漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0127297
漏洞标题:鸿星尔克官方网站存在SQL注入
相关厂商:cncert国家互联网应急中心
漏洞作者: zchacker
提交时间:2015-07-19 16:47
修复时间:2015-09-07 08:06
公开时间:2015-09-07 08:06
漏洞类型:SQL注射漏洞
危害等级:中
自评Rank:5
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-07-19: 细节已通知厂商并且等待厂商处理中
2015-07-24: 厂商已经确认,细节仅向厂商公开
2015-08-03: 细节向核心白帽子及相关领域专家公开
2015-08-13: 细节向普通白帽子公开
2015-08-23: 细节向实习白帽子公开
2015-09-07: 细节向公众公开
简要描述:
SQL注入网址:http://www.erke.com/newsdetail.aspx?CateID=47&NewsID=201
尝试单引号是显示Server Error in '/' Application.
详细说明:
SQL注入网址:http://www.erke.com/newsdetail.aspx?CateID=47&NewsID=201
将 nvarchar 值 '201'' 转换为数据类型为 int 的列时发生语法错误。
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: 将 nvarchar 值 '201'' 转换为数据类型为 int 的列时发生语法错误。
Source Error:
The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:
1. Add a "Debug=true" directive at the top of the file that generated the error. Example:
<%@ Page Language="C#" Debug="true" %>
or:
2) Add the following section to the configuration file of your application:
<configuration>
<system.web>
<compilation debug="true"/>
</system.web>
</configuration>
Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.
Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.
Stack Trace:
[SqlException (0x80131904): 将 nvarchar 值 '201'' 转换为数据类型为 int 的列时发生语法错误。]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +2073294
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +5063436
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning() +234
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +2275
System.Data.SqlClient.SqlDataReader.HasMoreRows() +211
System.Data.SqlClient.SqlDataReader.ReadInternal(Boolean setTimeout) +217
System.Data.SqlClient.SqlDataReader.Read() +9
SqlServer2000.SqlSession.GetTable(String Sql, IQueryable QueryParam) +542
[SessionException: Get List errorselect top 1 News_Title,News_AddTime,News_Author,News_Count,News_Content,News_Order,News_CateId,News_Id from Dcms_News where News_State='1' and News_Id = @News_Id order by News_Order Desc ]
SqlServer2000.SqlSession.GetTable(String Sql, IQueryable QueryParam) +749
Dcms.Controls.RenderApi.RenderRepTemp(Int32 layerI, DataQuery dq, Int32 TotalRecord, Int32 TotalPage) +468
Dcms.Controls.RenderApi.RenderSelect() +625
Dcms.Controls.Drepeater.Render(HtmlTextWriter output) +522
System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27
System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +100
System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +25
ASP.aspx_cn_newsdetail_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer) in c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\c659c216\7a8c398\App_Web_cje3p2r3.10.cs:0
System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) +109
System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +8
System.Web.UI.Page.Render(HtmlTextWriter writer) +29
System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27
System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +100
System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +25
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3060
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1031
知道了服务器的一些信息,我尝试用sqlmap,如图:
漏洞证明:
SQL注入网址:http://www.erke.com/newsdetail.aspx?CateID=47&NewsID=201
将 nvarchar 值 '201'' 转换为数据类型为 int 的列时发生语法错误。
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: 将 nvarchar 值 '201'' 转换为数据类型为 int 的列时发生语法错误。
Source Error:
The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:
1. Add a "Debug=true" directive at the top of the file that generated the error. Example:
<%@ Page Language="C#" Debug="true" %>
or:
2) Add the following section to the configuration file of your application:
<configuration>
<system.web>
<compilation debug="true"/>
</system.web>
</configuration>
Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.
Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.
Stack Trace:
[SqlException (0x80131904): 将 nvarchar 值 '201'' 转换为数据类型为 int 的列时发生语法错误。]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +2073294
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +5063436
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning() +234
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +2275
System.Data.SqlClient.SqlDataReader.HasMoreRows() +211
System.Data.SqlClient.SqlDataReader.ReadInternal(Boolean setTimeout) +217
System.Data.SqlClient.SqlDataReader.Read() +9
SqlServer2000.SqlSession.GetTable(String Sql, IQueryable QueryParam) +542
[SessionException: Get List errorselect top 1 News_Title,News_AddTime,News_Author,News_Count,News_Content,News_Order,News_CateId,News_Id from Dcms_News where News_State='1' and News_Id = @News_Id order by News_Order Desc ]
SqlServer2000.SqlSession.GetTable(String Sql, IQueryable QueryParam) +749
Dcms.Controls.RenderApi.RenderRepTemp(Int32 layerI, DataQuery dq, Int32 TotalRecord, Int32 TotalPage) +468
Dcms.Controls.RenderApi.RenderSelect() +625
Dcms.Controls.Drepeater.Render(HtmlTextWriter output) +522
System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27
System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +100
System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +25
ASP.aspx_cn_newsdetail_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer) in c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\c659c216\7a8c398\App_Web_cje3p2r3.10.cs:0
System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) +109
System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +8
System.Web.UI.Page.Render(HtmlTextWriter writer) +29
System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27
System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +100
System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +25
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3060
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1031
知道了服务器的一些信息,我尝试用sqlmap,如图:
修复方案:
---
版权声明:转载请注明来源 zchacker@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:9
确认时间:2015-07-24 08:04
厂商回复:
暂未能建立与网站管理单位的直接处置渠道,待认领.
最新状态:
暂无