中国电信某省级网站SQL注入(疑似影响千万数据)

发表于 2014年12月29日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2014-088892

漏洞标题：中国电信某省级网站SQL注入(疑似影响千万数据)

漏洞详情

披露状态：

2014-12-29: 细节已通知厂商并且等待厂商处理中
2014-12-31: 厂商已经确认，细节仅向厂商公开
2015-01-10: 细节向核心白帽子及相关领域专家公开
2015-01-20: 细节向普通白帽子公开
2015-01-30: 细节向实习白帽子公开
2015-02-10: 细节向公众公开

简要描述：

中国电信某省级网站SQL注入(影响千万数据)

详细说明：

大婶请看与这个的区别：http://**.**.**.**/bugs/wooyun-2014-082767它的是登录页面，我的是注册页面，而且登录页面已经修复了跪谢 - -！@本来是用工具扫，结果半天没出东西，直觉告诉我注册页面可能会有问题，注册个账号，抓包，跑一跑，就出来了！问题在这里：

数据：

POST /sysadmin/RegistUser.aspx HTTP/1.1<br>
Host: **.**.**.**<br>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0<br>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br>
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3<br>
Accept-Encoding: gzip, deflate<br>
Referer: http://**.**.**.**/sysadmin/RegistUser.aspx<br>
Cookie: CNZZDATA2558089=cnzz_eid%3D1950861709-1419644325-%26ntime%3D1419644325; ASP.NET_SessionId=dr5mawejvr1tqn55xlnzvn55<br>
X-Forwarded-For: **.**.**.**<br>
Connection: keep-alive<br>
Content-Type: application/x-www-form-urlencoded<br>
Content-Length: 1682__VIEWSTATE=%2FwEPDwUINDk2NDc4NzIPZBYCAgMPZBYIAgkPEA8WBh4ORGF0YVZhbHVlRmllbGQFBkNvZGVJRB4NRGF0YVRleHRGaWVsZAUIQ29kZU5hbWUeC18hRGF0YUJvdW5kZ2QQFQID55S3A%2BWlsxUCATABMRQrAwJnZ2RkAg0PEA8WBh8ABQZDb2RlSUQfAQUIQ29kZU5hbWUfAmdkEBUNCeWTiOWwlOa7qAzpvZDpvZDlk4jlsJQJ54mh5Li55rGfCeS9s%2BacqOaWrwbnu6XljJYG6buR5rKzDOWkp%2BWFtOWuieWyrQbkvIrmmKUG5aSn5bqGCeS4g%2BWPsOayswbpuKHopb8G6bmk5bKXCeWPjOm4reWxsRUNBDA0NTEEMDQ1MgQwNDUzBDA0NTQEMDQ1NQQwNDU2BDA0NTcEMDQ1OAQwNDU5BDA0NjQEMDQ2NwQwNDY4BDA0NjkUKwMNZ2dnZ2dnZ2dnZ2dnZ2RkAhcPEA8WBh8ABQZST0xFSUQfAQUIUk9MRU5BTUUfAmdkEBUEDOWVhuWcuui0reeJqQzppJDppa7ppa3lupcM6YWS5bqX5a6%2B6aaGDOS8kemXsuWoseS5kBUEJDdmZWU0ZDg5LTUxOGUtNDY1NS1hYzFlLWM1ZjA1OWU5YThjYyQ0Zjk5ZmIyZC0xODE4LTRiZjMtOGM1ZS03NjJhZDIyM2IzYjEkOTI3YzEwNWUtNWFjZC00ZjI3LWJiMDItNmFhOWFhYjUzYzcxJGQxOTdkN2M0LThjYjItNDJlYy05YTZmLWJhZjk1ZWJkMGYzZBQrAwRnZ2dnZGQCIQ8PZBYCHgdvbmNsaWNrBTtyZXR1cm4gQ2hlY2tJbnB1dCgpICYmIENvbmZpcm1PcGVyYXRpb24oJ%2BehruiupOS%2FneWtmOWQlz8nKWRkznvIoCJm2yfkHxNkjIxVS3ku9Wc%3D&__EVENTVALIDATION=%2FwEWIwLltfqbDgKl1bKzCQKpwK%2FOBgLG8eCkDwLoi56uBgKF%2B%2FqNBwKDrof0CQKcrof0CQLhlb2lAgKama7yCgKambrfAQKamYaECAKamZJhApqZ%2Fs0HApqZyqoOApqZ1pcFApqZ4q4IApqZzosPAueAsP4KAueA9GwC54CAhAIC54Ds4AoCp9u%2FqQYC6drruQ0Cq9rXgQUChPP9ugwCkdG4yw0C3%2BXntQ0CpOyCqw8ClO2fsgsCnqjY3QMC592L7QECjqWrigUC6N3juQYCwova3gMMaoOWSEG4d25KMGFc0V%2BMwd18Ew%3D%3D&txtUserName=blackmanba&txtLoginName=blackmanba&txtUserPwd=bma123&txtUserPwd_Repeat=bma123&txtJob=bma&ddlSex=0&txtPostCode=411000&ddlArea=0452&txtTelNumber=13585654895&txtMobNumber=&txtFaxNumber=&txtEmail=blackmanba.china%**.**.**.**&drpRoles=4f99fb2d-1818-4bf3-8c5e-762ad223b3b1&hidUserID=&DataIDList=&IDList=&hidsDeptvalues=&btnSubmit=%E6%8F%90%E4%BA%A4

