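Vulnerability title | Multiple SQL injections on 亿邦动力网 lead to disclosure of administrator information; passwords stored in plaintext |
---|---|
Vendor | 亿邦动力网 |
Reported by | 路人甲 |
Submitted | 2013-02-22 14:28 |
Disclosed | 2013-04-08 14:28 |
Vulnerability type | SQL injection |
Severity | Medium |
Self-assessed Rank | 10 |
Status | Confirmed by vendor |
Tags | internal sensitive information disclosure, PHP + numeric-type injection, administrator password disclosure |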
Vulnerability details
The problem first shows up in the "微观察" pages, for example this one:
http://www.ebrun.com/mcolumn/expdetail.php?mid=1100'
It returns an error:
```
database error:
SQL not supported: select name, avator, sina_mblog, qq_mblog, ebrun_mblog, remark from cms_mexpert where id=1100'
Date: 2013-02-22 @ 12:42
Script: http://www.ebrun.com/mcolumn/expdetail.php?mid=1100'
Referer:
```
And this one:
http://www.ebrun.com/mcolumn/hottag.php?tid=752'
```
database error:
SQL not supported: select count(*) as cnt from cms_article as a join cms_FK_nodeArticle as b on b.articleId = a.id left join cms_articleContent as e on a.id=e.articleId left join cms_FK_categoryArticle as c on (c.articleId=a.id) join cms_mexpert as d on c.categoryId=d.id where a.status='4' and c.articleId in (select articleId from cms_FK_categoryArticle where categoryId=752') and b.nodeIdLevel3='2071'
Date: 2013-02-22 @ 12:44
Script: http://www.ebrun.com/mcolumn/hottag.php?tid=752'
Referer:
```
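Yes, this is injectable. There are a few more; you can track them down yourselves.
Proof of vulnerability:
I believe this one screenshot is proof enough, and the passwords are actually stored in plaintext...
Fix:
Apply intval() to the parameter.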
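
An added example (not from the original report or the vendor's code) of the suggested fix for the numeric `mid` parameter, taken one step further: strict integer validation, a bound parameter, and database errors logged server-side instead of echoed as in the output above. The in-memory SQLite table, the sample row and the helper names `parse_id` and `find_expert` are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the cms_mexpert table named in the error output.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cms_mexpert (id INTEGER PRIMARY KEY, name TEXT, remark TEXT)');
$pdo->exec("INSERT INTO cms_mexpert (id, name, remark) VALUES (1100, 'sample expert', 'constructed row')");

// Hypothetical helper: accept only a plain positive decimal integer.
// intval("1100'") quietly returns 1100; this rejects the malformed request instead.
function parse_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;                    // arrays (?mid[]=1) and missing parameters
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical lookup: the id is bound as a typed parameter, never concatenated.
function find_expert(PDO $pdo, $rawMid): ?array
{
    $id = parse_id($rawMid);
    if ($id === null) {
        return null;                    // caller answers with a generic 400/404 page
    }
    try {
        $stmt = $pdo->prepare('SELECT name, remark FROM cms_mexpert WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        error_log('expdetail query failed: ' . $e->getMessage()); // server-side log only
        return null;                    // the SQL text never reaches the client
    }
}

// Constructed inputs, including the quoted value from the report.
foreach (['1100', "1100'", '1100abc', '', ['1100']] as $mid) {
    $row = find_expert($pdo, $mid);
    printf("%-16s => %s\n", json_encode($mid), $row ? $row['name'] : 'rejected');
}
```

The same pattern applies to the `tid` parameter of `hottag.php`, whose value is placed inside an `in (select ...)` subquery.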