Asset/House/HouseCancelSearch.aspx?housebelong=1&housefabric=&housemode=&maintain_date_begin=&maintain_date_end=2015-3-9&housename=aaa&houseaddress=aaa&hidsearch=search

39.jpg


Proof 40: /Asset/House/HouseMaintainSearch.aspx?housebelong=1&housefabric=&housemode=&buildquality=&maintain_date_begin=&maintain_date_end=2015-3-9&sel_worth=&txt_worth=&maintaincompany=aa&housename=aaa&houseaddress=aaa&hidsearch=search (injection in the housefabric parameter)

40.jpg


Proof 41: /Asset/House/HouseMaintainStat.aspx?housebelong=1&housefabric=&housemode=&buildquality=&maintain_date_begin=2015-3-9&maintain_date_end=2015-3-9&hidsearch=search (injection in the housebelong parameter)

41.jpg


Proof 42: /Asset/House/HouseRebuildSearch.aspx?housebelong=1&housefabric=&housemode=&maintain_date_begin=&maintain_date_end=2015-3-9&sel_worth=&txt_worth=&housename=aaa&houseaddress=aaaa&hidsearch=search

42.jpg


Proof 43: /Asset/House/HouseRebuildStat.aspx?housebelong=1&housefabric=&housemode=&maintain_date_begin=2015-3-9&maintain_date_end=2015-3-9&hidsearch=search (injection in the housebelong parameter)

43.jpg


Proof 44: /Asset/House/HouseRegistersearch.aspx?housebelong=1&housefabric=&housemode=&buildquality=&register_date_begin=&register_date_end=2015-3-9&build_date_begin=&build_date_end=2015-3-9&sel_buildarea=&txt_buildarea=&sel_occupyarea=&txt_occupyarea=&sel_houseusearea=&txt_houseusearea=&sel_worth=&txt_worth=&housename=aaa&houseaddress=aaa&hidsearch=search (injection in the buildquality parameter)

44.jpg


Proof 45: /Asset//House/HouseRegisterStat.aspx?housebelong=1&housefabric=&housemode=&buildquality=&register_date_begin=&register_date_end=2015-3-9&hidsearch=search (injection in the housebelong parameter)

45.jpg


Proof 46: /Asset//House/HouseRegistersearch.aspx?housebelong=1&housefabric=&housemode=&buildquality=&register_date_begin=&register_date_end=2015-3-9&build_date_begin=&build_date_end=2015-3-9&sel_buildarea=&txt_buildarea=&sel_occupyarea=&txt_occupyarea=&sel_houseusearea=&txt_houseusearea=&sel_worth=&txt_worth=&housename=aaa&houseaddress=aaa&hidsearch=search (injection in the housefabric parameter)

46.jpg


Proof 47: /Asset/House/Newhexiao.aspx?housebelong=1&register_date_begin=2015-3-9&register_date_end=2015-3-9&build_date_begin=&build_date_end=2015-3-9&sel_buildarea=&txt_buildarea=aa&hidsearch=search (injection in the housebelong parameter)

47.jpg


Proof 48: Asset/Device/currentassetstatright.aspx?useddepart=1&assetname=&assetspec=&assetmodel=&assetfactory=&assetmodeltype=&Lead_date_end=2015-3-9&hidsearch=search (injection in the assetmodeltype parameter)

48.jpg


Proof 49: /oa/stock/applyInfo.aspx?username=1

49.jpg


Proof 50: /time/shezhiSystem/SZTime.aspx?clsname=1

58.jpg


Proof 51: /oa/stock/stockStat.aspx (injection in the startdate parameter)

49.jpg


Proof 52: /oa/usecar/carStat.aspx (injection in the startdate parameter)

51.jpg


Proof 53: /DormManage/MainDorm/StudentQuery.aspx (injection in the selgradeno parameter; the form fields were fetched with the --form option)

52.jpg


Proof 54: /TWmanage/weisheng/Wsearch2Left.aspx (injection in the selItemname parameter)

53.jpg


Proof 55: /TWmanage/weisheng/Wsearch1Left.aspx (injection in the selItemname parameter)

54.jpg


Proof 56: /TWmanage/weisheng/Wsearch3Left.aspx (injection in the selItemname parameter)

55.jpg


Proof 57: /TWmanage/weisheng/Wsearch4Left.aspx (injection in the selItemname and seltesttype parameters)

56.jpg


Proof 58: /TWmanage/weisheng/Wsearch5Left.aspx

57.jpg


Proof 59: /TWmanage/zonghetongji/wssearch.aspx

59.jpg


Proof 60: /time/shezhiSystem/XueKeNocourse.aspx (injection in the Course parameter)

60.jpg

Fix recommendation:

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-04-21 17:38

Vendor reply:

CNVD did not directly reproduce the described situation; CNVD has notified the software vendor through the contact details published on its website.

Latest status:

None yet