POST /sysadmin/RegistUser.aspx HTTP/1.1

Host: **.**.**.**

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Referer: http://**.**.**.**/sysadmin/RegistUser.aspx

Cookie: CNZZDATA2558089=cnzz_eid%3D1950861709-1419644325-%26ntime%3D1419644325; ASP.NET_SessionId=dr5mawejvr1tqn55xlnzvn55

X-Forwarded-For: **.**.**.**

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 1682__VIEWSTATE=%2FwEPDwUINDk2NDc4NzIPZBYCAgMPZBYIAgkPEA8WBh4ORGF0YVZhbHVlRmllbGQFBkNvZGVJRB4NRGF0YVRleHRGaWVsZAUIQ29kZU5hbWUeC18hRGF0YUJvdW5kZ2QQFQID55S3A%2BWlsxUCATABMRQrAwJnZ2RkAg0PEA8WBh8ABQZDb2RlSUQfAQUIQ29kZU5hbWUfAmdkEBUNCeWTiOWwlOa7qAzpvZDpvZDlk4jlsJQJ54mh5Li55rGfCeS9s%2BacqOaWrwbnu6XljJYG6buR5rKzDOWkp%2BWFtOWuieWyrQbkvIrmmKUG5aSn5bqGCeS4g%2BWPsOayswbpuKHopb8G6bmk5bKXCeWPjOm4reWxsRUNBDA0NTEEMDQ1MgQwNDUzBDA0NTQEMDQ1NQQwNDU2BDA0NTcEMDQ1OAQwNDU5BDA0NjQEMDQ2NwQwNDY4BDA0NjkUKwMNZ2dnZ2dnZ2dnZ2dnZ2RkAhcPEA8WBh8ABQZST0xFSUQfAQUIUk9MRU5BTUUfAmdkEBUEDOWVhuWcuui0reeJqQzppJDppa7ppa3lupcM6YWS5bqX5a6%2B6aaGDOS8kemXsuWoseS5kBUEJDdmZWU0ZDg5LTUxOGUtNDY1NS1hYzFlLWM1ZjA1OWU5YThjYyQ0Zjk5ZmIyZC0xODE4LTRiZjMtOGM1ZS03NjJhZDIyM2IzYjEkOTI3YzEwNWUtNWFjZC00ZjI3LWJiMDItNmFhOWFhYjUzYzcxJGQxOTdkN2M0LThjYjItNDJlYy05YTZmLWJhZjk1ZWJkMGYzZBQrAwRnZ2dnZGQCIQ8PZBYCHgdvbmNsaWNrBTtyZXR1cm4gQ2hlY2tJbnB1dCgpICYmIENvbmZpcm1PcGVyYXRpb24oJ%2BehruiupOS%2FneWtmOWQlz8nKWRkznvIoCJm2yfkHxNkjIxVS3ku9Wc%3D&__EVENTVALIDATION=%2FwEWIwLltfqbDgKl1bKzCQKpwK%2FOBgLG8eCkDwLoi56uBgKF%2B%2FqNBwKDrof0CQKcrof0CQLhlb2lAgKama7yCgKambrfAQKamYaECAKamZJhApqZ%2Fs0HApqZyqoOApqZ1pcFApqZ4q4IApqZzosPAueAsP4KAueA9GwC54CAhAIC54Ds4AoCp9u%2FqQYC6drruQ0Cq9rXgQUChPP9ugwCkdG4yw0C3%2BXntQ0CpOyCqw8ClO2fsgsCnqjY3QMC592L7QECjqWrigUC6N3juQYCwova3gMMaoOWSEG4d25KMGFc0V%2BMwd18Ew%3D%3D&txtUserName=blackmanba&txtLoginName=blackmanba&txtUserPwd=bma123&txtUserPwd_Repeat=bma123&txtJob=bma&ddlSex=0&txtPostCode=411000&ddlArea=0452&txtTelNumber=13585654895&txtMobNumber=&txtFaxNumber=&txtEmail=blackmanba.china%**.**.**.**&drpRoles=4f99fb2d-1818-4bf3-8c5e-762ad223b3b1&hidUserID=&DataIDList=&IDList=&hidsDeptvalues=&btnSubmit=%E6%8F%90%E4%BA%A4

问题参数：txtLoginName上几张图，说不定真有千万：

漏洞证明：

就不深入了，证明一下！

select count(*) from SMSSEND_BACK;:    '9966936'

1	select count(*) from SMSSEND_BACK;: '9966936'

http://**.**.**.**

1	http://...

该子域存在相同问题

修复方案：

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2014-12-3117:09

厂商回复：

CNVD确认并复现所述情况，已经转由CNCERT向中国电信通报。

评价

2010-01-01 00:00 covertops 白帽子 | Rank:64 漏洞数:8)

这个时间截图大法好

原文连接：中国电信某省级网站SQL注入(疑似影响千万数据) 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。