
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0101003

Title: Another SQL injection vulnerability in the Zhejiang Education Examination Authority website, allowing Zhejiang examinee information to be read

Affected vendor: Zhejiang Education Examination Authority

Author: Caviar

Submitted: 2015-03-16 11:19

Fix time: 2015-05-04 11:12

Public disclosure: 2015-05-04 11:12

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-16: Details sent to the vendor; awaiting vendor handling
2015-03-20: Vendor confirmed; details visible to the vendor only
2015-03-30: Details opened to core white hats and relevant domain experts
2015-04-09: Details opened to regular white hats
2015-04-19: Details opened to intern white hats
2015-05-04: Details opened to the public

Summary:

Lately everyone has been digging for vulnerabilities in the Zhejiang Education Examination Authority website; a vulnerability I found earlier was submitted by someone else before me. That earlier SQL injection has been fixed, but injection is still possible at another spot
( •̀ .̫ •́ )✧ . This involves Zhejiang examinees' information; please, I beg you, go through the site carefully and fix all of them, OK?

Details:

Login and similar operations are indeed filtered, but after a successful login the student's ID card number is stored in a cookie on the client (named usersfz; P.S. this English-plus-pinyin naming style leaves me speechless, Orz). Some later operations, for example this academic proficiency test (huikao) score query

http://pgzy.zjzs.net:8011/exam/gaokao2014/cjcx.aspx

read that cookie directly and concatenate its value into the database query without any filtering, so it is trivially injectable.

Proof:

sqlmap screenshot and part of the database structure

[sqlmap screenshot not reproduced here]


web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: active fingerprint: Oracle 11i
banner parsing fingerprint: Oracle 11.2.0.1.0
banner: 'Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production'
Database: EXAMIMSTEST
Table: ZXDS
[3 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| DS_H | NUMBER |
| JC | VARCHAR2 |
| MC | VARCHAR2 |
+--------+----------+
Database: EXAMIMSTEST
Table: KSLB
[3 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| KSLB_DES | VARCHAR2 |
| KSLB_ID | NUMBER |
| KSLB_NAME | VARCHAR2 |
+-----------+----------+
Database: EXAMIMSTEST
Table: CONSTRAINTSWHERE
[5 columns]
+--------------------+-----------+
| Column | Type |
+--------------------+-----------+
| CATEGORY2_ID | NUMBER |
| CONSTRAINT_CONTENT | NVARCHAR2 |
| CONSTRAINT_DES | VARCHAR2 |
| CONSTRAINT_ID | NUMBER |
| CONSTRAINTTYPE_ID | NUMBER |
+--------------------+-----------+
Database: EXAMIMSTEST
Table: BJ
[2 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| BJ_H | NUMBER |
| BJ_MC | VARCHAR2 |
+--------+----------+
Database: EXAMIMSTEST
Table: FIELDALONG
[3 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| FIELDSTYPE_DES | VARCHAR2 |
| FIELDSTYPE_ID | NUMBER |
| FIELDSTYPE_NAME | VARCHAR2 |
+-----------------+----------+
Database: EXAMIMSTEST
Table: XKCJ_1230
[16 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| BZ | VARCHAR2 |
| KM10DD | VARCHAR2 |
| KM11DD | VARCHAR2 |
| KM12DD | VARCHAR2 |
| KM1DD | VARCHAR2 |
| KM2DD | VARCHAR2 |
| KM3DD | VARCHAR2 |
| KM4DD | VARCHAR2 |
| KM5DD | VARCHAR2 |
| KM6DD | VARCHAR2 |
| KM7DD | VARCHAR2 |
| KM8DD | VARCHAR2 |
| KM9DD | VARCHAR2 |
| SFZH | VARCHAR2 |
| XJFH | VARCHAR2 |
| XM | VARCHAR2 |
+--------+----------+
Database: EXAMIMSTEST
Table: CONSTRAINTTYPE
[3 columns]
+---------------------+-----------+
| Column | Type |
+---------------------+-----------+
| CONSTRAINTTYPE_DES | VARCHAR2 |
| CONSTRAINTTYPE_ID | NUMBER |
| CONSTRAINTTYPE_NAME | NVARCHAR2 |
+---------------------+-----------+
Database: EXAMIMSTEST
Table: ZXLB
[3 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| JC | VARCHAR2 |
| MC | VARCHAR2 |
| ZXLB_H | NUMBER |
+--------+----------+
Database: EXAMIMSTEST
Table: RY
[3 columns]
+---------+----------+
| Column | Type |
+---------+----------+
| RY_DES | VARCHAR2 |
| RY_ID | NUMBER |
| RY_NAME | VARCHAR2 |
+---------+----------+
Database: EXAMIMSTEST
Table: SXKS
[8 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| BZ | VARCHAR2 |
| FSJS | VARCHAR2 |
| FSSJ | VARCHAR2 |
| FSTL | VARCHAR2 |
| FSTY | VARCHAR2 |
| FSXX | VARCHAR2 |
| SFZH | VARCHAR2 |
| XM | VARCHAR2 |
+--------+----------+
Database: EXAMIMSTEST
Table: SIGNFORM
[3 columns]
+---------------+-----------+
| Column | Type |
+---------------+-----------+
| SIGNFORM_DES | VARCHAR2 |
| SIGNFORM_ID | NUMBER |
| SIGNFORM_NAME | NVARCHAR2 |
+---------------+-----------+
Database: EXAMIMSTEST
Table: JNLB
[3 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| LB_H | NUMBER |
| LB_MC | VARCHAR2 |
| MEMO | VARCHAR2 |
+--------+----------+
Database: EXAMIMSTEST
Table: AUTH_MAGEDOBJ
[5 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| APP_NO | VARCHAR2 |
| BZ | VARCHAR2 |
| MC | VARCHAR2 |
| OBJ_H | VARCHAR2 |
| SQLSTR | CHAR |
+--------+----------+
Database: EXAMIMSTEST
Table: XYKS201501_KD
[19 columns]
+----------+----------+
| Column | Type |
+----------+----------+
| BMD_H | NUMBER |
| BZ | VARCHAR2 |
| DS_H | NUMBER |
| DZ | VARCHAR2 |
| FAX | VARCHAR2 |
| FZKR | VARCHAR2 |
| JC | VARCHAR2 |
| KCSL | NUMBER |
| KD_H | NUMBER |
| KD_ORDER | NUMBER |
| LXDH | VARCHAR2 |
| LXR | VARCHAR2 |
| MC | VARCHAR2 |
| USEDIT | NUMBER |
| XQ_H | NUMBER |
| YYRS | NUMBER |
| YZBM | VARCHAR2 |
| ZKR | VARCHAR2 |
| ZRS | NUMBER |
+----------+----------+
Database: EXAMIMSTEST
Table: XYKS201501_KC
[5 columns]
+--------+--------+
| Column | Type |
+--------+--------+
| KC_H | NUMBER |
| KCKSLC | NUMBER |
| KD_H | NUMBER |
| KSLX_H | NUMBER |
| RS | NUMBER |
+--------+--------+

Fix recommendation:

Cookie contents are under the client's control, not the server's! Do not store the user's login identity (here, the ID card number) in a cookie; keep it in a server-side session and give the client only an opaque session identifier. And never read a cookie value and concatenate it straight into a database query: use bind variables (parameterized queries) rather than relying on input filtering.
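The pattern described in the details section and the fix recommended above, as an added example that is not code from the original report or from the zjzs.net application. The real site runs ASP.NET on Oracle 11.2; here Python's sqlite3 stands in for the database (the `:name` bind syntax used is also what Oracle drivers such as cx_Oracle / python-oracledb accept). The table XKCJ_1230 and columns SFZH, XM, KM1DD are taken from the sqlmap output above; the query text, the `sid` session cookie name, the `login` helper and the sample rows are assumptions.

```python
"""Added example: a cookie-driven score lookup, vulnerable and fixed.

Not code from the original report or from the zjzs.net site. sqlite3 stands in
for Oracle; the ':name' bind syntax below is also accepted by Oracle drivers
(cx_Oracle / python-oracledb). Table/column names XKCJ_1230, SFZH, XM, KM1DD
come from the sqlmap output in the report; the query text, the 'sid' session
cookie, the login() helper and the sample rows are assumptions.
"""
import secrets
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample data: fictional examinees, not real records.
SAMPLE_ROWS: List[Tuple[str, str, str]] = [
    ("330100199901010001", "Examinee A", "85"),
    ("330100199901010002", "Examinee B", "92"),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the EXAMIMSTEST schema, only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE XKCJ_1230 (SFZH TEXT, XM TEXT, KM1DD TEXT)")
    conn.executemany("INSERT INTO XKCJ_1230 VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_scores_vulnerable(conn: sqlite3.Connection,
                            cookies: Dict[str, str]) -> List[Tuple]:
    """The pattern the report describes: the ID number is read from the
    client-writable 'usersfz' cookie and spliced into the SQL text."""
    sfzh = cookies.get("usersfz", "")
    sql = ("SELECT SFZH, XM, KM1DD FROM XKCJ_1230 "
           "WHERE SFZH = '" + sfzh + "'")          # string concatenation
    return conn.execute(sql).fetchall()


def query_scores_bound(conn: sqlite3.Connection, sfzh: str) -> List[Tuple]:
    """Fix part 1: a bind variable. The value travels separately from the
    statement, so quotes or SQL keywords inside it are just data."""
    sql = "SELECT SFZH, XM, KM1DD FROM XKCJ_1230 WHERE SFZH = :sfzh"
    return conn.execute(sql, {"sfzh": sfzh}).fetchall()


def login(session_store: Dict[str, str], sfzh: str) -> Dict[str, str]:
    """Fix part 2 (assumed helper): after the credential check has already
    succeeded, keep the identity server-side and give the client only an
    opaque, unguessable session id."""
    sid = secrets.token_urlsafe(32)
    session_store[sid] = sfzh
    return {"sid": sid}          # cookie to set; it carries no identity data


def query_scores_fixed(conn: sqlite3.Connection,
                       session_store: Dict[str, str],
                       cookies: Dict[str, str]) -> List[Tuple]:
    """Resolve the caller through the server-side session, then bind."""
    sfzh = session_store.get(cookies.get("sid", ""))
    if sfzh is None:             # unknown or forged session id: no query at all
        return []
    return query_scores_bound(conn, sfzh)


INJECTED = "' OR '1'='1"          # turns the WHERE clause into a tautology


if __name__ == "__main__":
    db = make_db()
    honest = {"usersfz": SAMPLE_ROWS[0][0]}
    print("vulnerable, honest cookie:  ", query_scores_vulnerable(db, honest))
    print("vulnerable, injected cookie:", query_scores_vulnerable(db, {"usersfz": INJECTED}))
    print("bound, injected value:      ", query_scores_bound(db, INJECTED))
    store: Dict[str, str] = {}
    cookie = login(store, SAMPLE_ROWS[0][0])
    print("fixed, real session:        ", query_scores_fixed(db, store, cookie))
    print("fixed, forged session:      ", query_scores_fixed(db, store, {"sid": INJECTED}))
```

With the honest cookie the vulnerable function returns one row; with the `' OR '1'='1` payload it returns every examinee, which is exactly the disclosure sqlmap automated against the real site. The bound query returns nothing for the same payload, and the session-based version never even reaches the database for a forged id, because the ID number is no longer something the client can supply.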

Copyright notice: when reposting, please credit Caviar@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-03-20 11:10

Vendor reply:

CNVD confirms the described situation; it has been forwarded via CNCERT to the branch center, which will coordinate handling with the website's operating organisation.

Latest status:

None yet